Module netapp_ontap.resources.file_directory_security

Copyright © 2022 NetApp Inc. All rights reserved.

Overview

Using this API, You can manage NTFS file security and audit policies of file or directory without the need of a client. It works similar to what you could do with a cacls in windows client. It will create an NTFS security descriptor(SD) to which you can add access control entries (ACEs) to the discretionary access control list (DACL) and the system access control list (SACL). Generally, an SD contains following information:

  • Security identifiers (SIDs) for the owner and primary group of an object. A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and is stored in a security database.
  • A DACL identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it.
  • A SACL enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
  • A set of control bits that qualify the meaning of a SD or its individual members.

Currently, in ONTAP CLI, creating and applying NTFS ACLs is a 5-step process:

  • Create an SD.
  • Add DACLs and SACLs to the NTFS SD. If you want to audit file and directory events, you must configure auditing on the Vserver, in addition, to adding a SACL to the SD.
  • Create a file/directory security policy. This step associates the policy with a SVM.
  • Create a policy task. A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Among other things, the task defines which SD to apply to a path.
  • Apply a policy to the associated SVM.

This REST API to set the DACL/SACL is similar to the windows GUI. The approach used here has been simplified by combining all steps into a single step. The REST API uses only minimal and mandatory parameters to create access control entries (ACEs), which can be added to the discretionary access control list (DACL) and the system access control list (SACL). Based on information provided, SD is created and applied on the target path.
From 9.10.1, SLAG (Storage-Level Access Guard) ACLs can also be configured through these endpoints. SLAG is designed to be set on a volume or qtree. Storage-level security cannot be revoked from a client, not even by a system (Windows or UNIX) administrator. It is designed to be modified by storage administrators only, which precedes the share/export permission and the Windows ACLs or UNIX mode bits. Similiar to configuring file-directory ACLs, configuring SLAG ACLs is also simplified by combining all steps into a single step.

Examples

Creating a new SD

Use this endpoint to apply a fresh set of SACLs and DACLs. A new SD is created based on the input parameters and it replaces the old SD for the given target path:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurity

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurity()
    resource.acls = [
        {
            "access": "access_allow",
            "advanced_rights": {
                "append_data": True,
                "delete": True,
                "delete_child": True,
                "execute_file": True,
                "full_control": True,
                "read_attr": True,
                "read_data": True,
                "read_ea": True,
                "read_perm": True,
                "write_attr": True,
                "write_data": True,
                "write_ea": True,
                "write_owner": True,
                "write_perm": True,
            },
            "apply_to": {"files": True, "sub_folders": True, "this_folder": True},
            "user": "administrator",
        }
    ]
    resource.control_flags = "32788"
    resource.group = "S-1-5-21-2233347455-2266964949-1780268902-69700"
    resource.ignore_paths = ["/parent/child2"]
    resource.owner = "S-1-5-21-2233347455-2266964949-1780268902-69304"
    resource.propagation_mode = "propagate"
    resource.post(hydrate=True, return_timeout=0)
    print(resource)

FileDirectorySecurity(
    {
        "owner": "S-1-5-21-2233347455-2266964949-1780268902-69304",
        "group": "S-1-5-21-2233347455-2266964949-1780268902-69700",
        "control_flags": "32788",
        "ignore_paths": ["/parent/child2"],
        "propagation_mode": "propagate",
        "acls": [
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "user": "administrator",
            }
        ],
    }
)


Configuring a new set of SLAG DACLs and SACLs

Use this endpoint to apply a fresh set of SLAG DACLs and SACLs. A new SD is created based on the input parameters and it replaces the old SLAG pemissions for the given target path:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurity

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = FileDirectorySecurity()
    resource.access_control = "slag"
    resource.acls = [
        {
            "access": "access_allow",
            "advanced_rights": {
                "append_data": True,
                "delete": True,
                "delete_child": True,
                "execute_file": True,
                "full_control": True,
                "read_attr": True,
                "read_data": True,
                "read_ea": True,
                "read_perm": True,
                "write_attr": True,
                "write_data": True,
                "write_ea": True,
                "write_owner": True,
                "write_perm": True,
            },
            "apply_to": {"files": True, "sub_folders": True, "this_folder": True},
            "user": "user1",
        },
        {
            "access": "audit_success",
            "advanced_rights": {
                "append_data": True,
                "delete": True,
                "delete_child": True,
                "execute_file": True,
                "full_control": True,
                "read_attr": True,
                "read_data": True,
                "read_ea": True,
                "read_perm": True,
                "write_attr": True,
                "write_data": True,
                "write_ea": True,
                "write_owner": True,
                "write_perm": True,
            },
            "apply_to": {"files": True, "sub_folders": True, "this_folder": True},
            "user": "user2",
        },
    ]
    resource.post(hydrate=True, return_timeout=0)
    print(resource)

FileDirectorySecurity(
    {
        "acls": [
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "user": "user1",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "audit_success",
                "user": "user2",
            },
        ],
        "access_control": "slag",
    }
)


Retrieving file permissions

Use this endpoint to retrieve all the security and auditing information of a directory or file:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurity

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurity(
        path="/parent", **{"svm.uuid": "9479099d-5b9f-11eb-9c4e-0050568e8682"}
    )
    resource.get()
    print(resource)

FileDirectorySecurity(
    {
        "effective_style": "ntfs",
        "text_dos_attr": "----D---",
        "owner": "BUILTIN\\Administrators",
        "text_mode_bits": "rwxrwxrwx",
        "group": "BUILTIN\\Administrators",
        "group_id": "0",
        "inode": 64,
        "control_flags": "0x8014",
        "dos_attributes": "10",
        "mode_bits": 777,
        "security_style": "mixed",
        "acls": [
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "access_control": "file_directory",
                "user": "BUILTIN\\Administrators",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "access_control": "file_directory",
                "user": "BUILTIN\\Users",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "access_control": "file_directory",
                "user": "CREATOR OWNER",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "access_control": "file_directory",
                "user": "Everyone",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
                "access": "access_allow",
                "access_control": "file_directory",
                "user": "NT AUTHORITY\\SYSTEM",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True},
                "access": "access_allow",
                "access_control": "slag",
                "user": "user1",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"files": True},
                "access": "access_allow",
                "access_control": "slag",
                "user": "user1",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"this_folder": True, "sub_folders": True},
                "access": "audit_success",
                "access_control": "slag",
                "user": "user2",
            },
            {
                "advanced_rights": {
                    "write_attr": True,
                    "read_ea": True,
                    "write_ea": True,
                    "read_data": True,
                    "append_data": True,
                    "delete": True,
                    "read_attr": True,
                    "execute_file": True,
                    "delete_child": True,
                    "synchronize": True,
                    "write_perm": True,
                    "full_control": True,
                    "read_perm": True,
                    "write_owner": True,
                    "write_data": True,
                },
                "apply_to": {"files": True},
                "access": "audit_success",
                "access_control": "slag",
                "user": "user2",
            },
        ],
        "user_id": "0",
    }
)


Updating SD-specific information

Use this end point to update the following information:

  • Primary owner of the file/directory.
  • Primary group of the file/directory.
  • Control flags associated with with SD of the file/directory.

from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurity

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurity(
        path="/parent", **{"svm.uuid": "9479099d-5b9f-11eb-9c4e-0050568e8682"}
    )
    resource.control_flags = "32788"
    resource.group = "everyone"
    resource.owner = "user1"
    resource.patch(hydrate=True, return_timeout=0)


Removing all SLAG ACLs

Use this end point to remove all SLAG ACLs.


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurity

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = FileDirectorySecurity(
        path="/test_vol", **{"svm.uuid": "713f569f-d4bc-11eb-b24a-005056ac6ce1"}
    )
    resource.delete(access_control="slag")


Adding a single file-directory DACL/SACL ACE

Use this endpoint to add a single SACL/DACL ACE for a new user or for an existing user with a different access type (allow or deny). The given ACE is merged with an existing SACL/DACL and based on the type of “propagation-mode”, it is reflected to the child object:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurityAcl("/parent")
    resource.access = "access_allow"
    resource.apply_to = {"files": True, "sub_folders": True, "this_folder": True}
    resource.ignore_paths = ["/parent/child2"]
    resource.propagation_mode = "propagate"
    resource.rights = "read"
    resource.user = "himanshu"
    resource.post(hydrate=True, return_timeout=0, return_records=False)
    print(resource)

FileDirectorySecurityAcl(
    {
        "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
        "rights": "read",
        "access": "access_allow",
        "ignore_paths": ["/parent/child2"],
        "propagation_mode": "propagate",
        "user": "himanshu",
    }
)


Adding a single SLAG DACL/SACL ACE

Use this endpoint to add a single SLAG SACL/DACL ACE to an existing set of ACLs for a user or for an existing user with a different access type (allow or deny).


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = FileDirectorySecurityAcl("/test_vol")
    resource.access = "access_allow"
    resource.access_control = "slag"
    resource.advanced_rights = {
        "append_data": True,
        "delete": True,
        "delete_child": True,
        "execute_file": True,
        "full_control": True,
        "read_attr": True,
        "read_data": True,
        "read_ea": True,
        "read_perm": True,
        "write_attr": True,
        "write_data": True,
        "write_ea": True,
        "write_owner": True,
        "write_perm": True,
    }
    resource.apply_to = {"files": True, "sub_folders": True, "this_folder": True}
    resource.user = "user1"
    resource.post(hydrate=True, return_timeout=0, return_records=False)
    print(resource)

FileDirectorySecurityAcl(
    {
        "advanced_rights": {
            "write_attr": True,
            "read_ea": True,
            "write_ea": True,
            "read_data": True,
            "append_data": True,
            "delete": True,
            "read_attr": True,
            "execute_file": True,
            "delete_child": True,
            "write_perm": True,
            "full_control": True,
            "read_perm": True,
            "write_owner": True,
            "write_data": True,
        },
        "apply_to": {"this_folder": True, "sub_folders": True, "files": True},
        "access": "access_allow",
        "access_control": "slag",
        "user": "user1",
    }
)


Updating existing SACL/DACL ACE

Use this endpoint to update the rights/advanced rights for an existing user, for a specified path. You cannot update the access type using this end point. Based on the type of “propagation-mode”, it is reflected to the child object:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurityAcl("/parent", user="himanshu")
    resource.access = "access_allow"
    resource.advanced_rights = {
        "append_data": True,
        "delete": True,
        "delete_child": True,
        "execute_file": True,
        "full_control": True,
        "read_attr": False,
        "read_data": False,
        "read_ea": False,
        "read_perm": False,
        "write_attr": True,
        "write_data": True,
        "write_ea": True,
        "write_owner": True,
        "write_perm": True,
    }
    resource.apply_to = {"files": True, "sub_folders": True, "this_folder": True}
    resource.ignore_paths = ["/parent/child2"]
    resource.propagation_mode = "propagate"
    resource.patch(hydrate=True, return_timeout=0)


Updating an existing SLG SACL/DACL ACE

Use this endpoint to update the SLAG rights/advanced rights for an existing user, for a specified path. You cannot update the access type using this end point.


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = FileDirectorySecurityAcl("/test_vol", user="user1")
    resource.access = "access_allow"
    resource.access_control = "slag"
    resource.apply_to = {"files": True, "sub_folders": True, "this_folder": True}
    resource.rights = "read"
    resource.patch(hydrate=True, return_records=False, return_timeout=0)


Deleting an existing SACL/DACL ACE

Use this endpoint to delete any of the existing rights/advanced_rights for a user. Based on the type of “propagation-mode”, it is reflected to the child object:


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection(
    "10.140.101.39", username="admin", password="password", verify=False
):
    resource = FileDirectorySecurityAcl("/parent", user="himanshu")
    resource.delete(
        body={
            "access": "access_allow",
            "apply_to": {"files": True, "sub_folders": True, "this_folder": True},
            "ignore_paths": ["/parent/child2"],
            "propagation_mode": "propagate",
        },
        return_timeout=0,
    )


Deleting an existing SLAG SACL/DACL ACE

Use this endpoint to delete any SLAG ACE for a user.


from netapp_ontap import HostConnection
from netapp_ontap.resources import FileDirectorySecurityAcl

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = FileDirectorySecurityAcl("/test_vol", user="user1")
    resource.delete(
        body={
            "access": "access_allow",
            "access_control": "slag",
            "apply_to": {"files": True, "sub_folders": True, "this_folder": True},
        },
        return_records=False,
        return_timeout=0,
    )


Classes

class FileDirectorySecurity (*args, **kwargs)

Manages New Technology File System (NTFS) security and NTFS audit policies.

Initialize the instance of the resource.

Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:

MyResource(name='foo').name == 'foo'

Args

*args
Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.

Ancestors

Static methods

def delete_collection(*args, records: Iterable[_ForwardRef('FileDirectorySecurity')] = None, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> NetAppResponse

Remove all SLAG ACLs for specified path. Bulk deletion is supported only for SLAG

Related ONTAP Commands

  • vserver security file-directory remove-slag

Learn more


Delete all objects in a collection which match the given query.

All records on the host which match the query will be deleted.

Args

*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to delete the collection of bars for a particular foo, the foo.name value should be passed.
records
Can be provided in place of a query. If so, this list of objects will be deleted from the host.
body
The body of the delete request. This could be a Resource instance or a dictionary object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be deleted.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def patch_collection(body: dict, *args, records: Iterable[_ForwardRef('FileDirectorySecurity')] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> NetAppResponse

Updates SD specific Information. For example, owner, group and control-flags. SD specific information of SLAG ACLs is not modifiable.

  • vserver security file-directory ntfs modify

Learn more


Patch all objects in a collection which match the given query.

All records on the host which match the query will be patched with the provided body.

Args

body
A dictionary of name/value pairs to set on all matching members of the collection. The body argument will be ignored if records is provided.
*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to patch the collection of bars for a particular foo, the foo.name value should be passed.
records
Can be provided in place of a query. If so, this list of objects will be patched on the host.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def post_collection(records: Iterable[_ForwardRef('FileDirectorySecurity')], *args, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> Union[List[FileDirectorySecurity], NetAppResponse]

Applies an SD to the given path. You must keep the following points in mind while using these endpoints: * Either SLAG ACL/s or file-directory ACL/s can be configured in one API call. Both cannot be configured in the same API call. * SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated. * Set access_control field to slag while configuring SLAG ACLs. * Set access_control field to file_directory while configuring file-directory ACLs. By Default access_control field is set to file_directory. * For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".

  • vserver security file-directory ntfs create
  • vserver security file-directory ntfs dacl add
  • vserver security file-directory ntfs sacl add
  • vserver security file-directory policy create
  • vserver security file-directory policy task add
  • vserver security file-directory apply

Learn more


Send this collection of objects to the host as a creation request.

Args

records
A list of Resource objects to send to the server to be created.
*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to create a bar for a particular foo, the foo.name value should be passed.
hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of each object. When hydrate is set to True, poll must also be set to True.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.

Returns

A list of Resource objects matching the provided
type which have been created by the host and returned. This is _not_
 
the same list that was provided, so to continue using the object, you
 

should save this list. If poll is set to False, then a NetAppResponse object is returned instead.

Raises

NetAppRestError: If the API call returned a status code >= 400

Methods

def delete(self, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Remove all SLAG ACLs for specified path. Bulk deletion is supported only for SLAG

Related ONTAP Commands

  • vserver security file-directory remove-slag

Learn more


Send a deletion request to the host for this object.

Args

body
The body of the delete request. This could be a Resource instance or a dictionary object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def get(self, **kwargs) -> NetAppResponse

Retrieves file permissions

  • vserver security file-directory show

Learn more


Fetch the details of the object from the host.

Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def patch(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Updates SD specific Information. For example, owner, group and control-flags. SD specific information of SLAG ACLs is not modifiable.

  • vserver security file-directory ntfs modify

Learn more


Send the difference in the object's state to the host as a modification request.

Calculates the difference in the object's state since the last time we interacted with the host and sends this in the request body.

Args

hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def post(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Applies an SD to the given path. You must keep the following points in mind while using these endpoints: * Either SLAG ACL/s or file-directory ACL/s can be configured in one API call. Both cannot be configured in the same API call. * SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated. * Set access_control field to slag while configuring SLAG ACLs. * Set access_control field to file_directory while configuring file-directory ACLs. By Default access_control field is set to file_directory. * For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".

  • vserver security file-directory ntfs create
  • vserver security file-directory ntfs dacl add
  • vserver security file-directory ntfs sacl add
  • vserver security file-directory policy create
  • vserver security file-directory policy task add
  • vserver security file-directory apply

Learn more


Send this object to the host as a creation request.

Args

hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

Inherited members

class FileDirectorySecuritySchema (*, only: Union[Sequence[str], Set[str]] = None, exclude: Union[Sequence[str], Set[str]] = (), many: bool = False, context: Dict = None, load_only: Union[Sequence[str], Set[str]] = (), dump_only: Union[Sequence[str], Set[str]] = (), partial: Union[bool, Sequence[str], Set[str]] = False, unknown: str = None)

The fields of the FileDirectorySecurity object

Ancestors

  • netapp_ontap.resource.ResourceSchema
  • marshmallow.schema.Schema
  • marshmallow.base.SchemaABC

Class variables

access_control POST

An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value slag is not supported on FlexGroups volumes. The default value is "file-directory".

Valid choices:

  • file_directory
  • slag
acls GET POST

A discretionary access security list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the access control entries (ACEs) in the object's DACL to determine whether to grant access to it.

control_flags GET POST PATCH

Specifies the control flags in the SD. It is a Hexadecimal Value.

Example: 8014

dos_attributes GET

Specifies the file attributes on this file or directory.

Example: 10

effective_style GET

Specifies the effective style of the SD. The following values are supported:

  • unix - UNIX style
  • ntfs - NTFS style
  • mixed - Mixed style
  • unified - Unified style

Valid choices:

  • unix
  • ntfs
  • mixed
  • unified
group GET POST PATCH

Specifies the owner's primary group. You can specify the owner group using either a group name or SID.

Example: S-1-5-21-2233347455-2266964949-1780268902-69700

group_id GET

Specifies group ID on this file or directory.

Example: 2

ignore_paths POST

Specifies that permissions on this file or directory cannot be replaced.

Example: ["/dir1/dir2/","/parent/dir3"]

inode GET

Specifies the File Inode number.

Example: 64

mode_bits GET

Specifies the mode bits on this file or directory.

Example: 777

owner GET POST PATCH

Specifies the owner of the SD. You can specify the owner using either a user name or security identifier (SID). The owner of the SD can modify the permissions on the file (or folder) or files (or folders) to which the SD is applied and can give other users the right to take ownership of the object or objects to which the SD is applied.

Example: S-1-5-21-2233347455-2266964949-1780268902-69304

propagation_mode POST

Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:

  • propogate - propagate inheritable permissions to all subfolders and files
  • replace - replace existing permissions on all subfolders and files with inheritable permissions

Valid choices:

  • propagate
  • replace
security_style GET

Specifies the security style of the SD. The following values are supported:

  • unix - UNIX style
  • ntfs - NTFS style
  • mixed - Mixed style
  • unified - Unified style

Valid choices:

  • unix
  • ntfs
  • mixed
  • unified
text_dos_attr GET

Specifies the textual format of file attributes on this file or directory.

Example: —A----

text_mode_bits GET

Specifies the textual format of mode bits on this file or directory.

Example: rwxrwxrwx

user_id GET

Specifies user ID of this file or directory.

Example: 10