Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-72-1580145.1
Update Date:2013-09-13
Keywords:
Solution Type  Problem Resolution Sure

Solution  1580145.1 :   Sun Storage 7000 Unified Storage System: Setting Root Directory ACLs Via CLI, not only from BUI  

Related Items 
    

  • Sun ZFS Storage 7320
    •  
  • Sun Storage 7210 Unified Storage System
    •  
  • Sun Storage 7410 Unified Storage System
    •  
  • Sun ZFS Storage 7420
    •  
  • Sun Storage 7310 Unified Storage System
    •  
  • Sun Storage 7110 Unified Storage System
    •  
  • Sun ZFS Storage 7120
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS
    •  






In this Document


Symptoms


Cause


Solution



Created from <SR 3-7085192869>


Applies to:  

Sun Storage 7410 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7120 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7320 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Sun Storage 7110 Unified Storage System - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)



Symptoms


Problem Description: Unable to set Root Directory ACL for a share via the CLI


System: Sun ZFS Storage 7x20 Systems and Sun Storage 7x10 Unified Storage Systems


Symptoms:
-> In BUI, when creating a new share (under the menu Shares -> create Filesystem), there is an option for the "Permissions" field to set Windows default permissions.


If "Use Windows default permissions" is selected, the Permissions section is greyed out and the permissions are automatically set to:
  RWX (Read, Write, Execute) for user
  RX (Read, Execute) for group
  RX (Read, Execute) for others
  #### See the attachment Share_BUI_Windows_default.jpg


  Windows Default Permissions can be checked in BUI, under the menu Shares -> select share -> Access Tab -> Root Directory ACL
  #### See the attachment Share_BUI_Root_Directory_ACL.jpg



-> In CLI, when creating a new share, there is no "Windows default permissions" option. However, there is an option that can grant the same privileges, this is root_permissions. 
  The equivalent of the "Windows Default Permissions" is 755 - RWX (Read, Write, Execute) for user, RX (Read, Execute) for group and RX (Read, Execute) for others


                            appliance:shares Test> filesystem test_share
                            appliance:shares Test/test_share (uncommitted)> set root_permissions=755
                                     root_permissions = 755 (uncommitted)
                            appliance:shares Test/test_share (uncommitted)> commit



-> The problem is that there are different Root Directory ACLs when setting the "Windows default permissions" from BUI and when setting the 755 for root_permissions in CLI. 
  So setting 755 privileges from CLI does not provide the same access rights as "Windows default permissions" does, so this option should be included in the CLI also

-> As an example, a share that is created under BUI, with "Windows Default Permissions", gets the following privileges:

Share created under BUI:


A. Root Directory Access: 
  - Permissions: 
  RWX (Read, Write, Execute) for user
  RX (Read, Execute) for group
  RX (Read, Execute) for others


 


B. Root Directory ACL:
  Owner: Access: Full Control , Permissions Inheritance: rwxpdDaARWcCo:fd--
  Group: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:fd--
  Everyone: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:fd--
  #### See the attachment Share_BUI_Root_Directory_ACL.jpg



Share created under CLI:

  If a share that is created under CLI, using root_permissions 755, it gets the following privileges:
 


 A. Root Directory Access: 
  - Permissions: 
  RWX (Read, Write, Execute) for user
  RX (Read, Execute) for group
  RX (Read, Execute) for others


 


  B. Root Directory ACL:
  Owner: Access: - , Permissions Inheritance: rwxp-DaARWcCo:----
  Group: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:----
  Everyone: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:----
  #### See the attachment Share_CLI_Root_Directory_ACL.jpg


 



TEST CASES

TEST 1 - Create filesystem "test" from CLI using the root_permissions 755


            appliance:shares Test> filesystem test_share
            appliance:shares Test/test_share (uncommitted)> set root_permissions=755
                   root_permissions = 755 (uncommitted)
            appliance:shares Test/test_share (uncommitted)> commit



I got the following Root Directory Access:


- user: nobody
- group: other
- permissions: RWX for user, RX for group and others



The following Root Directory ACL:


Owner: none
Group: Read&Execute
Everyone: Read&Execute



The following ACL Behavior:


ACL behavior on mode change: Do not change ACL 
ACL inheritance behavior: Inherit all entries



TEST 2 - Create filesystem "test2" from BUI

Root Directory Access:


- user: nobody
- group: other
- permissions: RWX for user, RX for group and others


The following Root Directory ACL:


Owner: Full Control                   ----------- !!
Group: Read&Execute
Everyone: Read&Execute



The following ACL Behavior:


ACL behavior on mode change: Discard ACL           ----------- !!
ACL inheritance behavior: Inherit all entries



So we have a difference between the BUI creation and the root_permissions 755 from CLI:


The fact that the owner has different access privileges and the ACL behavior on mode change


Cause


The "Windows default permissions" option is not available in the CLI, and it can only be used from BUI.


By selecting "Use Windows Default Permissions" in the BUI, a different set of permission bits is granted than the 755 option used in CLI.


The root directory ACL displayed in the BUI can be a little confusing.


In the "Access" column, it can only be seen a text description of the ACL if it's an exact match for one of the Windows named permission sets: "Full Control", "Modify", "Read & Execute" or "Read".


In the case of an owner with RWX (7) permissions, we are one bit away from the Windows full control set, so no description is displayed.


Despite the minor difference, the ACL for the owner is effectively almost identical to full control.


The following example of a full control ACL and a "RWX" ACL can be found below:
  -> RWX ACL:


  Owner: Access: - , Permissions Inheritance: rwxp-DaARWcCo:----
  Group: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:----
  Everyone: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:----


  -> Full Control ACL:


  Owner: Access: Full Control , Permissions Inheritance: rwxpdDaARWcCo:fd--
  Group: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:fd--
  Everyone: Access: Read& Execute, Permissions Inheritance: r-x---a-R-c--:fd--






Solution


At this moment, there is no solution to this problem, but there has been raised an Enhancement Request for this issue:


BUG 15547207 - SUNBT6814333 want ability to modify ACLs from the CLI


 


To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - Disk Storage ZFS Storage Appliance Community


 
 



Attachments

This solution has no attachment


















       

Copyright © 2018 Oracle, Inc.  All rights reserved.

 Feedback