Articles in this section

See more

Running a Bulk Permission Update on a View

Sara Levy
  • Updated
Follow

You can run a bulk update to change permissions and ownership for files and directories residing under a path on an Element Store view.

The update is done based on a template directory and/or file, from which permissions and ownership attributes (owner ID, owning group, ACL) are copied to the directories and files under the target path that you specify, overwriting the preexisted permissions and ownership attributes. If there is no template file specified, permissions for the files under the target path are updated by inheriting from the template directory.

This is useful in case you need to recursively fix permissions for a very large number of files and directories. All the processing for the bulk permission update task is done on the VAST cluster and distributed among the cluster's CNodes, eliminating the latencies that typically occur when running a similar task from a client.

Bulk permission update can be run on views with NFSv4.1, NFSv3, SMB and S3 storage access protocols, including VAST Database views.

Requirements and Restrictions

  • Only one bulk permission update task per tenant can run at a time.

  • If a client attempts to set permissions on directories or files being updated via a bulk permission update, the result is unpredictable.

  • A bulk permission update can run only when the target view (the view exposing the files and directories for which you want to update permissions) is on the same tenant as the template view.

  • It is strongly recommended that the target view and the template view have view policies with the same security flavor. Running a bulk permission update on a view where the security flavor does not match that of the template view may result in inaccessible or incompatible permissions set.

  • Permissions to be updated are determined based on the security flavor of the target view. For information, see Updated Permissions per Security Flavor and Protocol.

  • Read-only snapshots and VAST special directories (.vast in S3 buckets, .trash, .snap, .remote) are excluded from bulk permissions update.

Updated Permissions per Security Flavor and Protocol

Permissions that can be updated as a result of a bulk permission update depend on the security flavor set (via a view policy) for the template and target views:

Security Flavor

Updated Permissions

NFS

Mode bits or POSIX permissions (if the view policy allows a POSIX ACL)

SMB

Only NTFS permissions

S3 Native

Only S3 permissions

Mixed Last Wins

Mode bits, POSIX, NTFS or NFSv4 permissions

The following ACE types can be updated for each access protocol:

Protocol

ACE Types

Permissions per ACE

Inheritance Flags per ACE

NFSv3

  • Non-POSIX:

    • owner

    • owning group

    • others

  • POSIX:

    • owner

    • owning group

    • named user

    • named group

    • mask

    • others

Read, Write, Execute

Special bits: SUID, SGID, sticky bit

NFSv4

  • owner

  • owning group

  • named user

  • named group

  • everyone

 
ACE4_READ_DATA
ACE4_LIST_DIRECTORY
ACE4_WRITE_DATA
ACE4_ADD_FILE
ACE4_APPEND_DATA
ACE4_ADD_SUBDIRECTORY
ACE4_READ_NAMED_ATTRS
ACE4_WRITE_NAMED_ATTRS
ACE4_EXECUTE
ACE4_DELETE_CHILD
ACE4_READ_ATTRIBUTES
ACE4_WRITE_ATTRIBUTES
ACE4_WRITE_RETENTION
ACE4_WRITE_RETENTION_HOLD
ACE4_DELETE
ACE4_READ_ACL
ACE4_WRITE_ACL
ACE4_WRITE_OWNER
ACE4_SYNCHRONIZE

Special bits: SUID, SGID, sticky bit

 
ACE4_FILE_INHERIT_ACE
ACE4_DIRECTORY_INHERIT_ACE
ACE4_NO_PROPAGATE_INHERIT_ACE
ACE4_INHERIT_ONLY_ACE
ACE4_IDENTIFIER_GROUP

SMB

  • creator-owner

  • creator-group

  • named entity

 
FILE_LIST_DIRECTORY
FILE_ADD_FILE
FILE_ADD_SUBDIRECTORY
FILE_READ_EA
FILE_WRITE_EA
FILE_TRAVERSE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA 
FILE_EXECUTE
 
OBJECT_INHERIT_ACE
CONTAINER_INHERIT_ACE
NO_PROPAGATE_INHERIT_ACE
INHERIT_ONLY_ACE

S3

  • users

  • all users

  • authenticated users

 
READ
WRITE
READ_ACP
WRITE_ACP

Choosing a Template Directory or File

Choose a template directory and, optionally, a template file with permissions that you want to assign to the target directories and/or files during a bulk permission update.

  • If a template file is specified for a bulk permission update, VAST Cluster overwrites the permissions and ownership attributes of the target files and directories as follows:

    • Permissions of target files are overwritten with those of the template file.

    • Permissions of target directories are overwritten with those of the template directory.

  • If no template file is specified, VAST Cluster overwrites the permissions and ownership attributes of the top target directory (specified as the Selected path to update) with those of the template directory, and nested directories and files inherit permissions and ownership attributes from their parent.

    In this case, the template directory must have a default ACL on it.

Tip

Ensure that the view that exposes the template directory or file is on the same tenant as the target view and has a view policy with the same security flavor as that of the target view.

Starting Bulk Permission Update via VAST Web UI

To start a bulk permission update:

  1. In the left navigation menu, choose Element Store and then Views to open the Views page.

  2. In the Views page, find the view that exposes the files and directories for which you want to update permissions and in the Actions menu for that view, choose Bulk Permission Update.

  3. In the Path to update pane of the Bulk permission update dialog, complete the fields:

    Selected path to update

    Specify a path to the directory where files and directories for which to update permissions reside.

  4. In the Template pane of the Bulk permission update dialog, complete the fields:

    Copy from view

    Specify a view that exposes a directory and (optionally) a file from which to copy permissions and ownership attributes.

    This view should be on the same tenant as the view specified in Selected path to update.

    It is strongly recommended that the target view and the template view have view policies with the same security flavor. Running a bulk permission update on a view where the security flavor does not match that of the template view may result in inaccessible or incompatible permissions set.

    Directory template path

    Specify a path to the directory from which to copy permissions and ownership attributes to the directories under Selected path to update. For more information about choosing a template directory, see Choosing a Template Directory or File.

    File template path

    Specify a path to the file from which to copy permissions and ownership attributes to the files under Selected path to update.

    This setting is optional. If not specified, the attributes are copied from the directory specified in Directory template path.

    For more information about choosing a template file, see Choosing a Template Directory or File.

  5. Click Approve.

  6. Verify the details In the confirmation popup.

    • If the suggested replacements are correct, click Yes to start the bulk permission update.

    • To make changes to the setup, click No.

The bulk permission update is started.

Starting Bulk Permission Update via VAST CLI

Run the view bulk-permission-update command.

Checking Update Progress and Status via VAST Web UI

To view progress and status of the bulk permission update per view:

  • In the left navigation menu, choose Element Store and then Views to open the Views page.

    • The Bulk Permission Update State column displays the status of the latest bulk permission update for a view.

    • The Bulk Permission Update Progress column shows the update percentage completion.

To view details of a particular bulk permission update task:

  1. In the left navigation menu, choose Activities.

  2. In the Activities page, set the date and time filter as appropriate and search for a task named bulk_permission_update.

  3. Click a task in the list to display its details in the right pane. The details include the task steps with timing and completion status for each step.

Checking Update Progress and Status via VAST CLI

To view bulk permission update progress and status per view, run the view list or view show command. In the command output, the Bulk-permission-update-state field shows the task status, and the Bulk-permission-update-progress field shows the task progress.

To view details of a particular bulk permission update task, run the vtask list command. Set the date and time and task name filters as appropriate. Bulk permission update tasks are named bulk_permission_update.

Stopping Bulk Permission Update via VAST Web UI

When you stop a running bulk permission update, the changes that the task has already made are not rolled back.

To stop a running bulk permission update:

  1. In the left navigation menu, choose Element Store and then Views.

  2. In the Views page, use the filter in the Bulk Permission Update State column to find the view for which permissions are being updated.

  3. Open the Actions menu for that view and click Stop Bulk Permission Update.

Stopping Bulk Permission Update via VAST CLI

When you stop a running bulk permission update, the changes that the task has already made are not rolled back.

Run the view stop-bulk-permission-update command.

Related articles

Comments

0 comments

Article is closed for comments.