Microsoft Virtualization Discussions

VB.net developer looking to manage CIFS shares via a console app

Runnindave
1,853 Views

As a VB.net developer I need to be able to manage remote SMB\CIFS shares on a Netapp array. All I want to do initially is set an existing share that contains a single ACE of Authenticated Users with Full access, to Read Only. 

 

All of the microsoft objects and methods can manage ACLs in the sub folders of the share, but the  main share seems off limits since it exists on the Netapp array. 

 

Is there a way to manage these shares using .net framework? Is there an API that I can install that will allow me to code the solution in Visual Studio and ideally in VB.net?

 

 

1 ACCEPTED SOLUTION

mbeattie
1,755 Views

Hi Dave,

 

You can modify the CIFS Share ACL using this PowerShell cmdlet:

 

PS C:\> get-help Set-NcCifsShareAcl

NAME
    Set-NcCifsShareAcl

SYNOPSIS
    Set the permissions for a user or group on a defined CIFS share.


SYNTAX
    Set-NcCifsShareAcl [-Share] <String> [-UserOrGroup] <String> [-Permission] <String> [-UserGroupType <String>] [-Winsid <String>] [-VserverContext <String>] [-Controller <NcController[]>] [-InformationAction
    <ActionPreference>] [-InformationVariable <String>] [-PipelineVariable <String>] [-ZapiRetryCount <Int32>] [<CommonParameters>]


DESCRIPTION
    Set the permissions for a user or group on a defined CIFS share.

 There is also an equivalent REST API for modifying the CIFS share ACL available from ONTAP 9.6:

/protocols/cifs/shares/{svm.uuid}/{share}/acls/{user_or_group}/{type}

https://library.netapp.com/ecmdocs/ECMLP2876964/html/index.html#/NAS/cifs_share_acl_modify

The links to the previous ZAPI's were only if you were running an old version of ONTAP prior to 9.6

Hope this helps

 

/Matt

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

5 REPLIES 5

mbeattie
1,813 Views

Hi Dave,

 

You can set the ACL of the share during provisioning using the REST API

 

https://library.netapp.com/ecmdocs/ECMLP2876964/html/index.html#/NAS/cifs_share_create

 

Which version of ONTAP are you using? If you are using an older version you can use the NMSDK.

The ZAPI you are looking for is "cifs-share-access-control-modify". The XML syntax is:

 

<?xml version="1.0" encoding="UTF-8"?>
<netapp  xmlns="http://www.netapp.com/filer/admin" version="1.0">
  <cifs-share-access-control-modify>
    <permission></permission>
    <share></share>
    <user-group-type></user-group-type>
    <user-or-group></user-or-group>
    <winsid></winsid>
  </cifs-share-access-control-modify>
</netapp>

 

Here's a C# example:

 

using System;
using System.Text;
using System.Collections.Generic;
using NetApp.Manage;

namespace NetApp.NMSDK.Example
{
  class ApiClient 
  {
	 static void Main(string[] args)
	 {
		 try
		 {
			NaServer s = new NaServer("cluster1.testlab.local", 1 , 0);
			s.ServerType = NaServer.SERVER_TYPE.FILER;
			s.TransportType = NaServer.TRANSPORT_TYPE.HTTPS;
			s.Port = 443;
			s.Style = NaServer.AUTH_STYLE.LOGIN_PASSWORD;
			s.SetAdminUser("admin", "<password>");


			NaElement api = new NaElement("cifs-share-access-control-modify");
			api.AddNewChild("permission","<permission>");
			api.AddNewChild("share","<share>");
			api.AddNewChild("user-group-type","<user-group-type>");
			api.AddNewChild("user-or-group","<user-or-group>");
			api.AddNewChild("winsid","<winsid>");

			NaElement xo = s.InvokeElem(api);
			Console.WriteLine(xo.ToPrettyString(""));


		}
		catch (NaAuthException e)
		{
			Console.Error.WriteLine("Authorization Failed: " + e.Message);
		}
		catch (NaApiFailedException e)
		{
			Console.Error.WriteLine("API FAILED: " + e.Message);
		}
		 catch (Exception e)
		{
			Console.Error.WriteLine(e.Message);
		}
	 }
  }
}

 

Does that help?

 

/Matt

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Runnindave
1,796 Views

Thanks Matt for the reply...

One thing you said makes me a little worried. 

"You can set the ACL of the share during provisioning using the REST API"

 

Am I not able to modify the existing ACL on an already provisioned share?

Im using the Ontap 9.8.0 with Powershell currently.  No problem creating the share and setting the Authenticated users to Modify, the problem now is setting the existing share to READ. 

 

Do you have any examples of using the REST API to modify existing shares?

 

mbeattie
1,756 Views

Hi Dave,

 

You can modify the CIFS Share ACL using this PowerShell cmdlet:

 

PS C:\> get-help Set-NcCifsShareAcl

NAME
    Set-NcCifsShareAcl

SYNOPSIS
    Set the permissions for a user or group on a defined CIFS share.


SYNTAX
    Set-NcCifsShareAcl [-Share] <String> [-UserOrGroup] <String> [-Permission] <String> [-UserGroupType <String>] [-Winsid <String>] [-VserverContext <String>] [-Controller <NcController[]>] [-InformationAction
    <ActionPreference>] [-InformationVariable <String>] [-PipelineVariable <String>] [-ZapiRetryCount <Int32>] [<CommonParameters>]


DESCRIPTION
    Set the permissions for a user or group on a defined CIFS share.

 There is also an equivalent REST API for modifying the CIFS share ACL available from ONTAP 9.6:

/protocols/cifs/shares/{svm.uuid}/{share}/acls/{user_or_group}/{type}

https://library.netapp.com/ecmdocs/ECMLP2876964/html/index.html#/NAS/cifs_share_acl_modify

The links to the previous ZAPI's were only if you were running an old version of ONTAP prior to 9.6

Hope this helps

 

/Matt

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
1,752 Views

Hi Dave,

 

Here is an example of modifying an ACL for an existing share using the REST API

$Credential = Get-Credential -Credential "admin"
$Cluster    = "cluster1.testlab.local"
$Vserver    = "vserver1"
$share      = "share1"
$group      = "Authenticated Users"
$type       = "windows"
$permission = "change"
$auth       = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Credential.UserName + ':' + $Credential.GetNetworkCredential().Password))
$headers = @{
   "Authorization" = "Basic $auth"
   "Accept"        = "application/json"
   "Content-Type"  = "application/json"
}
$uri = "https://$cluster/api/svm/svms?name=$vserver"
$result = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

$uuid   = $result.records.uuid
$uri    = "https://$cluster/api/protocols/cifs/shares/$uuid/$share/acls/$group/$type"
$body   = @{"permission" = "$permission"} | ConvertTo-Json
$result = Invoke-RestMethod -Method Patch -Uri $uri -Body $body -Headers $headers

Hope that helps

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Runnindave
1,728 Views

I was able to modify the Authenticated Users ACE to READ using the powershell example. One thing that was a problem is the group that I entered was "Authenticated users" and it would not apply the Set command. However, when I changed the group param to NT Authority\Authenticated Users the ACE was modified to READ. 

 

Just in case someone hits a wall like this, 

 

Thanks for your assistance with this.

 

 

Public