ONTAP Rest API Discussions

Remove Everyone/Full from new share in Python REST API

Cjones
1,019 Views

This code works, but also leaves Everyone/Full on the new share.  Is there a way to remove it during creation, or is that a follow up step?

 

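from netapp_ontap.error import NetAppRestError
from netapp_ontap.resources import CifsShare

share_info = {
    "path": thepath,
    "svm": {
        "name": svm_name
    },
    "name": user,
    "acls": [
        {"permission": "full_control", "type": "windows", "user_or_group": fulladgroup},
        {"permission": "change", "type": "windows", "user_or_group": rwadgroup},
        {"permission": "read", "type": "windows", "user_or_group": roadgroup}
    ]
}
myShare = CifsShare.from_dict(share_info)
try:
    # poll=True: if the request returns a job, wait for it to complete
    if myShare.post(poll=True):
        print("cifsshare %s created Successfully" % myShare.name)
except NetAppRestError as err:
    print("cifsshare %s was not created: %s" % (user, err))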

6 REPLIES 6

RobertBlackhart
895 Views

I'm not very familiar with the CIFS shares feature specifically, but the documentation says that passing acls (as you already are) should prevent the default Everyone/Full-Control from being used:

 

From the DOC /protocols/cifs/shares section:

Permissions can be assigned to this newly created share by specifying the 'acls' field. When a CIFS share is created, ONTAP creates a default ACL for this share with 'Full-Control' permissions for an 'Everyone' user.

 

If that's not how it's behaving for you, then I think opening a ticket with your request and result would be the next step. Perhaps there's some bug in the API.

Cjones
872 Views

Thanks for your reply, the API is perhaps not behaving appropriately.  Despite specifying ACLs during creation, Everyone/Full is still added to the share on creation.  I will open a case and see what they say, report back.   

RobertBlackhart
868 Views

Rereading the documentation blurb that I posted, one might also interpret it to mean that ONTAP will always create the default 'Everyone' user when a CIFS share is created. It would be interesting to see if support comes back with that being intended and if there would be a way to prevent that on initial creation.

Cjones
861 Views

Unfortunately support is sorry to tell me that this situation is out of their scope.  

I expect that adding Everyone/Full is the default, and unavoidable. The issue is, it will take some time for me to figure out how to remove it, testing, playing around. I see no examples in the GitHub scripts NetApp provides as samples. They only create one share in the cifssetup.py script, and they don't set ACLs on it, leaving Everyone/Full. So I need to figure out how to delete Everyone/Full; as you can imagine, adding Everyone/Full with no_access does not achieve the goal 😄 Will post back if/when I figure it out.

RobertBlackhart
857 Views

Sorry, that part I can help with. I thought maybe you knew that part and just wanted to find a one step solution instead.

 

To remove an ACL, you would want to call DELETE on /api/protocols/cifs/shares/{svm.uuid}/{share}/acls/{user_or_group}/{type} where {user_or_group} should be Everyone and {type} should be full_control. So to add to your code from the first post, I think it might look like this (untested, but you can modify for your needs):

 

from netapp_ontap.resources import CifsShare, CifsShareAcl

share_info = {
    "path": thepath,
    "svm": {
        "name": svm_name
    },
    "name": user,
    "acls": [
        {"permission": "full_control", "type": "windows", "user_or_group": fulladgroup},
        {"permission": "change", "type": "windows", "user_or_group": rwadgroup},
        {"permission": "read", "type": "windows", "user_or_group": roadgroup}
    ]
}
myShare = CifsShare.from_dict(share_info)
# hydrate=True re-reads the share after creation so myShare.svm.uuid is populated
myShare.post(hydrate=True)

# Look up the default Everyone entry on the new share and delete it if present
everyone_acl = CifsShareAcl.find(myShare.svm.uuid, myShare.name, user_or_group="Everyone")
if everyone_acl is not None:
    everyone_acl.delete()

print("cifsshare %s created Successfully" % myShare.name)
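
Added example, not part of the original thread or NetApp's sample code: a post-creation check that compares the ACL entries actually on a share with the ones the script asked for and lists the DELETE paths (in the endpoint format quoted above) for anything extra, such as the default Everyone entry. The sample ACLs, the placeholder UUID, the share name and the function names are constructed, and it assumes the `{type}` path segment takes the entry's `type` field (`windows` in the dicts above).

```python
from urllib.parse import quote

# Constructed sample data (not from the thread): the three groups the script
# asked for, and the ACLs a GET on the new share might return afterwards.
SVM_UUID = "00000000-0000-0000-0000-000000000001"  # placeholder UUID
DESIRED = [
    {"permission": "full_control", "type": "windows", "user_or_group": "CORP\\Share Admins"},
    {"permission": "change", "type": "windows", "user_or_group": "CORP\\Share RW"},
    {"permission": "read", "type": "windows", "user_or_group": "CORP\\Share RO"},
]
CURRENT = DESIRED[:2] + [
    {"permission": "change", "type": "windows", "user_or_group": "corp\\share ro"},
    {"permission": "full_control", "type": "windows", "user_or_group": "Everyone"},
]


def acl_key(acl):
    """Identify an entry by principal (case-insensitive) and type."""
    return (acl["user_or_group"].casefold(), acl["type"])


def plan_acl_cleanup(svm_uuid, share, current, desired):
    """Compare a share's ACLs with the intended list.

    Returns (delete_paths, missing, wrong_permission):
      delete_paths      DELETE paths for entries nobody asked for
      missing           desired entries absent from the share
      wrong_permission  desired entries present with another permission
    """
    want = {acl_key(a): a for a in desired}
    have = {acl_key(a): a for a in current}
    base = "/api/protocols/cifs/shares/%s/%s/acls" % (
        quote(svm_uuid, safe=""), quote(share, safe=""))
    # Percent-encode the principal: DOMAIN\group names contain "\" and spaces.
    delete_paths = [
        "%s/%s/%s" % (base, quote(a["user_or_group"], safe=""), a["type"])
        for key, a in have.items() if key not in want
    ]
    missing = [a for key, a in want.items() if key not in have]
    wrong_permission = [
        a for key, a in want.items()
        if key in have and have[key]["permission"] != a["permission"]
    ]
    return delete_paths, missing, wrong_permission


if __name__ == "__main__":
    for part in plan_acl_cleanup(SVM_UUID, "jdoe", CURRENT, DESIRED):
        print(part)
```

An empty `delete_paths` together with empty `missing` and `wrong_permission` lists means the share carries exactly the intended entries.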

Cjones
854 Views

Tested, that works, thanks!  I was thinking ideally it would be nice to create it as needed to begin with, but the code to remove it does the job as well.  Much appreciated.
