Module netapp_ontap.resources.fpolicy
Copyright © 2019 NetApp Inc. All rights reserved.
Overview
FPolicy is an infrastructure component of ONTAP that enables partner applications to connect to ONTAP in order to monitor and set file access permissions. Every time a client accesses a file from a storage system, based on the configuration of FPolicy, the partner application is notified about file access. This enables partners to set restrictions on files that are created or accessed on the storage system. FPolicy also allows you to create file policies that specify file operation permissions according to file type. For example, you can restrict certain file types, such as .jpeg and .mp3 files, from being stored on the storage system. FPolicy can monitor file access from CIFS and NFS clients. As part of FPolicy configuration, you can specify an FPolicy engine which defines the external FPolicy server, FPolicy events, which defines the protocol and file operations to monitor and the FPolicy policy that acts as a container for the FPolicy engine and FPolicy events. It provides a way for policy management functions, such as policy enabling and disabling.
Examples
Creating an FPolicy configuration
To create an FPolicy for an SVM use the following API. Note that the return_records=true query parameter is used to obtain the newly created entry in the response.
# The API:
POST /protocols/fpolicy/
#The call:
curl -X POST "https://<mgmt-ip>/api/protocols/fpolicy?return_records=tre" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"engines\": [ { \"name\": \"engine1\", \"port\": 9876, \"primary_servers\": [ \"10.132.145.22\", \"10.140.101.109\" ], \"secondary_servers\": [ \"10.132.145.20\", \"10.132.145.21\" ], \"type\": \"synchronous\" } ], \"events\": [ { \"file_operations\": { \"read\": true, \"write\": true }, \"filters\": { \"monitor_ads\": true }, \"name\": \"event_cifs\", \"protocol\": \"cifs\", \"volume_monitoring\": true } ], \"policies\": [ { \"engine\": { \"name\": \"engine1\" }, \"events\": [ \"event_cifs\" ], \"mandatory\": true, \"name\": \"pol0\", \"priority\": 1, \"scope\": { \"include_volumes\": [ \"vol1\" ] } } ], \"svm\": { \"name\": \"vs1\", \"uuid\": \"b34f5e3d-01d0-11e9-8f63-0050568ea311\" }}"
# The response:
{
"num_records": 1,
"records": [
{
"svm": {
"uuid": "b34f5e3d-01d0-11e9-8f63-0050568ea311",
"name": "vs1"
},
"engines": [
{
"name": "engine1",
"primary_servers": [
"10.132.145.22",
"10.140.101.109"
],
"secondary_servers": [
"10.132.145.20",
"10.132.145.21"
],
"type": "synchronous",
"port": 9876
}
],
"events": [
{
"name": "event_cifs",
"protocol": "cifs",
"volume_monitoring": true,
"file_operations": {
"read": true,
"write": true
},
"filters": {
"monitor_ads": true
}
}
],
"policies": [
{
"name": "pol0",
"priority": 1,
"events": [
{
"name": "event_cifs"
}
],
"engine": {
"name": "engine1"
},
"scope": {
"include_volumes": [
"vol1"
]
},
"mandatory": true
}
]
}
]
}
Retrieving the FPolicy configuration for all the SVMs in the cluster
# The API:
GET /protocols/fpolicy
# The call:
curl -X GET "https://<mgmt-ip>/api/protocols/fpolicy?fields=*&return_records=true&return_timeout=15" -H "accept: application/json"
# The response:
{
"records": [
{
"svm": {
"uuid": "b34f5e3d-01d0-11e9-8f63-0050568ea311",
"name": "vs1"
},
"engines": [
{
"name": "engine1",
"primary_servers": [
"10.132.145.22",
"10.140.101.109"
],
"secondary_servers": [
"10.132.145.20",
"10.132.145.21"
],
"type": "synchronous",
"port": 9876
}
],
"events": [
{
"name": "event_cifs",
"protocol": "cifs",
"volume_monitoring": true,
"file_operations": {
"close": false,
"create": false,
"create_dir": false,
"delete": false,
"delete_dir": false,
"getattr": false,
"link": false,
"lookup": false,
"open": false,
"read": true,
"write": true,
"rename": false,
"rename_dir": false,
"setattr": false,
"symlink": false
},
"filters": {
"monitor_ads": true,
"close_with_modification": false,
"close_without_modification": false,
"close_with_read": false,
"first_read": false,
"first_write": false,
"offline_bit": false,
"open_with_delete_intent": false,
"open_with_write_intent": false,
"write_with_size_change": false,
"setattr_with_owner_change": false,
"setattr_with_group_change": false,
"setattr_with_sacl_change": false,
"setattr_with_dacl_change": false,
"setattr_with_modify_time_change": false,
"setattr_with_access_time_change": false,
"setattr_with_creation_time_change": false,
"setattr_with_mode_change": false,
"setattr_with_size_change": false,
"setattr_with_allocation_size_change": false,
"exclude_directory": false
}
}
],
"policies": [
{
"name": "pol0",
"enabled": true,
"priority": 1,
"events": [
{
"name": "event_cifs"
}
],
"engine": {
"name": "engine1"
},
"scope": {
"include_volumes": [
"vol1"
]
},
"mandatory": true
}
]
}
],
"num_records": 1
}
Retrieving an FPolicy configuration for a particular SVM
# The API:
GET /protocols/fpolicy/{svm.uuid}
# The call:
curl -X GET "https://<mgmt-ip>/api/protocols/fpolicy/b34f5e3d-01d0-11e9-8f63-0050568ea311?fields=*&return_records=true&return_timeout=15" -H "accept: application/json"
# The response:
{
"svm": {
"uuid": "b34f5e3d-01d0-11e9-8f63-0050568ea311",
"name": "vs1"
},
"engines": [
{
"name": "engine1",
"primary_servers": [
"10.132.145.22",
"10.140.101.109"
],
"secondary_servers": [
"10.132.145.20",
"10.132.145.21"
],
"type": "synchronous",
"port": 9876
}
],
"events": [
{
"name": "event_cifs",
"protocol": "cifs",
"volume_monitoring": true,
"file_operations": {
"close": false,
"create": false,
"create_dir": false,
"delete": false,
"delete_dir": false,
"getattr": false,
"link": false,
"lookup": false,
"open": false,
"read": true,
"write": true,
"rename": false,
"rename_dir": false,
"setattr": false,
"symlink": false
},
"filters": {
"monitor_ads": true,
"close_with_modification": false,
"close_without_modification": false,
"close_with_read": false,
"first_read": false,
"first_write": false,
"offline_bit": false,
"open_with_delete_intent": false,
"open_with_write_intent": false,
"write_with_size_change": false,
"setattr_with_owner_change": false,
"setattr_with_group_change": false,
"setattr_with_sacl_change": false,
"setattr_with_dacl_change": false,
"setattr_with_modify_time_change": false,
"setattr_with_access_time_change": false,
"setattr_with_creation_time_change": false,
"setattr_with_mode_change": false,
"setattr_with_size_change": false,
"setattr_with_allocation_size_change": false,
"exclude_directory": false
}
}
],
"policies": [
{
"name": "pol0",
"enabled": true,
"priority": 1,
"events": [
{
"name": "event_cifs"
}
],
"engine": {
"name": "engine1"
},
"scope": {
"include_volumes": [
"vol1"
]
},
"mandatory": true
}
]
}
Deleting an FPolicy configuration for a particular SVM
# The API:
DELETE /protocols/fpolicy/{svm.uuid}
# The call:
curl -X DELETE "https://<mgmt-ip>/api/protocols/fpolicy/b34f5e3d-01d0-11e9-8f63-0050568ea311" -H "accept: application/json"
Classes
class Fpolicy (*args, **kwargs)
-
FPolicy is an infrastructure component of ONTAP that enables partner applications connected to your storage systems to monitor and set file access permissions. Every time a client accesses a file from a storage system, based on the configuration of FPolicy, the partner application is notified about file access.
Initialize the instance of the resource.
Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:
MyResource(name='foo').name == 'foo'
Args
*args
- Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
- each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.
Ancestors
Static methods
def delete_collection(*args, connection: HostConnection = None, **kwargs) -> NetAppResponse
-
Deletes the FPolicy configuration for the specified SVM. Before deleting the FPolicy configuration, ensure that all policies belonging to the SVM are disabled.
Related ONTAP commands
fpolicy delete
fpolicy policy scope delete
fpolicy policy delete
fpolicy policy event delete
fpolicy policy external-engine delete
Learn more
Delete all objects in a collection which match the given query.
All records on the host which match the query will be deleted.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to delete the collection of bars for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. **kwargs
- Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def find(*args, connection: HostConnection = None, **kwargs) -> Resource
-
Retrieves an FPolicy configuration.
Related ONTAP commands
fpolicy show
fpolicy policy show
fpolicy policy scope show
fpolicy policy event show
fpolicy policy external-engine show
Learn more
Find an instance of an object on the host given a query.
The host will be queried with the provided key/value pairs to find a matching resource. If 0 are found or if more than 1 is found, an error will be raised or returned. If there is exactly 1 matching record, then it will be returned.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to find a bar for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. **kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
Resource
object containing the details of the object.Raises
NetAppRestError
: If the API call did not return exactly 1 matching resource. def get_collection(*args, connection: HostConnection = None, max_records: int = None, **kwargs) -> typing.Iterable
-
Retrieves an FPolicy configuration.
Related ONTAP commands
fpolicy show
fpolicy policy show
fpolicy policy scope show
fpolicy policy event show
fpolicy policy external-engine show
Learn more
Fetch a list of all objects of this type from the host.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to get the collection of bars for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. max_records
- The maximum number of records to return per call
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A list of
Resource
objectsRaises
NetAppRestError
: If there is no connection available to use either passed in or on the library.
Methods
def delete(self, poll: bool = True, poll_interval: typing.Union = None, poll_timeout: typing.Union = None, **kwargs) -> NetAppResponse
-
Deletes the FPolicy configuration for the specified SVM. Before deleting the FPolicy configuration, ensure that all policies belonging to the SVM are disabled.
Related ONTAP commands
fpolicy delete
fpolicy policy scope delete
fpolicy policy delete
fpolicy policy event delete
fpolicy policy external-engine delete
Learn more
Send a deletion request to the host for this object.
Args
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def get(self, **kwargs) -> NetAppResponse
-
Retrieves an FPolicy configuration of an SVM.
Related ONTAP commands
fpolicy show
fpolicy policy show
fpolicy policy scope show
fpolicy policy event show
fpolicy policy external-engine show
Learn more
Fetch the details of the object from the host.
Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def post(self, hydrate: bool = False, poll: bool = True, poll_interval: typing.Union = None, poll_timeout: typing.Union = None, **kwargs) -> NetAppResponse
-
Creates an FPolicy configuration.
Required properties
svm.uuid
orsvm.name
- Existing SVM in which to create the FPolicy configuration.
Recommended optional properties
engines
- External server to which the notifications will be sent.events
- File operations to monitor.policies
- Policy configuration which acts as a container for FPolicy event and FPolicy engine.scope
- Scope of the policy. Can be limited to exports, volumes, shares or file extensions.
Default property values
If not specified in POST, the following default property values are assigned: *
engines.type
- synchronous *policies.engine
- native *policies.mandatory
- true *events.volume_monitoring
- false *events.file_operations.*
- false *events.filters.*
- falseRelated ONTAP commands
fpolicy policy event create
fpolicy policy external-engine create
fpolicy policy create
fpolicy policy scope create
fpolicy enable
Learn more
Send this object to the host as a creation request.
Args
hydrate
- If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400
Inherited members
class FpolicySchema (only=None, exclude=(), many=False, context=None, load_only=(), dump_only=(), partial=False, unknown=None)
-
The fields of the Fpolicy object
Ancestors
- netapp_ontap.resource.ResourceSchema
- marshmallow.schema.Schema
- marshmallow.schema.BaseSchema
- marshmallow.base.SchemaABC
Class variables
var engines
-
The engines field of the fpolicy.
var events
-
The events field of the fpolicy.
var links
-
The links field of the fpolicy.
var opts
var policies
-
The policies field of the fpolicy.
var svm
-
The svm field of the fpolicy.