As of 7.1.1, the following are required, basically equivalent to "Read", but we do not require "Read Attributes":
List Folder / Read Data
Read Extended Attributes
Read Permissions (the ability to read the security descriptor and permissions)
Compared to Microsoft's own requirements, which are equivalent to "Read":
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions
Without making excuses, gathering source information for release notes is an ... imprecise science.
sluetze
2 Intern • 300 Posts • June 16th, 2015 01:00
Hi dynamox,
As far as I remember, the minimum "NTFS-Right" ABE recognizes is READ. Read includes List Folder, Read Attributes, Read Extended Attributes and Read Permissions.
So I guess it's a bugfix.
Stdekart
104 Posts • June 16th, 2015 06:00
Hello Dynamox,
sluetze is correct on his answer. I would just like to give a little more information around why.
The permissions required to make folders visible in 7.1.1 and later have changed to more closely match Microsoft's own implementation of the same. While not directly impactful, this can cause confusion on upgrade. Users should still be able to access the required data if they type in the entire path manually.
This has specifically been noted to cause issues with Traverse permissions, which are no longer sufficient to display a folder, and can cause hyperlinks to files stored on the cluster to fail when opened via Microsoft Outlook.
Per Microsoft's commentary on Access Based Enumeration (from https://technet.microsoft.com/en-us/library/dd772681(v=ws.10).aspx):
Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.
In prior releases, it was only required to have "List" to make folders visible, which is not consistent with Microsoft's implementation.
As of 7.1.1, the following are required, basically equivalent to "Read", but we do not require "Read Attributes":
Compared to Microsoft's own requirements, which are equivalent to "Read":
There has been a documentation bug filed to make sure this information gets into the 7.1.1.x MR documentation.
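A pre-upgrade spot check for the rule change this thread describes, as an added example that is not part of any post or of OneFS: it classifies constructed sample ACLs against the three visibility rules (old "List" only, 7.1.1, Microsoft "Read") using the standard Windows access-mask bits. The folder names, principals and the simplified allow-minus-deny evaluation are assumptions.

```python
# Added example (not from the thread): classify NTFS access masks against the
# folder-visibility rules described in this thread. Sample ACLs are constructed.
LIST_FOLDER      = 0x000001  # FILE_LIST_DIRECTORY / FILE_READ_DATA
READ_EA          = 0x000008  # FILE_READ_EA
TRAVERSE         = 0x000020  # FILE_TRAVERSE / FILE_EXECUTE
READ_ATTRIBUTES  = 0x000080  # FILE_READ_ATTRIBUTES
READ_PERMISSIONS = 0x020000  # READ_CONTROL
NAMES = {LIST_FOLDER: "List Folder / Read Data", READ_EA: "Read Extended Attributes",
         READ_ATTRIBUTES: "Read Attributes", READ_PERMISSIONS: "Read Permissions"}

RULES = {  # rights a user needs for ABE to show the folder, per the thread
    "pre-7.1.1": LIST_FOLDER,
    "7.1.1": LIST_FOLDER | READ_EA | READ_PERMISSIONS,
    "microsoft": LIST_FOLDER | READ_EA | READ_PERMISSIONS | READ_ATTRIBUTES,
}

def effective_mask(aces, principals):
    """Assumption: allow bits minus deny bits for the given principals.
    Ignores ACE order, inheritance and share-level permissions."""
    allow = deny = 0
    for kind, who, mask in aces:
        if who in principals:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def missing_rights(mask, rule):
    """Names of the rights the rule requires that the mask does not grant."""
    need = RULES[rule] & ~mask
    return [name for bit, name in NAMES.items() if need & bit]

def hidden_by_upgrade(folders, principals):
    """Folders listed under the old rule that 7.1.1 stops enumerating,
    mapped to the rights that must be added to make them visible again."""
    out = {}
    for path, aces in folders.items():
        mask = effective_mask(aces, principals)
        if not missing_rights(mask, "pre-7.1.1") and missing_rights(mask, "7.1.1"):
            out[path] = missing_rights(mask, "7.1.1")
    return out

SAMPLE = {  # constructed ACLs: (type, principal, access mask)
    "projects": [("allow", "Staff", LIST_FOLDER | TRAVERSE)],
    "shared":   [("allow", "Staff", 0x020009)],     # meets 7.1.1, lacks Read Attributes
    "public":   [("allow", "Everyone", 0x1200A9)],  # Read & Execute
    "finance":  [("allow", "Staff", 0x120089), ("deny", "alice", READ_PERMISSIONS)],
}
```

Calling `hidden_by_upgrade(SAMPLE, {"alice", "Staff", "Everyone"})` returns the folders that would disappear from that user's listing and the rights each one lacks.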
dynamox
9 Legend • 20.4K Posts • June 16th, 2015 07:00
Define "not directly impactful"? When I have hundreds of users who are no longer able to get to their data, that IS impactful.
When was this filed? I am getting so sick and tired of Isilon changing functionality without proper documentation and leaving the customer scrambling after upgrades.
Stdekart
104 Posts • June 16th, 2015 10:00
dynamox,
The direct impact is related to the fact that the user is not denied access to the directory and the data is unaffected. Users are just unable to see the directory as there are now insufficient permissions due to the change.
Users can still access the data via manually entering the full path.
Request for a change in the documentation was made on May 26th.
There was also a KB article written (April 26th) on this; unfortunately it is currently set to internal only. Working to make this customer facing as well. (This is what was copied and pasted in my previous response.)
May not be able to open the link at this time. Just want it in the discussion for future reference, as this should soon be customer facing.
https://support.emc.com/kb/201646
T_Koopman
17 Posts • June 16th, 2015 11:00
I agree with Dynamox. My production has 2.9 billion files and over 56 million folders, it would take over two weeks to push out different NTFS permissions. A spot check shows I likely dodged this issue, I consider myself lucky.
dynamox
9 Legend • 20.4K Posts • June 16th, 2015 11:00
Ok, so this is not data loss, this is data unavailable. End-users could care less, as far as they are concerned it's an outage as they cannot get to the data. You can't be serious when you mention the "full path"; how many users remember the full path when they need to traverse top level directory and there could be multiple sub directories where some they have access to and to some they don't? Sounds like a bunch of excuses.
Question is when Isilon is going to get with the program and act like an enterprise organization. It's so elementary, if you are going to introduce changes that are visible to end-users, document them in release notes. Ridiculous.
Stdekart
104 Posts • June 16th, 2015 11:00
dynamox,
Not attempting to make excuses, just clarifying the angle I was coming from in regards to the statement.
I completely understand that this causes a DU (data unavailable) event and it is currently not documented anywhere customer facing.
This is currently being addressed as we speak, to get the KB customer facing and documented in release notes.
I reached out to the team working on the documentation change and it is scheduled for release on 6/24 to be in the 7.1.1.5 release notes.
In regards to the last question, I am working to get involvement from the correct people who can speak to this.
Nikschen
179 Posts • June 16th, 2015 11:00
Hi guys,
So sorry for the documentation issues and end-user outage issues. We have escalated the documentation questions to our Info Dev team and hope to get some more insights. In the meantime, is anyone still impacted by this change, or have any SRs opened that we need to escalate?
Thanks,
Niki
dynamox
9 Legend • 20.4K Posts • June 16th, 2015 13:00
Hi Niki,
At this time everything has been addressed but issues like this make Isilon look so incompetent.
Peter_Sero
4 Operator • 1.2K Posts • June 16th, 2015 20:00
Laurel,
how about publishing the code of the regression tests that are currently used, and accepting contributions to those tests from the community?
Cheers
-- Peter
dynamox
9 Legend • 20.4K Posts • June 16th, 2015 21:00
Laurel,
Honestly, I can't believe I am hearing this. A company that has been in the industry for so long struggles to get information of what's changing in the code, what could be impacting its customers? How can I trust this company with my data then?
Something is seriously broken and I hope you have a plan to address it. Yesterday I had an outage, next time it might be catastrophic data loss. Bugs are one thing, but disregard for proper documentation is unacceptable.
dynamox
9 Legend • 20.4K Posts • June 24th, 2015 05:00
So is there an action plan from EMC? What do I tell my customer?
kirsten_gantenb
24 Posts • June 24th, 2015 15:00
Hi dynamox,
The ABE functionality change is included in the latest 7.1.1 release notes (page 3): https://support.emc.com/docu54294_OneFS-7.1.1-Release-Notes.pdf. A KB article about this procedure is being evaluated as well. I'll comment on this thread with additional documentation updates about this issue.
Thanks,
Kirsten
dynamox
9 Legend • 20.4K Posts • June 24th, 2015 20:00
Kirsten, this is fine for this specific issue. I am more interested going forward, what's going to change in how documentation is published? Why an army of technical writers cannot publish customer impacting changes before they cause an outage?
kirsten_gantenb
24 Posts • June 26th, 2015 09:00
We’re taking this issue very seriously, and have escalated it to initiate a review of why and how this breakdown occurred so we can prevent it from happening again. Your feedback is extremely important to us. We’re in the process of planning an Ask the Expert (ATE) session about our documentation in July, so we can collect more feedback from customers about the information experience we’re providing. I’ll provide more details about the ATE session in the next two weeks.