Carl,
What is your use case, what are you trying to achieve? Is it a big once-off
permissions change you want to implement or an ongoing requirement to be
regularly changing permissions back to some standard? The ONTAP ansible
modules seem to have everything you'd need, i.e. create the SD, add the
DACLs, create policy and tasks. I'm not sure what a Windows/NTFS-centric
Ansible collection would offer (assuming it exists), but I expect executing
file permission changes directly on the filer would be faster than via a
CIFS client so there's that benefit.
One thing I guess is that any "idempotence" of using ONTAP ansible modules
for something like this is a bit of an illusion, because it's the ONTAP
config of 'ntfs-sd's, DACLs and policy tasks that you're actually keeping
consistent, not directly the permissions themselves. Looking at the ansible
module for file-directory policy, it would execute the policy if a change
was made to it like a new task is added, but not if you just need it to run
because you know the actual NTFS permissions need a tune up, it's using
that ONTAP policy configuration to manage idempotence, which is the right
thing to do, but isn't really what you would be expecting in practice.
Cheers
Graham
On Sun., 24 Oct. 2021, 4:10 am Carl Howell, <chowell@uwf.edu> wrote:
> Thanks Graham!
>
> So, if you're trying to set NTFS ACLs via Ansible, is there a benefit to
> doing it through the ONTAP Ansible Collection > ONTAP Policy > ntfs-sd, or
> would it be simpler, and perhaps more portable, to do it via an
> Ansible/Windows/NTFS Collection (if such a thing exists)?
>
> Thanks
>
> --Carl
>
> On Sat, Oct 23, 2021 at 9:42 AM Timothy Naple <tnaple@berkcom.com> wrote:
>
>> Carl,
>>
>> First I would see if you have created any security descriptors yet:
>> vserver security file-directory ntfs show
>>
>> If not, then create one:
>> vserver security file-directory ntfs create
>>
>> And then you can modify it.
>>
>> Here is a link that might be helpful as well:
>>
>> https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-900%2Fvserver__security__file-directory__ntfs__modify.html
>>
>> Thank you,
>> Tim
>>
>> ------------------------------
>> *From:* Toasters <toasters-bounces@teaparty.net> on behalf of Carl
>> Howell <chowell@uwf.edu>
>> *Sent:* Saturday, October 23, 2021 7:03 AM
>> *To:* Toasters <toasters@teaparty.net>
>> *Subject:* Security Descriptor noob question
>>
>> I have a test volume with a CIFS share and default permissions. If I want
>> to modify the NTFS permissions using either vserver security file-directory
>> ntfs modify... or something like Ansible, how do I find the security
>> descriptor to modify (ntfs-sd):
>>
>> vserver security file-directory show -vserver svm1 -path /test4 -instance
>>
>> Vserver: svm1
>> File Path: /test4
>> File Inode Number: 64
>> Security Style: ntfs
>> Effective Style: ntfs
>> DOS Attributes: 10
>> DOS Attributes in Text: ----D---
>> Expanded Dos Attributes: -
>> UNIX User Id: 0
>> UNIX Group Id: 0
>> UNIX Mode Bits: 777
>> UNIX Mode Bits in Text: rwxrwxrwx
>> ACLs: NTFS Security Descriptor
>> Control:0x8004
>> Owner:BUILTIN\Administrators
>> Group:BUILTIN\Administrators
>> DACL - ACEs
>> ALLOW-Everyone-0x1f01ff
>> ALLOW-Everyone-0x10000000-OI|CI|IO
>>
>> Feel like I'm missing something obvious here. . .
>>
>> Thanks,
>>
>> --Carl
>>
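
Added example, not part of the thread or of any NetApp tooling: since the Ansible modules keep the ONTAP ntfs-sd/policy configuration consistent rather than the permissions on the path itself, detecting drift needs a separate check of the effective DACL. This Python sketch parses the DACL lines of the file-directory show output quoted above and diffs them against a desired set; the desired ACE and the function names are constructed for illustration.

```python
import re

# Standard Windows access-mask bits (generic and standard rights).
BITS = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
        0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
        0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
        0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
        0x00100000: "SYNCHRONIZE"}
FILE_ALL_ACCESS = 0x001F01FF  # what Windows displays as "Full control"
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

# DACL section as quoted in the thread for /test4.
SHOW_OUTPUT = """\
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\\Administrators
Group:BUILTIN\\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
"""

def parse_aces(text):
    """Return {(type, account, mask, flags)} for the lines after 'DACL - ACEs'."""
    aces, in_dacl = set(), False
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line) if in_dacl else None
        if m:
            flags = frozenset(m.group(4).split("|")) if m.group(4) else frozenset()
            aces.add((m.group(1), m.group(2), int(m.group(3), 16), flags))
        else:  # any non-ACE line ends the section unless it is the header
            in_dacl = line.startswith("DACL - ACEs")
    return aces

def rights(mask):
    """Decode an access mask into readable right names."""
    if mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS:
        return ["FULL_CONTROL"]
    names = [n for bit, n in sorted(BITS.items()) if mask & bit]
    low = mask & 0xFFFF  # object-specific bits are left numeric
    return names + ([f"specific:{low:#x}"] if low else [])

def drift(actual, desired):
    """ACEs missing from the path, and ACEs present but not intended."""
    return desired - actual, actual - desired

if __name__ == "__main__":
    # Constructed desired state, for illustration only.
    desired = {("ALLOW", "BUILTIN\\Administrators", FILE_ALL_ACCESS, frozenset({"OI", "CI"}))}
    missing, unexpected = drift(parse_aces(SHOW_OUTPUT), desired)
    for ace in sorted(unexpected, key=lambda a: a[2]):
        print("unexpected:", ace[0], ace[1], rights(ace[2]), sorted(ace[3]))
```

Run against the default share permissions shown in the thread, both Everyone ACEs are reported as unexpected and the intended Administrators ACE as missing.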