In a previous post, I covered multiprotocol NAS in ONTAP, as well as mixed security styles. The following post covers how to manage permissions from the ONTAP CLI, as well as how to centralize permission management from a single Linux client. Some of the following was moved from the previous post to this one to make it easier to read and digest.
Viewing permissions in multiprotocol NAS
There are options to display permissions from both types of clients. For viewing UNIX permissions from Windows property tabs, use the cifs option is-unix-nt-acl-enabled.
cluster::*> cifs option show -vserver parisi-fields is-unix-nt-acl-enabled vserver is-unix-nt-acl-enabled ----------- ---------------------- parisi true
When using this option, the Windows clients will show a security tab entry that approximates the UNIX mode bits into ACLs. It will show the owner, group and “other” permissions. It will also attempt to convert the UNIX UID into a Windows-friendly SID so the client can display it. The Windows user will look like this:
That user is a “fake SID” that is tied to the cluster’s Storage Virtual Machine. It translates to a SID that ONTAP creates based on the numeric ID of the user or group. The Windows client uses that SID to translate into a name.
For example:
cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermUid\root S-1-5-21-2038298172-1297133386-11111-0 cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-user-name root 0 cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermUid\user3 S-1-5-21-2038298172-1297133386-11111-703 cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-user-name user3 703 cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermGid\homedirs S-1-5-21-2038298172-1297133386-22222-1002 cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-group-name homedirs 1002
From Windows, we can see the level of access for the users from the “Change Permissions” window:
On the NFS side, mode bits have no clue how to translate NTFS permission concepts like extended attributes. Instead, the clients only know Read, Write, Execute, Traverse, etc. It’s possible to show an approximation of those mode bits in UNIX for NTFS security style volumes with this option:
cluster::*> nfs server show -fields ntacl-display-permissive-perms vserver ntacl-display-permissive-perms ----------- ------------------------------ parisi disabled
When that option is disabled, NTFS ACLs show up as closely to UNIX permissions as they can. In the following example, I have an NTFS security style folder that allowed only the owner to have full control, but allows read to “Everyone.” With the option mentioned, we see that reflected as “755” in permissions:
drwxr-xr-x 3 user1 homedirs 4096 Nov 8 14:15 user1
Translating NTFS style DACLs
As previously mentioned, in ONTAP we can view the Windows ACLs on a file, folder or volume using vserver security file-directory show.
cluster::*> vserver security file-directory show -vserver SVM-path /homedir1/user1 Vserver: SVM File Path: /homedir1/user1 File Inode Number: 10363 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 701 UNIX Group Id: 1002 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 Owner:CPOC\user1 Group:CPOC\Domain Users DACL - ACEs ALLOW-CPOC\Administrator-0xe0000040-OI|IO ALLOW-CPOC\Administrator-0x1201ff-CI ALLOW-CPOC\user1-0x10000000-OI|IO ALLOW-CPOC\user1-0x1f01ff-CI ALLOW-Everyone-0xa0000000-OI|IO ALLOW-Everyone-0x1200a9-CI
However, as you can see, those ACLs don’t make a ton of sense unless you can read hexadecimal. (If you can, more power to ya.)
Let’s break down the ACLs a bit to understand them better.
- First, DACL means “Discretionary Access Control List.” From MSDN:
- An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
- In the DACLs above, we can see whether the DACL is an ALLOW or a DENY ACL. (Deny ACLs override ALLOWS.) We can also see the user or group being allowed access. After that, the information isn’t really in a “human readable” format.
- The CI, IO, OI values are “ACE strings” and tell us whether the ACL was inherited by the owner or container. MSDN has a handy list of those here: ACE Strings
The rest of the ACLs are hexadecimal values and translate into what the actual permissions that were set were.
Expanding ACLs
Rather than try to decode all of those, ONTAP has an option on the file-directory show command that allows you to expand the ACL mask from the CLI (-expand-mask). This actually cracks open the DACLs and shows an expanded view of what actual permissions are allowed.
For example:
cluster::> vserver security file-directory show -vserver parisi -path /cifs -expand-mask true Vserver: parisi File Path: /cifs File Inode Number: 64 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: 0x10 ...0 .... .... .... = Offline .... ..0. .... .... = Sparse .... .... 0... .... = Normal .... .... ..0. .... = Archive .... .... ...1 .... = Directory .... .... .... .0.. = System .... .... .... ..0. = Hidden .... .... .... ...0 = Read Only UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 1... .... .... .... = Self Relative .0.. .... .... .... = RM Control Valid ..0. .... .... .... = SACL Protected ...0 .... .... .... = DACL Protected .... 0... .... .... = SACL Inherited .... .0.. .... .... = DACL Inherited .... ..0. .... .... = SACL Inherit Required .... ...0 .... .... = DACL Inherit Required .... .... ..0. .... = SACL Defaulted .... .... ...0 .... = SACL Present .... .... .... 0... = DACL Defaulted .... .... .... .1.. = DACL Present .... .... .... ..0. = Group Defaulted .... .... .... ...0 = Owner Defaulted Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-Everyone-0x1f01ff 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 1... .... .... .... .... = Write Owner .... .... .... .1.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...1 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ALLOW-Everyone-0x10000000-OI|CI|IO 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...1 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...0 .... .... .... .... .... = Synchronize .... .... .... 0... .... .... .... .... = Write Owner .... .... .... .0.. .... .... .... .... = Write DAC .... .... .... ..0. .... .... .... .... = Read Control .... .... .... ...0 .... .... .... .... = Delete .... .... .... .... .... ...0 .... .... = Write Attributes .... .... .... .... .... .... 0... .... = Read Attributes .... .... .... .... .... .... .0.. .... = Delete Child .... .... .... .... .... .... ..0. .... = Execute .... .... .... .... .... .... ...0 .... = Write EA .... .... .... .... .... .... .... 0... = Read EA .... .... .... .... .... .... .... .0.. = Append .... .... .... .... .... .... .... ..0. = Write .... .... .... .... .... .... .... ...0 = Read
This also works with NFSv4 ACLs:
cluster::*> vserver security file-directory show -vserver DEMO -path /shared/unix -expand-mask true Vserver: DEMO File Path: /shared/unix File Inode Number: 20034 Security Style: unix Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: 0x10 ...0 .... .... .... = Offline .... ..0. .... .... = Sparse .... .... 0... .... = Normal .... .... ..0. .... = Archive .... .... ...1 .... = Directory .... .... .... .0.. = System .... .... .... ..0. = Hidden .... .... .... ...0 = Read Only UNIX User Id: 1100 UNIX Group Id: 1101 UNIX Mode Bits: 770 UNIX Mode Bits in Text: rwxrwx--- ACLs: NFSV4 Security Descriptor Control:0x8014 1... .... .... .... = Self Relative .0.. .... .... .... = RM Control Valid ..0. .... .... .... = SACL Protected ...0 .... .... .... = DACL Protected .... 0... .... .... = SACL Inherited .... .0.. .... .... = DACL Inherited .... ..0. .... .... = SACL Inherit Required .... ...0 .... .... = DACL Inherit Required .... .... ..0. .... = SACL Defaulted .... .... ...1 .... = SACL Present .... .... .... 0... = DACL Defaulted .... .... .... .1.. = DACL Present .... .... .... ..0. = Group Defaulted .... .... .... ...0 = Owner Defaulted DACL - ACEs ALLOW-OWNER@-0x1601ff 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 0... .... .... .... .... = Write Owner .... .... .... .1.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...0 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ALLOW-user-prof1-0x1601ff 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 0... .... .... .... .... = Write Owner .... .... .... .1.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...0 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ALLOW-GROUP@-0x1201ff-IG 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 0... .... .... .... .... = Write Owner .... .... .... .0.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...0 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ALLOW-EVERYONE@-0x120080 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 0... .... .... .... .... = Write Owner .... .... .... .0.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...0 .... .... .... .... = Delete .... .... .... .... .... ...0 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .0.. .... = Delete Child .... .... .... .... .... .... ..0. .... = Execute .... .... .... .... .... .... ...0 .... = Write EA .... .... .... .... .... .... .... 0... = Read EA .... .... .... .... .... .... .... .0.. = Append .... .... .... .... .... .... .... ..0. = Write .... .... .... .... .... .... .... ...0 = Read
However, with a ton of ACLs on an object, this could get a bit overwhelming. So, translating the hex might be better overall. This blog covers it in a bit more detail:
About the ACCESS_MASK structure
In the above ACL, we see 0x1f01ff for Everyone. That’s Full Control. In addition, 0x10000000 is considered GENERIC_ALL.
Applying ACLs to objects from the storage
In addition to displaying ACLs, vserver security file-directory commands can be used to apply SACLs and DACLs to objects from the cluster’s CLI.
The general steps are covered in this KB article:
The following shows an example of doing this on a single qtree in ONTAP.
This is a qtree called “mixed.” It has an effective security style of UNIX, unix permissions 770 and root:sharedgroup as the owners.
cluster::*> vserver security file-directory show -vserver DEMO -path /shared/mixed Vserver: DEMO File Path: /shared/mixed File Inode Number: 20035 Security Style: mixed Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1206 UNIX Mode Bits: 770 UNIX Mode Bits in Text: rwxrwx--- ACLs: -
To change permissions on this object (or other objects, if desired), first create a security policy:
cluster::*> file-directory policy create -vserver DEMO -policy-name Policy1 (vserver security file-directory policy create) cluster::*> vserver security file-directory policy show -vserver DEMO -instance Vserver: DEMO Policy Name: Policy1
Then, create a security descriptor, which allows a storage admin to add access control entries (ACEs) to the discretionary access control list (DACL) and the system access control list (SACL). This provides the ability to add, in bulk, an owner, group or control flags in raw hex:
cluster::*> vserver security file-directory ntfs create -vserver DEMO -ntfs-sd sdname -owner ntfsonly cluster::*> vserver security file-directory ntfs show -instance Vserver: DEMO NTFS Security Descriptor Name: sdname Owner: NTAP\ntfsonly Primary Group: - Raw Control Flags: -
Next, create one or more DACLs or SACLs. In this case, I’ve created 2 DACLs. This command allows the following:
cluster::*> vserver security file-directory ntfs dacl add ?
-vserver Vserver
[-ntfs-sd] NTFS Security Descriptor Name
[-access-type] {deny|allow} Allow or Deny
[-account] Account Name or SID
{ [[-rights] {no-access|full-control|modify|read-and-execute|read|write}] DACL ACE's Access Rights
| [ -advanced-rights , ... ] DACL ACE's Advanced Access Rights
| [ -rights-raw ] } *DACL ACE's Raw Access Rights
[ -apply-to {this-folder|sub-folders|files}, ... ] Apply DACL Entry
The users I’m adding are ntfsonly and student1. Ntfsonly gets full control; student1 gets readonly access. I’m applying the DACL to all objects (this-folder, sub-folders, files).
NOTE: If you don’t apply the DACL to the top level folder, you run the risk of denying access to everyone because the owner doesn’t get set properly.
ontap9-tme-8040::*> vserver security file-directory ntfs dacl add -vserver DEMO -ntfs-sd sdname -access-type allow -account ntfsonly -apply-to this-folder,sub-folders,files -advanced-rights full-control ontap9-tme-8040::*> vserver security file-directory ntfs dacl add -vserver DEMO -ntfs-sd sdname -access-type allow -account student1 -rights read -apply-to this-folder,sub-folders,files
In addition to the ACLs we define, we also get default built-in DACLs. Feel free to delete those as needed.
ontap9-tme-8040::*> vserver security file-directory ntfs dacl show -vserver DEMO -instance Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: BUILTIN\Administrators Access Rights: full-control Raw Access Rights: - Advanced Access Rights: - Apply DACL Entry: this-folder, sub-folders, files Access Rights: full-control Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: BUILTIN\Users Access Rights: full-control Raw Access Rights: - Advanced Access Rights: - Apply DACL Entry: this-folder, sub-folders, files Access Rights: full-control Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: CREATOR OWNER Access Rights: full-control Raw Access Rights: - Advanced Access Rights: - Apply DACL Entry: this-folder, sub-folders, files Access Rights: full-control Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: NT AUTHORITY\SYSTEM Access Rights: full-control Raw Access Rights: - Advanced Access Rights: - Apply DACL Entry: this-folder, sub-folders, files Access Rights: full-control Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: NTAP\ntfsonly Access Rights: - Raw Access Rights: - Advanced Access Rights: full-control Apply DACL Entry: this-folder, sub-folders, files Access Rights: full-control Vserver: DEMO NTFS Security Descriptor Name: sdname Allow or Deny: allow Account Name or SID: NTAP\student1 Access Rights: read Raw Access Rights: - Advanced Access Rights: - Apply DACL Entry: this-folder, sub-folders, files Access Rights: read 6 entries were displayed.
Now that the policy is created and I have the desired DACLs and SACLs, I can apply them to whatever paths I want. In the above, I’ve set the DACLs to only apply to the specific folder. To apply the policy, create a new task and define the path you want to re-ACL. The task will “propogate” by default. You can also specify “replace” if desired.
cluster::*> file-directory policy task add -vserver DEMO -policy-name Policy1 -path /shared/mixed -ntfs-sd sdname (vserver security file-directory policy task add) cluster::*> file-directory policy task show (vserver security file-directory policy task show) Vserver: DEMO Policy: Policy1 Index File/Folder Access Security NTFS NTFS Security Path Control Type Mode Descriptor Name ----- ----------- --------------- -------- ---------- --------------- 1 /shared/mixed file-directory ntfs propagate sdname
Once everything appears in order, apply the policy:
cluster::*> file-directory apply -vserver DEMO -policy-name Policy1 (vserver security file-directory apply) [Job 3229] Job is queued: Fsecurity Apply. Use the "job show -id 3229" command to view the status of this operation.
If you want status of the progress, use job show. If you want detailed progress, use job show -instance.
cluster::*> job show -id 3229 Owning Job ID Name Vserver Node State ------ -------------------- ---------- -------------- ---------- 3229 Fsecurity Apply cluster cluster2 Success Description: File Directory Security Apply Job
Then, check your ACLs. Note how the effective style of the mixed qtree has changed from UNIX to NTFS:
cluster::*> vserver security file-directory show -vserver DEMO -path /shared/mixed Vserver: DEMO File Path: /shared/mixed File Inode Number: 20035 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8014 Owner:NTAP\ntfsonly Group:BUILTIN\Administrators DACL - ACEs ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI ALLOW-BUILTIN\Users-0x1f01ff-OI|CI ALLOW-CREATOR OWNER-0x1f01ff-OI|CI ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI ALLOW-NTAP\ntfsonly-0x1f01ff ALLOW-NTAP\student1-0x120089
If you want to apply the policy to other paths (or multiple paths at once), create new tasks:
cluster::*> vserver security file-directory show -vserver DEMO -path /shared/security Vserver: DEMO File Path: /shared/security File Inode Number: 96 Security Style: mixed Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 770 UNIX Mode Bits in Text: rwxrwx--- ACLs: - cluster::*> file-directory policy task add -vserver DEMO -policy-name Policy1 -path /shared/security -ntfs-sd sdname (vserver security file-directory policy task add) cluster::*> file-directory policy task show (vserver security file-directory policy task show) Vserver: DEMO Policy: Policy1 Index File/Folder Access Security NTFS NTFS Security Path Control Type Mode Descriptor Name ----- ----------- --------------- -------- ---------- --------------- 1 /shared/mixed file-directory ntfs propagate sdname 2 /shared/security file-directory ntfs propagate sdname 2 entries were displayed. cluster::*> file-directory apply -vserver DEMO -policy-name Policy1 (vserver security file-directory apply) [Job 3232] Job is queued: Fsecurity Apply. Use the "job show -id 3232" command to view the status of this operation. cluster::*> vserver security file-directory show -vserver DEMO -path /shared/security Vserver: DEMO File Path: /shared/security File Inode Number: 96 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8014 Owner:NTAP\ntfsonly Group:BUILTIN\Administrators DACL - ACEs ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI ALLOW-BUILTIN\Users-0x1f01ff-OI|CI ALLOW-CREATOR OWNER-0x1f01ff-OI|CI ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI ALLOW-NTAP\ntfsonly-0x1f01ff ALLOW-NTAP\student1-0x120089
Example of a running job with more information:
cluster::*> job show -id 3317 -instance Job ID: 3317 Owning Vserver: cluster Name: Fsecurity Apply Description: File Directory Security Apply Job Priority: Low Node: cluster02 Affinity: Cluster Schedule: @now Queue Time: 01/24 09:45:19 Start Time: 01/24 09:45:19 End Time: - Drop-dead Time: - Restarted?: false State: Running Status Code: 0 Completion String: Job Type: FSEC_APPLY Job Category: FSECURITY UUID: b9e7bf61-e243-11e6-a40c-00a0986b1210 Execution Progress: Fsecurity Apply processed 46766 files/dirs. Last Processed: /shared/security/files/topdir_77/subdir_81 User Name: admin Process: mgwd Restart Is or Was Delayed?: false Restart Is Delayed by Module: -
Centralizing permission management
With multiprotocol NAS, it’s possible to view and manage ACLs from multiple clients, as well as the storage. The way I did this was to set up passwordless SSH on a Linux client and then create simple shell scripts that call SSH commands to the cluster. Another way to do this would be to leverage the ONTAP SDK. I’ll write up a post on the SDK at some point in the future, but for now, we’ll focus on the bash scripts.
To set up passwordless SSH to the cluster, do the following (from TR-4073):
Create the SSH Keypair
In the following example, ssh-keygen is used on a Linux box.
- If a ssh key pair already exists, there is no need to generate one using ssh-keygen.
monitor@linux:/$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: monitor@linux:/$ ls -lsa ~/.ssh total 16 4 drwx------ 2 monitor monitor 4096 2008-08-26 11:47 . 4 drwxr-xr-x 3 monitor monitor 4096 2008-08-26 11:47 .. 4 -rw------- 1 monitor monitor 1679 2008-08-26 11:47 id_rsa 4 -rw-r--r-- 1 monitor monitor 401 2008-08-26 11:47 id_rsa.pub
Create the User with a Public Key Authentication Method
cluster::> security login create -username monitor -application ssh -authmethod publickey -profile admin
Create the Public Key on the Cluster
Copy the public key contents of the id_rsa.pub file and place it between quotes in the security login public key create command. Take caution not to add carriage returns or other data that modifies the keystring; leave it in one line.
netapp::> security login publickey create -username monitor -index 1 -publickey “ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5s4vVbwEO1sOsq7r64V5KYBRXBDb2I5mtGmt0+3p1jjPJrXx4/IPHFLalXAQkG7LhV5Dyc5jyQiGKVawBYwxxSZ3GqXJNv1aORZHJEuCd0zvSTBGGZ09vra5uCfxkpz8nwaTeiAT232LS2lZ6RJ4dsCz+GAj2eidpPYMldi2z6RVoxpZ5Zq68MvNzz8b15BS9T7bvdHkC2OpXFXu2jndhgGxPHvfO2zGwgYv4wwv2nQw4tuqMp8e+z0YP73Jg0T3jV8NYraXO951Rr5/9ZT8KPUqLEgPZxiSNkLnPC5dnmfTyswlofPGud+qmciYYr+cUZIvcFaYRG+Z6DM/HInX7w== monitor@linux”
Alternatively, you can use the load-from-uri function to bring the public key from another source.
cluster::> security login publickey load-from-uri -username monitor -uri http://linux/id_rsa.pub
Verify Creation
netapp::> security login publickey show -username monitor
UserName: monitor Index: 1
Public Key:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5s4vVbwEO1sOsq7r64V5KYBRXBDb2I5mtGmt0+3p1jjPJrXx4/IPHFLalXAQkG7LhV5Dyc5jyQiGKVawBYwxxSZ3GqXJNv1aORZHJEuCd0zvSTBGGZ09vra5uCfxkpz8nwaTeiAT232LS2lZ6RJ4dsCz+GAj2eidpPYMldi2z6RVoxpZ5Zq68MvNzz8b15BS9T7bvdHkC2OpXFXu2jndhgGxPHvfO2zGwgYv4wwv2nQw4tuqMp8e+z0YP73Jg0T3jV8NYraXO951Rr5/9ZT8KPUqLEgPZxiSNkLnPC5dnmfTyswlofPGud+qmciYYr+cUZIvcFaYRG+Z6DM/HInX7w==monitor@linux
Test Access from the Host
monitor@linux:~$ ssh 10.61.64.150 The authenticity of host '10.61.64.150 (10.61.64.150)' can't be established. DSA key fingerprint is d9:15:cf:4b:d1:7b:a9:67:4d:b0:a9:20:e4:fa:f4:69. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.61.64.150' (DSA) to the list of known hosts.
Once that’s done, you can set up scripts to make SSH calls without having to interact.
Sample scripts
I’ve posted some sample bash scripts on GitHub to allow for open-sourcing of the tasks. But, essentially, the scripts I created can:
- Show ACLs for specified paths
- Change ACLs en masse for a specified object
- Clean up policies and DACLs created
- Be used as a wrapper
Creating a wrapper command
In addition to the scripts above, it’s also possible to create a simple wrapper command in Linux that will call a script to make life easier for an administrator. To do this, modify the .bashrc file in the user’s home directory. In the following example, I created a command called ONTAP_ACL and pointed it to my script.
# cat ~/.bashrc # .bashrc # User specific aliases and functions alias rm='rm -i' alias cp='cp -i' alias mv='mv -i' alias ONTAP_ACL='/scripts/./show-ACL.sh'
Once this is done, you can restart the shell session and the command can be run to execute the script. In the above, the show-ACL script simply takes the path input and asks a yes/no question and dumps the output.
# ONTAP_ACL /home Do you want to expand the ACL masks to show all fields? (enter 1 or 2) CAUTION: Output may be lengthy 1) Yes 2) No #? 2 Vserver: DEMO File Path: /home File Inode Number: 64 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 711 UNIX Mode Bits in Text: rwx--x--x ACLs: NTFS Security Descriptor Control:0x9504 Owner:NTAP\Administrator Group:NTAP\Domain Users DACL - ACEs ALLOW-NTAP\Administrator-0x1f01ff-OI|CI ALLOW-Everyone-0x100020-OI|CI
I could also apply a wrapper to other scripts, such as the script to modify ACLs if I chose. This allows a simple way to centrally manage your file and folder ACLs rather than having to jump between clients and storage.
Testing the scripts
Be sure to test the scripts only in protected environments, rather than on your production data. Make generous use of ONTAP features such as FlexClone, SnapMirror (to new Storage Virtual Machines) and Snapshots.
Questions? Leave them in the comments!
Why Is The Internet Broken? 
Pingback: Mixed perceptions with NetApp multiprotocol NAS access | Why Is The Internet Broken?
Is it possible to add ACE’s to an existing DACL that is already applied to a directory? In my tests it seems to only apply the ACE’s I specify on the CLI, overwriting any pre-existing permissions.
Great write-up – thank you!
LikeLike
Unfortunately, not yet.
LikeLike
Good to know, thanks for the quick response.
LikeLike
Hi Justin,
7-mode “fsecurity show” DACLs shows a user’s rights as well as the hex next to each entry, e.g.
NTFS Security descriptor:
Owner: BUILTIN\Administrators
Group: BUILTIN\Administrators
DACL:
Allow – DOMAIN\user1 – 0x001f01ff (Full Control) – OI|CI
Allow – DOMAIN\group1 – 0x001301bf (Modify) – OI|CI
Allow – DOMAIN\group2 – 0x001200a9 (Read and Execute) – OI|CI
However it seems cDOT only shows the hex value and not the human readable options, so do you know if it’s possible to show these please (using 8.3.x for now)? For example, cDOT’s “vserver security file-directory show” command gives:
ACLs: NTFS Security Descriptor
Control:0x9504
Owner: BUILTIN\Administrators
Group: BUILTIN\Administrators
DACL – ACEs
ALLOW-DOMAIN\user2-0x1f01ff-OI|CI
ALLOW-DOMAIN\group3-0x1f01ff-OI|CI
I know you can use the expand-mask option to show the hex details, but I actually just need to know whether a user or group has read, full control, or modify, etc. The reason for this is that when using the “… file-directory ntfs dacl add..” command, the -rights option lets you specify these attributes.
Ultimately the main reason I’m asking is because I’m writing a script to read existing NTFS ACLs to then reapply them with new entries. It would be much easier to just look for (Full Control) or (Modify) for example rather than interpreting the hex.
Thanks in advance,
Paul.
LikeLike
Can’t show the human values until a later release of ONTAP. (I forget which one we added it to, but it’s definitely after 9.1)
But essentially, this is what it looks like now:
::*> vserver security file-directory show -vserver DEMO -path /shared –
-instance -volume-name -share-name
-lookup-names -expand-mask -textual-mask
-sddl -security-style -effective-style
-dos-attributes -text-dos-attr -expanded-dos-attr
-user-id -group-id -mode-bits
-text-mode-bits -acls -fields
To show the friendly stuff, use textual mask:
::*> vserver security file-directory show -vserver DEMO -path /shared -textual-mask true
Vserver: DEMO
File Path: /shared
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: —-D—
Expanded Dos Attributes: –
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x9514 (DACL Present, SACL Present, DACL Inherit Required, DACL Inherited, DACL Protected, Self Relative)
Owner:NTAP\Administrator
Group:NTAP\DomainUsers
DACL – ACEs
ALLOW-NTAP\Administrator-0x1f01ff (Read, Write, Append, Read EA, Write EA, Execute, Delete Child, Read Attributes, Write Attributes, Delete, Read Control, Write DAC, Write Owner, Synchronize)-OI|CI
ALLOW-NTAP\sharedgroup-0x1301ff (Read, Write, Append, Read EA, Write EA, Execute, Delete Child, Read Attributes, Write Attributes, Delete, Read Control, Synchronize)-OI|CI
LikeLike
hi Justin
Thanks for the sample workflow. I found the job shows success before DACL entries are removed.
In my case the
DACL – ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
were cleaned up later — which through me for a loop as I went searching for how to clean them up from the command line only to find them already gone when I checked later.
After a task has been used do we need to remove them so they will not show up in the output of
file-directory policy task show
or will they expire after a while?
I am working on a script to apply default permissions after a new ntfs volume is created.
thanks
LikeLike
Thanks for such a wonderful description. Its pretty clear but I need your suggestion on one of the use case..
In my test lab I tried setting DACL of qtree and its working well. In this case my volume security style was unix and a qtree inside it with NTFS style.
But when I have both volume and qtree security-style as NTFS , and trying to replace qtree DACL, its Inheriting Everyone from volume. Rest are permissions are correctly getting applied. I dont want to have this Everyone on qtree. Why its happening if volume is NTFS and Is there a way to remove this Everyone. ?
LikeLike
“Everyone” might be getting inherited from the vserver root volume’s ACLs. What security style is the vsroot? What ACLs are on that volume?
LikeLike
Hi Justin,
I face a lot of scenarios wherein the NTFS permissions ( DACL ) set from the Windows host end is restrictive as such the owners of those shares are not able to add any more DACL. Now, I tested setting and propagating the DACL permissions from the ONTAP end and it works perfectly well. The problem is there doesn’t seem to be any option to just add the DACL on top of what is already existing.
This can work well if the Directory structure is not complex, but when we are talking about tends of folders with hundreds of subfolders which maintain their distinct permission structures and not necessarily inherit permissions from the root folder, then this method is not a fit solution.
Do you know of any other workaround whereby full access can be restored by only adding new DACL ?
LikeLike
I don’t know of a way to do it via ONTAP without wiping out what is already there. You might be able to use it to take ownership, but honestly, Windows should be able to accomplish this without having things break.
LikeLike