Managing Permissions from the qq CLI

IN THIS ARTICLE 

This article explains how you can create and modify Qumulo Core file permissions by using the qq CLI.

REQUIREMENTS

  • A cluster with Qumulo Core 2.9.6 (or higher)
  • Administrative privileges for the cluster

PROCESS

To Create a New ACL  

The following are examples of commands you can use to create a new access control list (ACL).

qq fs_modify_acl --path /<path> add_entry -t "DOMAIN\\domain users" \
-y Allowed -r "Execute/Traverse" "Read" \
-f "Object inherit" "Container inherit"

qq fs_modify_acl --path /<path> add_entry -t "uid:5005" -y Allowed \
-r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"

qq fs_modify_acl --path /<path> add_entry -t "gid:5005" -y Allowed \
-r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"

  • The -t flag specifies a trustee.
  • The -y flag specifies Allowed or Denied.
  • The -r flag specifies rights.
    Tip: Use -r All for full control.
  • The -f flag specifies ACL flags.
    Note: Use "Object inherit" "Container inherit" when you want the ACL to apply to newly created files automatically.

To Modify an Existing ACL  

The following are examples of commands you can use to modify an existing ACL.

qq fs_modify_acl --path=/<path> modify_entry \
--old-trustee Everyone --new-rights=Read

New permissions:
Position Trustee     Type    Flags Rights
======== =========== ======= ===== ================================================
1        local:admin Allowed       Delete child, Execute/Traverse, Read, Write file
2        local:Users Allowed       Delete child, Execute/Traverse, Read, Write file
3        Everyone    Allowed       Read

qq fs_modify_acl --path=/<path> modify_entry \
--old-trustee Everyone --new-rights=All

New permissions:
Position Trustee     Type    Flags Rights
======== =========== ======= ===== ===================================================================================
1        local:admin Allowed       Delete child, Execute/Traverse, Read, Write file
2        local:Users Allowed       Delete child, Execute/Traverse, Read, Write file
3        Everyone    Allowed       Delete, Delete child, Execute/Traverse, Read, Take ownership, Write ACL, Write file

To Remove an ACL

  • To remove a specific position, use the following command with the path and the -p flag with the position number.
    qq fs_modify_acl --path /<path> remove_entry -p <position number>
  • To remove all ACLs, use the following command with the path and the -a flag.
    qq fs_modify_acl --path /<path> remove_entry -a
  • To remove a single trustee, use the following command with the path and specify the trustee to remove.
    qq fs_modify_acl --path /<path> remove_entry \
    --trustee="DOMAIN\\Domain Users"

To Recursively Add a New ACL (with Multithreading)

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -d '\n' -I % -n1 -P 4 qq fs_modify_acl \
--path '%' add_entry -t "DOMAIN\username" -y Allowed \
-r "Read" "Execute/Traverse" -f "Object inherit" "Container inherit"

Note: For larger directories, we recommend running this command in a screen session.

To Recursively Apply a Permissions Template (Permission Repair Job)

Important: Before deploying production permissions, we strongly recommend performing a dry run on a test directory.

You can use a new or existing file with the required permissions as a template. To copy the ACL, run the following command on each node.

qq fs_get_acl --path <path_to_file> --json >/history/new_perms.json

In the following example, you must specify the path.

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -d '\n' -I % -n1 -P 4 qq fs_set_acl --path '%' \
--file /history/new_perms.json >/dev/null 2>&1
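
Added example (not from the original article and not Qumulo's own tooling): a wrapper for the recursive template step above that logs every path where qq fs_set_acl fails instead of discarding the errors, and supports a dry run. The function name, QQ_BIN, DRY_RUN and the failure-log location are assumptions, and it applies the template serially rather than with -P 4.

```shell
# Added example, not part of the original article.
# Assumed names: apply_acl_template, QQ_BIN, DRY_RUN, and the failure-log argument.
# Only qq calls shown in the article are used (fs_set_acl --path ... --file ...).

QQ_BIN="${QQ_BIN:-qq}"   # command that runs qq; overridable so the logic can be tested

# apply_acl_template TEMPLATE_JSON FAIL_LOG
#   stdin:   one path per line (for example the output of the article's
#            qq fs_walk_tree ... | jq -r '.tree_nodes[].path' pipeline)
#   returns: 0 = every path updated, 1 = at least one failure, 2 = bad arguments
apply_acl_template() {
    _tpl=$1
    _log=$2
    _total=0
    _failed=0
    if [ ! -r "$_tpl" ] || [ -z "$_log" ]; then
        echo "usage: apply_acl_template <template.json> <fail_log>" >&2
        return 2
    fi
    : > "$_log"   # start with an empty failure log
    # IFS= and -r keep spaces and backslashes in paths intact;
    # the || clause handles a final line without a trailing newline.
    while IFS= read -r _path || [ -n "$_path" ]; do
        [ -n "$_path" ] || continue
        _total=$((_total + 1))
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would set ACL on: %s\n' "$_path"
            continue
        fi
        # </dev/null stops qq from consuming the remaining path list on stdin.
        if ! "$QQ_BIN" fs_set_acl --path "$_path" --file "$_tpl" \
                >/dev/null 2>&1 </dev/null; then
            printf '%s\n' "$_path" >> "$_log"
            _failed=$((_failed + 1))
        fi
    done
    echo "paths: $_total, failed: $_failed (see $_log)" >&2
    [ "$_failed" -eq 0 ]
}

# Usage (paths as in the article; /tmp/acl_failed.txt is an assumed log location):
#   qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
#     apply_acl_template /history/new_perms.json /tmp/acl_failed.txt
```

A non-empty failure log means some files still carry their previous ACL, so review it before treating the repair job as complete.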

To Recursively Modify SMB Attributes

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -d '\n' -I % -n1 -P 4 qq fs_file_set_smb_attrs --path '%' --hidden false
