The following is a basic example for configuring Access Control Lists (ACLs) on Qumulo SMB shares without Active Directory (i.e., using local users and groups). The example uses the permissions model illustrated below, where an 'administrators' group is given write/delete privileges throughout the directory structure, while the 'users' group is limited to writes and deletes only below the top-level folders. The following illustration shows a sample directory tree, where the folders in red are unmodifiable by members of the 'users' group, while those in green are modifiable/deletable by all.
- A Qumulo cluster with the root path enabled as an SMB share
- Qumulo Core shares this path by default
- A Windows 7 or 8 client
- In the Sharing menu on your cluster’s web UI, click on Users & Groups.
- In the Groups section, click on Create to create a new ‘administrators’ group. Note that this group will be used to manage file privileges for your ‘admin’ level users, and has no bearing on the administrative access to your cluster -- in other words, it is just another group with no additional ‘raised’ system privileges. Before closing the dialog box, click on Members and add the ‘admin’ account to the group you are creating, then click the Create button to finish.
- In the Users section, click on the Create button to create a new user. In this example, we are calling our user ‘nas-admin’ and we are adding the ‘nas-admin’ user to the ‘administrators’ group. The ‘administrators’ group will be given the full range of read/write/delete access control entries, whereas the ‘users’ group will only have read access.
- Create a second user and add the account to the ‘users’ group. Again, this will be our ‘read-only’ group.
- When done creating your users, your user and group list should look similar to this:
- On a Windows 8 or 7 client, connect to the default SMB share on your cluster via Windows Explorer using the UNC path (\\cluster-name\) or by mapping a network drive. When prompted to log in, authenticate with the Qumulo ‘admin’ account. Use the cluster name as your domain.
- Right-click on the “Files” share, select “Properties,” click on the “Security” tab, then the “Advanced” button to edit the Access Control List.
- Click on the “Change Permissions” button below the Access Control List, then select the entry for “Everyone” and click the “Remove” button to remove the entry. Then, edit the entry for ‘admin’ and change it to the ‘administrators’ group instead. This will give the users in the ‘administrators’ group read/write/delete access at the root path.
- Click “OK” when done. Your access control list should look like the screenshot below.
- In the Qumulo Web UI, click the Sharing Menu, then SMB Shares. Create a new share inside the root path (this will put your new share inside of the “Files” share when connecting from a client machine). In the example below, we are creating a share called “ops.” Be sure to select the box next to “Create new directory with inherited permissions” so that the directory is created on share creation. Click “Save” when done.
The “ops” folder will be created at “/ops” and should be deletable/modifiable by only the ‘admin’ account. All other users will be able to read/write/delete inside of “ops” but not delete the “/ops” directory itself. Any other share you create inside of the root path should also exhibit this permissions set.
To give additional users the ability to create and delete files at the top level of your directory structure (at “/”), simply add them to the ‘administrators’ group you created in step 2 above.
You should now be able to successfully manage ACLs with local users and groups.
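To confirm the resulting ACLs from the Windows client instead of reading them off the Security tab, the following PowerShell check can be run. It is an added example, not part of the original article or of Qumulo's tooling. It assumes the session is already authenticated as the Qumulo ‘admin’ account, that `cluster-name` is replaced with your cluster's name, that Windows shows the local group as `<cluster-name>\administrators`, and that "read/write/delete" corresponds to the Windows Modify right.

```powershell
# Added example: audit the ACLs on the root share and the "ops" directory.
# Assumption: \\cluster-name\Files is the default share from the steps above.
$Root  = '\\cluster-name\Files'
$Paths = @($Root, (Join-Path $Root 'ops'))

function Get-AceList {
    param([string]$Path)
    # Flatten every access control entry into one row per identity.
    (Get-Acl -Path $Path).Access | Select-Object `
        @{n='Path';      e={ $Path }},
        @{n='Identity';  e={ $_.IdentityReference.Value }},
        # Drop the cluster prefix so 'CLUSTER\administrators' compares as 'administrators'.
        @{n='Name';      e={ ($_.IdentityReference.Value -split '\\')[-1] }},
        @{n='Type';      e={ $_.AccessControlType }},
        @{n='Rights';    e={ $_.FileSystemRights }},
        @{n='Inherited'; e={ $_.IsInherited }}
}

$aces = $Paths | ForEach-Object { Get-AceList -Path $_ }
$aces | Format-Table Path, Identity, Type, Rights, Inherited -AutoSize

$rootAces = $aces | Where-Object { $_.Path -eq $Root }

# Check 1: the 'Everyone' entry was removed from the root path.
$everyone = $rootAces | Where-Object { $_.Name -eq 'Everyone' -and $_.Type -eq 'Allow' }
if ($everyone) {
    Write-Warning "'Everyone' still has an Allow entry on $Root"
}

# Check 2: 'administrators' has an Allow entry that includes Modify
# (assumed here to be the Windows equivalent of read/write/delete).
$Modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$adminOk = $rootAces | Where-Object {
    $_.Name -eq 'administrators' -and $_.Type -eq 'Allow' -and
    (($_.Rights -band $Modify) -eq $Modify)
}
if (-not $adminOk) {
    Write-Warning "'administrators' has no Allow entry granting Modify on $Root"
}
```

Rows for the "ops" directory marked `Inherited = True` come from the root ACL; an unexpected non-inherited Allow entry there is worth reviewing before more shares are created under the root path.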