IN THIS ARTICLE
This article explains how you can create and modify Qumulo Core file permissions by using the qq
CLI.
REQUIREMENTS
- A cluster with Qumulo Core 2.9.6 (or higher)
- Administrative privileges for the cluster
PROCESS
To Create a New ACL
The following are examples of commands you can use to create a new access control list (ACL).
qq fs_modify_acl --path /<path> add_entry -t "DOMAIN\\domain users" \
-y Allowed -r "Execute/Traverse" "Read" \
-f "Object inherit" "Container inherit"
qq fs_modify_acl --path /<path> add_entry -t "uid:5005" -y Allowed \
-r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"
qq fs_modify_acl --path /<path> add_entry -t "gid:5005" -y Allowed \
-r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"
- The
-t
flag specifies a trustee. - The
-y
flag specifiesAllowed
orDenied
. - The
-r
flag specifies rights.
Tip: Use-r All
for full control. - The
-f
flag specifies ACL flags.
Note: Use"Object inherit" "Container inherit"
when you want the ACL to apply to newly created files automatically.
To Modify an Existing ACL
The following are examples of commands you can use to modify an existing ACL.
qq fs_modify_acl --path=/<path> modify_entry \
--old-trustee Everyone --new-rights=Read New permissions: Position Trustee Type Flags Rights ======== =========== ======= ===== ================================================ 1 local:admin Allowed Delete child, Execute/Traverse, Read, Write file 2 local:Users Allowed Delete child, Execute/Traverse, Read, Write file 3 Everyone Allowed Read
qq fs_modify_acl --path=/<path> modify_entry \
--old-trustee Everyone --new-rights=All New permissions: Position Trustee Type Flags Rights ======== =========== ======= ===== =================================================================================== 1 local:admin Allowed Delete child, Execute/Traverse, Read, Write file 2 local:Users Allowed Delete child, Execute/Traverse, Read, Write file 3 Everyone Allowed Delete, Delete child, Execute/Traverse, Read, Take ownership, Write ACL, Write file
To Remove an ACL
- To remove a specific position, use the following command with the path and the
-p
flag with the position number.qq fs_modify_acl --path /<path> remove_entry -p <position number>
- To remove all ACLs, use the following command with the path and the
-a
flag.qq fs_modify_acl --path /<path> remove_entry -a
- To remove a single trustee, use the following command with the path and specify the trustee to remove.
qq fs_modify_acl --path /<path> remove_entry \
--trustee="DOMAIN\\Domain Users"
To Recursively Add a New ACL (with Multithreading)
qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -d '\n' -I % -n1 -P 4 qq fs_modify_acl \
--path '%' add_entry -t "DOMAIN\username" -y Allowed \
-r "Read" "Execute/Traverse" -f "Object inherit" "Container inherit"
Note: For larger directories, we recommend running this command in a screen session.
To Recursively Apply a Permissions Template (Permission Repair Job)
Important: Before deploying production permissions, we strongly recommend performing a dry run on a test directory.
You can use a new or existing file with the required permissions as a template. To copy the ACL, run the following command on each node.
qq fs_get_acl --path <path_to_file> --json >/history/new_perms.json
In the following example, you must specify the path.
qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -I % -n1 -P 4 qq fs_set_acl --path '%' \
--file /history/new_perms.json >> 1&>/dev/null
To Recursively Modify SMB Attributes
qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
xargs -I % -n1 -P 4 qq fs_file_set_smb_attrs --path % --hidden false
Comments
0 comments