Oracle ZFS Storage appliance: How to configure SMB share level ACLs via REST API?

659 views Asked by At

I am developing a script which uses the REST API for an Oracle ZFS Storage appliance ("ZS3"). The script uses the API to make a snapshot and clone of a production environment for use as a temporary test environment. So far everything is great... except I can find no way to specify the "Share Level ACL" settings for the SMB protocol.

A manual (via web ui) clone results in a default ACL of "everyone, full access". The ACL for the original share (source for the snapshot/clone) has a specific user list with specific ACLs. I assume that this information is not in the ZFS snapshot, but maintained outside of ZFS, hence it is not present in the clone (Q: Is this correct?).

I've re-read the Oracle document "E56084.pdf" ("Oracle ZFS Storage Appliance RESTful API Guide, Release 2013.1.4.0") a few times. There are vague references to the "sharesmb" property, and nothing else related to SMB or ACLs. My script correctly sets the "sharesmb" value (used to enabling SMB sharing) to "sharesmb=SHARENAME,abe=off,dfsroot=false" in the JSON payload passed to the API for creating a file system clone. However, I see no property that I can set for the actual ACL list. For NFS, this is easy, it is the value passed in the "sharenfs" property.

The result of a "GET" of the source project and share do not contain any reference to the users listed in the "SMB Share Level ACL" as seen in the web UI.

So, how do I copy over, or explicitly set if necessary, the "SMB Share Level ACLs" on a share via the REST api?

Thanks!

1

There are 1 answers

0
user121391 On

The system has two different kinds of ACLs and both are stored inside your datasets:

  1. ACLs on all files and directories (let's call them file ACLs): These are used for general Unix access and also are active when sharing the filesystem. They are stored with each file or directory (use /usr/bin/ls -V /pool/filesystem/yourFile or /usr/bin/ls -Vd /pool/filesystem/yourDir to see them).
  2. ACLs on filesystems shared via SMB/CIFS protocol (let's call them share ACLs): These are only used when sharing the filesystem and can only be set for the whole filesystem, not individual files inside. Use /usr/bin/ls -V /pool/filesystem/.zfs/shares/yourShareName to see them.

Unfortunately I do not know how to to that over the REST API, but at least you know where your ACLs should end up.