Managing Permissions from the qq CLI

IN THIS ARTICLE 

This article explains how you can create and modify Qumulo Core file permissions by using the qq CLI.

REQUIREMENTS

• A cluster with Qumulo Core 2.9.6 (or higher)
• Administrative privileges for the cluster

PROCESS

To Create a New ACL  

The following are examples of commands you can use to create a new access control list (ACL).

qq fs_modify_acl --path /<path> add_entry -t "DOMAIN\\domain users" \
  -y Allowed -r "Execute/Traverse" "Read" \
  -f "Object inherit" "Container inherit"

qq fs_modify_acl --path /<path> add_entry -t "uid:5005" -y Allowed \
  -r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"

qq fs_modify_acl --path /<path> add_entry -t "gid:5005" -y Allowed \
  -r "Execute/Traverse" "Read" -f "Object inherit" "Container inherit"

• The -t flag specifies a trustee.
• The -y flag specifies Allowed or Denied.
• The -r flag specifies rights.
  Tip: Use -r All for full control.
• The -f flag specifies ACL flags.
  Note: Use "Object inherit" "Container inherit" when you want the ACL to apply to newly created files automatically.
  

To Modify an Existing ACL  

The following are examples of commands you can use to modify an existing ACL.

qq fs_modify_acl --path=/<path> modify_entry \
  --old-trustee Everyone --new-rights=Read
New permissions:
Position  Trustee      Type     Flags  Rights
========  ===========  =======  =====  ================================================
1         local:admin  Allowed         Delete child, Execute/Traverse, Read, Write file
2         local:Users  Allowed         Delete child, Execute/Traverse, Read, Write file
3         Everyone     Allowed         Read

qq fs_modify_acl --path=/<path> modify_entry \
  --old-trustee Everyone --new-rights=All
New permissions:
Position  Trustee      Type     Flags  Rights
========  ===========  =======  =====  ===================================================================================
1         local:admin  Allowed         Delete child, Execute/Traverse, Read, Write file
2         local:Users  Allowed         Delete child, Execute/Traverse, Read, Write file
3         Everyone     Allowed         Delete, Delete child, Execute/Traverse, Read, Take ownership, Write ACL, Write file

To Remove an ACL

• To remove a specific position, use the following command with the path and the -p flag with the position number.

  qq fs_modify_acl --path /<path> remove_entry -p <position number>

• To remove all ACLs, use the following command with the path and the -a flag.

  qq fs_modify_acl --path /<path> remove_entry -a

• To remove a single trustee, use the following command with the path and specify the trustee to remove.

  qq fs_modify_acl --path /<path> remove_entry \
    --trustee="DOMAIN\\Domain Users"

To Recursively Add a New ACL (with Multithreading)

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
  xargs -d '\n' -I % -n1 -P 4 qq fs_modify_acl \
  --path '%' add_entry -t "DOMAIN\username" -y Allowed \
  -r "Read" "Execute/Traverse" -f "Object inherit" "Container inherit"

Note: For larger directories, we recommend running this command in a screen session.

To Recursively Apply a Permissions Template (Permission Repair Job)

Important: Before deploying production permissions, we strongly recommend performing a dry run on a test directory.

You can use a new or existing file with the required permissions as a template. To copy the ACL, run the following command on each node.

qq fs_get_acl --path <path_to_file> --json >/history/new_perms.json

In the following example, you must specify the path.

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
  xargs -I % -n1 -P 4 qq fs_set_acl --path '%' \
  --file /history/new_perms.json >> 1&>/dev/null

To Recursively Modify SMB Attributes

qq fs_walk_tree --path /<path> | jq -r '.tree_nodes[].path' | \
  xargs -I % -n1 -P 4 qq fs_file_set_smb_attrs --path % --hidden false