13 Replies. Latest reply: May 10, 2013 8:01 AM by narendrathawani

How to set File Level Security

narendrathawani Sprinter

Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA? Usually we use fsecurity or set it from Windows: //FilerA/C$/vol/vol_name, right-click the qtree, select Properties and set it from the Security tab. Wondering how it can be automated by WFA.

Thanks !

  • Re: How to set File Level Security
    SCOTT.LINDLEY Sprinter

    I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.

     

    I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.

     

    Anyone automated this? Perl would be perfect.

  • Re: How to set File Level Security
    bdave NetApp Employee Cyclist

    Have you seen the WFA commands called "Set CIFS Share ACL" and "Set CIFS Share Multiple ACLs"?  Do they provide what you need?

    • Re: How to set File Level Security
      narendrathawani Sprinter

      Those commands are to set Share Level Access. They do not provide setting File Level Permissions.

      • Re: How to set File Level Security
        bdave NetApp Employee Cyclist

        Ah, I see. 

         

        Since WFA runs on a Windows host, you could use PowerShell in a WFA command to 1) mount the share as a drive on the WFA server, 2) navigate to the folder containing the files you want to update, 3) use the Get-ACL and Set-ACL cmdlets to manipulate file level permissions, as shown here: http://technet.microsoft.com/en-us/library/hh849810.aspx, and 4) remove the mount as part of clean-up for the command.

         

        Sorry, Scott, I don't have an example WFA command that does this at the moment.  Without someone posting an example command or workflow, some PowerShell scripting would be involved.

         

        Hope this helps,

        Dave
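
The four steps in the post above, written out as an added example that is not part of the original post and is not a NetApp-supplied WFA command. It assumes PowerShell 3.0 or later and that the account running the command can already reach the share; the function name, the drive name and the sample values in the comments are hypothetical.

```powershell
# Added example. Share path, folder, account and drive name are hypothetical.
function Add-FolderAce {
    param(
        [Parameter(Mandatory = $true)] [string] $SharePath,     # e.g. \\filer01\projects
        [Parameter(Mandatory = $true)] [string] $RelativePath,  # folder below the share
        [Parameter(Mandatory = $true)] [string] $Account,       # e.g. DOMAIN\Web_operator
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute'
    )
    $driveName = 'WfaAcl'
    # 1) Mount the share as a temporary drive; stop if it cannot be reached.
    $null = New-PSDrive -Name $driveName -PSProvider FileSystem -Root $SharePath -ErrorAction Stop
    try {
        # 2) Resolve the target folder and refuse to continue if it is missing.
        $target = Join-Path "${driveName}:\" $RelativePath
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            throw "Folder not found: $target"
        }
        # 3) Build one allow ACE that subfolders and files inherit,
        #    add it to the current ACL and write the ACL back.
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
        $allow = [System.Security.AccessControl.AccessControlType]::Allow
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Account, $Rights, $inherit, $propagate, $allow
        $acl = Get-Acl -LiteralPath $target
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $target -AclObject $acl
        # Return the explicit (non-inherited) entries so the caller can verify the result.
        (Get-Acl -LiteralPath $target).Access | Where-Object { -not $_.IsInherited }
    }
    finally {
        # 4) Always remove the temporary drive, also when a step above failed.
        Remove-PSDrive -Name $driveName -ErrorAction SilentlyContinue
    }
}
```

The `try`/`finally` keeps the mount from outliving the command, so a failed run does not leave the share attached to the WFA server.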

        • Re: How to set File Level Security
          goodrum NetApp Employee Cyclist

          So +1 to Dave's suggestion.  But I will give another option.  Since you are already familiar with fsecurity, you could implement that option.  The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA).  The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP.  I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.

           

           

          Jeremy Goodrum, NetApp

          The Pirate

          Twitter: @virtpirate

          Blog: www.virtpirate.com

        • Re: How to set File Level Security
          narendrathawani Sprinter

          Has anybody used the Get-ACL or Set-ACL cmdlet on a NetApp file/folder? I tried a couple of options but couldn't make it work.

          • Re: How to set File Level Security
            goodrum NetApp Employee Cyclist

            So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path.  This means that if you want to set NTFS file permissions, you will need to have a Cifs Share available to the WFA host where the command will be run.  This becomes a slight challenge when dealing with secure tenancies.  I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go.  It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlet.

             

             


            • Re: How to set File Level Security
              SCOTT.LINDLEY Sprinter

              I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?

              • Re: How to set File Level Security
                goodrum NetApp Employee Cyclist

                The problem that I found was that it doesn't look like this functionality was exposed in the api. I looked at the NMSDK to see if it was listed but like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.

                 

                Yes, those were cmdlets that I mentioned and therefore would be PoSH. Maybe there is a Perl equivalent for setting Windows File permissions. I am not aware of one though.

                 


                 

                 

                • Re: How to set File Level Security
                  madden NetApp Employee Cyclist

                  I was just presented with this request today for a customer using vfilers and where WFA cannot access CIFS in them and found this post.

                   

                  I can imagine a WFA command that does the following:

                  1) Build a properly formatted fsecurity.conf file with the things you want to set NTFS permissions on (see TR-3596 for more info)

                  2) Puts this file on the storage controller

                  3) Use invoke-nassh to run fsecurity apply with the fsecurity.conf file as input

                   

                  And then a 2nd WFA command that does:

                  1) Watch status of previous fsecurity apply command repeatedly until it finishes

                   

                  I guess I'll add it to my to-do list unless someone has already done it (please share!) or someone has a better/easier way to accomplish.

                  • Re: How to set File Level Security
                    narendrathawani Sprinter

                    Hi,

                    I was able to set the File Level permissions with fsecurity command as below

                     

                    # connect to controller
                    Connect-WFAController -Array $Array -VFiler $vFilerName

                    # validate volume existence - throws error if the volume does not exist
                    Get-NaVol -Names $VolumeName -ErrorAction Stop

                    # fsecurity job file in the vFiler root volume
                    $fullPath = "/vol/" + $vFilerName + "_root/etc/fsecurity_" + $VolumeName + ".conf"

                    # first line of the file is the fsecurity signature; -NoOverwrite fails if the file already exists
                    Write-NaFile $fullPath -Data "cb56f6f4`n" -NoOverwrite
                    #success?
                    # definition line: DACL granting BUILTIN\Administrators 0x1f01ff on the volume
                    Write-NaFile $fullPath -Data "1,0,`"/vol/$VolumeName`",2,`"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)`"" -Append
                    Write-NaFile $fullPath -Data "`n" -Append

                    # apply the job file inside the vFiler over SSH
                    $command = "vfiler run $vFilerName fsecurity apply " + $fullPath
                    $command_out = Invoke-NaSsh -Command $command

                     

                     

                    Has anyone tried to construct the fsecurity file?

                    With the given information below, is it possible to build fsecurity file

                     

                    Access Level        DACL          INHERIT
                    Full Control        0x001f01ff    CIOI
                    Modify              0x001301bf    CIOI
                    Read                0x00120089    CIOI
                    Read and Execute    0x001200a9    CIOI
                    Write               0x00100116    CIOI

                    Security Group      Access Level
                    Web_developer       Modify
                    Web_operator        Read
                    OSFOPS              Read and Execute

                     

                    1,0,"/vol/Vol_data/qtreedata",0,"D:(A;CIOI;0x001301bf;;;Web_developer)(A;CIOI;0x00120089;;;Web_operator)(A;CIOI;0x001200a9;;;OSFOPS)"
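
One way to build the fsecurity file that the two posts above describe, as an added example that is not part of the original thread and is not NetApp code. It uses only the masks, the `CIOI` flags, the `cb56f6f4` first line and the line layout shown in the post; the function names and the validation patterns are assumptions, and `[ordered]` requires PowerShell 3.0 or later.

```powershell
# Added example. Masks are the ones listed in the post above.
$AccessMask = @{
    'Full Control'     = '0x001f01ff'
    'Modify'           = '0x001301bf'
    'Read'             = '0x00120089'
    'Read and Execute' = '0x001200a9'
    'Write'            = '0x00100116'
}

function New-FsecurityDefinition {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Ordered map: security group -> access level name.
        [Parameter(Mandatory = $true)] [System.Collections.IDictionary] $Grants,
        # Fourth field of the line; 0 and 2 are the values that appear in the thread.
        [ValidateSet(0, 2)] [int] $Propagation = 0
    )
    # Reject anything that could break out of the quoted fields or add a second line.
    if ($Path -notmatch '\A/vol/[A-Za-z0-9_./-]+\z') { throw "Unexpected path: $Path" }
    if ($Grants.Count -eq 0) { throw 'Refusing to write an empty DACL.' }
    $aces = foreach ($account in $Grants.Keys) {
        if ($account -notmatch '\A[A-Za-z0-9_. \\-]+\z') { throw "Unexpected account name: $account" }
        $level = $Grants[$account]
        if (-not $AccessMask.ContainsKey($level)) { throw "Unknown access level: $level" }
        '(A;CIOI;{0};;;{1})' -f $AccessMask[$level], $account
    }
    '1,0,"{0}",{1},"D:{2}"' -f $Path, $Propagation, (-join $aces)
}

function New-FsecurityFileContent {
    param([Parameter(Mandatory = $true)] [string[]] $Definitions)
    # First line as written by the Write-NaFile call in the post, then one definition per line.
    "cb56f6f4`n" + ($Definitions -join "`n") + "`n"
}

# Mapping from the post (group -> access level).
$grants = [ordered]@{
    'Web_developer' = 'Modify'
    'Web_operator'  = 'Read'
    'OSFOPS'        = 'Read and Execute'
}
$line = New-FsecurityDefinition -Path '/vol/Vol_data/qtreedata' -Grants $grants
New-FsecurityFileContent -Definitions $line
```

The resulting string can be passed to `Write-NaFile -Data` in a single call instead of being appended piece by piece.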

  • Re: How to set File Level Security
    TABER_BRANDEN Sprinter

    Does this help? It has been my way to set Files/NTFS permissions rather than just the share permissions.

    https://communities.netapp.com/docs/DOC-25480

    • Re: How to set File Level Security
      narendrathawani Sprinter

      One of my colleagues suggested to use a new cmdlet using 2.1 NTFSSecurity Module which works fine on command line

       

      PS C:\Users\user> Get-Item \\ toaster1\c$\vol\vol0018a|Add-Ace -Account Domain\Global_Group -AccessRights FullControl
      PS C:\Users\user> Get-Item \\ toaster1\c$\vol\vol0018a|Get-Ace

          Path: \\ toaster1\c$\vol\vol0018a (Inheritance disabled)

      Account                             Access Rights       Applies to                Type               IsInherited
      -------                             -------------       ----------                ----               -----------
      BUILTIN\Administrators (S-1-5-32... FullControl         ThisFolderSubfoldersAn... Allow              False
      Domain\Global_Group (S-1-5-21-5883715... FullControl         ThisFolderSubfoldersAn... Allow              False

       

      Question, How do I Import 2.1 NTFSSecurity Module so that WFA recognizes the Add-Ace cmdlet.

      I downloaded the cmdlet and added the Import-Module command in the profile.ps1 file at C:\Program Files\netapp\WFA\PoSH

       

      Import-Module $ModulesDir\Modules\WFA
      Import-Module $ModulesDir\Modules\WFAWrapper
      Import-Module $ModulesDir\Modules\DataONTAP
      Import-Module $ModulesDir\Modules\NTFSSecurity

       

      But I get “The term 'Add-Ace' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”

      Any suggestion on how to import a new module to WFA?
