
January 14th, 2014 12:00

Cannot create directory from a RAN user with modify ACL on a namespace access point

Hello,

Could anyone please help me with getting the right accesstype required for a RAN user? I am attempting to set up a RAN user with proper access point ACL with permissions to create directory, file operations (create/modify/delete) and set the files to WORM.

I set ACL to modify, which should at least grant add_subdir and add_file permissions according to the RAN API reference (page 53).

{
  "acl": [
    {
      "accessrights": [
        "modify"
      ],
      "accesstype": "allow",
      "inherit_flags": [],
      "trustee": {
        "id": "UID:2002",
        "name": "mytestuser",
        "type": "user"
      }
    }
  ],
  "authoritative": "acl",
  "group": {
    "id": "GID:0",
    "name": "wheel",
    "type": "group"
  },
  "mode": "0020",
  "owner": {
    "id": "UID:0",
    "name": "root",
    "type": "user"
  }
}

Then when I create a directory using that user (mytestuser), I get permission denied error:

PUT /namespace/mytest/testfolder?recursive=true?overwrite=false

Status Code: 403 Forbidden

Body:

{
  "errors": [
    {
      "code": "AEC_FORBIDDEN",
      "message": "Unable to open the store 'mytest' -- permission denied."
    }
  ]
}


January 14th, 2014 16:00

Hi Chris,

Thanks for the response. I have now added this role and assigned the RAN user the role. But I still get the access denied error when I create a directory.

I noticed this paragraph in the RAN API reference:

Configuring user accounts for RAN

User access privileges (such as read, write, or read-write) to files and directories under an access point are governed by the OneFS system ACLs and permissions. Users' privileges to an access point can be modified; however, the read privilege must be given to a user, or the user will be unable to access the access point.

So I went to OneFS WebUI and changed UNIX permission of the access point path to USER=mytestuser, but it doesn't seem to help either.


January 14th, 2014 16:00

Hello,

Have you assigned your RAN user the necessary role-based privileges? For a user to access the RAN namespace, they must be assigned the privilege ISI_PRIV_NS_IFS_ACCESS.

You could do this with:

# isi auth roles create RAN-Users
# isi auth roles modify --add-priv=ISI_PRIV_NS_IFS_ACCESS RAN-Users
# isi auth roles modify --add-user=mytestuser RAN-Users

-Chris


January 24th, 2014 11:00

I now have a RAN user configured properly that can create/read directory and files.

There are two things I did:

  1. Instead of accessrights "modify", grant "file_gen_all" to mytestuser
  2. make sure mytestuser has file_gen_all access to the directory as well (the directory was created by root and hence mytestuser has no write permission to the directory)

Perhaps the permissions model is not the same between REST and file share; (2) is not necessary when I share the directory as SMB/NFS for mytestuser.

There is also no need to grant any of the ISI_PRIV_* roles to mytestuser. When I create a user using "isi auth users create", is this user granted some roles by default?

Without granting these rights to mytestuser, I was able to do what was described as the "user right" of the roles. Can someone help me understand what these roles are really about, and in what situations they are validated?

  • ISI_PRIV_NS_IFS_ACCESS - Access the /ifs directory tree through the namespace REST service
  • ISI_PRIV_NS_TRAVERSE - Traverse and view directory metadata
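As an added example (not code from this thread, nor from Dell EMC or the OneFS project), the Python script below assembles the three steps the last post arrives at: an ACL granting file_gen_all to the RAN user on the access point, the same grant on the directory the access point maps to, and then the directory create as that user. It also includes an offline check that an ACL document actually carries the right for the trustee, which is the question the first post was trying to answer. The cluster address and credentials are placeholders; the "?acl" query string, the default "ifs" access point, and the x-isi-ifs-target-type header are my assumptions about the RAN API and are not taken from the thread.

```python
# Added example; not code from the thread or from Dell EMC / OneFS.
import base64
import json
import urllib.error
import urllib.request

# Assumptions: host, port and credentials are placeholders; RAN is reached
# over HTTPS on 8080 with HTTP basic auth. ACL changes are made as an admin,
# the directory create as the RAN user from the thread (mytestuser, UID:2002).
CLUSTER = "https://isilon.example.invalid:8080"
CREDENTIALS = {
    "admin": ("root", "<admin-password-placeholder>"),
    "ran_user": ("mytestuser", "<user-password-placeholder>"),
}


def acl_document(user_name, user_id, rights=("file_gen_all",)):
    """Build the ACL body the thread ended up with: one allow ACE for the RAN
    user carrying file_gen_all, owner root / group wheel as in the posted JSON.
    'authoritative: acl' tells OneFS that the ACL, not the POSIX mode, governs.
    inherit_flags is left empty as in the thread, so the ACE applies to this
    object only and is not propagated to children created later."""
    return {
        "acl": [{
            "accessrights": list(rights),
            "accesstype": "allow",
            "inherit_flags": [],
            "trustee": {"id": user_id, "name": user_name, "type": "user"},
        }],
        "authoritative": "acl",
        "group": {"id": "GID:0", "name": "wheel", "type": "group"},
        "owner": {"id": "UID:0", "name": "root", "type": "user"},
    }


def grants_right(acl_doc, user_name, right):
    """True when some allow ACE for user_name lists `right` literally.
    No expansion of composite rights such as 'modify' is attempted, which is
    exactly why checking the returned ACL matters: 'modify' looked sufficient
    on paper but did not let the user create a directory in the thread."""
    for ace in acl_doc.get("acl", []):
        trustee = ace.get("trustee", {})
        if (trustee.get("type") == "user" and trustee.get("name") == user_name
                and ace.get("accesstype") == "allow"
                and right in ace.get("accessrights", [])):
            return True
    return False


def plan_requests(access_point, backing_dir, directory, user_name, user_id):
    """Return (who, method, path, headers, body) for the three PUTs.

    backing_dir is the access point's directory relative to /ifs, addressed
    through the default 'ifs' access point (assumption: it exists, as on a
    stock cluster). The '?acl' query and the x-isi-ifs-target-type header are
    from my reading of the RAN reference (assumption)."""
    body = json.dumps(acl_document(user_name, user_id)).encode()
    json_hdr = {"Content-Type": "application/json"}
    return [
        ("admin", "PUT", f"/namespace/{access_point}?acl", json_hdr, body),
        ("admin", "PUT", f"/namespace/ifs/{backing_dir}?acl", json_hdr, body),
        ("ran_user", "PUT", f"/namespace/{access_point}/{directory}",
         {"x-isi-ifs-target-type": "container"}, b""),
    ]


def send(who, method, path, headers, body):
    """Perform one request as the given principal; returns (status, body)."""
    user, password = CREDENTIALS[who]
    req = urllib.request.Request(CLUSTER + path, data=body or None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    for name, value in headers.items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        # A 403 with AEC_FORBIDDEN here is the symptom from the first post.
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    # Paths are placeholders for the access point "mytest" from the thread.
    for step in plan_requests("mytest", "data/mytest", "testfolder",
                              "mytestuser", "UID:2002"):
        status, payload = send(*step)
        print(step[1], step[2], "->", status, payload)
```

The grant is deliberately scoped: file_gen_all goes only on the one access point and its backing directory, not on /ifs, so the RAN user gets write access to the namespace it needs and nothing else. After the ACL PUTs, a GET of the same "?acl" resource fed to grants_right confirms the right was stored as expected before the directory create is attempted.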