Carl,
What is your use case, what are you trying to achieve? Is it a big once-off permissions change you want to implement or an ongoing requirement to be regularly changing permissions back to some standard? The ONTAP Ansible modules seem to have everything you'd need, i.e. create the SD, add the DACLs, create policy and tasks. I'm not sure what a Windows/NTFS centric Ansible collection would offer (assuming it exists), but I expect executing file permission changes directly on the filer would be faster than via a CIFS client so there's that benefit.
One thing I guess is that any "idempotence" of using ONTAP Ansible modules for something like this is a bit of an illusion, because it's the ONTAP config of 'ntfs-sd's, DACLs and policy tasks that you're actually keeping consistent, not directly the permissions themselves. Looking at the Ansible module for file-directory policy, it would execute the policy if a change was made to it, like a new task being added, but not if you just need it to run because you know the actual NTFS permissions need a tune up. It's using that ONTAP policy configuration to manage idempotence, which is the right thing to do, but isn't really what you would be expecting in practice.
Cheers Graham
On Sun., 24 Oct. 2021, 4:10 am Carl Howell, chowell@uwf.edu wrote:
Thanks Graham!
So, if you're trying to set NTFS ACLs via Ansible, is there a benefit to doing it through the ONTAP Ansible Collection > ONTAP Policy > ntfs-sd, or would it be simpler, and perhaps more portable, to do it via an Ansible/Windows/NTFS Collection (if such a thing exists)?
Thanks
--Carl
On Sat, Oct 23, 2021 at 9:42 AM Timothy Naple tnaple@berkcom.com wrote:
Carl,
First I would see if you have created any security descriptors yet: vserver security file-directory ntfs show
If not, then create one: vserver security file-directory ntfs create
And then you can modify it.
Here is a link that might be helpful as well:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmp...
Thank you, Tim
*From:* Toasters toasters-bounces@teaparty.net on behalf of Carl Howell chowell@uwf.edu
*Sent:* Saturday, October 23, 2021 7:03 AM
*To:* Toasters toasters@teaparty.net
*Subject:* Security Descriptor noob question
I have a test volume with a CIFS share and default permissions. If I want to modify the NTFS permissions using either vserver security file-directory ntfs modify... or something like Ansible, how do I find the security descriptor to modify (ntfs-sd):
vserver security file-directory show -vserver svm1 -path /test4 -instance

                Vserver: svm1
              File Path: /test4
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO
Feel like I'm missing something obvious here. . .
Thanks,
--Carl
Toasters mailing list Toasters@teaparty.net https://www.teaparty.net/mailman/listinfo/toasters
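Added example, not part of the original thread: a small Python audit that parses the "DACL - ACEs" lines in the form shown in the output above, decodes the Windows access mask and inheritance flags, and reports ACEs that grant full control to a broad principal. The DENY prefix, the BROAD principal list and the function names are assumptions of this example; the two sample ACEs are the ones from the posted output.

```python
import re

# Windows ACCESS_MASK bits: generic rights, standard rights, file-specific low bits.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
STANDARD = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
            0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
            0x00100000: "SYNCHRONIZE"}
FILE_ALL_ACCESS = 0x001F01FF          # what Windows shows as "Full control"
INHERIT = {"OI": "files", "CI": "sub-folders"}
# Assumption: principals treated as "broad" for this audit.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

# Greedy account group keeps hyphens inside names such as MY-DOM\user.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    kind, account, mask, flags = m.groups()
    return {"type": kind, "account": account, "mask": int(mask, 16),
            "flags": flags.split("|") if flags else []}

def rights(mask):
    names = [n for bit, n in {**GENERIC, **STANDARD}.items() if mask & bit]
    if mask & 0x1FF:
        names.append(f"file-specific:0x{mask & 0x1FF:03x}")
    return names

def is_full_control(mask):
    return bool(mask & 0x10000000) or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS

def scope(flags):
    kids = [INHERIT[f] for f in flags if f in INHERIT]
    if not kids:
        return "this folder only"
    return ("" if "IO" in flags else "this folder, ") + ", ".join(kids)

def audit(ace_lines):
    """Return (account, mask, scope) for broad principals with full control."""
    findings = []
    for ace in map(parse_ace, ace_lines):
        if (ace["type"] == "ALLOW" and ace["account"].lower() in BROAD
                and is_full_control(ace["mask"])):
            findings.append((ace["account"], hex(ace["mask"]), scope(ace["flags"])))
    return findings

# The two ACEs from the `-instance` output in the thread.
SAMPLE = ["ALLOW-Everyone-0x1f01ff", "ALLOW-Everyone-0x10000000-OI|CI|IO"]
```

Run against the posted output, both default ACEs are reported: the first covers /test4 itself, the second is inherit-only and reaches the files and sub-folders beneath it.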