Create an FPolicy configuration
POST /protocols/fpolicy
Introduced In: 9.6
Creates an FPolicy configuration.
Required properties
- svm.uuid or svm.name - Existing SVM in which to create the FPolicy configuration.
Recommended optional properties
- engines - External server to which the notifications will be sent.
- events - File operations to monitor.
- policies - Policy configuration which acts as a container for FPolicy event and FPolicy engine.
- scope - Scope of the policy. Can be limited to exports, volumes, shares or file extensions.
Default property values
If not specified in POST, the following default property values are assigned:
- engines.type - synchronous
- policies.engine - native
- policies.mandatory - true
- events.volume_monitoring - false
- events.file_operations.* - false
- events.filters.* - false
- events.monitor_fileop_failure.* - false
Related ONTAP commands
- fpolicy policy event create
- fpolicy policy external-engine create
- fpolicy policy create
- fpolicy policy scope create
- fpolicy enable
- fpolicy persistent-store create
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
engines | array[fpolicy_engines] | |
events | array[fpolicy_events] | |
persistent_stores | array[fpolicy_persistent_stores] | |
policies | array[fpolicy_policies] | |
svm | svm | SVM, applies only to SVM-scoped objects. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"engines": [
{
"certificate": {
"ca": "TASample1",
"name": "Sample1-FPolicy-Client",
"serial_number": "8DDE112A114D1FBC"
},
"format": "string",
"keep_alive_interval": "PT2M",
"max_server_requests": 500,
"name": "fp_ex_eng",
"port": 9876,
"primary_servers": [
"10.132.145.20",
"10.140.101.109"
],
"request_abort_timeout": "PT40S",
"request_cancel_timeout": "PT20S",
"resiliency": {
"directory_path": "/dir1",
"retention_duration": "PT3M"
},
"secondary_servers": [
"10.132.145.20",
"10.132.145.21"
],
"server_progress_timeout": "PT1M",
"ssl_option": "string",
"status_request_interval": "PT10S",
"type": "string"
}
],
"events": [
{
"name": "event_cifs",
"protocol": "string"
}
],
"persistent_stores": [
{
"name": "ps1",
"volume": "psvol"
}
],
"policies": [
{
"engine": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string"
},
"events": [
"event_cifs",
"event_open"
],
"name": "fp_policy_1",
"persistent_store": "ps1",
"priority": 1,
"privileged_user": "mydomain\\testuser",
"scope": {
"exclude_export_policies": [
"string"
],
"exclude_extension": [
"string"
],
"exclude_shares": [
"string"
],
"exclude_volumes": [
"vol1",
"vol_svm1",
"*"
],
"include_export_policies": [
"string"
],
"include_extension": [
"string"
],
"include_shares": [
"sh1",
"share_cifs"
],
"include_volumes": [
"vol1",
"vol_svm1"
]
}
}
],
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
}
}
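The example request above uses placeholder values. The following is an added Python example, not code from this page or from NetApp, that assembles a request body with the documented defaults made explicit (synchronous engine, native engine when none is given, mandatory policy, event monitoring flags off) and builds the POST. Assumptions not stated on this page: the REST base path /api and HTTP basic authentication, the event protocol value "cifs" and the ssl_option value "mutual_auth" (both value lists are truncated above), and the function names build_fpolicy_body, fpolicy_request and send.

```python
import base64
import json
import urllib.request

# Defaults this endpoint applies when a field is omitted (see "Default property values").
EVENT_DEFAULTS = {"volume_monitoring": False, "monitor_fileop_failure": False}


def build_fpolicy_body(svm_uuid, event, policy, engine=None):
    """Assemble a POST /protocols/fpolicy body with the page's defaults made explicit.

    svm.uuid is the only required property. event, policy and engine are dicts
    keyed by the request-body field names; caller-supplied values win over
    defaults. Without an engine the policy uses the documented default "native".
    """
    body = {"svm": {"uuid": svm_uuid}, "events": [{**EVENT_DEFAULTS, **event}]}
    pol = {"mandatory": True, **policy}             # documented default: fail closed
    pol.setdefault("events", [event["name"]])        # policy must reference its event
    if engine is not None:
        body["engines"] = [{"type": "synchronous", **engine}]   # documented default type
        pol.setdefault("engine", {"name": engine["name"]})
    else:
        pol.setdefault("engine", {"name": "native"})
    body["policies"] = [pol]
    return body


def fpolicy_request(host, body, user, password, return_records=True):
    """Build the HTTP request without sending it.

    Assumptions: the ONTAP REST base path is /api and basic auth is accepted.
    """
    url = f"https://{host}/api/protocols/fpolicy"
    if return_records:
        url += "?return_records=true"            # query parameter documented above
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def send(req):
    """Send the request; return (status, Location header, parsed body). Expects 201.

    urlopen raises HTTPError for the Default error status, whose JSON body
    carries the ONTAP error code and message shown in the Error section.
    """
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location"), json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the SVM UUID is the one from the example request.
    body = build_fpolicy_body(
        "02c9e252-41be-11e9-81d5-00a0986138f7",
        event={"name": "event_cifs", "protocol": "cifs",  # "cifs" is an assumption
               "file_operations": {"create": True, "write": True,
                                   "rename": True, "delete": True}},
        policy={"name": "fp_policy_1", "scope": {"include_shares": ["share_cifs"]}},
        engine={"name": "fp_ex_eng", "primary_servers": ["10.132.145.20"], "port": 9876,
                "ssl_option": "mutual_auth",          # value is an assumption
                "certificate": {"ca": "TASample1", "name": "Sample1-FPolicy-Client",
                                "serial_number": "8DDE112A114D1FBC"}},
    )
    print(json.dumps(body, indent=2))
    # send(fpolicy_request("cluster.example", body, "admin", "secret"))  # needs a live cluster
```

Note that the policy only becomes enforced once it is enabled (the `enabled` field or `fpolicy enable`); this block creates the configuration and checks nothing about the FPolicy server itself.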
Response
Status: 201, Created
Name | Type | Description |
---|---|---|
_links | _links | |
num_records | integer | Number of records |
records | array[fpolicy] | |
Example response
{
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"num_records": 1,
"records": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"engines": [
{
"certificate": {
"ca": "TASample1",
"name": "Sample1-FPolicy-Client",
"serial_number": "8DDE112A114D1FBC"
},
"format": "string",
"keep_alive_interval": "PT2M",
"max_server_requests": 500,
"name": "fp_ex_eng",
"port": 9876,
"primary_servers": [
"10.132.145.20",
"10.140.101.109"
],
"request_abort_timeout": "PT40S",
"request_cancel_timeout": "PT20S",
"resiliency": {
"directory_path": "/dir1",
"retention_duration": "PT3M"
},
"secondary_servers": [
"10.132.145.20",
"10.132.145.21"
],
"server_progress_timeout": "PT1M",
"ssl_option": "string",
"status_request_interval": "PT10S",
"type": "string"
}
],
"events": [
{
"name": "event_cifs",
"protocol": "string"
}
],
"persistent_stores": [
{
"name": "ps1",
"volume": "psvol"
}
],
"policies": [
{
"engine": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string"
},
"events": [
"event_cifs",
"event_open"
],
"name": "fp_policy_1",
"persistent_store": "ps1",
"priority": 1,
"privileged_user": "mydomain\\testuser",
"scope": {
"exclude_export_policies": [
"string"
],
"exclude_extension": [
"string"
],
"exclude_shares": [
"string"
],
"exclude_volumes": [
"vol1",
"vol_svm1",
"*"
],
"include_export_policies": [
"string"
],
"include_extension": [
"string"
],
"include_shares": [
"sh1",
"share_cifs"
],
"include_volumes": [
"vol1",
"vol_svm1"
]
}
}
],
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
}
}
]
}
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
9765032 | The FPolicy engine, FPolicy event or FPolicy policy specified already exists |
9765031 | If creation of the FPolicy engine, FPolicy event or FPolicy policy fails because of a systematic error or hardware failure, the cause of the failure is detailed in the error message |
2621706 | The SVM UUID specified belongs to a different SVM |
2621462 | The SVM name specified does not exist |
Name | Type | Description |
---|---|---|
error | returned_error | |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
buffer_size
Specifies the send and receive buffer size of the connected socket for the FPolicy server.
Name | Type | Description |
---|---|---|
recv_buffer | integer | Specifies the receive buffer size of the connected socket for the FPolicy server. Default value is 256KB. |
send_buffer | integer | Specifies the send buffer size of the connected socket for the FPolicy server. Default value is 1MB. |
certificate
Provides details about the certificate used to authenticate the FPolicy server.
Name | Type | Description |
---|---|---|
ca | string | Specifies the certificate authority (CA) name of the certificate used for authentication if SSL authentication between the SVM and the FPolicy server is configured. |
name | string | Specifies the certificate name as a fully qualified domain name (FQDN) or custom common name. The certificate is used if SSL authentication between the SVM and the FPolicy server is configured. |
serial_number | string | Specifies the serial number of the certificate used for authentication if SSL authentication between the SVM and the FPolicy server is configured. |
resiliency
If all primary and secondary servers are down, or if no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified resiliency-directory-path.
Name | Type | Description |
---|---|---|
directory_path | string | Specifies the directory path under the SVM namespace where notifications are stored in files whenever a network outage happens. |
enabled | boolean | Specifies whether the resiliency feature is enabled or not. Default is false. |
retention_duration | string | Specifies the ISO-8601 duration for which the notifications are written to files inside the storage controller during a network outage. The value for this field must be between 0 and 600 seconds. Default is 180 seconds. |
fpolicy_engines
Defines how ONTAP makes and manages connections to external FPolicy servers.
Name | Type | Description |
---|---|---|
buffer_size | buffer_size | Specifies the send and receive buffer size of the connected socket for the FPolicy server. |
certificate | certificate | Provides details about the certificate used to authenticate the FPolicy server. |
format | string | The format for the notification messages sent to the FPolicy servers. The possible values are: |
keep_alive_interval | string | Specifies the ISO-8601 interval at which a storage appliance sends a Keep Alive message to an FPolicy server. The allowed range is between 10 and 600 seconds. |
max_server_requests | integer | Specifies the maximum number of outstanding requests for the FPolicy server. It is used to specify the maximum number of outstanding requests that will be queued up for the FPolicy server. The value for this field must be between 1 and 10000. The default values are 500, 1000 or 2000 for Low-end (<64 GB memory), Mid-end (>=64 GB memory) and High-end (>=128 GB memory) platforms respectively. |
name | string | Specifies the name to assign to the external server configuration. |
port | integer | Port number of the FPolicy server application. |
primary_servers | array[string] | |
request_abort_timeout | string | Specifies the ISO-8601 timeout duration after which a screen request is aborted by a storage appliance. The allowed range is between 0 and 200 seconds. |
request_cancel_timeout | string | Specifies the ISO-8601 timeout duration within which a screen request must be processed by an FPolicy server. The allowed range is between 0 and 100 seconds. |
resiliency | resiliency | If all primary and secondary servers are down, or if no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified resiliency-directory-path. |
secondary_servers | array[string] | |
server_progress_timeout | string | Specifies the ISO-8601 timeout duration in which a throttled FPolicy server must complete at least one screen request. If no request is processed within the timeout, the connection to the FPolicy server is terminated. The allowed range is between 0 and 100 seconds. |
ssl_option | string | Specifies the SSL option for external communication with the FPolicy server. Possible values include the following: |
status_request_interval | string | Specifies the ISO-8601 interval at which a storage appliance sends a status request to an FPolicy server. The allowed range is between 0 and 50 seconds. |
type | string | The notification mode determines what ONTAP does after sending notifications to FPolicy servers. The possible values are: |
file_operations
Specifies the file operations for the FPolicy event. You must specify a valid protocol in the protocol parameter. The event will check the operations specified from all client requests using the protocol.
Name | Type | Description |
---|---|---|
access | boolean | Access operations |
close | boolean | File close operations |
create | boolean | File create operations |
create_dir | boolean | Directory create operations |
delete | boolean | File delete operations |
delete_dir | boolean | Directory delete operations |
getattr | boolean | Get attribute operations |
link | boolean | Link operations |
lookup | boolean | Lookup operations |
open | boolean | File open operations |
read | boolean | File read operations |
rename | boolean | File rename operations |
rename_dir | boolean | Directory rename operations |
setattr | boolean | Set attribute operations |
symlink | boolean | Symbolic link operations |
write | boolean | File write operations |
filters
Specifies the list of filters for a given file operation for the specified protocol. When you specify filters, you must also specify a valid protocol and valid file operations.
Name | Type | Description |
---|---|---|
close_with_modification | boolean | Filter the client request for close with modification. |
close_with_read | boolean | Filter the client request for close with read. |
close_without_modification | boolean | Filter the client request for close without modification. |
exclude_directory | boolean | Filter the client requests for directory operations. When this filter is specified, directory operations are not monitored. |
first_read | boolean | Filter the client requests for the first read. |
first_write | boolean | Filter the client requests for the first write. |
monitor_ads | boolean | Filter the client request for alternate data streams. |
offline_bit | boolean | Filter the client request for the offline bit being set. The FPolicy server receives a notification only when offline files are accessed. |
open_with_delete_intent | boolean | Filter the client request for open with delete intent. |
open_with_write_intent | boolean | Filter the client request for open with write intent. |
setattr_with_access_time_change | boolean | Filter the client setattr requests for changing the access time of a file or directory. |
setattr_with_allocation_size_change | boolean | Filter the client setattr requests for changing the allocation size of a file. |
setattr_with_creation_time_change | boolean | Filter the client setattr requests for changing the creation time of a file or directory. |
setattr_with_dacl_change | boolean | Filter the client setattr requests for changing the DACL on a file or directory. |
setattr_with_group_change | boolean | Filter the client setattr requests for changing the group of a file or directory. |
setattr_with_mode_change | boolean | Filter the client setattr requests for changing the mode bits on a file or directory. |
setattr_with_modify_time_change | boolean | Filter the client setattr requests for changing the modification time of a file or directory. |
setattr_with_owner_change | boolean | Filter the client setattr requests for changing the owner of a file or directory. |
setattr_with_sacl_change | boolean | Filter the client setattr requests for changing the SACL on a file or directory. |
setattr_with_size_change | boolean | Filter the client setattr requests for changing the size of a file. |
write_with_size_change | boolean | Filter the client request for write with size change. |
fpolicy_events
The information that an FPolicy process needs to determine which file access operations to monitor and for which of the monitored events notifications should be sent to the external FPolicy server.
Name | Type | Description |
---|---|---|
file_operations | file_operations | Specifies the file operations for the FPolicy event. You must specify a valid protocol in the protocol parameter. The event will check the operations specified from all client requests using the protocol. |
filters | filters | Specifies the list of filters for a given file operation for the specified protocol. When you specify filters, you must also specify a valid protocol and valid file operations. |
monitor_fileop_failure | boolean | Specifies whether monitoring of failed file operations is required. |
name | string | Specifies the name of the FPolicy event. |
protocol | string | Protocol for which the event is created. If you specify protocol, then you must also specify a valid value for the file operation parameters. The value of this parameter must be one of the following: |
volume_monitoring | boolean | Specifies whether volume operation monitoring is required. |
fpolicy_persistent_stores
The information that an FPolicy process needs in order to configure a persistent store.
Name | Type | Description |
---|---|---|
name | string | The name specified for the FPolicy persistent store. |
volume | string | The specified volume to store the events for the FPolicy persistent store. |
fpolicy_engine_reference
FPolicy external engine
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the FPolicy external engine. |
fpolicy_event_reference
FPolicy events
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | |
scope
Name | Type | Description |
---|---|---|
check_extensions_on_directories | boolean | Specifies whether the file name extension checks also apply to directory objects. If this parameter is set to true, directory objects are subjected to the same extension checks as regular files. If this parameter is set to false, directory names are not matched for extensions and notifications are sent for directories even if their name extensions do not match. Default is false. |
exclude_export_policies | array[string] | |
exclude_extension | array[string] | |
exclude_shares | array[string] | |
exclude_volumes | array[string] | |
include_export_policies | array[string] | |
include_extension | array[string] | |
include_shares | array[string] | |
include_volumes | array[string] | |
object_monitoring_with_no_extension | boolean | Specifies whether the extension checks also apply to objects with no extension. If this parameter is set to true, all objects with or without extensions are monitored. Default is false. |
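The two boolean flags above change what an extension-scoped policy actually sees: with the defaults, directories still generate notifications even though their names do not match, while a file with no extension at all is silently outside the scope. The following added Python example (not code from this page or from NetApp) models just the extension-related scope fields so those gaps can be checked before a policy is deployed. Assumptions: the function names extension_in_scope and _extension, and that an extension listed in exclude_extension takes precedence over include_extension, which this page does not state.

```python
import posixpath


def _extension(path):
    """Return the extension of the path's final component without its dot, or '' if none."""
    base = posixpath.basename(path.rstrip("/"))
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot and ext else ""


def extension_in_scope(scope, path, is_dir=False):
    """Decide whether the extension rules of a policy scope let an object through.

    Models only include_extension, exclude_extension,
    check_extensions_on_directories and object_monitoring_with_no_extension,
    using this page's defaults (both booleans false). Volume, share and export
    policy scoping are not modelled. Assumption: exclude wins over include.
    """
    include = {e.lower().lstrip(".") for e in scope.get("include_extension", [])}
    exclude = {e.lower().lstrip(".") for e in scope.get("exclude_extension", [])}

    # Default: directory names are not matched, so directories are always reported.
    if is_dir and not scope.get("check_extensions_on_directories", False):
        return True

    ext = _extension(path)
    if ext in exclude:
        return False                      # assumed precedence of the exclude list
    if not include:
        return True                       # no include list: nothing is filtered by extension
    if ext == "":
        # Default false: objects without an extension fall outside an include list.
        return scope.get("object_monitoring_with_no_extension", False)
    return ext in include


if __name__ == "__main__":
    # Constructed sample scope: monitor Office documents only.
    scope = {"include_extension": ["docx", "xlsx"]}
    for p, d in [("/vol1/share_cifs/report.docx", False),
                 ("/vol1/share_cifs/README", False),
                 ("/vol1/share_cifs/archive", True)]:
        print(p, "dir" if d else "file", "->", extension_in_scope(scope, p, d))
```

The extension-less file is the case to notice: a policy meant to catch writes to documents will not see such a file unless object_monitoring_with_no_extension is set, so a scope written for a narrow file type needs that flag considered deliberately.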
fpolicy_policies
Name | Type | Description |
---|---|---|
allow_privileged_access | boolean | Specifies whether privileged access is required for FPolicy servers. Privileged access is used when the FPolicy server requires direct access to the cluster nodes. When this parameter is set to true, FPolicy servers can access files on the cluster using a separate data channel with privileged access. Because the FPolicy server then reads data over its own channel as the privileged_user, both that account and the server should be treated as privileged components. |
enabled | boolean | Specifies whether the policy is enabled on the SVM. If no value is given for this field but priority is set, the policy is enabled. |
engine | fpolicy_engine_reference | FPolicy external engine |
events | array[fpolicy_event_reference] | |
mandatory | boolean | Specifies what action to take on a file access event when all primary and secondary servers are down or no response is received from the FPolicy servers within the given timeout period. When this parameter is set to true, file access events are denied under these circumstances (fail closed); when it is set to false, access proceeds without screening (fail open). |
name | string | Specifies the name of the policy. |
passthrough_read | boolean | Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage. |
persistent_store | string | Specifies the persistent store name. This can then be used to enable persistent mode for FPolicy events. |
priority | integer | Specifies the priority that is assigned to this policy. |
privileged_user | string | Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format. |
scope | scope | |
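The fpolicy_engines table documents hard ranges for every ISO-8601 duration and for max_server_requests, and the fpolicy_policies table documents the fail-open behaviour of mandatory=false and the required "domain\username" form of privileged_user. The following added Python example (not code from this page or from NetApp) checks a request body against those documented constraints before it is posted, so a mistyped PT value or a silently fail-open policy is caught locally rather than by the 9765031 error or, worse, in production. Assumptions: the function names iso8601_seconds, validate_engine, validate_policy and validate_fpolicy_body, durations written only with the H, M and S components, and the ssl_option value "mutual_auth" used in the sample (the page truncates that value list).

```python
import re

# Time-only ISO-8601 durations as used on this page: PT2M, PT40S, PT1M30S.
_PT = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

# Allowed ranges in seconds, copied from the fpolicy_engines definitions.
ENGINE_DURATION_RANGES = {
    "keep_alive_interval": (10, 600),
    "request_abort_timeout": (0, 200),
    "request_cancel_timeout": (0, 100),
    "server_progress_timeout": (0, 100),
    "status_request_interval": (0, 50),
}


def iso8601_seconds(value):
    """Convert a PTnHnMnS duration to seconds; reject anything else."""
    m = _PT.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {value!r} (expected PTnHnMnS)")
    h, mnt, s = (int(g or 0) for g in m.groups())
    return h * 3600 + mnt * 60 + s


def validate_engine(engine):
    """Return a list of problems with one fpolicy_engines entry; empty means it passes."""
    name = engine.get("name", "?")
    issues = []
    for field, (lo, hi) in ENGINE_DURATION_RANGES.items():
        if field in engine:
            secs = iso8601_seconds(engine[field])
            if not lo <= secs <= hi:
                issues.append(f"engine {name}: {field}={engine[field]} is {secs}s, allowed {lo}-{hi}s")
    n = engine.get("max_server_requests")
    if n is not None and not 1 <= n <= 10000:
        issues.append(f"engine {name}: max_server_requests={n}, allowed 1-10000")
    retention = engine.get("resiliency", {}).get("retention_duration")
    if retention is not None and not 0 <= iso8601_seconds(retention) <= 600:
        issues.append(f"engine {name}: resiliency.retention_duration={retention}, allowed 0-600s")
    # Posture check rather than a range error: the page ties certificate
    # authentication to the SSL option, so an unset option deserves a look.
    if not engine.get("ssl_option"):
        issues.append(f"engine {name}: ssl_option not set; confirm TLS to the FPolicy server")
    return issues


def validate_policy(policy):
    """Return a list of problems with one fpolicy_policies entry."""
    name = policy.get("name", "?")
    issues = []
    # Default is true; an explicit false means unscreened access when servers are down.
    if policy.get("mandatory", True) is False:
        issues.append(f"policy {name}: mandatory=false fails open while FPolicy servers are unreachable")
    if policy.get("allow_privileged_access"):
        user = policy.get("privileged_user", "")
        if not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", user):
            issues.append(f"policy {name}: privileged_user must be domain\\username, got {user!r}")
    return issues


def validate_fpolicy_body(body):
    """Check every engine and policy in a POST /protocols/fpolicy body."""
    issues = []
    for engine in body.get("engines", []):
        issues += validate_engine(engine)
    for policy in body.get("policies", []):
        issues += validate_policy(policy)
    return issues


if __name__ == "__main__":
    # Constructed sample: the engine values from the example request, plus a fail-open policy.
    sample = {
        "engines": [{"name": "fp_ex_eng", "keep_alive_interval": "PT2M",
                     "request_abort_timeout": "PT40S", "request_cancel_timeout": "PT20S",
                     "server_progress_timeout": "PT1M", "status_request_interval": "PT10S",
                     "max_server_requests": 500, "ssl_option": "mutual_auth",
                     "resiliency": {"directory_path": "/dir1", "retention_duration": "PT3M"}}],
        "policies": [{"name": "fp_policy_1", "mandatory": False,
                      "allow_privileged_access": True, "privileged_user": "testuser"}],
    }
    for line in validate_fpolicy_body(sample):
        print(line)
```

The range checks reproduce what ONTAP would reject anyway; the value of running them client-side is the two posture findings, which ONTAP accepts without complaint.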
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
fpolicy
FPolicy is an infrastructure component of ONTAP that enables partner applications connected to your storage systems to monitor and set file access permissions. Every time a client accesses a file from a storage system, based on the configuration of FPolicy, the partner application is notified about the file access.
Name | Type | Description |
---|---|---|
_links | _links | |
engines | array[fpolicy_engines] | |
events | array[fpolicy_events] | |
persistent_stores | array[fpolicy_persistent_stores] | |
policies | array[fpolicy_policies] | |
svm | svm | SVM, applies only to SVM-scoped objects. |
_links
Name | Type | Description |
---|---|---|
next | href | |
self | href | |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |