ONTAP Rest API Discussions
This code works, but also leaves Everyone/Full on the new share. Is there a way to remove it during creation, or is that a follow up step?
I'm not very familiar with the CIFS shares feature specifically, but the documentation says that passing acls (as you already are) should prevent the default Everyone/Full-Control from being used:
From the DOC /protocols/cifs/shares section:
Permissions can be assigned to this newly created share by specifying the 'acls' field. When a CIFS share is created, ONTAP creates a default ACL for this share with 'Full-Control' permissions for an 'Everyone' user.
If that's not how it's behaving for you, then I think opening a ticket with your request and result would be the next step. Perhaps there's some bug in the API.
Thanks for your reply, the API is perhaps not behaving appropriately. Despite specifying ACLs during creation, Everyone/Full is still added to the share on creation. I will open a case and see what they say, report back.
Rereading the documentation blurb that I posted, one might also interpret it to mean that ONTAP will always create the default 'Everyone' user when a CIFS share is created. It would be interesting to see if support comes back with that being intended and if there would be a way to prevent that on initial creation.
Unfortunately support is sorry to tell me that this situation is out of their scope.
I expect that adding Everyone/Full is the default, and unavoidable. The issue is, it will take some time for me to figure out how to remove it, testing, playing around. I see no examples in the GitHub scripts NetApp provides as samples. They only create one share in the cifssetup.py script, and they don't set ACLs on it, leaving Everyone/Full. So need to figure out how to delete Everyone/Full, as you can imagine, adding Everyone/Full with no_access does not achieve the goal 😄 Will post back if/when I figure it out.
Sorry, that part I can help with. I thought maybe you knew that part and just wanted to find a one step solution instead.
To remove an ACL, you would want to call DELETE on /api/protocols/cifs/shares/{svm.uuid}/{share}/acls/{user_or_group}/{type} where {user_or_group} should be Everyone and {type} should be full_control. So to add to your code from the first post, I think it might look like this (untested, but you can modify for your needs):
from netapp_ontap.resources import CifsShare, CifsShareAcl

# thepath, svm_name, user and the three AD group variables come from the first post.
share_info = {
    "path": thepath,
    "svm": {
        "name": svm_name
    },
    "name": user,
    "acls": [
        {"permission": "full_control", "type": "windows", "user_or_group": fulladgroup},
        {"permission": "change", "type": "windows", "user_or_group": rwadgroup},
        {"permission": "read", "type": "windows", "user_or_group": roadgroup}
    ]
}
myShare = CifsShare.from_dict(share_info)
myShare.post(hydrate=True)

# Look up the default Everyone entry on the new share and delete it if present.
everyone_acl = CifsShareAcl.find(myShare.svm.uuid, myShare.name, user_or_group="Everyone")
if everyone_acl is not None:
    everyone_acl.delete()
print("cifsshare %s created Successfully" % myShare.name)
Tested, that works, thanks! I was thinking ideally it would be nice to create it as needed to begin with, but the code to remove it does the job as well. Much appreciated.
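A follow-up check for the create-then-delete approach in this thread, as an added example that is not part of any post above and is not NetApp code: it compares the ACL entries a share actually has against the ones that were requested and reports a leftover Everyone entry, permission drift, and missing groups. It assumes the share's current ACL entries have already been fetched into dicts with the same three keys used in the "acls" list above; the function name, the finding labels and the EXAMPLE\ group names are hypothetical.

```python
# Principal the thread wants gone from new shares; compared lower-cased.
BROAD = {"everyone"}


def _index(acls):
    # Windows principal names compare case-insensitively, so key on lower case.
    return {(a["user_or_group"].lower(), a["type"]): a["permission"] for a in acls}


def audit_share_acl(intended, actual):
    """Return a list of (finding, principal, permission) tuples.

    intended: the "acls" list that was sent when the share was created.
    actual:   the ACL entries the share has now, in the same dict shape.
    """
    want, have = _index(intended), _index(actual)
    findings = []
    for key, perm in sorted(have.items()):
        name = key[0]
        if key not in want:
            kind = "broad_principal" if name in BROAD else "unexpected"
            findings.append((kind, name, perm))
        elif want[key] != perm:
            # Same principal, but the share grants something other than requested.
            findings.append(("permission_drift", name, perm))
    for key, perm in sorted(want.items()):
        if key not in have:
            findings.append(("missing", key[0], perm))
    return findings


# Constructed sample data: group names are placeholders, not from the thread.
SAMPLE_INTENDED = [
    {"permission": "full_control", "type": "windows", "user_or_group": "EXAMPLE\\share-full"},
    {"permission": "change", "type": "windows", "user_or_group": "EXAMPLE\\share-rw"},
    {"permission": "read", "type": "windows", "user_or_group": "EXAMPLE\\share-ro"},
]
SAMPLE_ACTUAL = [
    {"permission": "full_control", "type": "windows", "user_or_group": "Everyone"},
    {"permission": "full_control", "type": "windows", "user_or_group": "EXAMPLE\\Share-Full"},
    {"permission": "full_control", "type": "windows", "user_or_group": "EXAMPLE\\share-rw"},
]

if __name__ == "__main__":
    for finding in audit_share_acl(SAMPLE_INTENDED, SAMPLE_ACTUAL):
        print(finding)
```

An empty result means the share carries exactly the requested entries, so a provisioning script can treat any non-empty result as a failed creation.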