Managing DACL and SACL file permissions with the ONTAP REST API
ONTAP uses system access control lists (SACLs) and discretionary access control lists (DACLs) to assign permissions to file objects. Beginning with ONTAP 9.1.1, the ONTAP REST API includes endpoints for assigning SACL and DACL permissions to files and for automating file security permissions. (You can learn more about the options for automating SACL and DACL permissions prior to ONTAP 9.9.1 "here".)
Beginning with ONTAP 9.1.1, you can use a single REST API call in place of multiple CLI commands or ONTAPI calls. The following examples show how to work with file permissions using the ONTAP REST API. In each example, be sure to supply the values indicated in angle brackets <> where shown.
You can also refer to the sample "Python script", which demonstrates how to automate many SACL- and DACL-related activities.
Viewing effective permissions
Using the GET /protocols/file-security/effective-permissions/ API call, you can retrieve the current permissions of a specific file or directory.

```shell
curl -X GET -u admin:<PASSWORD> -k 'https://<IP_ADDRESS>/api/protocols/file-security/effective-permissions/cf5f271a-1beb-11ea-8fad-005056bb645e/administrator/windows/%2F?share.name=sh1&return_records=true'
```

```json
{
  "svm": {
    "uuid": "cf5f271a-1beb-11ea-8fad-005056bb645e",
    "name": "vs1"
  },
  "user": "administrator",
  "type": "windows",
  "path": "/",
  "share": {
    "path": "/"
  },
  "file_permission": [
    "read",
    "write",
    "append",
    "read_ea",
    "write_ea",
    "execute",
    "delete_child",
    "read_attributes",
    "write_attributes",
    "delete",
    "read_control",
    "write_dac",
    "write_owner",
    "synchronize",
    "system_security"
  ],
  "share_permission": [
    "read",
    "read_ea",
    "execute",
    "read_attributes",
    "read_control",
    "synchronize"
  ]
}
```
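The response above lists the user's rights on the file (`file_permission`) and on the share (`share_permission`) separately. The following added example, which is not part of the original page or of NetApp's sample script, builds the GET URL the way the curl call does (percent-encoding the path segment) and then evaluates the response from a defender's point of view: which rights the user actually ends up with when coming through the share, and whether any of those rights let the user rewrite the security descriptor itself. The sample response is constructed from the output above; the intersection rule for share access is standard Windows semantics and is an assumption not stated on the page.

```python
from urllib.parse import quote, urlencode

# Constructed sample: the effective-permissions response shown above,
# not captured from a live system.
SAMPLE_EFFECTIVE = {
    "svm": {"uuid": "cf5f271a-1beb-11ea-8fad-005056bb645e", "name": "vs1"},
    "user": "administrator",
    "type": "windows",
    "path": "/",
    "share": {"path": "/"},
    "file_permission": [
        "read", "write", "append", "read_ea", "write_ea", "execute", "delete_child",
        "read_attributes", "write_attributes", "delete", "read_control", "write_dac",
        "write_owner", "synchronize", "system_security",
    ],
    "share_permission": [
        "read", "read_ea", "execute", "read_attributes", "read_control", "synchronize",
    ],
}

# Rights that let a principal rewrite the DACL, take ownership, or access the SACL.
# Assumption: these names match the file_permission values ONTAP returns.
SENSITIVE_RIGHTS = frozenset({"write_dac", "write_owner", "system_security"})


def effective_permissions_url(base_url, svm_uuid, user, path, share_name=None):
    """Build the GET URL used in the curl example above.

    The file path is a single URL path segment, so it is percent-encoded with
    no safe characters ("/" becomes "%2F", as in the example).
    """
    url = (f"{base_url}/api/protocols/file-security/effective-permissions/"
           f"{svm_uuid}/{quote(user, safe='')}/windows/{quote(path, safe='')}")
    query = {}
    if share_name is not None:
        query["share.name"] = share_name
    query["return_records"] = "true"
    return url + "?" + urlencode(query)


def effective_via_share(response):
    """Rights the user holds when accessing the path through the SMB share.

    Assumption (standard Windows share semantics): access through a share is
    the intersection of the share permissions and the file permissions.
    """
    file_rights = set(response.get("file_permission", []))
    share_rights = set(response.get("share_permission", []))
    return sorted(file_rights & share_rights)


def sensitive_rights_held(response, via_share=True):
    """Sensitive rights the user holds, through the share or directly on the file."""
    if via_share:
        rights = set(effective_via_share(response))
    else:
        rights = set(response.get("file_permission", []))
    return sorted(rights & SENSITIVE_RIGHTS)


if __name__ == "__main__":
    svm = SAMPLE_EFFECTIVE["svm"]["uuid"]
    print(effective_permissions_url("https://<IP_ADDRESS>", svm, "administrator", "/", "sh1"))
    print("effective via share:", effective_via_share(SAMPLE_EFFECTIVE))
    print("sensitive via share:", sensitive_rights_held(SAMPLE_EFFECTIVE))
    print("sensitive on file:  ", sensitive_rights_held(SAMPLE_EFFECTIVE, via_share=False))
```

On the sample data the share grants read-only rights, so the administrator's `write_dac`, `write_owner` and `system_security` rights on the file are not reachable through share `sh1`; they are reachable through any path that bypasses the share, which is why the check reports both views.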
Viewing all audit information
Using the GET /protocols/file-security/permissions/ API call, you can retrieve all audit information for a specific file or directory.

```shell
curl -X GET -u admin:<PASSWORD> -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent'
```

```json
{
  "svm": {
    "uuid": "9479099d-5b9f-11eb-9c4e-0050568e8682",
    "name": "vs1"
  },
  "path": "/parent",
  "owner": "BUILTIN\\Administrators",
  "group": "BUILTIN\\Administrators",
  "control_flags": "0x8014",
  "acls": [
    {
      "user": "BUILTIN\\Administrators",
      "access": "access_allow",
      "apply_to": {
        "files": true,
        "sub_folders": true,
        "this_folder": true
      },
      "advanced_rights": {
        "append_data": true,
        "delete": true,
        "delete_child": true,
        "execute_file": true,
        "full_control": true,
        "read_attr": true,
        "read_data": true,
        "read_ea": true,
        "read_perm": true,
        "write_attr": true,
        "write_data": true,
        "write_ea": true,
        "write_owner": true,
        "synchronize": true,
        "write_perm": true
      },
      "access_control": "file_directory"
    },
    {
      "user": "BUILTIN\\Users",
      "access": "access_allow",
      "apply_to": {
        "files": true,
        "sub_folders": true,
        "this_folder": true
      },
      "advanced_rights": {
        "append_data": true,
        "delete": true,
        "delete_child": true,
        "execute_file": true,
        "full_control": true,
        "read_attr": true,
        "read_data": true,
        "read_ea": true,
        "read_perm": true,
        "write_attr": true,
        "write_data": true,
        "write_ea": true,
        "write_owner": true,
        "synchronize": true,
        "write_perm": true
      },
      "access_control": "file_directory"
    }
  ],
  "inode": 64,
  "security_style": "mixed",
  "effective_style": "ntfs",
  "dos_attributes": "10",
  "text_dos_attr": "----D---",
  "user_id": "0",
  "group_id": "0",
  "mode_bits": 777,
  "text_mode_bits": "rwxrwxrwx"
}
```
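Two parts of this response are worth reading carefully: `control_flags` is the Windows `SECURITY_DESCRIPTOR_CONTROL` value in hex (the POST and PATCH examples further down pass the same value in decimal, `32788`), and each entry in `acls` is an ACE whose `advanced_rights` may include rights that let the holder change the ACL itself. The following added example, not part of the page or of NetApp's sample script, decodes the control flags using the standard Windows bit definitions and reviews the ACEs for allow entries that hand ACL-changing rights to broad principals. The sample descriptor is constructed from the response above; the list of "broad" principals is an assumption you would tailor to your own domain.

```python
# SECURITY_DESCRIPTOR_CONTROL bits as defined by Windows.
CONTROL_FLAG_BITS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",
    0x8000: "SE_SELF_RELATIVE",
}

# Constructed list of broad principals; a full-control allow ACE for any of
# these deserves review. Extend it with your own domain groups (assumption).
BROAD_PRINCIPALS = frozenset({"BUILTIN\\Users", "Everyone", "Authenticated Users"})

# Rights that let the holder rewrite the ACL or take ownership of the object.
ACL_CHANGING_RIGHTS = ("full_control", "write_perm", "write_owner")

# Constructed sample built from the GET response above (two allow ACEs that
# grant every advanced right).
_ALL_RIGHTS = {
    right: True for right in (
        "append_data", "delete", "delete_child", "execute_file", "full_control",
        "read_attr", "read_data", "read_ea", "read_perm", "write_attr",
        "write_data", "write_ea", "write_owner", "synchronize", "write_perm",
    )
}
_EVERYWHERE = {"files": True, "sub_folders": True, "this_folder": True}
SAMPLE_DESCRIPTOR = {
    "svm": {"uuid": "9479099d-5b9f-11eb-9c4e-0050568e8682", "name": "vs1"},
    "path": "/parent",
    "owner": "BUILTIN\\Administrators",
    "group": "BUILTIN\\Administrators",
    "control_flags": "0x8014",
    "acls": [
        {"user": "BUILTIN\\Administrators", "access": "access_allow",
         "apply_to": dict(_EVERYWHERE), "advanced_rights": dict(_ALL_RIGHTS),
         "access_control": "file_directory"},
        {"user": "BUILTIN\\Users", "access": "access_allow",
         "apply_to": dict(_EVERYWHERE), "advanced_rights": dict(_ALL_RIGHTS),
         "access_control": "file_directory"},
    ],
    "security_style": "mixed",
    "effective_style": "ntfs",
    "mode_bits": 777,
}


def decode_control_flags(value):
    """Name the bits set in control_flags; accepts "0x8014" or "32788"."""
    n = int(str(value), 0)  # base 0 parses both hex with 0x prefix and decimal
    return [name for bit, name in sorted(CONTROL_FLAG_BITS.items()) if n & bit]


def review_acls(descriptor):
    """Return allow ACEs that give ACL-changing rights to a broad principal.

    Each finding records where the ACE applies, because an ACE with
    sub_folders and files set is inherited by everything beneath the path.
    """
    findings = []
    for ace in descriptor.get("acls", []):
        if ace.get("access") != "access_allow":
            continue
        rights = ace.get("advanced_rights", {})
        granted = [r for r in ACL_CHANGING_RIGHTS if rights.get(r)]
        if granted and ace.get("user") in BROAD_PRINCIPALS:
            findings.append({
                "path": descriptor.get("path"),
                "user": ace["user"],
                "rights": granted,
                "applies_to": sorted(k for k, v in ace.get("apply_to", {}).items() if v),
            })
    return findings


if __name__ == "__main__":
    print("control flags:", decode_control_flags(SAMPLE_DESCRIPTOR["control_flags"]))
    for finding in review_acls(SAMPLE_DESCRIPTOR):
        print("REVIEW:", finding)
```

In the sample the flags decode to `SE_DACL_PRESENT`, `SE_SACL_PRESENT` and `SE_SELF_RELATIVE`, and the `BUILTIN\Users` ACE is reported because it carries `full_control`, `write_perm` and `write_owner` on the folder, its sub-folders and its files. Because `effective_style` is `ntfs`, it is this ACL, not the `777` mode bits, that decides access on this directory, so the ACL is what to audit.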
Applying new permissions
Using the POST /protocols/file-security/permissions/ API call, you can apply a new security descriptor to a file or directory.

```shell
curl -u admin:<PASSWORD> -X POST -H 'Content-Type: application/json' -d '{ "acls": [ { "access": "access_allow", "advanced_rights": { "append_data": true, "delete": true, "delete_child": true, "execute_file": true, "full_control": true, "read_attr": true, "read_data": true, "read_ea": true, "read_perm": true, "write_attr": true, "write_data": true, "write_ea": true, "write_owner": true, "write_perm": true }, "apply_to": { "files": true, "sub_folders": true, "this_folder": true }, "user": "administrator" } ], "control_flags": "32788", "group": "S-1-5-21-2233347455-2266964949-1780268902-69700", "ignore_paths": [ "/parent/child2" ], "owner": "S-1-5-21-2233347455-2266964949-1780268902-69304", "propagation_mode": "propagate"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent?return_timeout=0'
```

```json
{
  "job": {
    "uuid": "3015c294-5bbc-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/3015c294-5bbc-11eb-9c4e-0050568e8682"
      }
    }
  }
}
```
Updating security descriptor information
Using the PATCH /protocols/file-security/permissions/ API call, you can update specific security descriptor information for a file or directory, such as the primary owner, the group, or the control flags.

```shell
curl -u admin:<PASSWORD> -X PATCH -H 'Content-Type: application/json' -d '{ "control_flags": "32788", "group": "everyone", "owner": "user1"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent?return_timeout=0'
```

```json
{
  "job": {
    "uuid": "6f89e612-5bbd-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/6f89e612-5bbd-11eb-9c4e-0050568e8682"
      }
    }
  }
}
```
Deleting an existing SACL/DACL access control entry (ACE)
Using the DELETE /protocols/file-security/permissions/ API call, you can remove an existing ACE from a file or directory. This example propagates the change to any child objects.

```shell
curl -u admin:<PASSWORD> -X DELETE -H 'Content-Type: application/json' -d '{ "access": "access_allow", "apply_to": { "files": true, "sub_folders": true, "this_folder": true }, "ignore_paths": [ "/parent/child2" ], "propagation_mode": "propagate"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent/acl/himanshu?return_timeout=0'
```

```json
{
  "job": {
    "uuid": "e5683b61-5bbf-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/e5683b61-5bbf-11eb-9c4e-0050568e8682"
      }
    }
  }
}
```
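The POST, PATCH and DELETE calls above share two traits: the request body is JSON that is easy to get wrong when hand-quoted inside a curl command, and each call is asynchronous, returning a job link that must be polled before the permission change can be considered applied (and before the `ignore_paths` exclusion can be verified). The following added example, not part of the page or of NetApp's sample script, builds the URLs and bodies for all three calls from plain Python values and polls the returned job. The sample response is constructed from the POST output above; the job `state` values and the `message` field are assumptions about the `/api/cluster/jobs` record, and `fetch` is a hypothetical callable the caller supplies so the code runs offline.

```python
import json
import time
from urllib.parse import quote, urlencode

# Constructed sample: the job response shown for the POST example above.
SAMPLE_POST_RESPONSE = {
    "job": {
        "uuid": "3015c294-5bbc-11eb-9c4e-0050568e8682",
        "_links": {"self": {"href": "/api/cluster/jobs/3015c294-5bbc-11eb-9c4e-0050568e8682"}},
    }
}


def permissions_url(base_url, svm_uuid, path, ace_user=None, return_timeout=0):
    """URL for POST/PATCH on the descriptor, or DELETE of one ACE under /acl/<user>.

    The file path is one URL segment, so "/" is encoded as "%2F" exactly as in
    the curl examples. return_timeout=0 makes the call return the job at once.
    """
    url = (f"{base_url}/api/protocols/file-security/permissions/"
           f"{svm_uuid}/{quote(path, safe='')}")
    if ace_user is not None:
        url += f"/acl/{quote(ace_user, safe='')}"
    return url + "?" + urlencode({"return_timeout": return_timeout})


def allow_ace(user, rights, apply_to=("this_folder", "sub_folders", "files")):
    """One access_allow ACE in the shape the POST body expects."""
    return {
        "user": user,
        "access": "access_allow",
        "advanced_rights": {right: True for right in rights},
        "apply_to": {scope: True for scope in apply_to},
    }


def security_descriptor(owner, group, acls, control_flags="32788",
                        ignore_paths=(), propagation_mode="propagate"):
    """Body for the POST example as a dict; 32788 is 0x8014 (DACL and SACL present)."""
    body = {"owner": owner, "group": group, "control_flags": control_flags,
            "acls": list(acls), "propagation_mode": propagation_mode}
    if ignore_paths:
        body["ignore_paths"] = list(ignore_paths)
    return body


def security_descriptor_body(*args, **kwargs):
    """Serialize with json.dumps so no hand-written (or backslash-escaped) quoting is needed."""
    return json.dumps(security_descriptor(*args, **kwargs))


def job_href(response):
    """Job link from the response that POST, PATCH and DELETE all return."""
    return response["job"]["_links"]["self"]["href"]


def wait_for_job(href, fetch, poll_seconds=1.0, max_polls=60):
    """Poll the job record until it finishes.

    fetch(href) is a caller-supplied callable (hypothetical) returning the parsed
    job record. Assumption: the record has 'state' with values such as 'queued',
    'running', 'success' or 'failure', and 'message' describing the outcome.
    """
    state = None
    for _ in range(max_polls):
        job = fetch(href)
        state = job.get("state")
        if state == "success":
            return job
        if state == "failure":
            raise RuntimeError(f"job {href} failed: {job.get('message')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"job {href} still {state!r} after {max_polls} polls")


if __name__ == "__main__":
    svm = "9479099d-5b9f-11eb-9c4e-0050568e8682"
    print(permissions_url("https://<IP_ADDRESS>", svm, "/parent"))
    print(permissions_url("https://<IP_ADDRESS>", svm, "/parent", ace_user="himanshu"))
    print(security_descriptor_body("S-1-5-21-2233347455-2266964949-1780268902-69304",
                                   "S-1-5-21-2233347455-2266964949-1780268902-69700",
                                   [allow_ace("administrator", ["full_control"])],
                                   ignore_paths=["/parent/child2"]))
    # Offline stand-in for GET /api/cluster/jobs/<uuid>: running once, then success.
    states = iter([{"state": "running"}, {"state": "success", "message": "complete"}])
    print(wait_for_job(job_href(SAMPLE_POST_RESPONSE), lambda h: next(states), poll_seconds=0))
```

With a real client you would pass a `fetch` that performs the authenticated GET on the job link; because the ACL change is only complete when the job reports success, polling before re-reading the descriptor with the GET call is what makes a post-change verification meaningful.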
ONTAP REST API versus ONTAP CLI commands
Compared with the ONTAP CLI, the ONTAP REST API can automate many tasks with fewer commands. For example, you can modify a file's security descriptor with a single POST API call instead of several CLI commands. The following table shows the CLI commands needed to complete common file-system permission tasks alongside the corresponding REST API calls:
| ONTAP REST API | ONTAP CLI |
|---|---|