Print Email PDF

FTP in Qumulo Core

  1. Qumulo Care
  2. Qumulo Core Features

This article explains how to configure FTP in Qumulo Core by using the qq CLI or the Web UI.

Important:

  • Changing FTP settings directly impacts the level of access to your cluster's file system. Before enabling this feature, consider the various aspects of your system environment.
  • Because Qumulo Core doesn't support the CPSV or SSCN FTP extension commands, it isn't possible to connect to a Qumulo Core cluster by using File eXchange Protocol (FXP) over SSL.

REQUIREMENTS

  • Cluster running Qumulo Core version 2.7.5 or above
  • Command-Line tools installed

DETAILS

The FTP feature can be enabled via the Web UI or the qq CLI (it is disabled by default). Once enabled, all users will have FTP access according to their configured permissions. Configuring specific fields and features for the FTP must be done via the qq CLI and is not supported on the read-only FTP page.

Note: If no Home directory is configured for the user, they will see the root directory. For more information, see the Setting the User's Home Directory section.

Enabling FTP Access by Using the Web UI

  1. Login to the Web UI.
  2. Hover over the Cluster menu and click FTP Settings.

    FTP_menu.png

  3. Toggle the Enabled button to ON to enable FTP.

    FTP_toggle.png

To disable FTP in the UI, toggle the Enabled button to OFF. Refer to the instructions below to configure FTP using the qq CLI.

Enabling FTP Access by Using the qq CLI

  • Enable FTP with the following command:
qq ftp_modify_settings --enabled true
  • Disable FTP by running the following:
qq ftp_modify_settings --enabled false
  • With FTP, you can allow FXP (server-to-server transfer) using the command below.
    • Keep in mind that using FXP can make your server vulnerable to an FTP bounce. Review the article on File eXchange Protocol for additional details on risks and benefits. 
qq ftp_modify_settings --check-remote-host false  

Monitoring FTP by Using the qq CLI

Once FTP is enabled, you can check server status and settings by utilizing the following command:

qq ftp_get_status

Enabling FTP Access for Anonymous Users

An anonymous user can be enabled and mapped to a local user with version 2.8.5 or above of Qumulo Core. Use the guest account or input the name of the local user in place of guest as outlined with the command below:

qq ftp_modify_settings --anonymous-user-as-local-user guest

To disable the anonymous user and return to default behavior, run the following command:

qq ftp_modify_settings --anonymous-user-none

Configuring FTP Access for Active Directory Users

An Active Directory user can connect to the cluster running Qumulo Core 2.8.6 or above. For example, a user would log in using the DOMAIN\\username syntax as outlined below:

computer:~$ ftp cluster.company.com
Connected to cluster.company.com
220-

| _ | | |
| | | |_ _ _ __ ___ _ _| | ___
| | | | | | | '_ ` _ \| | | | |/ _ \
\ \/' | |_| | | | | | | |_| | | (_) |
 \_/\_\\__,_|_| |_| |_|\__,_|_|\___/


 ______ ___________
 | ___|_ _| ___ \
 | |_ | | | |_/ /
 | _| | | | __/
 | | | | | |
 \_| \_/ \_|

220 Qumulo FTP server ready.
Name (cluster:computer): DOMAIN\\username
331 Password required.
Password:
230 Login succeeded
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Setting the User's Home Directory 

Qumulo supports setting the home directory for local or Active Directory users via the qq command line. Once this setting is enabled, the user will start in their home directory instead of in the root of the cluster.

To set the local user's home directory, run the following command:

qq auth_mod_user --id localusername --home-directory /home/localusername

To set the AD user's home directory (Qumulo Core 2.13.3 or above), run the command below:

qq identity_attributes_set adusername --home-directory /home/adusername

Note that the user will require traverse rights from the root of the cluster to successfully land in their home directory as outlined above. If the user does not have traverse rights, they will abide by the default behavior and land in the root of the cluster.

Creating FTP Access for Local Users

If you wish to simply create FTP access for local users (rather than using Active Directory), you can follow the steps in this section.

Use the auth_mod_user command as detailed in the previous section to configure the local user's home directory. Then create an FTP directory in the path specified with the following command:

qq fs_create_dir --path DIRECTORY_PATH --name DIRECTORY_NAME

EXAMPLE
admin@qumulotest:~$ qq fs_create_dir --path / --name FTP
{
 "blocks": "1", 
 "change_time": "2020-03-18T20:37:09.912546055Z", 
 "child_count": 0, 
 "creation_time": "2020-03-18T20:37:09.912546055Z", 
 "datablocks": "0", 
 "directory_entry_hash_policy": "FS_DIRECTORY_HASH_VERSION_FOLDED", 
 "extended_attributes": {
 "archive": false, 
 "compressed": false, 
 "hidden": false, 
 "not_content_indexed": false, 
 "read_only": false, 
 "sparse_file": false, 
 "system": false, 
 "temporary": false
 }, 
 "file_number": "3", 
 "group": "513", 
 "group_details": {
 "id_type": "LOCAL_GROUP", 
 "id_value": "Users"
 }, 
 "id": "3", 
 "major_minor_numbers": {
 "major": 0, 
 "minor": 0
 }, 
 "metablocks": "1", 
 "mode": "0755", 
 "modification_time": "2020-03-18T20:37:09.912546055Z", 
 "name": "FTP", 
 "num_links": 2, 
 "owner": "500", 
 "owner_details": {
 "id_type": "LOCAL_USER", 
 "id_value": "admin"
 }, 
 "path": "/FTP/", 
 "size": "0", 
 "symlink_target_type": "FS_FILE_TYPE_UNKNOWN", 
 "type": "FS_FILE_TYPE_DIRECTORY"
}

Grant the user account permission to access the new directory with the following command:

qq fs_modify_acl --path DIRECTORY_PATH add_entry -t local:USER -y Allowed -r Read, Write directory, Delete child, Execute/Traverse

EXAMPLE
admin@qumulotest:~$ qq fs_modify_acl --path /FTP add_entry -t local:ftp-user -y Allowed -r Read, Write directory, Delete child, Execute/Traverse
New permissions:
ID Trustee Type Flags Rights 
== ============== ======= ===== ================================================
1 local:admin Allowed Delete child, Execute/Traverse, Read, Write file
2 local:Users Allowed Execute/Traverse, Read 
3 Everyone Allowed Execute/Traverse, Read 
4 local:ftp-user Allowed Delete child, Execute/Traverse, Read, Write file

Changing the Root Directory for Users

Admins can optionally change the root directory for users to their home directories when they connect via FTP by using the following command in version 2.8.6 or above of Qumulo Core:

qq ftp_modify_settings --chroot-users true

To disable and return to default behavior, run the following command:

qq ftp_modify_settings --chroot-users false

As specified above, if you are configuring a local user, the user will require traverse rights from the root of the cluster to their home directory to successfully connect.

ADDITIONAL RESOURCES

FTP: TLS Security

QQ CLI: FTP

File eXchange Protocol

Articles in this section

See more
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Have more questions?
Open a Case
Share it, if you like it.