
Retrieve an FPolicy configuration

GET /protocols/fpolicy

Introduced In: 9.6

Retrieves an FPolicy configuration.

  • fpolicy show

  • fpolicy policy show

  • fpolicy policy scope show

  • fpolicy policy event show

  • fpolicy policy external-engine show

Parameters

| Name | Type | In | Required | Description |
| --- | --- | --- | --- | --- |
| svm.uuid | string | query | False | Filter by svm.uuid |
| svm.name | string | query | False | Filter by svm.name |
| engines.format | string | query | False | Filter by engines.format. Introduced in: 9.11. |
| engines.type | string | query | False | Filter by engines.type |
| engines.ssl_option | string | query | False | Filter by engines.ssl_option. Introduced in: 9.11. |
| engines.secondary_servers | string | query | False | Filter by engines.secondary_servers |
| engines.name | string | query | False | Filter by engines.name |
| engines.max_server_requests | integer | query | False | Filter by engines.max_server_requests. Introduced in: 9.11. Max value: 10000. Min value: 1. |
| engines.request_cancel_timeout | string | query | False | Filter by engines.request_cancel_timeout. Introduced in: 9.11. |
| engines.request_abort_timeout | string | query | False | Filter by engines.request_abort_timeout. Introduced in: 9.11. |
| engines.server_progress_timeout | string | query | False | Filter by engines.server_progress_timeout. Introduced in: 9.11. |
| engines.status_request_interval | string | query | False | Filter by engines.status_request_interval. Introduced in: 9.11. |
| engines.port | integer | query | False | Filter by engines.port |
| engines.resiliency.enabled | boolean | query | False | Filter by engines.resiliency.enabled. Introduced in: 9.11. |
| engines.resiliency.directory_path | string | query | False | Filter by engines.resiliency.directory_path. Introduced in: 9.11. |
| engines.resiliency.retention_duration | string | query | False | Filter by engines.resiliency.retention_duration. Introduced in: 9.11. |
| engines.primary_servers | string | query | False | Filter by engines.primary_servers |
| engines.buffer_size.recv_buffer | integer | query | False | Filter by engines.buffer_size.recv_buffer. Introduced in: 9.11. Max value: 7895160. Min value: 0. |
| engines.buffer_size.send_buffer | integer | query | False | Filter by engines.buffer_size.send_buffer. Introduced in: 9.11. Max value: 7895160. Min value: 0. |
| engines.certificate.name | string | query | False | Filter by engines.certificate.name. Introduced in: 9.11. |
| engines.certificate.ca | string | query | False | Filter by engines.certificate.ca. Introduced in: 9.11. |
| engines.certificate.serial_number | string | query | False | Filter by engines.certificate.serial_number. Introduced in: 9.11. |
| events.filters.open_with_delete_intent | boolean | query | False | Filter by events.filters.open_with_delete_intent |
| events.filters.monitor_ads | boolean | query | False | Filter by events.filters.monitor_ads |
| events.filters.close_with_read | boolean | query | False | Filter by events.filters.close_with_read |
| events.filters.open_with_write_intent | boolean | query | False | Filter by events.filters.open_with_write_intent |
| events.filters.setattr_with_size_change | boolean | query | False | Filter by events.filters.setattr_with_size_change |
| events.filters.setattr_with_sacl_change | boolean | query | False | Filter by events.filters.setattr_with_sacl_change |
| events.filters.first_write | boolean | query | False | Filter by events.filters.first_write |
| events.filters.setattr_with_owner_change | boolean | query | False | Filter by events.filters.setattr_with_owner_change |
| events.filters.setattr_with_group_change | boolean | query | False | Filter by events.filters.setattr_with_group_change |
| events.filters.setattr_with_mode_change | boolean | query | False | Filter by events.filters.setattr_with_mode_change |
| events.filters.first_read | boolean | query | False | Filter by events.filters.first_read |
| events.filters.setattr_with_access_time_change | boolean | query | False | Filter by events.filters.setattr_with_access_time_change |
| events.filters.setattr_with_creation_time_change | boolean | query | False | Filter by events.filters.setattr_with_creation_time_change |
| events.filters.setattr_with_dacl_change | boolean | query | False | Filter by events.filters.setattr_with_dacl_change |
| events.filters.exclude_directory | boolean | query | False | Filter by events.filters.exclude_directory |
| events.filters.setattr_with_modify_time_change | boolean | query | False | Filter by events.filters.setattr_with_modify_time_change |
| events.filters.close_with_modification | boolean | query | False | Filter by events.filters.close_with_modification |
| events.filters.offline_bit | boolean | query | False | Filter by events.filters.offline_bit |
| events.filters.write_with_size_change | boolean | query | False | Filter by events.filters.write_with_size_change |
| events.filters.setattr_with_allocation_size_change | boolean | query | False | Filter by events.filters.setattr_with_allocation_size_change |
| events.filters.close_without_modification | boolean | query | False | Filter by events.filters.close_without_modification |
| events.file_operations.rename_dir | boolean | query | False | Filter by events.file_operations.rename_dir |
| events.file_operations.lookup | boolean | query | False | Filter by events.file_operations.lookup |
| events.file_operations.create_dir | boolean | query | False | Filter by events.file_operations.create_dir |
| events.file_operations.read | boolean | query | False | Filter by events.file_operations.read |
| events.file_operations.open | boolean | query | False | Filter by events.file_operations.open |
| events.file_operations.getattr | boolean | query | False | Filter by events.file_operations.getattr |
| events.file_operations.delete_dir | boolean | query | False | Filter by events.file_operations.delete_dir |
| events.file_operations.setattr | boolean | query | False | Filter by events.file_operations.setattr |
| events.file_operations.close | boolean | query | False | Filter by events.file_operations.close |
| events.file_operations.rename | boolean | query | False | Filter by events.file_operations.rename |
| events.file_operations.delete | boolean | query | False | Filter by events.file_operations.delete |
| events.file_operations.write | boolean | query | False | Filter by events.file_operations.write |
| events.file_operations.symlink | boolean | query | False | Filter by events.file_operations.symlink |
| events.file_operations.link | boolean | query | False | Filter by events.file_operations.link |
| events.file_operations.create | boolean | query | False | Filter by events.file_operations.create |
| events.name | string | query | False | Filter by events.name |
| events.protocol | string | query | False | Filter by events.protocol |
| events.volume_monitoring | boolean | query | False | Filter by events.volume_monitoring |
| policies.mandatory | boolean | query | False | Filter by policies.mandatory |
| policies.scope.include_shares | string | query | False | Filter by policies.scope.include_shares |
| policies.scope.exclude_export_policies | string | query | False | Filter by policies.scope.exclude_export_policies |
| policies.scope.include_export_policies | string | query | False | Filter by policies.scope.include_export_policies |
| policies.scope.include_volumes | string | query | False | Filter by policies.scope.include_volumes |
| policies.scope.object_monitoring_with_no_extension | boolean | query | False | Filter by policies.scope.object_monitoring_with_no_extension. Introduced in: 9.11. |
| policies.scope.exclude_extension | string | query | False | Filter by policies.scope.exclude_extension |
| policies.scope.exclude_shares | string | query | False | Filter by policies.scope.exclude_shares |
| policies.scope.include_extension | string | query | False | Filter by policies.scope.include_extension |
| policies.scope.exclude_volumes | string | query | False | Filter by policies.scope.exclude_volumes |
| policies.scope.check_extensions_on_directories | boolean | query | False | Filter by policies.scope.check_extensions_on_directories. Introduced in: 9.11. |
| policies.name | string | query | False | Filter by policies.name |
| policies.passthrough_read | boolean | query | False | Filter by policies.passthrough_read. Introduced in: 9.11. |
| policies.enabled | boolean | query | False | Filter by policies.enabled |
| policies.priority | integer | query | False | Filter by policies.priority. Max value: 10. Min value: 1. |
| policies.engine.name | string | query | False | Filter by policies.engine.name |
| policies.privileged_user | string | query | False | Filter by policies.privileged_user. Introduced in: 9.11. |
| policies.events.name | string | query | False | Filter by policies.events.name |
| fields | array[string] | query | False | Specify the fields to return. |
| max_records | integer | query | False | Limit the number of records returned. |
| return_records | boolean | query | False | The default is true for GET calls. When set to false, only the number of records is returned. Default value: 1. |
| return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When iterating over a collection, the default is 15 seconds. ONTAP returns earlier if either max records or the end of the collection is reached. Max value: 120. Min value: 0. Default value: 1. |
| order_by | array[string] | query | False | Order results by specified fields and optional [asc |

Response

Status: 200, Ok
| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| num_records | integer | Number of records |
| records | array[fpolicy] | |

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "engines": [
        {
          "certificate": {
            "ca": "TASample1",
            "name": "Sample1-FPolicy-Client",
            "serial_number": "8DDE112A114D1FBC"
          },
          "format": "string",
          "max_server_requests": 500,
          "name": "fp_ex_eng",
          "port": 9876,
          "primary_servers": [
            "10.132.145.20",
            "10.140.101.109"
          ],
          "request_abort_timeout": "PT40S",
          "request_cancel_timeout": "PT20S",
          "resiliency": {
            "directory_path": "/dir1",
            "retention_duration": "PT3M"
          },
          "secondary_servers": [
            "10.132.145.20",
            "10.132.145.21"
          ],
          "server_progress_timeout": "PT1M",
          "ssl_option": "string",
          "status_request_interval": "PT10S",
          "type": "string"
        }
      ],
      "events": [
        {
          "name": "event_nfs_close",
          "protocol": "string"
        }
      ],
      "policies": [
        {
          "engine": {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "name": "string"
          },
          "events": [
            "event_nfs_close",
            "event_open"
          ],
          "name": "fp_policy_1",
          "privileged_user": "mydomain\\testuser",
          "scope": {
            "exclude_export_policies": [
              "string"
            ],
            "exclude_extension": [
              "string"
            ],
            "exclude_shares": [
              "string"
            ],
            "exclude_volumes": [
              "vol1",
              "vol_svm1",
              "*"
            ],
            "include_export_policies": [
              "string"
            ],
            "include_extension": [
              "string"
            ],
            "include_shares": [
              "sh1",
              "share_cifs"
            ],
            "include_volumes": [
              "vol1",
              "vol_svm1"
            ]
          }
        }
      ],
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      }
    }
  ]
}

Error

Status: Default, Error
| Name | Type | Description |
| --- | --- | --- |
| error | error | |

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

href

| Name | Type | Description |
| --- | --- | --- |
| href | string | |

| Name | Type | Description |
| --- | --- | --- |
| next | href | |
| self | href | |

| Name | Type | Description |
| --- | --- | --- |
| self | href | |

buffer_size

Specifies the send and receive buffer size of the connected socket for the FPolicy server.

| Name | Type | Description |
| --- | --- | --- |
| recv_buffer | integer | Specifies the receive buffer size of the connected socket for the FPolicy server. Default value is 256KB. |
| send_buffer | integer | Specifies the send buffer size of the connected socket for the FPolicy server. Default value is 1MB. |

certificate

Provides details about the certificate used to authenticate the FPolicy server.

| Name | Type | Description |
| --- | --- | --- |
| ca | string | Specifies the certificate authority (CA) name of the certificate used for authentication if SSL authentication between the SVM and the FPolicy server is configured. |
| name | string | Specifies the certificate name as a fully qualified domain name (FQDN) or custom common name. The certificate is used if SSL authentication between the SVM and the FPolicy server is configured. |
| serial_number | string | Specifies the serial number of the certificate used for authentication if SSL authentication between the SVM and the FPolicy server is configured. |

resiliency

If all primary and secondary servers are down, or if no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified resiliency-directory-path.

| Name | Type | Description |
| --- | --- | --- |
| directory_path | string | Specifies the directory path under the SVM namespace, where notifications are stored in the files whenever a network outage happens. |
| enabled | boolean | Specifies whether the resiliency feature is enabled or not. Default is false. |
| retention_duration | string | Specifies the ISO-8601 duration, for which the notifications are written to files inside the storage controller during a network outage. The value for this field must be between 0 and 600 seconds. Default is 180 seconds. |

fpolicy_engines

Defines how ONTAP makes and manages connections to external FPolicy servers.

| Name | Type | Description |
| --- | --- | --- |
| buffer_size | buffer_size | Specifies the send and receive buffer size of the connected socket for the FPolicy server. |
| certificate | certificate | Provides details about the certificate used to authenticate the FPolicy server. |
| format | string | The format for the notification messages sent to the FPolicy servers. The possible values are: xml - Notifications sent to the FPolicy server will be formatted using the XML schema. protobuf - Notifications sent to the FPolicy server will be formatted using Protobuf schema, which is a binary form. |
| max_server_requests | integer | Specifies the maximum number of outstanding requests that will be queued up for the FPolicy server. The value for this field must be between 1 and 10000. The default values are 500, 1000 or 2000 for Low-end (<64 GB memory), Mid-end (>=64 GB memory) and High-end (>=128 GB memory) platforms respectively. |
| name | string | Specifies the name to assign to the external server configuration. |
| port | integer | Port number of the FPolicy server application. |
| primary_servers | array[string] | |
| request_abort_timeout | string | Specifies the ISO-8601 timeout duration for a screen request to be aborted by a storage appliance. The allowed range is between 0 and 200 seconds. |
| request_cancel_timeout | string | Specifies the ISO-8601 timeout duration for a screen request to be processed by an FPolicy server. The allowed range is between 0 and 100 seconds. |
| resiliency | resiliency | If all primary and secondary servers are down, or if no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified resiliency-directory-path. |
| secondary_servers | array[string] | |
| server_progress_timeout | string | Specifies the ISO-8601 timeout duration in which a throttled FPolicy server must complete at least one screen request. If no request is processed within the timeout, connection to the FPolicy server is terminated. The allowed range is between 0 and 100 seconds. |
| ssl_option | string | Specifies the SSL option for external communication with the FPolicy server. Possible values include the following: no_auth - When set to "no_auth", no authentication takes place. server_auth - When set to "server_auth", only the FPolicy server is authenticated by the SVM. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate. mutual_auth - When set to "mutual_auth", mutual authentication takes place between the SVM and the FPolicy server. This means authentication of the FPolicy server by the SVM along with authentication of the SVM by the FPolicy server. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate along with the public certificate and key file for authentication of the SVM. |
| status_request_interval | string | Specifies the ISO-8601 interval time for a storage appliance to query a status request from an FPolicy server. The allowed range is between 0 and 50 seconds. |
| type | string | The notification mode determines what ONTAP does after sending notifications to FPolicy servers. The possible values are: synchronous - After sending a notification, wait for a response from the FPolicy server. asynchronous - After sending a notification, file request processing continues. Default value: 1. enum: ["synchronous", "asynchronous"]. Introduced in: 9.10. |

file_operations

Specifies the file operations for the FPolicy event. You must specify a valid protocol in the protocol parameter. The event will check the operations specified from all client requests using the protocol.

| Name | Type | Description |
| --- | --- | --- |
| close | boolean | File close operations |
| create | boolean | File create operations |
| create_dir | boolean | Directory create operations |
| delete | boolean | File delete operations |
| delete_dir | boolean | Directory delete operations |
| getattr | boolean | Get attribute operations |
| link | boolean | Link operations |
| lookup | boolean | Lookup operations |
| open | boolean | File open operations |
| read | boolean | File read operations |
| rename | boolean | File rename operations |
| rename_dir | boolean | Directory rename operations |
| setattr | boolean | Set attribute operations |
| symlink | boolean | Symbolic link operations |
| write | boolean | File write operations |

filters

Specifies the list of filters for a given file operation for the specified protocol. When you specify the filters, you must specify the valid protocols and valid file operations.

| Name | Type | Description |
| --- | --- | --- |
| close_with_modification | boolean | Filter the client request for close with modification. |
| close_with_read | boolean | Filter the client request for close with read. |
| close_without_modification | boolean | Filter the client request for close without modification. |
| exclude_directory | boolean | Filter the client requests for directory operations. When this filter is specified, directory operations are not monitored. |
| first_read | boolean | Filter the client requests for the first-read. |
| first_write | boolean | Filter the client requests for the first-write. |
| monitor_ads | boolean | Filter the client request for alternate data stream. |
| offline_bit | boolean | Filter the client request for offline bit set. FPolicy server receives notification only when offline files are accessed. |
| open_with_delete_intent | boolean | Filter the client request for open with delete intent. |
| open_with_write_intent | boolean | Filter the client request for open with write intent. |
| setattr_with_access_time_change | boolean | Filter the client setattr requests for changing the access time of a file or directory. |
| setattr_with_allocation_size_change | boolean | Filter the client setattr requests for changing the allocation size of a file. |
| setattr_with_creation_time_change | boolean | Filter the client setattr requests for changing the creation time of a file or directory. |
| setattr_with_dacl_change | boolean | Filter the client setattr requests for changing dacl on a file or directory. |
| setattr_with_group_change | boolean | Filter the client setattr requests for changing group of a file or directory. |
| setattr_with_mode_change | boolean | Filter the client setattr requests for changing the mode bits on a file or directory. |
| setattr_with_modify_time_change | boolean | Filter the client setattr requests for changing the modification time of a file or directory. |
| setattr_with_owner_change | boolean | Filter the client setattr requests for changing owner of a file or directory. |
| setattr_with_sacl_change | boolean | Filter the client setattr requests for changing sacl on a file or directory. |
| setattr_with_size_change | boolean | Filter the client setattr requests for changing the size of a file. |
| write_with_size_change | boolean | Filter the client request for write with size change. |

fpolicy_events

The information that an FPolicy process needs to determine what file access operations to monitor and for which of the monitored events notifications should be sent to the external FPolicy server.

| Name | Type | Description |
| --- | --- | --- |
| file_operations | file_operations | Specifies the file operations for the FPolicy event. You must specify a valid protocol in the protocol parameter. The event will check the operations specified from all client requests using the protocol. |
| filters | filters | Specifies the list of filters for a given file operation for the specified protocol. When you specify the filters, you must specify the valid protocols and valid file operations. |
| name | string | Specifies the name of the FPolicy event. |
| protocol | string | Protocol for which event is created. If you specify protocol, then you must also specify a valid value for the file operation parameters. The value of this parameter must be one of the following: cifs - for the CIFS protocol. nfsv3 - for the NFSv3 protocol. nfsv4 - for the NFSv4 protocol. |
| volume_monitoring | boolean | Specifies whether volume operation monitoring is required. |

fpolicy_engine_reference

FPolicy external engine

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| name | string | The name of the FPolicy external engine. |

fpolicy_event_reference

FPolicy events

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| name | string | |

scope

| Name | Type | Description |
| --- | --- | --- |
| check_extensions_on_directories | boolean | Specifies whether the file name extension checks also apply to directory objects. If this parameter is set to true, the directory objects are subjected to the same extension checks as regular files. If this parameter is set to false, the directory names are not matched for extensions and notifications are sent for directories even if their name extensions do not match. Default is false. |
| exclude_export_policies | array[string] | |
| exclude_extension | array[string] | |
| exclude_shares | array[string] | |
| exclude_volumes | array[string] | |
| include_export_policies | array[string] | |
| include_extension | array[string] | |
| include_shares | array[string] | |
| include_volumes | array[string] | |
| object_monitoring_with_no_extension | boolean | Specifies whether the extension checks also apply to objects with no extension. If this parameter is set to true, all objects with or without extensions are monitored. Default is false. |

fpolicy_policies

| Name | Type | Description |
| --- | --- | --- |
| enabled | boolean | Specifies if the policy is enabled on the SVM or not. If no value is mentioned for this field but priority is set, then this policy will be enabled. |
| engine | fpolicy_engine_reference | FPolicy external engine |
| events | array[fpolicy_event_reference] | |
| mandatory | boolean | Specifies what action to take on a file access event in a case when all primary and secondary servers are down or no response is received from the FPolicy servers within a given timeout period. When this parameter is set to true, file access events will be denied under these circumstances. |
| name | string | Specifies the name of the policy. |
| passthrough_read | boolean | Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage. |
| priority | integer | Specifies the priority that is assigned to this policy. |
| privileged_user | string | Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format. |
| scope | scope | |

svm

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| name | string | The name of the SVM. |
| uuid | string | The unique identifier of the SVM. |

fpolicy

FPolicy is an infrastructure component of ONTAP that enables partner applications connected to your storage systems to monitor and set file access permissions. Every time a client accesses a file from a storage system, based on the configuration of FPolicy, the partner application is notified about file access.

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| engines | array[fpolicy_engines] | |
| events | array[fpolicy_events] | |
| policies | array[fpolicy_policies] | |
| svm | svm | |

error_arguments

| Name | Type | Description |
| --- | --- | --- |
| code | string | Argument code |
| message | string | Message argument |

error

| Name | Type | Description |
| --- | --- | --- |
| arguments | array[error_arguments] | Message arguments |
| code | string | Error code |
| message | string | Error message |
| target | string | The target parameter that caused the error. |
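
An added example, not part of the ONTAP documentation: a Python audit of a GET /protocols/fpolicy response that flags the settings the definitions above describe as weakening enforcement (ssl_option of no_auth, a policy with enabled or mandatory explicitly false, a policy bound to an asynchronous engine) and engine timeouts above the documented ranges. The sample records, the function names and the finding texts are constructed for illustration; fields missing from a response are treated as unknown and not flagged.

```python
import json
import re

# Constructed sample shaped like the "Example response" on this page; all values invented.
SAMPLE = json.loads("""
{"num_records": 1, "records": [{
  "svm": {"name": "svm1"},
  "engines": [
    {"name": "eng_tls", "type": "synchronous", "ssl_option": "mutual_auth",
     "request_abort_timeout": "PT40S", "status_request_interval": "PT10S"},
    {"name": "eng_plain", "type": "asynchronous", "ssl_option": "no_auth",
     "request_abort_timeout": "PT5M", "status_request_interval": "PT10S"}
  ],
  "policies": [
    {"name": "pol_block", "enabled": true, "mandatory": true,
     "engine": {"name": "eng_tls"}},
    {"name": "pol_watch", "enabled": false, "mandatory": false,
     "engine": {"name": "eng_plain"}}
  ]
}]}
""")

# Upper bounds in seconds, taken from the fpolicy_engines definitions on this page.
DURATION_LIMITS = {
    "request_abort_timeout": 200,
    "request_cancel_timeout": 100,
    "server_progress_timeout": 100,
    "status_request_interval": 50,
}

_DURATION = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")


def duration_seconds(value):
    """Convert the PTnHnMnS subset of ISO-8601 (e.g. PT40S, PT3M) to seconds."""
    match = _DURATION.fullmatch(value)
    if match is None or not any(match.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def audit(response):
    """Return (svm, object, issue) tuples for one GET /protocols/fpolicy response."""
    findings = []
    for rec in response.get("records", []):
        svm = rec.get("svm", {}).get("name", "<unknown>")
        engines = {e.get("name"): e for e in rec.get("engines", [])}
        for name, eng in engines.items():
            if eng.get("ssl_option") == "no_auth":
                findings.append((svm, f"engine {name}",
                                 "ssl_option=no_auth (FPolicy server not authenticated)"))
            for field, limit in DURATION_LIMITS.items():
                if field in eng and duration_seconds(eng[field]) > limit:
                    findings.append((svm, f"engine {name}",
                                     f"{field}={eng[field]} exceeds {limit}s"))
        for pol in rec.get("policies", []):
            name = pol.get("name")
            # Only explicit false is flagged; an absent field may just be unrequested.
            if pol.get("enabled") is False:
                findings.append((svm, f"policy {name}", "policy disabled"))
            if pol.get("mandatory") is False:
                findings.append((svm, f"policy {name}",
                                 "mandatory=false (access not denied when servers are unreachable)"))
            eng = engines.get(pol.get("engine", {}).get("name"), {})
            if eng.get("type") == "asynchronous":
                findings.append((svm, f"policy {name}",
                                 "asynchronous engine (file requests do not wait for the server)"))
    return findings


if __name__ == "__main__":
    for svm, obj, issue in audit(SAMPLE):
        print(f"{svm}: {obj}: {issue}")
```
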