You can run a bulk update to change permissions and ownership for files and directories residing under a path on an Element Store view.
The update is done based on a template directory and/or file, from which permissions and ownership attributes (owner ID, owning group, ACL) are copied to the directories and files under the target path that you specify, overwriting the preexisted permissions and ownership attributes. If there is no template file specified, permissions for the files under the target path are updated by inheriting from the template directory.
This is useful in case you need to recursively fix permissions for a very large number of files and directories. All the processing for the bulk permission update task is done on the VAST cluster and distributed among the cluster's CNodes, eliminating the latencies that typically occur when running a similar task from a client.
Bulk permission update can be run on views with NFSv4, NFSv3, SMB and S3 storage access protocols, including VAST Database views.
Requirements and Restrictions
Only one bulk permission update task per tenant can run at a time.
If a client attempts to set permissions on directories or files being updated via a bulk permission update, the result is unpredictable.
It is strongly recommended that the target view and the template view have view policies with the same security flavor. Running a bulk permission update on a view where the security flavor does not match that of the template view may result in inaccessible or incompatible permissions set.
Permissions to be updated are determined based on the security flavor of the target view. For information, see Updated Permissions per Security Flavor and Protocol.
Read-only snapshots and VAST special directories (
.vastin S3 buckets,.trash,.snap,.remote) are excluded from bulk permission update.Bulk permission update cannot run on ABAC-tagged views.
Updated Permissions per Security Flavor and Protocol
Permissions that can be updated as a result of a bulk permission update depend on the security flavor set (via a view policy) for the template and target views:
Security Flavor | Updated Permissions |
|---|---|
NFS | Mode bits or POSIX permissions (if the view policy allows a POSIX ACL) |
SMB | Only NTFS permissions |
S3 Native | Only S3 permissions |
Mixed Last Wins | Mode bits, POSIX, NTFS or NFSv4 permissions |
The following ACE types can be updated for each access protocol:
Protocol | ACE Types | Permissions per ACE | Inheritance Flags per ACE |
|---|---|---|---|
NFSv3 |
| Read, Write, Execute Special bits: SUID, SGID, sticky bit | |
NFSv4 |
| ACE4_READ_DATA ACE4_LIST_DIRECTORY ACE4_WRITE_DATA ACE4_ADD_FILE ACE4_APPEND_DATA ACE4_ADD_SUBDIRECTORY ACE4_READ_NAMED_ATTRS ACE4_WRITE_NAMED_ATTRS ACE4_EXECUTE ACE4_DELETE_CHILD ACE4_READ_ATTRIBUTES ACE4_WRITE_ATTRIBUTES ACE4_WRITE_RETENTION ACE4_WRITE_RETENTION_HOLD ACE4_DELETE ACE4_READ_ACL ACE4_WRITE_ACL ACE4_WRITE_OWNER ACE4_SYNCHRONIZE Special bits: SUID, SGID, sticky bit | ACE4_FILE_INHERIT_ACE ACE4_DIRECTORY_INHERIT_ACE ACE4_NO_PROPAGATE_INHERIT_ACE ACE4_INHERIT_ONLY_ACE ACE4_IDENTIFIER_GROUP |
SMB |
| FILE_LIST_DIRECTORY FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_READ_EA FILE_WRITE_EA FILE_TRAVERSE FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_EXECUTE | OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE NO_PROPAGATE_INHERIT_ACE INHERIT_ONLY_ACE |
S3 |
| READ WRITE READ_ACP WRITE_ACP |
Choosing a Template Directory or File
Choose a template directory and, optionally, a template file with permissions that you want to assign to the target directories and/or files during a bulk permission update.
If a template file is specified for a bulk permission update, VAST Cluster overwrites the permissions and ownership attributes of the target files and directories as follows:
Permissions of target files are overwritten with those of the template file.
Permissions of target directories are overwritten with those of the template directory.
If no template file is specified, VAST Cluster overwrites the permissions and ownership attributes of the top target directory (specified as the Selected path to update) with those of the template directory, and nested directories and files inherit permissions and ownership attributes from their parent.
In this case, the template directory must have a default ACL on it.
Starting Bulk Permission Update in VAST Web UI
To start a bulk permission update:
In the left navigation menu, choose Element Store and then Views to open the Views page.
In the Views page, find the view that exposes the files and directories for which you want to update permissions and in the Actions menu for that view, choose Bulk Permission Update.
In the Path to update pane of the Bulk permission update dialog, complete the fields:
Selected path to update
Specify a path to the directory where files and directories for which to update permissions reside.
In the Template pane of the Bulk permission update dialog, complete the fields:
Copy from view
Specify a view that exposes a directory and (optionally) a file from which to copy permissions and ownership attributes.
It is strongly recommended that the target view and the template view have view policies with the same security flavor. Running a bulk permission update on a view where the security flavor does not match that of the template view may result in inaccessible or incompatible permissions set.
Directory template path
Specify a path to the directory from which to copy permissions and ownership attributes to the directories under Selected path to update. For more information about choosing a template directory, see Choosing a Template Directory or File.
File template path
Specify a path to the file from which to copy permissions and ownership attributes to the files under Selected path to update.
This setting is optional. If not specified, the attributes are copied from the directory specified in Directory template path.
For more information about choosing a template file, see Choosing a Template Directory or File.
Click Approve.
Verify the details In the confirmation popup.
If the suggested replacements are correct, click Yes to start the bulk permission update.
To make changes to the setup, click No.
The bulk permission update is started.
Checking Update Progress and Status in VAST Web UI
To view progress and status of the bulk permission update per view:
In the left navigation menu, choose Element Store and then Views to open the Views page.
The Bulk Permission Update State column displays the status of the latest bulk permission update for a view.
The Bulk Permission Update Progress column shows the update percentage completion.
To view details of a particular bulk permission update task:
In the left navigation menu, choose Activities.
In the Activities page, set the date and time filter as appropriate and search for a task named
bulk_permission_update.Click a task in the list to display its details in the right pane. The details include the task steps with timing and completion status for each step.
Stopping Bulk Permission Update in VAST Web UI
When you stop a running bulk permission update, the changes that the task has already made are not rolled back.
To stop a running bulk permission update:
In the left navigation menu, choose Element Store and then Views.
In the Views page, use the filter in the Bulk Permission Update State column to find the view for which permissions are being updated.
Open the Actions menu for that view and click Stop Bulk Permission Update.