The use case is a volume with folders that have very specific permissions set on them. I agree with you. I think the ONTAP ansible modules are a good fit here.

Thanks for the great feedback.

--Carl

On Sat, Oct 23, 2021 at 6:35 PM Graham McGeown <mcg.graham@gmail.com> wrote:
Carl,

What is your use case, what are you trying to achieve? Is it a big once-off permissions change you want to implement or an ongoing requirement to be regularly changing permissions back to some standard? The ONTAP ansible modules seem to have everything you'd need, i.e. create the SD, add the DACLs, create policy and tasks. I'm not sure what a windows/NTFS centric ansible collection would offer (assuming it exists), but I expect executing file permission changes directly on the filer would be faster than via a CIFS client so theres that benefit. 

One thing I guess is that any "idempotence" of using ONTAP ansible modules for something like this is a bit of an illusion, because it's the ONTAP config of 'ntfs-sd's, DACLs and policy tasks that you're actually keeping consistent, not directly the permissions themselves. Looking at the ansible module for file-directory policy, it would execute the policy if a change was made to it like a new task is added, but not if you just need it to run because you know the actual NTFS permissions need a tune up, it's using that ONTAP policy configuration to manage idempotence, which is the right thing to do, but isn't really what you would be expecting in practice. 

Cheers
Graham


On Sun., 24 Oct. 2021, 4:10 am Carl Howell, <chowell@uwf.edu> wrote:
Thanks Graham!

So, if you're trying to set NTFS ACL's via Ansible, is there a benefit to doing it through the ONTAP Ansible Collection > ONTAP Policy > ntfs-sd, or would it be simpler, and perhaps more portable, to do it via an Ansible/WIndows/NTFS Collection(if such a thing exists)? 

Thanks

--Carl

On Sat, Oct 23, 2021 at 9:42 AM Timothy Naple <tnaple@berkcom.com> wrote:
Carl,

First I would see if you have created any security descriptors yet:
vserver security file-directory ntfs show 

If not, then create one:
vserver security file-directory ntfs create

And then you can modify it.

Here is a link that might be helpful as well:

Thank you,
Tim


From: Toasters <toasters-bounces@teaparty.net> on behalf of Carl Howell <chowell@uwf.edu>
Sent: Saturday, October 23, 2021 7:03 AM
To: Toasters <toasters@teaparty.net>
Subject: Security Descriptor noob question
 
I have a test volume with a CIFS share and default permissions. If I want to modify the NTFS permissions using either vserver security file-directory ntfs modify...or something like Ansible, how do I find the security descriptor to modify(ntfs-sd):

vserver security file-directory show -vserver svm1 -path /test4 -instance

                Vserver: svm1
              File Path: /test4
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO

Feel like I'm missing something obvious here. . .

Thanks,

--Carl
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters