How to set File Level Security

Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA? Usually we use fsecurity or set it from Windows: browse to //FilerA/C$/vol/vol_name, right-click the qtree, select Properties and set it from the Security tab. Wondering how it can be automated by WFA.

Re: How to set File Level Security

I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.

I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.

Anyone automated this? Perl would be perfect.

Re: How to set File Level Security

Have you seen the WFA commands called "Set CIFS Share ACL" and "Set CIFS Share Multiple ACLs"?  Do they provide what you need?

Re: How to set File Level Security

Those commands are to set Share Level Access. They do not provide setting File Level Permissions.

Re: How to set File Level Security

Ah, I see. 

Since WFA runs on a Windows host, you could use PowerShell in a WFA command to 1) mount the share as a drive on the WFA server, 2) navigate to the folder containing the files you want to update, 3) Use Get-ACL and Set-ACL cmdlets to manipulate file level permissions, like shown here: 4) Remove the mount as part of clean-up for the command.

Sorry, Scott, I don't have an example WFA command that does this at the moment.  Without someone posting an example command or workflow, some PowerShell scripting would be involved.

Re: How to set File Level Security

So +1 to Dave's suggestion.  But I will give another option.  Since you are already familiar with fsecurity, you could implement that option.  The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA).  The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP.  I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate


Re: How to set File Level Security

Has anybody used the Get-ACL or Set-ACL cmdlet on a NetApp file / folder? I tried a couple of options but couldn't make it work.

Re: How to set File Level Security

So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path.  This means that if you want to set NTFS file permissions, you will need to have a Cifs Share available to the WFA host where the command will be run.  This becomes a slight challenge when dealing with secure tenancies.  I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go.  It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlet.
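The map, Get-Acl/Set-Acl, unmount sequence described in the replies above, as an added example that is not part of any post in this thread. Add-FolderAce, the drive name WfaAcl and the sample values in the comments are assumptions; it expects PowerShell 3.0 or later and a CIFS share reachable from the WFA host.

```powershell
# Added example: grant one NTFS ACE on a folder reached through a temporary PSDrive.
# Add-FolderAce and the drive name WfaAcl are hypothetical names chosen for illustration.
function Add-FolderAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,     # e.g. \\FilerA\C$
        [Parameter(Mandatory)][string]$RelativePath,  # e.g. vol\vol_name
        [Parameter(Mandatory)][string]$Account,       # e.g. Domain\Global_Group
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [pscredential]$Credential
    )

    $driveArgs = @{ Name = 'WfaAcl'; PSProvider = 'FileSystem'; Root = $ShareRoot; ErrorAction = 'Stop' }
    if ($Credential) { $driveArgs.Credential = $Credential }

    # 1) mount the share on the WFA host (session-only drive, nothing persisted)
    $drive = New-PSDrive @driveArgs
    try {
        # 2) locate the folder and fail early if it is not there
        $target = Join-Path "$($drive.Name):\" $RelativePath
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            throw "Folder not found: $target"
        }

        # 3) read the ACL, add an Allow ACE inherited by subfolders and files, write it back
        $acl = Get-Acl -LiteralPath $target
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, $Rights, $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($target, "Add $Rights for $Account")) {
            Set-Acl -LiteralPath $target -AclObject $acl
        }

        # return the explicit entries now present for the account so the caller can verify
        (Get-Acl -LiteralPath $target).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }
    }
    finally {
        # 4) always remove the mount, even when a step above failed
        Remove-PSDrive -Name $drive.Name -Force -ErrorAction SilentlyContinue
    }
}
```

Running it with -WhatIf performs the mount, lookup and cleanup but skips the Set-Acl call.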

Re: How to set File Level Security

I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?

Re: How to set File Level Security

The problem that I found was that it doesn't look like this functionality was exposed in the api. I looked at the NMSDK to see if it was listed but like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.

Yes, those were cmdlets that I mentioned and therefore would be PoSH. Maybe there is a Perl equivalent for setting Windows File permissions. I am not aware of one though.

Re: How to set File Level Security

I was just presented with this request today for a customer using vfilers and where WFA cannot access CIFS in them and found this post.

I can imagine a WFA command that does the following:

1) Build a properly formatted fsecurity.conf file with the things you want to set NTFS permissions on (see TR-3596 for more info)

2) Puts this file on the storage controller

3) Use invoke-nassh to run fsecurity apply with the fsecurity.conf file as input

And then a 2nd WFA command that does:

1) Watch status of previous fsecurity apply command repeatedly until it finishes

I guess I'll add it to my to-do list unless someone has already done it (please share!) or someone has a better/easier way to accomplish.

Re: How to set File Level Security

Does this help? It has been my way to set Files/NTFS permissions rather than just the share permissions.

Re: How to set File Level Security

One of my colleagues suggested to use a new cmdlet using 2.1 NTFSSecurity Module which works fine on command line

PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a | Add-Ace -Account Domain\Global_Group -AccessRights FullControl
PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a | Get-Ace

    Path: \\toaster1\c$\vol\vol0018a (Inheritance disabled)

Account                             Access Rights       Applies to                Type               IsInherited
-------                             -------------       ----------                ----               -----------
BUILTIN\Administrators (S-1-5-32... FullControl         ThisFolderSubfoldersAn... Allow              False
Domain\Global_Group (S-1-5-21-5883715... FullControl         ThisFolderSubfoldersAn... Allow              False

Question: how do I import the 2.1 NTFSSecurity module so that WFA recognizes the Add-Ace cmdlet?

I downloaded the cmdlet and added an Import-Module command in the profile.ps1 file at C:\Program Files\netapp\WFA\PoSH:

Import-Module $ModulesDir\Modules\WFA
Import-Module $ModulesDir\Modules\WFAWrapper
Import-Module $ModulesDir\Modules\DataONTAP
Import-Module $ModulesDir\Modules\NTFSSecurity

But I get “The term 'Add-Ace' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”

Any suggestion on how to import a new module to WFA?

Re: How to set File Level Security


I was able to set the File Level permissions with the fsecurity command as below:

# connect to controller
Connect-WFAController -Array $Array -VFiler $vFilerName

# validate volume existence - throws error if the volume does not exist
Get-NaVol -Names $VolumeName -ErrorAction Stop

# definition file goes under /etc of the <vFiler>_root volume
$fullPath = "/vol/" + $vFilerName + "_root/etc/fsecurity_" +  $VolumeName + ".conf"

# first line of the definition file: the fsecurity signature
Write-NaFile $fullPath -Data "cb56f6f4`n" -NoOverwrite

# task line: target path and the DACL in SDDL form (Full Control for BUILTIN\Administrators)
Write-NaFile $fullPath -Data "1,0,`"/vol/$VolumeName`",2,`"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)`"" -Append
Write-NaFile $fullPath -Data "`n"  -Append

# apply the definition file inside the vFiler over SSH
$command = "vfiler run $vFilerName fsecurity apply " + $fullPath
$command_out = Invoke-NaSsh -Command $command

Has anyone tried to construct the fsecurity file?

With the given information below, is it possible to build the fsecurity file?

Access Level        DACL          INHERIT
Full Control        0x001f01ff    CIOI
Modify              0x001301bf    CIOI
Read                0x00120089    CIOI
Read and Execute    0x001200a9    CIOI
Write               0x00100116    CIOI

Security Group      Access Level
Web_developer       Modify
Web_operator        Read
OSFOPS              Read and Execute
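One way to construct the definition file asked about above, which is also the first step of the fsecurity.conf procedure outlined earlier in the thread. This is an added example, not code from any poster or from NetApp: New-FsecurityDefinition, the domain name and the path are hypothetical, and it assumes fsecurity accepts several ACEs in one DACL string in standard SDDL form.

```powershell
# Added example: build the text of an fsecurity definition file from the two tables above.
# New-FsecurityDefinition, the 'Domain' value and the sample path are hypothetical.
$AccessMask = @{
    'Full Control'     = '0x001f01ff'
    'Modify'           = '0x001301bf'
    'Read'             = '0x00120089'
    'Read and Execute' = '0x001200a9'
    'Write'            = '0x00100116'
}

function New-FsecurityDefinition {
    param(
        [Parameter(Mandatory)][string]$Path,      # /vol/<volume>[/<qtree>]
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][System.Collections.IDictionary]$GroupAccess,
        [string]$Inherit = 'CIOI'
    )
    # Reject anything that could break out of the quoted fields or start a new task line.
    if ($Path -notmatch '^/vol/[A-Za-z0-9_]+(/[A-Za-z0-9_.-]+)*$') { throw "Unexpected path: $Path" }
    if ($Domain -notmatch '^[A-Za-z0-9_.-]+$') { throw "Unexpected domain: $Domain" }

    # Keep the BUILTIN\Administrators entry from the post so the folder stays manageable.
    $aces = @("(A;$Inherit;$($AccessMask['Full Control']);;;BUILTIN\Administrators)")
    foreach ($group in ($GroupAccess.Keys | Sort-Object)) {
        if ($group -notmatch '^[A-Za-z0-9_ .-]+$') { throw "Unexpected group name: $group" }
        $level = $GroupAccess[$group]
        if (-not $AccessMask.ContainsKey($level)) { throw "Unknown access level '$level' for $group" }
        $aces += "(A;$Inherit;$($AccessMask[$level]);;;$Domain\$group)"
    }

    # Line 1: signature. Line 2: one task in the same layout as the post (1,0,"path",2,"SDDL").
    $task = '1,0,"{0}",2,"D:{1}"' -f $Path, ($aces -join '')
    "cb56f6f4`n$task`n"
}

# Constructed input: the security groups and access levels listed in the question.
$definition = New-FsecurityDefinition -Path '/vol/vol_name' -Domain 'Domain' -GroupAccess @{
    Web_developer = 'Modify'
    Web_operator  = 'Read'
    OSFOPS        = 'Read and Execute'
}
$definition
```

The returned text can be written to the controller and applied with the Write-NaFile and Invoke-NaSsh calls from the post above.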


