简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

使用 ONTAP REST API 管理 DACL 和 SACL 文件权限

ONTAP 使用系统访问控制列表( SACL )和随机访问控制列表( DACL )为文件对象分配权限。从 ONTAP 9.1.1 开始, ONTAP REST API 包括用于为文件分配 SACL 和 DACL 权限以及自动执行文件安全权限的端点。(您可以了解有关在 ONTAP 9.9.1 之前自动执行 SACL 和 DACL 权限的选项的更多信息 "此处")。

从 ONTAP 9.1.1 开始,您可以使用单个 REST API 调用来代替多个 CLI 命令或 ONTAPI 调用。以下示例显示了如何使用 ONTAP REST API 处理文件权限。在每个示例中,请务必在所示位置用方括号 <> 提供信息值。

您也可以引用示例 "Python 脚本" 该演示了如何自动执行许多与 SACL 和 DACL 相关的活动。

查看有效权限

使用 get /protocols/file-security/effective-permissions/ API 调用,您可以检索特定文件或目录的当前权限。

请求示例:
curl -X GET -u admin:<PASSWORD> -k 'https://<IP_ADDRESS>/api/protocols/file-security/effective-permissions/cf5f271a-1beb-11ea-8fad-005056bb645e/administrator/windows/%2F?share.name=sh1&return_records=true'
响应示例
{
  "svm": {
    "uuid": "cf5f271a-1beb-11ea-8fad-005056bb645e",
    "name": "vs1"
  },
  "user": "administrator",
  "type": "windows",
  "path": "/",
  "share": {
    "path": "/"
  },
  "file_permission": [
    "read",
    "write",
    "append",
    "read_ea",
    "write_ea",
    "execute",
    "delete_child",
    "read_attributes",
    "write_attributes",
    "delete",
    "read_control",
    "write_dac",
    "write_owner",
    "synchronize",
    "system_security"
  ],
  "share_permission": [
    "read",
    "read_ea",
    "execute",
    "read_attributes",
    "read_control",
    "synchronize"
  ]
}

查看所有审核信息

使用 get /protocols/file-security/permissions/ API 调用,您可以检索特定文件或目录的所有审核信息。

请求示例:
curl -X GET -u admin:<PASSWORD> -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent'
响应示例
{
  "svm": {
    "uuid": "9479099d-5b9f-11eb-9c4e-0050568e8682",
    "name": "vs1"
  },
  "path": "/parent",
  "owner": "BUILTIN\\Administrators",
  "group": "BUILTIN\\Administrators",
  "control_flags": "0x8014",
  "acls": [
    {
      "user": "BUILTIN\\Administrators",
      "access": "access_allow",
      "apply_to": {
        "files": true,
        "sub_folders": true,
        "this_folder": true
      },
      "advanced_rights": {
        "append_data": true,
        "delete": true,
        "delete_child": true,
        "execute_file": true,
        "full_control": true,
        "read_attr": true,
        "read_data": true,
        "read_ea": true,
        "read_perm": true,
        "write_attr": true,
        "write_data": true,
        "write_ea": true,
        "write_owner": true,
        "synchronize": true,
        "write_perm": true
      },
      "access_control": "file_directory"
    },
    {
      "user": "BUILTIN\\Users",
      "access": "access_allow",
      "apply_to": {
        "files": true,
        "sub_folders": true,
        "this_folder": true
      },
      "advanced_rights": {
        "append_data": true,
        "delete": true,
        "delete_child": true,
        "execute_file": true,
        "full_control": true,
        "read_attr": true,
        "read_data": true,
        "read_ea": true,
        "read_perm": true,
        "write_attr": true,
        "write_data": true,
        "write_ea": true,
        "write_owner": true,
        "synchronize": true,
        "write_perm": true
      },
      "access_control": "file_directory"
    }
  ],
  "inode": 64,
  "security_style": "mixed",
  "effective_style": "ntfs",
  "dos_attributes": "10",
  "text_dos_attr": "----D---",
  "user_id": "0",
  "group_id": "0",
  "mode_bits": 777,
  "text_mode_bits": "rwxrwxrwx"
}

应用新权限

使用 POST /protocols/file-security/permissions/ API 调用,您可以将新的安全描述符应用于文件或目录。

请求示例
curl -u admin:<PASSWORD> -X POST -d '{ \"acls\": [ { \"access\": \"access_allow\", \"advanced_rights\": { \"append_data\": true, \"delete\": true, \"delete_child\": true, \"execute_file\": true, \"full_control\": true, \"read_attr\": true, \"read_data\": true, \"read_ea\": true, \"read_perm\": true, \"write_attr\": true, \"write_data\": true, \"write_ea\": true, \"write_owner\": true, \"write_perm\": true }, \"apply_to\": { \"files\": true, \"sub_folders\": true, \"this_folder\": true }, \"user\": \"administrator\" } ], \"control_flags\": \"32788\", \"group\": \"S-1-5-21-2233347455-2266964949-1780268902-69700\", \"ignore_paths\": [ \"/parent/child2\" ], \"owner\": \"S-1-5-21-2233347455-2266964949-1780268902-69304\", \"propagation_mode\": \"propagate\"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent?return_timeout=0'
响应示例
{
  "job": {
    "uuid": "3015c294-5bbc-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/3015c294-5bbc-11eb-9c4e-0050568e8682"
      }
    }
  }
}

更新安全描述符信息

使用 patch /protocols/file-security/permissions/ API 调用,您可以更新文件或目录的特定安全描述符信息,例如主所有者,组或控制标志。

请求示例
curl -u admin:<PASSWORD> -X PATCH -d '{ \"control_flags\": \"32788\", \"group\": \"everyone\", \"owner\": \"user1\"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent?return_timeout=0'
响应示例
{
  "job": {
    "uuid": "6f89e612-5bbd-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/6f89e612-5bbd-11eb-9c4e-0050568e8682"
      }
    }
  }
}

删除现有 SACL/DACL 访问控制条目( ACE )

使用 Delete /protocols/file-security/permissions/ API 调用,您可以从目录的文件中删除现有 ACE 。此示例将此更改传播到任何子对象。

请求示例
curl -u admin:<PASSWORD> -X DELETE -d '{ \"access\": \"access_allow\", \"apply_to\": { \"files\": true, \"sub_folders\": true, \"this_folder\": true }, \"ignore_paths\": [ \"/parent/child2\" ], \"propagation_mode\": \"propagate\"}' -k 'https://<IP_ADDRESS>/api/protocols/file-security/permissions/9479099d-5b9f-11eb-9c4e-0050568e8682/%2Fparent/acl/himanshu?return_timeout=0'
响应示例
{
  "job": {
    "uuid": "e5683b61-5bbf-11eb-9c4e-0050568e8682",
    "_links": {
      "self": {
        "href": "/api/cluster/jobs/e5683b61-5bbf-11eb-9c4e-0050568e8682"
      }
    }
  }
}

ONTAP REST API 与 ONTAP 命令行界面命令

与 ONTAP 命令行界面相比, ONTAP REST API 可以使用更少的命令自动执行许多任务。例如,您可以使用一种 POST API 方法来修改文件的安全描述符,而不是使用多个 CLI 命令。下表显示了完成常见文件系统权限任务与相应的 REST API 调用所需的命令行界面命令:

ONTAP REST API ONTAP 命令行界面

get /protocols/file-security/effective-permissions/

vserver security file-directory show-effective-permissions

POST /protocols/file-security/permissions/

  1. vserver security file-directory ntfs create

  2. vserver security file-directory ntfs dacl add

  3. vserver security file-directory ntfs sacl add

  4. vserver security file-directory policy create

  5. vserver security file-directory policy task add

  6. Vserver security file-directory apply

patch /protocols/file-security/permissions/

vserver security file-directory ntfs modify

delete /protocols/file-security/permissions/

  1. vserver security file-directory ntfs dacl remove

  2. vserver security file-directory ntfs sacl remove