API 2.0 Set dataset permission (ACL)

hanskait

Cadet
Joined
Jun 18, 2021
Messages
4
Hi, I am trying to use the api to change the acl of a dataset but I am not able to.
The error I am getting is apparently a formatting error in the parameters.

The error is: "Expecting ':' delimiter"

My command is:
Code:
curl -X POST "https://xxxx/api/v2.0/pool/dataset/id/DATASET_NAME/permission" -H  "accept: */*" -H "Authorization: Bearer XXX" -k -d '{"group": "GROUP_NAME", "acl":[{"owner@:rwxpDdaARWcCos:fd-----:allow"}],"options": {"stripacl": true,"recursive": true,"traverse": true}}'


I tried changing stripacl to true or false in case it had something to do with it, but it didn't work.

The version I am using is TrueNAS-12.0-U4

Does anyone know what is the correct syntax to define an owner acl with Full control as I tried to do?

Thank you!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Is that the full ACL that you want to apply? Only a single entry?
 

hanskait

You can look at our API regression tests for reference about how this stuff is formatted: https://github.com/truenas/middleware/blob/master/tests/api2/test_345_acl_nfs4.py


Thank you very much anodos for the help,
Now I put the correct format according to the documentation and I no longer have the error. But nothing changes in the permissions either.
Code:
curl -X POST "https://xxxx/api/v2.0/pool/dataset/id/DATASET_NAME/permission" -H  "accept: */*" -H "Authorization: Bearer XXX" -k -d '{"group": "GROUP_NAME", "acl":[{"tag": "owner@","type": "ALLOW","perms": {"BASIC": "FULL_CONTROL"},"flags": {"BASIC": "INHERIT"}}],"options": {"stripacl": true,"recursive": true,"traverse": true}}'

I tried changing stripacl to true or false in case it had something to do with it, but it didn't work.
What I would like is for it to have only owner permissions.
The permissions that remain are those that come by default when creating the dataset:
Code:
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
 

anodos

Since this is a long-running job (I've seen it change up to 6K files / sec, but on large datasets this can still take a significant amount of time), the API call will return a job id. You can view its status via CLI with `midclt call core.get_jobs |jq` and check for validation errors.
 

hanskait


anodos,

I followed your instructions and I see the following error: 'Simultaneously setting and removing ACL is not permitted.'

Is there another way to do this?
 

anodos

The ACL you specify replaces the one on-disk in its entirety. An inherited ACL is calculated from what is specified and applied recursively. This means that you need to set `stripacl: false`. You can make the same change through the GUI and then run core.get_jobs to see what parameters are passed to filesystem.setacl for reference.
 

hanskait


Excellent anodos, the get_jobs command helped me to complete the arguments.
Now it works perfectly!
I leave the command below in case it works for someone:
Code:
curl -X POST "https://xxxx/api/v2.0/pool/dataset/id/DATASET_NAME/permission" -H  "accept: */*" -H "Authorization: Bearer XXX" -k -d '{"acl": [
{"flags": {"BASIC": "INHERIT"},"id": null,"perms": {"BASIC": "FULL_CONTROL"},"tag": "owner@","type": "ALLOW"}
],"options": {"stripacl": false,"recursive": true,"traverse": true}}'
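The two failures in this thread, as an added example that is not part of any post or of the TrueNAS code base: it converts the getfacl-style text the first command tried to send into structured entries, refuses the `stripacl` plus `acl` combination the job rejected, and lists what the default ACL still grants to non-owners. The per-permission and per-flag key names are assumed from the TrueNAS NFSv4 ACL schema (the thread only shows the `BASIC` form), and all function names are hypothetical.

```python
import json

# Letters in FreeBSD getfacl order (rwxpDdaARWcCos). The JSON key names are an
# assumption taken from the TrueNAS NFSv4 ACL schema; the thread only shows BASIC.
PERMS = dict(zip("rwxpDdaARWcCos", (
    "READ_DATA WRITE_DATA EXECUTE APPEND_DATA DELETE_CHILD DELETE "
    "READ_ATTRIBUTES WRITE_ATTRIBUTES READ_NAMED_ATTRS WRITE_NAMED_ATTRS "
    "READ_ACL WRITE_ACL WRITE_OWNER SYNCHRONIZE").split()))
FLAGS = {"f": "FILE_INHERIT", "d": "DIRECTORY_INHERIT", "i": "INHERIT_ONLY",
         "n": "NO_PROPAGATE_INHERIT", "I": "INHERITED"}

def _bits(field, table):
    """Turn a field such as 'r-x---a-R-c--s' into {NAME: bool} for every name."""
    letters = set(field) - {"-"}
    if letters - set(table):
        raise ValueError(f"unsupported letters in {field!r}")
    return {name: letter in letters for letter, name in table.items()}

def ace_from_text(line):
    """Convert 'owner@:rwxp...:fd-----:allow' into one structured ACL entry."""
    parts = line.strip().split(":")
    if len(parts) != 4 or parts[0] not in ("owner@", "group@", "everyone@"):
        raise ValueError(f"only owner@/group@/everyone@ are handled: {line!r}")
    tag, perms, flags, kind = parts
    return {"tag": tag, "id": None, "type": kind.upper(),
            "perms": _bits(perms, PERMS), "flags": _bits(flags, FLAGS)}

def permission_body(acl, stripacl=False, recursive=False, traverse=False):
    """Request body for .../permission; refuses the combination the job rejects."""
    if stripacl and acl:
        raise ValueError("Simultaneously setting and removing ACL is not permitted.")
    return {"acl": acl, "options": {"stripacl": stripacl,
                                    "recursive": recursive, "traverse": traverse}}

def non_owner_grants(acl):
    """Map every non-owner ALLOW entry to the permissions it still grants."""
    return {e["tag"]: sorted(p for p, on in e["perms"].items() if on)
            for e in acl if e["type"] == "ALLOW" and e["tag"] != "owner@"}

# Constructed input: the default ACL lines quoted earlier in the thread.
DEFAULT_ACL = [ace_from_text(text) for text in (
    "owner@:rwxp--aARWcCos:-------:allow",
    "group@:r-x---a-R-c--s:-------:allow",
    "everyone@:r-x---a-R-c--s:-------:allow")]

if __name__ == "__main__":
    owner_only = [ace_from_text("owner@:rwxpDdaARWcCos:fd-----:allow")]
    print(json.dumps(permission_body(owner_only, recursive=True, traverse=True), indent=2))
    print("still granted to others by the default ACL:", non_owner_grants(DEFAULT_ACL))
```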
 

barna

Cadet
Joined
Jan 4, 2022
Messages
1
Hello,

I tried the above commands in various ways. The goal is, of course, to change the permissions of a dataset.
Please be so kind as to let me know how to set "DATASET_NAME" in the previous example.

If the dataset is located at /mnt/poolname/test, the name of the dataset is poolname/test.

When I try to call the URL "https://xxxx/api/v2.0/pool/dataset/id/poolname/test/permission"
with the curl command, it gives a "404: Not found" error.

I tried with only the dataset name, "https://xxxx/api/v2.0/pool/dataset/id/test/permission";
the curl command finished properly but no ACLs were changed.

How do I do this the proper way?
 

deamonmv

Cadet
Joined
Mar 7, 2023
Messages
8
Hello

Same question: what should I do if I need to update a child dataset?

I have the pool/dataset `virtual-15`. I can add a new dataset, e.g. `test`.

Code:
{
  "id": "virtual-15",
  "name": "virtual-15",
  "pool": "virtual-15",
  "type": "FILESYSTEM",
  "mountpoint": "/mnt/virtual-15",
  "children": [
    {
      "id": "virtual-15/test",
      "name": "virtual-15/test",
      "pool": "virtual-15",
      "type": "FILESYSTEM",
      "mountpoint": "/mnt/virtual-15/test",
      "children": [],
      "encrypted": false,
      "encryption_root": null,
      "key_loaded": false,
      "comments": {
        "value": "some comments",
        "rawvalue": "some comments",
        "parsed": "some comments",
        "source": "LOCAL"
      },


If I use
Code:
/api/v2.0/pool/dataset/id/virtual-15/test
the API returns
Code:
404: Note Found


What should I do?
Or did I miss some API call that does this job?

Thank you.
 

deamonmv

Generally speaking if you want to modify / set ACL on a path, it's better to use the filesystem.setacl endpoint rather than the pool.dataset.permissions endpoint. https://github.com/truenas/middlewa...ce19006c06/tests/api2/test_427_smb_acl.py#L95

Here's an example of where we use it to set an ACL in our CI for the REST API (though options to recurse / traverse are not set).
Thanks.

Yes, I saw this REST API call. I haven't tried it out yet, but I think I won't have problems here.

And I worded my question incorrectly:

I meant that I can create a new dataset, but I can't update it.
For example, why I want to update a dataset... I'm stuck on what I can update in a dataset.

I guess, right now I wonder how to set "inherit" for compression or checksum or read-only or exec, just to create it once and have it correct.
 

deamonmv


Here are some examples of the dataset interface. You have to replace the `/`.
Thank you. It works.

So, if you need to update the dataset "my-cool-dataset" in the pool "my-big-pool", call this URI:

Code:
/api/v2.0/pool/dataset/id/my-big-pool%2Fmy-cool-dataset


This is an approximate list of parameters which you can put into the body:

Code:
{
  "comments": "some comments",
  "sync": "STANDARD",
  "recordsize": "256K",
  "compression": "LZ4",
  "atime": "OFF",
  "exec": "ON",
  "quota": 0,
  "quota_warning": 85,
  "quota_critical": 0,
  "refquota": 0,
  "refquota_warning": 0,
  "refquota_critical": 0,
  "reservation": 0,
  "refreservation": 0,
  "special_small_block_size": 0,
  "copies": 1,
  "snapdir": "VISIBLE",
  "deduplication": "OFF",
  "checksum": "ON",
  "readonly": "OFF",
  "aclmode": "RESTRICTED",
  "xattr": "ON"
}


@anodos, can you say how to set "inherit" for fields such as compression?
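The 404 on nested datasets discussed above, as an added example that is not part of any post: the dataset id has to travel as a single URL path segment, so its `/` is percent-encoded as `%2F`. The helper names and the trimmed `TREE` sample are constructed for illustration; the path prefix and the dataset ids are the ones used in the thread.

```python
from urllib.parse import quote

API_PREFIX = "/api/v2.0/pool/dataset/id/"  # path prefix used throughout the thread


def id_from_mountpoint(mountpoint, root="/mnt"):
    """'/mnt/poolname/test' -> 'poolname/test' (the dataset id, not the bare name)."""
    if not mountpoint.startswith(root + "/"):
        raise ValueError(f"{mountpoint!r} is not under {root}")
    return mountpoint[len(root) + 1:].rstrip("/")


def dataset_path(dataset_id, action=""):
    """Percent-encode the whole id so 'pool/child' stays one path segment."""
    if any(part in ("", ".", "..") for part in dataset_id.split("/")):
        raise ValueError(f"bad dataset id: {dataset_id!r}")
    path = API_PREFIX + quote(dataset_id, safe="")  # safe="" also encodes '/'
    return f"{path}/{action}" if action else path


def walk(dataset):
    """Yield (id, REST path) for a dataset and every nested child."""
    yield dataset["id"], dataset_path(dataset["id"])
    for child in dataset.get("children", []):
        yield from walk(child)


# Constructed input shaped like the dataset listing posted above (fields trimmed).
TREE = {"id": "virtual-15", "mountpoint": "/mnt/virtual-15", "children": [
    {"id": "virtual-15/test", "mountpoint": "/mnt/virtual-15/test", "children": []}]}

if __name__ == "__main__":
    for ds_id, path in walk(TREE):
        print(f"{ds_id:18} {path}")
    print(dataset_path(id_from_mountpoint("/mnt/poolname/test"), "permission"))
```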
 

Jfs

Dabbler
Joined
Feb 23, 2023
Messages
23

This is good to know, because when I set up my new CIFS dataset(s), I used the pool/dataset permission to give group write to domain admins as I started to robocopy data in from another vendor's NAS box. This seems to work, though I did run into some interesting issues where robocopy created a directory it didn't have permissions to enter on the destination. Funky.

So it would certainly be nice if the docs for the API were updated to note this issue.

Question, does this apply to the GUI as well? So if I apply a permission at the top level of a newly created dataset, is that a good idea or should I be doing something else?
 