view modify

This command modifies a view.

General Usage

 view modify --id VIEW_ID
            [--path PATH]
            [--protocols PROTOCOLS] 
            [--alias ALIAS]
            [--share SHARE]
            [--policy-id ID]
            [--cluster-id ID]
            [--create-dir]
            [--enable-live-monitoring|--disable-live-monitoring]
            [--enable-s3-unverified-lookup|--disable-s3-unverified-lookup]
            [--s3-versioning]
            [--locking]
            [--default-retention-period DEFAULT_RETENTION_PERIOD]
            [--s3-locks-retention-mode NONE|GOVERNANCE|COMPLIANCE]
            [--bucket BUCKET]
            [--bucket-owner-type USER|ROLE]
            [--bucket-owner BUCKET_OWNER]
            [--bucket-creators BUCKET_CREATORS]
            [--bucket-creators-groups BUCKET_CREATORS_GROUPS]
            [--allow-s3-anonymous-access]|[--block-s3-anonymous-access]
            [--qos-policy-id QOS_POLICY_ID]
            [--delete_qos_policy]
            [--enable-acls|--disable-acls]
            [--enable-share-acl]|[--disable-share-acl]
            [--clear-share-acl]
            [--share-ace-grantee users|groups]
            [--share-ace-permissions FULL|READ|CHANGE]
            [--share-ace-identifier IDENTIFIER]
            [--remove-share-ace-name NAME --remove-share-ace-fqdn FQDN]
            [--abe-protocols [SMB]]
            [--abe-max-depth LEVEL]
            [--max-retention-period MAX_RETENTION_PERIOD]
            [--min-retention-period MIN_RETENTION_PERIOD]
            [--auto-commit AUTO_COMMIT]
            [--bucket-logging-destination-id DESTINATION_BUCKET_ID]
            [--bucket-logging-prefix PREFIX]
            [--bucket-logging-key-format SIMPLE_PREFIX|PARTITIONED_PREFIX_EVENT_TIME|PARTITIONED_PREFIX_DELIVERY_TIME]
            [--disable-bucket-logging]
            [--enable-user-impersonation|--disable-user-impersonation]
            [--user-impersonation-identifier-type ID_TYPE]
            [--user-impersonation-identifier ID]
            [--user-impersonation-username NAME]
            [--name NAME]
            [--set-is-default-subsystem|--reset-is-default-subsystem]
            [--enable-indestructible-object|--disable-indestructible-object]
            [--indestructible-object-duration RETENTION_PERIOD]
            [--smb-encryption-state AVAILABLE|DESIRED|REQUIRED]
            [--kafka-first-join-group-timeout-sec SECONDS]
            [--kafka-rejoin-group-timeout-sec SECONDS]
            [--enable-kafka-unencrypted-conn|--disable-kafka-unencrypted-conn]
            [--kafka-unencrypted-auth-mechanism SASL_PLAIN|NONE]
            [--enable-kafka-encrypted-conn|--disable-kafka-encrypted-conn]
            [--kafka-encrypted-auth-mechanism SASL_PLAIN|NONE]
            [--require-kafka-authorization|--cancel-kafka-authorization]

Share-Level ACL Usage

To enable or disable share-level ACL on the view:

view modify --id VIEW_ID --enable-share-acl|--disable-share-acl

To add an ACE to the view's share-level ACL:

view modify --id VIEW_ID
            --share-ace-grantee users|groups
            --share-ace-identifier IDENTIFIER
            --share-ace-permissions FULL|READ|CHANGE

To clear all ACEs from the view's share-level ACL:

view modify --id VIEW_ID
            --clear-share-acl

To remove an ACE:

view modify --id VIEW_ID
            --remove-share-ace-name NAME
            --remove-share-ace-fqdn FQDN

Required Parameters

--id VIEW_ID

Specifies the ID of the view you want to modify.

Options

--path PATH

Modifies the Element Store path to be exposed to clients. It can be a directory that was already created by a client inside an exposed parent directory, or it can be a new directory, in which case you must specify the --create-dir option to create the directory.

Example:

--path /a/b/c

If you are going to use the path to create an S3 bucket, ensure that none of the subdirectories under the path has a replication protected path defined on it.

--protocols PROTOCOLS

Specifies which protocol(s) the view will be exposed to.

Specify PROTOCOLS as a string value for a single protocol or a comma separated list of strings to enable multiple protocols. Valid string values are:

  • NFS. To expose the view as an NFS export to clients using NFS version 3.

  • NFS4. To expose the view as an NFS export to clients using NFS version 4.1 or 4.2.

  • SMB  (Not in combination with ENDPOINT).  To expose the view as an SMB share to SMB clients.

  • S3 (Not in combination with ENDPOINT). To expose the view as an S3 bucket.

  • ENDPOINT (Not in combination with SMB or S3). To create an S3 Endpoint, which is a template for creating buckets via S3 APIs. Whenever a bucket is created using this endpoint, a new view is created under the specified path. See Managing S3 Request-Initiated Bucket Creation for more information about S3 Endpoint buckets.

  • DATABASE. To expose the view as a VAST database. This option is used for each view that VAST Cluster creates when a user chooses to create a database on the cluster. For more information, see Configuring the VAST Cluster for Database Access.

Examples:

--protocols NFS,SMB

--protocols NFS,NFS4,ENDPOINT

--protocols NFS,S3

--protocols SMB

--protocols DATABASE

--alias ALIAS

For NFSv3 exports, specifies a shorter alternative name for the path that can be used when mounting. Optional and relevant only if the view is exposed to NFS. An alias must begin with a forward slash ("/") and must consist of only ASCII characters.

An NFS export alias must be unique within the tenant.

--share SHARE

Specifies the SMB share name. Required if the view is exposed to SMB. The name cannot include the following characters: /\:|<>*?"

An SMB share name must be unique within the tenant.

--policy-id ID

Specifies which view policy to apply. If unspecified, the default policy (ID 1) is used.

--create-dir

Creates a directory at the specified path. Include this option if the directory does not already exist.

--enable-live-monitoring

Enables live monitoring on the view. Live monitoring can be enabled for up to ten views at one time.

Analytics data for views is polled every 5 minutes by default and every 10 seconds with live monitoring.

--disable-live-monitoring

Disables live monitoring on the view. See also --enable-live-monitoring.

--s3-versioning

Enables object versioning on the bucket if S3 is specified in --protocols.

--locking

Enables object locking on the view bucket, if S3 is specified in --protocols, or file locking in NFSv3/SMB, if they are selected in --protocols. This setting can't be disabled after the view is created.

--s3-locks-retention-mode NONE|GOVERNANCE|COMPLIANCE

Sets a default retention mode for objects in the bucket.

Possible values:

  • NONE (default).  Object versions that are placed in the bucket have no automatic protection but can be configured with a retention period or legal hold.

  • GOVERNANCE. Object versions that are placed in the bucket are automatically protected with a retention lock with retention mode set to governance.  

  • COMPLIANCE. Object versions that are placed in the bucket are automatically protected with a retention lock with retention mode set to compliance.

--bucket BUCKETNAME

Specifies the name of an S3 bucket. Required if S3 is specified in --protocols.

A bucket name must be unique across all tenants of  the cluster. For more guidelines on bucket naming, see Overview of VAST Cluster S3 Implementation.

--bucket-owner-type USER|ROLE

Specifies whether the bucket owner is a user (USER) or an IAM role (ROLE). The default is USER.

--bucket-owner BUCKET_OWNER

Specifies a user to be the bucket owner. Required if S3 is specified in --protocols.

--bucket-creators BUCKET_CREATORS

Relevant if ENDPOINT is specified in --protocols. Specifies the users whose requests to create an S3 bucket, sent through the S3 API, will use this S3 Endpoint view.

Specify BUCKET_CREATORS as a comma separated list of user names.

Note

Users should not be specified as bucket creators in more than one S3 Endpoint view.

--allow-anonymous-access

If the view has S3 Bucket or S3 Endpoint enabled, include this option to allow anonymous S3 access to the view's S3 bucket.

If allowed, anonymous requests are granted provided that the object ACL grants access to the All Users group (in S3 Native security flavor) or the permission mode bits on the requested file and directory path grant access permission to "others" (in NFS security flavor). For views with SMB security flavor, anonymous requests are not granted access.

--block-anonymous-access

Blocks anonymous S3 access to the view's S3 bucket, if applicable. This is the default setting.

--qos-policy-id QOS_POLICY_ID

Associates a QoS policy with the view. Specify the QoS policy by its ID. To list QoS policy definitions, use qospolicy list.

--delete-qos-policy

If a QoS policy is associated with the view, this option removes the QoS policy from the view.  

--enable-acls

When this option is specified, access to bucket objects is controlled based on ACLs rather than on the bucket owner's permissions.

This option disables S3 Object Ownership for the bucket.

--disable-acls

When this option is specified, the bucket owner has full control over any object in the bucket. Access to objects is controlled based on policies configured for the bucket. ACLs are not used.

Specifying this option is equivalent to setting the S3 object ownership rule of Bucket Owner Enforced.

--enable-share-acl

Enables share-level ACL on the view.

This setting enables share-level ACL on the view, which means that SMB requests to access the view will fail unless permission is granted to the requesting user by an ACE.

--disable-share-acl

Disables a share-level ACL on a view.

Share-level ACL is disabled by default.

--clear-share-acl

Removes all ACEs from a share-level ACL if enabled on the view, without disabling share-level ACL.

--share-ace-grantee users|groups

Specifies a grantee type when running the command to configure an Access Control Entry (ACE) in a share-level ACL.

See also Share-Level ACL Usage.

Possible values:

  • users. Specify this option when configuring an ACE for a user.

  • groups. Specify this option when configuring an ACE for a group.

--share-ace-permissions READ|CHANGE|FULL

Specifies the type of permission to grant to a specified grantee when running the command to configure an Access Control Entry (ACE) in a share-level ACL.

See also Share-Level ACL Usage.

Possible values:

  • FULL (default). Grants the grantee full control share-level access to the view.

  • READ. Grants the grantee read share-level access to the view.

  • CHANGE. Grants the grantee change share-level access to the view.

--share-ace-identifier IDENTIFIER

Specifies a grantee by SID, UID or GID identifier when running the command to configure an Access Control Entry (ACE) in a share-level ACL.

See also Share-Level ACL Usage.

Specify IDENTIFIER as the exact value of the user's or group's SID, UID or GID attribute value on the joined Active Directory domain.

To obtain an identifier, run a query by prefix against the Active Directory domain using one of the following commands:

--remove-share-ace-name NAME

Specifies the grantee name when running the command to remove an ACE from a share-level ACL.

See also Share-Level ACL Usage.

--remove-share-ace-fqdn FQDN

Specifies the domain when running the command to remove an ACE for a given grantee from a share-level ACL.

See also Share-Level ACL Usage.

--abe-protocols SMB

Enables Access-Based Enumeration (ABE) for the view, if SMB is specified in --protocols.

Note

To disable ABE, specify the option without the protocol keyword: --abe-protocols.

--abe-max-depth LEVEL

Sets the maximum directory level (depth) at which ABE is enabled.

--files-retention-mode NONE|GOVERNANCE|COMPLIANCE

Sets the retention mode for files saved in the view, if locking (--locking) is enabled.

Possible values:

  • NONE (default).  Files that are saved to the view have no automatic protection but can be manually configured with a retention period or legal hold.

  • GOVERNANCE. Files that are saved in the view are automatically protected with a retention lock with retention mode set to governance.  In this mode, the retention period can be lengthened or shortened.

  • COMPLIANCE. Files that are saved in the view are automatically protected with a retention lock with retention mode set to compliance. In this mode, the retention period can be lengthened, but not shortened.

--default-retention-period DEFAULT_RETENTION

Sets the default retention period for files that are locked in the view to DEFAULT_RETENTION. Files that are locked automatically using auto-commit will be locked for this period of time, after which they will be unlocked.

Files that are locked manually (by setting the atime for the file to a future time) do not use the default retention period.

The value DEFAULT_RETENTION must be in the range between the min-retention-period and max-retention-period.

Set it as an integer value, including units (m - minutes, h - hours, d - days, y - years).

Example: 5d (5 days).

--max-retention-period MAX_RETENTION

Sets the maximum retention period for files that are locked in the view to MAX_RETENTION. Files cannot be locked for longer than this period, whether  they are locked manually (by setting the atime) or automatically, using  auto-commit.

It must be larger than the min-retention-period.

Set it as an integer value, including units (m - minutes, h - hours, d - days, y - years).

Example:  2m (2 months).

--min-retention-period MIN_RETENTION

Sets the minimum retention period for files that are locked in the view to MIN_RETENTION. Files cannot be locked for less than this period, whether locked manually (by setting the atime) or automatically, using  auto-commit.

It must be less than the max-retention-period.

Set it as an integer value, including units (m - minutes, h - hours, d - days, y - years).

Example: 3d (3 days).

--auto-commit AUTO_COMMIT

Sets the auto-commit time to AUTO_COMMIT for files that are locked automatically. These files are locked automatically after the AUTO_COMMIT period elapses from the time the file is saved. Files locked automatically are locked for the default-retention-period, after which they are unlocked.

If set, then --default-retention-period, --min-retention-period, and --max-retention-period must also be set.

Set it as an integer value, including units (m - minutes, h - hours, d - days, y - years).

Example: 5m (5 minutes).
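
The constraints stated for --default-retention-period, --min-retention-period, --max-retention-period and --auto-commit can be checked before the command is run. The following Python sketch is an added example, not part of the VAST CLI or its documentation; the function names are hypothetical, a year is assumed to be 365 days, and the default is assumed to be allowed to equal either bound.

```python
import re

# Unit letters as listed on this page: m - minutes, h - hours, d - days, y - years.
# Assumption: one year is counted as 365 days; the page does not define it.
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
PERIOD_RE = re.compile(r"(\d+)([mhdy])")
BOUNDS = ("min-retention-period", "max-retention-period", "default-retention-period")


def parse_period(text):
    """Convert a value such as '5d' into seconds; reject anything else."""
    match = PERIOD_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"expected an integer followed by m, h, d or y, got {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_retention(opts):
    """Return a list of problems for retention options given without leading dashes."""
    problems, seconds = [], {}
    for name in BOUNDS + ("auto-commit",):
        if name in opts:
            try:
                seconds[name] = parse_period(opts[name])
            except ValueError as exc:
                problems.append(f"--{name}: {exc}")

    low = seconds.get("min-retention-period")
    high = seconds.get("max-retention-period")
    default = seconds.get("default-retention-period")

    if low is not None and high is not None and low >= high:
        problems.append("--min-retention-period must be less than --max-retention-period")
    # Assumption: the default may equal either bound ("in the range between").
    if default is not None and low is not None and default < low:
        problems.append("--default-retention-period is below --min-retention-period")
    if default is not None and high is not None and default > high:
        problems.append("--default-retention-period is above --max-retention-period")

    # The page requires all three periods whenever --auto-commit is set.
    if "auto-commit" in opts:
        missing = [f"--{name}" for name in BOUNDS if name not in opts]
        if missing:
            problems.append("--auto-commit also requires " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample: auto-commit after 5 minutes, locked for 5 days by default.
    sample = {"auto-commit": "5m", "default-retention-period": "5d",
              "min-retention-period": "3d", "max-retention-period": "1y"}
    print(check_retention(sample) or "ok")
```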

--smb-encryption-state AVAILABLE|DESIRED|REQUIRED

For views of a tenant that has SMB encryption enabled, you can optionally configure the view with SMB encryption protection that is equal to or stronger than that of the tenant:

  • AVAILABLE (low): Encryption is used only for SMB clients which have requested it explicitly. For clients that do not support encryption, access is allowed but no encryption is used.

  • DESIRED (medium): The cluster uses encryption for any SMB client that supports encryption. For clients that do not support encryption, access is allowed but no encryption is used.

  • REQUIRED (high): SMB clients that do not support encryption are denied access.

Block Options

Use the following options with the --protocol BLOCK to modify a block subsystem view:

--name NAME

Modifies the name of the subsystem.

--set-is-default-subsystem

Sets the view to be the default subsystem view from which to provision block volumes.  

--reset-is-default-subsystem

Resets the default status of a default subsystem view.

S3 Bucket Logging Options

The following options let you configure S3 Bucket Logging for an S3 Bucket view:

--bucket-logging-destination-id DESTINATION_BUCKET_ID

Enables S3 bucket logging for the bucket and determines the destination bucket which will be used to store the logs.

DESTINATION_BUCKET_ID is an ID of a view that exposes the destination bucket.

--bucket-logging-prefix PREFIX

Optionally, specify a prefix that will be prepended to each key of a log object uploaded to the destination bucket. This prefix can be used to categorize log objects; for example, if you use the same destination bucket for multiple source buckets.

The prefix can be up to 128 characters and must follow S3 object naming rules.

--bucket-logging-key-format SIMPLE_PREFIX| PARTITIONED_PREFIX_EVENT_TIME| PARTITIONED_PREFIX_DELIVERY_TIME

Specify the format for the log object keys:

  • SIMPLE_PREFIX adds log object keys in the following format:

    [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

    This is the default format.

  • PARTITIONED_PREFIX_EVENT_TIME and PARTITIONED_PREFIX_DELIVERY_TIME add log object keys in the following format:

    [DestinationPrefix][SourceUsername]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

    This format enables timestamp-based partitioning of log objects.

    • With PARTITIONED_PREFIX_EVENT_TIME, the partitioning is done based on the time when the logged events occurred.

    • With PARTITIONED_PREFIX_DELIVERY_TIME, the partitioning is done based on the time when the log object has been delivered to the destination bucket.

In the formats:

  • [DestinationPrefix] is the optional prefix that prepends keys of log objects uploaded to the destination bucket. You define this prefix with the --bucket-logging-prefix parameter.

  • [SourceUsername] is the username for the owner of the bucket being logged.

  • [SourceBucket] is the bucket being logged.

  • UTC time is used in timestamps.

  • [UniqueString] is a unique string added to prevent overwriting of objects.
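
When log objects are pulled from the destination bucket for review, their keys can be split back into the fields listed above. The following Python parser is an added example, not code from VAST; the function names and sample keys are constructed, and it assumes the unique string contains no "/". The configured prefix has to be passed in because the key formats put no separator between [DestinationPrefix] and the field that follows it.

```python
import re
from datetime import date, datetime, timezone

FORMATS = ("SIMPLE_PREFIX", "PARTITIONED_PREFIX_EVENT_TIME",
           "PARTITIONED_PREFIX_DELIVERY_TIME")
# [YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
# Assumption: the unique string contains no "/".
STAMP = r"(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})-(?P<unique>[^/]+)"
SIMPLE_RE = re.compile(STAMP)
# [SourceUsername]/[SourceBucket]/[YYYY]/[MM]/[DD]/ followed by the stamp part.
PARTITIONED_RE = re.compile(
    r"(?P<user>[^/]+)/(?P<bucket>[^/]+)/"
    r"(?P<py>\d{4})/(?P<pm>\d{2})/(?P<pd>\d{2})/" + STAMP)


def parse_log_key(key, prefix="", key_format="SIMPLE_PREFIX"):
    """Split a log object key into its documented fields.

    prefix is the value given to --bucket-logging-prefix.
    Raises ValueError if the key does not follow the given format.
    """
    if key_format not in FORMATS:
        raise ValueError(f"unknown key format: {key_format}")
    if not key.startswith(prefix):
        raise ValueError(f"key does not start with prefix {prefix!r}: {key!r}")
    pattern = SIMPLE_RE if key_format == "SIMPLE_PREFIX" else PARTITIONED_RE
    match = pattern.fullmatch(key[len(prefix):])
    if match is None:
        raise ValueError(f"key does not match {key_format}: {key!r}")
    # Timestamps in keys are UTC, per the page.
    stamp = datetime.strptime(match["stamp"], "%Y-%m-%d-%H-%M-%S")
    fields = {"timestamp": stamp.replace(tzinfo=timezone.utc),
              "unique": match["unique"]}
    if pattern is PARTITIONED_RE:
        fields["source_username"] = match["user"]
        fields["source_bucket"] = match["bucket"]
        fields["partition_date"] = date(
            int(match["py"]), int(match["pm"]), int(match["pd"]))
    return fields


def select_window(keys, start, end, prefix="", key_format="SIMPLE_PREFIX"):
    """Return (keys stamped in [start, end), keys that did not parse).

    Unparsed keys are returned rather than dropped: an object in the log
    bucket that does not follow the configured format deserves a look.
    """
    selected, unparsed = [], []
    for key in keys:
        try:
            fields = parse_log_key(key, prefix, key_format)
        except ValueError:
            unparsed.append(key)
            continue
        if start <= fields["timestamp"] < end:
            selected.append(key)
    return selected, unparsed
```

The window filter uses the timestamp in the object name; the page does not say how that timestamp relates to the partition date, so both are returned separately by parse_log_key.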

--disable-bucket-logging

Disables S3 bucket logging configured for the bucket.

User Impersonation Options

The following options let you configure user impersonation for a view:

--enable-user-impersonation

Enables user impersonation.

--disable-user-impersonation

Disables user impersonation.

--user-impersonation-identifier-type ID_TYPE

The type of user identifier that you are going to specify with the --user-impersonation-identifier option to identify the impersonator (the user account to be used instead of the original user).

Valid values for ID_TYPE:

  • username for the user's username in the format username@domain.

  • sid_str for user's Security ID (SID).

  • uid for user's POSIX UID attribute.

This option is required if --enable-user-impersonation is specified on the command.

--user-impersonation-identifier ID

The impersonator user ID or name. The ID or name must be of the type specified on the --user-impersonation-identifier-type option (username@domain, SID or UID).

This option is required if --enable-user-impersonation is specified on the command.

--user-impersonation-username NAME

The impersonator username.

If --user-impersonation-identifier ID and --user-impersonation-username NAME point to different users, the user specified with --user-impersonation-identifier ID becomes the impersonator.

Event Publishing Options

The following options let you configure a view for VAST Event Broker:

--kafka-first-join-group-timeout-sec SECONDS

Specifies the amount of time to wait for more consumers to join a new group before performing the first rebalance. Valid values are 1-3600. The default value is 60 seconds.

--kafka-rejoin-group-timeout-sec SECONDS

Specifies the maximum allowed session timeout for registered consumers. Valid values are 1-3600. The default value is 60 seconds.

--kafka-vip-pools POOL_ID

Specifies a virtual IP pool to be used to access event topics exposed by the view.

Note

Only one virtual IP pool can be used per view.

The pool must belong to the same VAST tenant as the Kafka-enabled view.

If the view is associated with a view policy that includes virtual IP pools, the pool specified as the Kafka pool must be one of the view policy pools.

--enable-kafka-unencrypted-conn

Enables authentication of clients that use non-TLS connections to access a Kafka-enabled view.

When specifying this option, also include --kafka-unencrypted-auth-mechanism SASL_PLAIN to request SASL plain authentication for the connection.

--disable-kafka-unencrypted-conn

Disables authentication of clients that use non-TLS connections to access a Kafka-enabled view.

--kafka-unencrypted-auth-mechanism SASL_PLAIN|NONE

Specify SASL_PLAIN to enable SASL plain authentication on non-TLS connections to a Kafka-enabled view.

--enable-kafka-encrypted-conn

Enables authentication of clients that use TLS connections to access a Kafka-enabled view.

This option requires a Kafka TLS certificate to be provided for the VAST cluster.

When specifying this option, also include --kafka-encrypted-auth-mechanism SASL_PLAIN to request SASL plain authentication for the connection.

--disable-kafka-encrypted-conn

Disables authentication of clients that use TLS connections to access a Kafka-enabled view.

--kafka-encrypted-auth-mechanism SASL_PLAIN|NONE

Specify SASL_PLAIN to enable SASL plain authentication on TLS connections to a Kafka-enabled view.

--require-kafka-authorization

Enables authorization for clients connecting to a Kafka-enabled view.

--cancel-kafka-authorization

Disables authorization for clients connecting to a Kafka-enabled view.

Indestructible Object Mode Options

Note

These options are not supported by default. To use these options, first enable indestructible object mode on the cluster. For full feature information, see Indestructible Object Mode.

--enable-indestructible-object

Enables indestructible object mode on the view.  

--disable-indestructible-object

Disables indestructible object mode on the view. This is only allowed when the cluster's indestructibility mechanism is unlocked.

--indestructible-object-duration RETENTION_PERIOD

Modifies the retention period for indestructible object mode. This is only allowed when the cluster's indestructibility mechanism is unlocked.

Specify RETENTION_PERIOD as an integer.

Default: 8

Supported range: 1-400

Note

If you are enabling indestructibility mode, you will not be able to change this retention period after view creation without first unlocking the cluster's indestructibility mechanism, which requires a secure authentication procedure. See Managing the Indestructibility Mechanism.

Example

This example changes the view policy used by the view that exposes the /dev path of the element store.

vcli: admin> view modify --id 2 --path /dev --policy-id 2

This example removes an ACE from a share-level ACL:

vcli: admin>  view modify --id 101 --remove-share-ace-name joej --remove-share-ace-fqdn ad.arandomorg.com