Using NFSv4.x ACLs with NFSv3 in NetApp ONTAP? You betcha!

One thing I’ve come to realize from being in IT so long is that you should be constantly learning new things. If you aren’t, it’s not because you’re smart or because you know everything; it’s because you’re stagnating.

So, I was not surprised when I heard it was possible to apply NFSv4.x ACLs to files and folders and then mount them via NFSv3 and have the ACLs still work! I already knew that you could do audit ACEs from NFSv4.x for NFSv3 (covered in TR-4067), but had no idea this could extend into the permissions realm. If so, this solves a pretty big problem with NFSv3 in general, where your normal permissions are limited only to owner, group and then everyone else. That makes it hard to do any sort of granular access control for NFSv3 mounts, presents problems for some environments.

It also allows you to keep using NFSv3 for your workloads, whether for legacy application or general performance concerns. NFSv4.x has a lot of advantages over NFSv3, but if you don’t need stateful operations or the NFSv4.x features, or integrated locking, then you are safe to stay with NFSv3.

So, is it possible to use NFSv4.x ACLs with NFSv3 objects?

You betcha!

fargo-film-marge.jpg

The method for doing this is pretty straightforward.

  1. Configure and enable NFSv4.x in ONTAP and on your client
  2. Enable NFSv4.x ACL support in ONTAP
  3. Mount the export via NFSv4.x
  4. Apply the NFSv4.x ACLs
  5. Unmount and then remount the export using NFSv3 and test it out!

 

Configuring NFSv4.x

When you’re setting up NFSv4.x in an environment, there are a few things to keep in mind:

  • Client and NFS server support for NFSv4.x
  • NFS utilities installed on clients (for NFSv4.x functionality)
  • NFSv4.x configured on the client in idmapd.conf
  • NFSv4.x configured on the server in ONTAP (ACLS allowed)
  • Export policies and rules configured in ONTAP
  • Ideally, a name service server (like LDAP) to negotiate the server/client conversation of user identities

One of the reasons NFS4.x is more secure than NFSv3 is the use of user ID strings (such as user@domain.com) to help limit cases of user spoofing in NFS conversations. This ID string is required to be case-sensitive. If the string doesn’t match on both client and server, then the NFSv4.x mounts will get squashed to the defined “nobody” user in the NFSv4.x client. One of the more common issues seen with NFSv4.x mounts is the “nobody:nobody” user and group on files and folders. One of the most common causes of this is when a domain string is mismatched on the client and server.

In a client that domain string is defined in the idmapd.conf file. Sometimes, it will default to the DNS domain. In ONTAP, the v4-id-domain string should be configured to the same value on the client to provide proper NFSv4.x authentication.

Other measures, such as Kerberos encryption, can help lock the NFS conversations down further. NFSv4.x ACLs are a way to ensure that files and folders are only seen by those entities that have been granted access and is considered to be authorization, or, what you are allowed to do once you authenticate. For more complete steps on setting up NFSv4.x, see TR-4067 and TR-4073.

However, we’re only setting up NFSv4.x to allow us to configure the ACLs…

What are NFSv4.x ACLs?

NFSv4.x ACLs are a way to apply granular permissions to files and folders in NFS outside of the normal “read/write/execute” of NFSv3, and across more objects than simple “owner/group/everyone.” NFSv4.x ACLs allow administrators to set permissions for multiple users and groups on the same file or folder and treat NFS ACLs more like Windows ACLs. For more information on NFSv4.x ACLs, see:

http://wiki.linux-nfs.org/wiki/index.php/ACLs

https://linux.die.net/man/5/nfs4_acl

http://www.netapp.com/us/media/tr-4067.pdf

NFSv3 doesn’t have this capability by default. The only way to get more granular ACLs in NFSv3 natively is to use POSIX ACLs, which ONTAP doesn’t support.

Once you’ve enabled ACLs in ONTAP (v4.0-acl and/or v4.1-acl options), you can mount an NFS export via NFSv4.x and start applying NFSv4.x ACLs.

In my environment, I mounted a homedir volume and then set up an ACL on a file owned by root for a user called “prof1” using nfs4_setfacl -e (which allows you to edit a file rather than have to type in a long command).

[root@centos7 /]# mount demo:/home /mnt
[root@centos7 /]# mount | grep mnt
demo:/home on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.193.67.225,local_lock=none,addr=10.193.67.237)

The file lives in the root user’s homedir. The root homedir is set to 755, which means anyone can read them, but no one but the owner (root) can write to them.

drwxr-xr-x 2 root root 4096 Jul 13 10:42 root

That is, unless, I set NFSv4.x ACLs to allow a user full control:

[root@centos7 mnt]# nfs4_getfacl /mnt/root/file
A::prof1@ntap.local:rwaxtTnNcCy
A::OWNER@:rwaxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

I can also see those permissions from the ONTAP CLI:

ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /home/root/file

Vserver: DEMO
 File Path: /home/root/file
 File Inode Number: 8644
 Security Style: unix
 Effective Style: unix
 DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
 UNIX User Id: 0
 UNIX Group Id: 1
 UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
 ACLs: NFSV4 Security Descriptor
 Control:0x8014
 DACL - ACEs
 ALLOW-user-prof1-0x1601bf
 ALLOW-OWNER@-0x1601bf
 ALLOW-GROUP@-0x1200a9-IG
 ALLOW-EVERYONE@-0x1200a9

I can also expand the mask to translate the hex:

ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /home/root/file -expand-mask true

Vserver: DEMO
 File Path: /home/root/file
 File Inode Number: 8644
 Security Style: unix
 Effective Style: unix
 DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: 0x20
 ...0 .... .... .... = Offline
 .... ..0. .... .... = Sparse
 .... .... 0... .... = Normal
 .... .... ..1. .... = Archive
 .... .... ...0 .... = Directory
 .... .... .... .0.. = System
 .... .... .... ..0. = Hidden
 .... .... .... ...0 = Read Only
 UNIX User Id: 0
 UNIX Group Id: 1
 UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
 ACLs: NFSV4 Security Descriptor
 Control:0x8014

1... .... .... .... = Self Relative
 .0.. .... .... .... = RM Control Valid
 ..0. .... .... .... = SACL Protected
 ...0 .... .... .... = DACL Protected
 .... 0... .... .... = SACL Inherited
 .... .0.. .... .... = DACL Inherited
 .... ..0. .... .... = SACL Inherit Required
 .... ...0 .... .... = DACL Inherit Required
 .... .... ..0. .... = SACL Defaulted
 .... .... ...1 .... = SACL Present
 .... .... .... 0... = DACL Defaulted
 .... .... .... .1.. = DACL Present
 .... .... .... ..0. = Group Defaulted
 .... .... .... ...0 = Owner Defaulted

DACL - ACEs
 ALLOW-user-prof1-0x1601bf
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...0 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...1 .... .... .... .... .... = Synchronize
 .... .... .... 0... .... .... .... .... = Write Owner
 .... .... .... .1.. .... .... .... .... = Write DAC
 .... .... .... ..1. .... .... .... .... = Read Control
 .... .... .... ...0 .... .... .... .... = Delete
 .... .... .... .... .... ...1 .... .... = Write Attributes
 .... .... .... .... .... .... 1... .... = Read Attributes
 .... .... .... .... .... .... .0.. .... = Delete Child
 .... .... .... .... .... .... ..1. .... = Execute
 .... .... .... .... .... .... ...1 .... = Write EA
 .... .... .... .... .... .... .... 1... = Read EA
 .... .... .... .... .... .... .... .1.. = Append
 .... .... .... .... .... .... .... ..1. = Write
 .... .... .... .... .... .... .... ...1 = Read

ALLOW-OWNER@-0x1601bf
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...0 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...1 .... .... .... .... .... = Synchronize
 .... .... .... 0... .... .... .... .... = Write Owner
 .... .... .... .1.. .... .... .... .... = Write DAC
 .... .... .... ..1. .... .... .... .... = Read Control
 .... .... .... ...0 .... .... .... .... = Delete
 .... .... .... .... .... ...1 .... .... = Write Attributes
 .... .... .... .... .... .... 1... .... = Read Attributes
 .... .... .... .... .... .... .0.. .... = Delete Child
 .... .... .... .... .... .... ..1. .... = Execute
 .... .... .... .... .... .... ...1 .... = Write EA
 .... .... .... .... .... .... .... 1... = Read EA
 .... .... .... .... .... .... .... .1.. = Append
 .... .... .... .... .... .... .... ..1. = Write
 .... .... .... .... .... .... .... ...1 = Read

ALLOW-GROUP@-0x1200a9-IG
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...0 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...1 .... .... .... .... .... = Synchronize
 .... .... .... 0... .... .... .... .... = Write Owner
 .... .... .... .0.. .... .... .... .... = Write DAC
 .... .... .... ..1. .... .... .... .... = Read Control
 .... .... .... ...0 .... .... .... .... = Delete
 .... .... .... .... .... ...0 .... .... = Write Attributes
 .... .... .... .... .... .... 1... .... = Read Attributes
 .... .... .... .... .... .... .0.. .... = Delete Child
 .... .... .... .... .... .... ..1. .... = Execute
 .... .... .... .... .... .... ...0 .... = Write EA
 .... .... .... .... .... .... .... 1... = Read EA
 .... .... .... .... .... .... .... .0.. = Append
 .... .... .... .... .... .... .... ..0. = Write
 .... .... .... .... .... .... .... ...1 = Read

ALLOW-EVERYONE@-0x1200a9
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...0 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...1 .... .... .... .... .... = Synchronize
 .... .... .... 0... .... .... .... .... = Write Owner
 .... .... .... .0.. .... .... .... .... = Write DAC
 .... .... .... ..1. .... .... .... .... = Read Control
 .... .... .... ...0 .... .... .... .... = Delete
 .... .... .... .... .... ...0 .... .... = Write Attributes
 .... .... .... .... .... .... 1... .... = Read Attributes
 .... .... .... .... .... .... .0.. .... = Delete Child
 .... .... .... .... .... .... ..1. .... = Execute
 .... .... .... .... .... .... ...0 .... = Write EA
 .... .... .... .... .... .... .... 1... = Read EA
 .... .... .... .... .... .... .... .0.. = Append
 .... .... .... .... .... .... .... ..0. = Write
 .... .... .... .... .... .... .... ...1 = Read

In the above, I gave prof1 full control over the file. Then, I mounted via NFSv3:

[root@centos7 /]# mount -o nfsvers=3 demo:/home /mnt
[root@centos7 /]# mount | grep mnt
demo:/home on /mnt type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.193.67.219,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=10.193.67.219)

When I become a user that isn’t on the NFSv4.x ACL, I can’t write to the file:

[root@centos7 /]# su student1
sh-4.2$ cd /mnt/root
sh-4.2$ ls -la
total 8
drwxr-xr-x 2 root root 4096 Jul 13 10:42 .
drwxrwxrwx 11 root root 4096 Jul 10 10:04 ..
-rwxr-xr-x 1 root bin 0 Jul 13 10:23 file
-rwxr-xr-x 1 root root 0 Mar 29 11:37 test.txt

sh-4.2$ touch file
touch: cannot touch ‘file’: Permission denied
sh-4.2$ rm file
rm: remove write-protected regular empty file ‘file’? y
rm: cannot remove ‘file’: Permission denied

When I change to the prof1 user, I have access to do whatever I want, even though the mode bit permissions in v3 say I can’t:

[root@centos7 /]# su prof1
sh-4.2$ cd /mnt/root
sh-4.2$ ls -la
total 8
drwxr-xr-x 2 root root 4096 Jul 13 10:42 .
drwxrwxrwx 11 root root 4096 Jul 10 10:04 ..
-rwxr-xr-x 1 root bin 0 Jul 13 10:23 file
-rwxr-xr-x 1 root root 0 Mar 29 11:37 test.txt

sh-4.2$ vi file
sh-4.2$ cat file
NFSv4ACLS!

When I do a chmod, however, nothing seems to change from the NFSv4 ACL for the user. I set 700 on the file, which shows up in NFSv3 mode bits:

sh-4.2$ chmod 700 file
sh-4.2$ ls -la
total 8
drwxr-xr-x 2 root root 4096 Jul 13 10:42 .
drwxrwxrwx 11 root root 4096 Jul 10 10:04 ..
-rwx------ 1 root bin 11 Aug 11 09:58 file
-rwxr-xr-x 1 root root 0 Mar 29 11:37 test.txt

But notice how the prof1 user still has full control:

ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /home/root/file

Vserver: DEMO
 File Path: /home/root/file
 File Inode Number: 8644
 Security Style: unix
 Effective Style: unix
 DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
 UNIX User Id: 0
 UNIX Group Id: 1
 UNIX Mode Bits: 700
 UNIX Mode Bits in Text: rwx------
 ACLs: NFSV4 Security Descriptor
 Control:0x8014
 DACL - ACEs
 ALLOW-user-prof1-0x1601bf
 ALLOW-OWNER@-0x1601bf
 ALLOW-GROUP@-0x120088-IG
 ALLOW-EVERYONE@-0x120088

This is because of an ONTAP option known as “ACL Preservation.”

ontap9-tme-8040::*> nfs show -vserver DEMO -fields v4-acl-preserve
vserver v4-acl-preserve
------- ---------------
DEMO enabled

When I set the option to enabled, the NFSv4.x ACLs will survive mode bit changes. If I disable the option, the ACLs get blown away when a chmod is done:

ontap9-tme-8040::*> nfs modify -vserver DEMO -v4-acl-preserve disabled

ontap9-tme-8040::*> nfs show -vserver DEMO -fields v4-acl-preserve
vserver v4-acl-preserve
------- ---------------
DEMO disabled


[root@centos7 root]# chmod 755 file

And the ACLs are wiped out:

ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /home/root/file

Vserver: DEMO
 File Path: /home/root/file
 File Inode Number: 8644
 Security Style: unix
 Effective Style: unix
 DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
 UNIX User Id: 0
 UNIX Group Id: 1
 UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
 ACLs: -

I’d personally recommend setting that option to “enabled” if you want to do v3 mounts with v4.x ACLs.

So, there you have it… a new way to secure your NFSv3 mounts!

Advertisements

Managing ACLs via the ONTAP Command Line

In a previous post, I covered multiprotocol NAS in ONTAP, as well as mixed security styles. The following post covers how to manage permissions from the ONTAP CLI, as well as how to centralize permission management from a single Linux client. Some of the following was moved from the previous post to this one to make it easier to read and digest.

Viewing permissions in multiprotocol NAS

There are options to display permissions from both types of clients. For viewing UNIX permissions from Windows property tabs, use the cifs option is-unix-nt-acl-enabled.

cluster::*> cifs option show -vserver parisi-fields is-unix-nt-acl-enabled
vserver is-unix-nt-acl-enabled
----------- ----------------------
parisi     true

When using this option, the Windows clients will show a security tab entry that approximates the UNIX mode bits into ACLs. It will show the owner, group and “other” permissions. It will also attempt to convert the UNIX UID into a Windows-friendly SID so the client can display it. The Windows user will look like this:

unix-windows-acl1

That user is a “fake SID” that is tied to the cluster’s Storage Virtual Machine. It translates to a SID that ONTAP creates based on the numeric ID of the user or group. The Windows client uses that SID to translate into a name.

For example:

cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermUid\root
S-1-5-21-2038298172-1297133386-11111-0

cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-user-name root
0

cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermUid\user3
S-1-5-21-2038298172-1297133386-11111-703

cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-user-name user3
703

cluster::*> diag secd authentication translate -node node1 -vserver SVM -win-name UNIXPermGid\homedirs
S-1-5-21-2038298172-1297133386-22222-1002

cluster::*> diag secd authentication translate -node node1 -vserver SVM -unix-group-name homedirs
1002

From Windows, we can see the level of access for the users from the “Change Permissions” window:

unix-windows-acl2

On the NFS side, mode bits have no clue how to translate NTFS permission concepts like extended attributes. Instead, the clients only know Read, Write, Execute, Traverse, etc. It’s possible to show an approximation of those mode bits in UNIX for NTFS security style volumes with this option:

cluster::*> nfs server show -fields ntacl-display-permissive-perms
vserver ntacl-display-permissive-perms
----------- ------------------------------
parisi     disabled

When that option is disabled, NTFS ACLs show up as closely to UNIX permissions as they can. In the following example, I have an NTFS security style folder that allowed only the owner to have full control, but allows read to “Everyone.” With the option mentioned, we see that reflected as “755” in permissions:

unix-windows-acl3

drwxr-xr-x 3 user1 homedirs 4096 Nov 8 14:15 user1

Translating NTFS style DACLs

As previously mentioned, in ONTAP we can view the Windows ACLs on a file, folder or volume using vserver security file-directory show.

cluster::*> vserver security file-directory show -vserver SVM-path /homedir1/user1

Vserver: SVM
 File Path: /homedir1/user1
 File Inode Number: 10363
 Security Style: mixed
 Effective Style: ntfs
 DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
 UNIX User Id: 701
 UNIX Group Id: 1002
 UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
 ACLs: NTFS Security Descriptor
 Control:0x8004
 Owner:CPOC\user1
 Group:CPOC\Domain Users
 DACL - ACEs
 ALLOW-CPOC\Administrator-0xe0000040-OI|IO
 ALLOW-CPOC\Administrator-0x1201ff-CI
 ALLOW-CPOC\user1-0x10000000-OI|IO
 ALLOW-CPOC\user1-0x1f01ff-CI
 ALLOW-Everyone-0xa0000000-OI|IO
 ALLOW-Everyone-0x1200a9-CI

However, as you can see, those ACLs don’t make a ton of sense unless you can read hexadecimal. (If you can, more power to ya.)

Let’s break down the ACLs a bit to understand them better.

  • First, DACL means “Discretionary Access Control List.” From MSDN:
  • An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
  • In the DACLs above, we can see whether the DACL is an ALLOW or a DENY ACL. (Deny ACLs override ALLOWS.) We can also see the user or group being allowed access. After that, the information isn’t really in a “human readable” format.
  • The CI, IO, OI values are “ACE strings” and tell us whether the ACL was inherited by the owner or container. MSDN has a handy list of those here: ACE Strings

The rest of the ACLs are hexadecimal values and translate into what the actual permissions that were set were.

Expanding ACLs

Rather than try to decode all of those, ONTAP has an option on the file-directory show command that allows you to expand the ACL mask from the CLI (-expand-mask). This actually cracks open the DACLs and shows an expanded view of what actual permissions are allowed.

For example:

cluster::> vserver security file-directory show -vserver parisi -path /cifs -expand-mask true

Vserver: parisi
 File Path: /cifs
 File Inode Number: 64
 Security Style: ntfs
 Effective Style: ntfs
 DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
 ...0 .... .... .... = Offline
 .... ..0. .... .... = Sparse
 .... .... 0... .... = Normal
 .... .... ..0. .... = Archive
 .... .... ...1 .... = Directory
 .... .... .... .0.. = System
 .... .... .... ..0. = Hidden
 .... .... .... ...0 = Read Only
 UNIX User Id: 0
 UNIX Group Id: 0
 UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
 ACLs: NTFS Security Descriptor
 Control:0x8004

1... .... .... .... = Self Relative
 .0.. .... .... .... = RM Control Valid
 ..0. .... .... .... = SACL Protected
 ...0 .... .... .... = DACL Protected
 .... 0... .... .... = SACL Inherited
 .... .0.. .... .... = DACL Inherited
 .... ..0. .... .... = SACL Inherit Required
 .... ...0 .... .... = DACL Inherit Required
 .... .... ..0. .... = SACL Defaulted
 .... .... ...0 .... = SACL Present
 .... .... .... 0... = DACL Defaulted
 .... .... .... .1.. = DACL Present
 .... .... .... ..0. = Group Defaulted
 .... .... .... ...0 = Owner Defaulted

Owner:BUILTIN\Administrators
 Group:BUILTIN\Administrators
 DACL - ACEs
 ALLOW-Everyone-0x1f01ff
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...0 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...1 .... .... .... .... .... = Synchronize
 .... .... .... 1... .... .... .... .... = Write Owner
 .... .... .... .1.. .... .... .... .... = Write DAC
 .... .... .... ..1. .... .... .... .... = Read Control
 .... .... .... ...1 .... .... .... .... = Delete
 .... .... .... .... .... ...1 .... .... = Write Attributes
 .... .... .... .... .... .... 1... .... = Read Attributes
 .... .... .... .... .... .... .1.. .... = Delete Child
 .... .... .... .... .... .... ..1. .... = Execute
 .... .... .... .... .... .... ...1 .... = Write EA
 .... .... .... .... .... .... .... 1... = Read EA
 .... .... .... .... .... .... .... .1.. = Append
 .... .... .... .... .... .... .... ..1. = Write
 .... .... .... .... .... .... .... ...1 = Read

ALLOW-Everyone-0x10000000-OI|CI|IO
 0... .... .... .... .... .... .... .... = Generic Read
 .0.. .... .... .... .... .... .... .... = Generic Write
 ..0. .... .... .... .... .... .... .... = Generic Execute
 ...1 .... .... .... .... .... .... .... = Generic All
 .... ...0 .... .... .... .... .... .... = System Security
 .... .... ...0 .... .... .... .... .... = Synchronize
 .... .... .... 0... .... .... .... .... = Write Owner
 .... .... .... .0.. .... .... .... .... = Write DAC
 .... .... .... ..0. .... .... .... .... = Read Control
 .... .... .... ...0 .... .... .... .... = Delete
 .... .... .... .... .... ...0 .... .... = Write Attributes
 .... .... .... .... .... .... 0... .... = Read Attributes
 .... .... .... .... .... .... .0.. .... = Delete Child
 .... .... .... .... .... .... ..0. .... = Execute
 .... .... .... .... .... .... ...0 .... = Write EA
 .... .... .... .... .... .... .... 0... = Read EA
 .... .... .... .... .... .... .... .0.. = Append
 .... .... .... .... .... .... .... ..0. = Write
 .... .... .... .... .... .... .... ...0 = Read

This also works with NFSv4 ACLs:

cluster::*> vserver security file-directory show -vserver DEMO -path /shared/unix -expand-mask true

                Vserver: DEMO
              File Path: /shared/unix
      File Inode Number: 20034
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
     ...0 .... .... .... = Offline
     .... ..0. .... .... = Sparse
     .... .... 0... .... = Normal
     .... .... ..0. .... = Archive
     .... .... ...1 .... = Directory
     .... .... .... .0.. = System
     .... .... .... ..0. = Hidden
     .... .... .... ...0 = Read Only
           UNIX User Id: 1100
          UNIX Group Id: 1101
         UNIX Mode Bits: 770
 UNIX Mode Bits in Text: rwxrwx---
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                              1... .... .... .... = Self Relative
                              .0.. .... .... .... = RM Control Valid
                              ..0. .... .... .... = SACL Protected
                              ...0 .... .... .... = DACL Protected
                              .... 0... .... .... = SACL Inherited
                              .... .0.. .... .... = DACL Inherited
                              .... ..0. .... .... = SACL Inherit Required
                              .... ...0 .... .... = DACL Inherit Required
                              .... .... ..0. .... = SACL Defaulted
                              .... .... ...1 .... = SACL Present
                              .... .... .... 0... = DACL Defaulted
                              .... .... .... .1.. = DACL Present
                              .... .... .... ..0. = Group Defaulted
                              .... .... .... ...0 = Owner Defaulted

                         DACL - ACEs
                           ALLOW-OWNER@-0x1601ff
                              0... .... .... .... .... .... .... .... = Generic Read
                              .0.. .... .... .... .... .... .... .... = Generic Write
                              ..0. .... .... .... .... .... .... .... = Generic Execute
                              ...0 .... .... .... .... .... .... .... = Generic All
                              .... ...0 .... .... .... .... .... .... = System Security
                              .... .... ...1 .... .... .... .... .... = Synchronize
                              .... .... .... 0... .... .... .... .... = Write Owner
                              .... .... .... .1.. .... .... .... .... = Write DAC
                              .... .... .... ..1. .... .... .... .... = Read Control
                              .... .... .... ...0 .... .... .... .... = Delete
                              .... .... .... .... .... ...1 .... .... = Write Attributes
                              .... .... .... .... .... .... 1... .... = Read Attributes
                              .... .... .... .... .... .... .1.. .... = Delete Child
                              .... .... .... .... .... .... ..1. .... = Execute
                              .... .... .... .... .... .... ...1 .... = Write EA
                              .... .... .... .... .... .... .... 1... = Read EA
                              .... .... .... .... .... .... .... .1.. = Append
                              .... .... .... .... .... .... .... ..1. = Write
                              .... .... .... .... .... .... .... ...1 = Read

                           ALLOW-user-prof1-0x1601ff
                              0... .... .... .... .... .... .... .... = Generic Read
                              .0.. .... .... .... .... .... .... .... = Generic Write
                              ..0. .... .... .... .... .... .... .... = Generic Execute
                              ...0 .... .... .... .... .... .... .... = Generic All
                              .... ...0 .... .... .... .... .... .... = System Security
                              .... .... ...1 .... .... .... .... .... = Synchronize
                              .... .... .... 0... .... .... .... .... = Write Owner
                              .... .... .... .1.. .... .... .... .... = Write DAC
                              .... .... .... ..1. .... .... .... .... = Read Control
                              .... .... .... ...0 .... .... .... .... = Delete
                              .... .... .... .... .... ...1 .... .... = Write Attributes
                              .... .... .... .... .... .... 1... .... = Read Attributes
                              .... .... .... .... .... .... .1.. .... = Delete Child
                              .... .... .... .... .... .... ..1. .... = Execute
                              .... .... .... .... .... .... ...1 .... = Write EA
                              .... .... .... .... .... .... .... 1... = Read EA
                              .... .... .... .... .... .... .... .1.. = Append
                              .... .... .... .... .... .... .... ..1. = Write
                              .... .... .... .... .... .... .... ...1 = Read

                           ALLOW-GROUP@-0x1201ff-IG
                              0... .... .... .... .... .... .... .... = Generic Read
                              .0.. .... .... .... .... .... .... .... = Generic Write
                              ..0. .... .... .... .... .... .... .... = Generic Execute
                              ...0 .... .... .... .... .... .... .... = Generic All
                              .... ...0 .... .... .... .... .... .... = System Security
                              .... .... ...1 .... .... .... .... .... = Synchronize
                              .... .... .... 0... .... .... .... .... = Write Owner
                              .... .... .... .0.. .... .... .... .... = Write DAC
                              .... .... .... ..1. .... .... .... .... = Read Control
                              .... .... .... ...0 .... .... .... .... = Delete
                              .... .... .... .... .... ...1 .... .... = Write Attributes
                              .... .... .... .... .... .... 1... .... = Read Attributes
                              .... .... .... .... .... .... .1.. .... = Delete Child
                              .... .... .... .... .... .... ..1. .... = Execute
                              .... .... .... .... .... .... ...1 .... = Write EA
                              .... .... .... .... .... .... .... 1... = Read EA
                              .... .... .... .... .... .... .... .1.. = Append
                              .... .... .... .... .... .... .... ..1. = Write
                              .... .... .... .... .... .... .... ...1 = Read

                           ALLOW-EVERYONE@-0x120080
                              0... .... .... .... .... .... .... .... = Generic Read
                              .0.. .... .... .... .... .... .... .... = Generic Write
                              ..0. .... .... .... .... .... .... .... = Generic Execute
                              ...0 .... .... .... .... .... .... .... = Generic All
                              .... ...0 .... .... .... .... .... .... = System Security
                              .... .... ...1 .... .... .... .... .... = Synchronize
                              .... .... .... 0... .... .... .... .... = Write Owner
                              .... .... .... .0.. .... .... .... .... = Write DAC
                              .... .... .... ..1. .... .... .... .... = Read Control
                              .... .... .... ...0 .... .... .... .... = Delete
                              .... .... .... .... .... ...0 .... .... = Write Attributes
                              .... .... .... .... .... .... 1... .... = Read Attributes
                              .... .... .... .... .... .... .0.. .... = Delete Child
                              .... .... .... .... .... .... ..0. .... = Execute
                              .... .... .... .... .... .... ...0 .... = Write EA
                              .... .... .... .... .... .... .... 0... = Read EA
                              .... .... .... .... .... .... .... .0.. = Append
                              .... .... .... .... .... .... .... ..0. = Write
                              .... .... .... .... .... .... .... ...0 = Read

However, with a ton of ACLs on an object, this could get a bit overwhelming. So, translating the hex might be better overall. This blog covers it in a bit more detail:

About the ACCESS_MASK structure

In the above ACL, we see 0x1f01ff for Everyone. That’s Full Control. In addition, 0x10000000 is considered GENERIC_ALL.

Applying ACLs to objects from the storage

In addition to displaying ACLs, vserver security file-directory commands can be used to apply SACLs and DACLs to objects from the cluster’s CLI.

The general steps are covered in this KB article:

https://kb.netapp.com/support/s/article/how-to-modify-permissions-on-files-and-folders-in-clustered-data-ontap-when-there-is-no-permission-to-take-ownership?t=1484836401866

The following shows an example of doing this on a single qtree in ONTAP.

This is a qtree called “mixed.” It has an effective security style of UNIX, unix permissions 770 and root:sharedgroup as the owners.

cluster::*> vserver security file-directory show -vserver DEMO -path /shared/mixed

                Vserver: DEMO
              File Path: /shared/mixed
      File Inode Number: 20035
         Security Style: mixed
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1206
         UNIX Mode Bits: 770
 UNIX Mode Bits in Text: rwxrwx---
                   ACLs: -

To change permissions on this object (or other objects, if desired), first create a security policy:

cluster::*> file-directory policy create -vserver DEMO -policy-name Policy1
  (vserver security file-directory policy create)
 
cluster::*> vserver security file-directory policy show -vserver DEMO -instance
    Vserver: DEMO
Policy Name: Policy1

Then, create a security descriptor, which allows a storage admin to add access control entries (ACEs) to the discretionary access control list (DACL) and the system access control list (SACL). This provides the ability to add, in bulk, an owner, group or control flags in raw hex:

cluster::*> vserver security file-directory ntfs create -vserver DEMO -ntfs-sd sdname 
 -owner ntfsonly

cluster::*> vserver security file-directory ntfs show -instance
                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                        Owner: NTAP\ntfsonly
                Primary Group: -
            Raw Control Flags: -

Next, create one or more DACLs or SACLs. In this case, I’ve created 2 DACLs. This command allows the following:

cluster::*> vserver security file-directory ntfs dacl add ?
    -vserver                                                   Vserver
   [-ntfs-sd]                                             NTFS Security Descriptor Name
   [-access-type] {deny|allow}                                               Allow or Deny
   [-account]                                                   Account Name or SID
  { [[-rights] {no-access|full-control|modify|read-and-execute|read|write}]  DACL ACE's Access Rights
  | [ -advanced-rights , ... ]                        DACL ACE's Advanced Access Rights
  | [ -rights-raw  ] }                                          *DACL ACE's Raw Access Rights
  [ -apply-to {this-folder|sub-folders|files}, ... ]                         Apply DACL Entry

The users I’m adding are ntfsonly and student1. Ntfsonly gets full control; student1 gets readonly access. I’m applying the DACL to all objects (this-folder, sub-folders, files).

NOTE: If you don’t apply the DACL to the top level folder, you run the risk of denying access to everyone because the owner doesn’t get set properly.

ontap9-tme-8040::*> vserver security file-directory ntfs dacl add -vserver DEMO -ntfs-sd sdname -access-type allow -account ntfsonly -apply-to this-folder,sub-folders,files -advanced-rights full-control

ontap9-tme-8040::*> vserver security file-directory ntfs dacl add -vserver DEMO -ntfs-sd sdname -access-type allow -account student1 -rights read -apply-to this-folder,sub-folders,files

In addition to the ACLs we define, we also get default built-in DACLs. Feel free to delete those as needed.

ontap9-tme-8040::*> vserver security file-directory ntfs dacl show -vserver DEMO -instance


                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: BUILTIN\Administrators
                Access Rights: full-control
            Raw Access Rights: -
       Advanced Access Rights: -
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: full-control

                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: BUILTIN\Users
                Access Rights: full-control
            Raw Access Rights: -
       Advanced Access Rights: -
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: full-control

                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: CREATOR OWNER
                Access Rights: full-control
            Raw Access Rights: -
       Advanced Access Rights: -
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: full-control

                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: NT AUTHORITY\SYSTEM
                Access Rights: full-control
            Raw Access Rights: -
       Advanced Access Rights: -
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: full-control

                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: NTAP\ntfsonly
                Access Rights: -
            Raw Access Rights: -
       Advanced Access Rights: full-control
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: full-control

                      Vserver: DEMO
NTFS Security Descriptor Name: sdname
                Allow or Deny: allow
          Account Name or SID: NTAP\student1
                Access Rights: read
            Raw Access Rights: -
       Advanced Access Rights: -
             Apply DACL Entry: this-folder, sub-folders, files
                Access Rights: read
6 entries were displayed.

Now that the policy is created and I have the desired DACLs and SACLs, I can apply them to whatever paths I want. In the above, I’ve set the DACLs to only apply to the specific folder. To apply the policy, create a new task and define the path you want to re-ACL. The task will “propogate” by default. You can also specify “replace” if desired.

cluster::*> file-directory policy task add -vserver DEMO -policy-name Policy1 -path /shared/mixed -ntfs-sd sdname
  (vserver security file-directory policy task add)

cluster::*> file-directory policy task show
  (vserver security file-directory policy task show)

Vserver: DEMO
  Policy: Policy1

   Index  File/Folder  Access           Security  NTFS       NTFS Security
          Path         Control          Type      Mode       Descriptor Name
   -----  -----------  ---------------  --------  ---------- ---------------
   1      /shared/mixed
                       file-directory   ntfs      propagate  sdname

Once everything appears in order, apply the policy:

cluster::*> file-directory apply -vserver DEMO -policy-name Policy1
  (vserver security file-directory apply)

[Job 3229] Job is queued: Fsecurity Apply. Use the "job show -id 3229" command to view the status of this operation.

If you want status of the progress, use job show. If you want detailed progress, use job show -instance.

cluster::*> job show -id 3229
                            Owning
Job ID Name                 Vserver    Node           State
------ -------------------- ---------- -------------- ----------
3229   Fsecurity Apply      cluster
                                       cluster2
                                                      Success
       Description: File Directory Security Apply Job

Then, check your ACLs. Note how the effective style of the mixed qtree has changed from UNIX to NTFS:

cluster::*> vserver security file-directory show -vserver DEMO -path /shared/mixed

                Vserver: DEMO
              File Path: /shared/mixed
      File Inode Number: 20035
         Security Style: mixed
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8014
                         Owner:NTAP\ntfsonly
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-BUILTIN\Users-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-NTAP\ntfsonly-0x1f01ff
                           ALLOW-NTAP\student1-0x120089     

If you want to apply the policy to other paths (or multiple paths at once), create new tasks:

cluster::*> vserver security file-directory show -vserver DEMO -path /shared/security
                Vserver: DEMO
              File Path: /shared/security
      File Inode Number: 96
         Security Style: mixed
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 770
 UNIX Mode Bits in Text: rwxrwx---
                   ACLs: -

cluster::*> file-directory policy task add -vserver DEMO -policy-name Policy1 -path /shared/security -ntfs-sd sdname
  (vserver security file-directory policy task add)

cluster::*> file-directory policy task show
  (vserver security file-directory policy task show)
Vserver: DEMO
  Policy: Policy1
   Index  File/Folder  Access           Security  NTFS       NTFS Security
          Path         Control          Type      Mode       Descriptor Name
   -----  -----------  ---------------  --------  ---------- ---------------
   1      /shared/mixed
                       file-directory   ntfs      propagate  sdname
   2      /shared/security
                       file-directory   ntfs      propagate  sdname
2 entries were displayed.

cluster::*> file-directory apply -vserver DEMO -policy-name Policy1
  (vserver security file-directory apply)

[Job 3232] Job is queued: Fsecurity Apply. Use the "job show -id 3232" command to view the status of this operation.

cluster::*> vserver security file-directory show -vserver DEMO -path /shared/security
                Vserver: DEMO
              File Path: /shared/security
      File Inode Number: 96
         Security Style: mixed
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8014
                         Owner:NTAP\ntfsonly
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-BUILTIN\Users-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-NTAP\ntfsonly-0x1f01ff
                           ALLOW-NTAP\student1-0x120089

Example of a running job with more information:

cluster::*> job show -id 3317 -instance
                      Job ID: 3317
              Owning Vserver: cluster
                        Name: Fsecurity Apply
                 Description: File Directory Security Apply Job
                    Priority: Low
                        Node: cluster02
                    Affinity: Cluster
                    Schedule: @now
                  Queue Time: 01/24 09:45:19
                  Start Time: 01/24 09:45:19
                    End Time: -
              Drop-dead Time: -
                  Restarted?: false
                       State: Running
                 Status Code: 0
           Completion String:
                    Job Type: FSEC_APPLY
                Job Category: FSECURITY
                        UUID: b9e7bf61-e243-11e6-a40c-00a0986b1210
          Execution Progress: Fsecurity Apply processed 46766 files/dirs. Last Processed: /shared/security/files/topdir_77/subdir_81
                   User Name: admin
                     Process: mgwd
  Restart Is or Was Delayed?: false
Restart Is Delayed by Module: -

Centralizing permission management

With multiprotocol NAS, it’s possible to view and manage ACLs from multiple clients, as well as the storage. The way I did this was to set up passwordless SSH on a Linux client and then create simple shell scripts that call SSH commands to the cluster. Another way to do this would be to leverage the ONTAP SDK. I’ll write up a post on the SDK at some point in the future, but for now, we’ll focus on the bash scripts.

To set up passwordless SSH to the cluster, do the following (from TR-4073):

Create the SSH Keypair

In the following example, ssh-keygen is used on a Linux box.

  • If a ssh key pair already exists, there is no need to generate one using ssh-keygen.
monitor@linux:/$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
monitor@linux:/$ ls -lsa ~/.ssh
total 16
4 drwx------ 2 monitor monitor 4096 2008-08-26 11:47 .
4 drwxr-xr-x 3 monitor monitor 4096 2008-08-26 11:47 ..
4 -rw------- 1 monitor monitor 1679 2008-08-26 11:47 id_rsa
4 -rw-r--r-- 1 monitor monitor 401 2008-08-26 11:47 id_rsa.pub

Create the User with a Public Key Authentication Method

cluster::> security login create -username monitor -application ssh -authmethod publickey -profile admin

Create the Public Key on the Cluster

Copy the public key contents of the id_rsa.pub file and place it between quotes in the security login public key create command. Take caution not to add carriage returns or other data that modifies the keystring; leave it in one line.

netapp::> security login publickey create -username monitor -index 1 -publickey “ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5s4vVbwEO1sOsq7r64V5KYBRXBDb2I5mtGmt0+3p1jjPJrXx4/IPHFLalXAQkG7LhV5Dyc5jyQiGKVawBYwxxSZ3GqXJNv1aORZHJEuCd0zvSTBGGZ09vra5uCfxkpz8nwaTeiAT232LS2lZ6RJ4dsCz+GAj2eidpPYMldi2z6RVoxpZ5Zq68MvNzz8b15BS9T7bvdHkC2OpXFXu2jndhgGxPHvfO2zGwgYv4wwv2nQw4tuqMp8e+z0YP73Jg0T3jV8NYraXO951Rr5/9ZT8KPUqLEgPZxiSNkLnPC5dnmfTyswlofPGud+qmciYYr+cUZIvcFaYRG+Z6DM/HInX7w==  monitor@linux”

Alternatively, you can use the load-from-uri function to bring the public key from another source.

cluster::> security login publickey load-from-uri -username monitor -uri http://linux/id_rsa.pub

Verify Creation

netapp::> security login publickey show -username monitor

UserName: monitor Index: 1

Public Key:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5s4vVbwEO1sOsq7r64V5KYBRXBDb2I5mtGmt0+3p1jjPJrXx4/IPHFLalXAQkG7LhV5Dyc5jyQiGKVawBYwxxSZ3GqXJNv1aORZHJEuCd0zvSTBGGZ09vra5uCfxkpz8nwaTeiAT232LS2lZ6RJ4dsCz+GAj2eidpPYMldi2z6RVoxpZ5Zq68MvNzz8b15BS9T7bvdHkC2OpXFXu2jndhgGxPHvfO2zGwgYv4wwv2nQw4tuqMp8e+z0YP73Jg0T3jV8NYraXO951Rr5/9ZT8KPUqLEgPZxiSNkLnPC5dnmfTyswlofPGud+qmciYYr+cUZIvcFaYRG+Z6DM/HInX7w==monitor@linux

Test Access from the Host

monitor@linux:~$ ssh 10.61.64.150
The authenticity of host '10.61.64.150 (10.61.64.150)' can't be established.
DSA key fingerprint is d9:15:cf:4b:d1:7b:a9:67:4d:b0:a9:20:e4:fa:f4:69.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.61.64.150' (DSA) to the list of known hosts.

Once that’s done, you can set up scripts to make SSH calls without having to interact.

Sample scripts

I’ve posted some sample bash scripts on GitHub to allow for open-sourcing of the tasks. But, essentially, the scripts I created can:

  • Show ACLs for specified paths
  • Change ACLs en masse for a specified object
  • Clean up policies and DACLs created
  • Be used as a wrapper

Creating a wrapper command

In addition to the scripts above, it’s also possible to create a simple wrapper command in Linux that will call a script to make life easier for an administrator. To do this, modify the .bashrc file in the user’s home directory. In the following example, I created a command called ONTAP_ACL and pointed it to my script.

# cat ~/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ONTAP_ACL='/scripts/./show-ACL.sh'

Once this is done, you can restart the shell session and the command can be run to execute the script. In the above, the show-ACL script simply takes the path input and asks a yes/no question and dumps the output.

# ONTAP_ACL /home
Do you want to expand the ACL masks to show all fields? (enter 1 or 2)
CAUTION: Output may be lengthy

1) Yes
2) No
#? 2


 Vserver: DEMO
 File Path: /home
 File Inode Number: 64
 Security Style: mixed
 Effective Style: ntfs
 DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
 UNIX User Id: 0
 UNIX Group Id: 1
 UNIX Mode Bits: 711
 UNIX Mode Bits in Text: rwx--x--x
 ACLs: NTFS Security Descriptor
 Control:0x9504
 Owner:NTAP\Administrator
 Group:NTAP\Domain Users
 DACL - ACEs
 ALLOW-NTAP\Administrator-0x1f01ff-OI|CI
 ALLOW-Everyone-0x100020-OI|CI

I could also apply a wrapper to other scripts, such as the script to modify ACLs if I chose. This allows a simple way to centrally manage your file and folder ACLs  rather than having to jump between clients and storage.

Testing the scripts

Be sure to test the scripts only in protected environments, rather than on your production data. Make generous use of ONTAP features such as FlexClone, SnapMirror (to new Storage Virtual Machines) and Snapshots.

Questions? Leave them in the comments!