This section explains how Cross-Protocol Permissions (XPP) work in Qumulo Core and how to enable, disable, and check the status of XPP by using the qq
CLI.
How Cross-Protocol Permissions (XPP) Work in Qumulo Core
Qumulo Core works with clients that use multiple protocols, such as SMB and NFS. While SMB and NFS permission models are interoperable at a basic level, SMB offers a complex permission definition which isn’t fully compatible with NFS. For this reason, it is necessary to “translate” between the two protocols when clients access the same files and directories over SMB and NFS.
XPP enables mixed SMB and NFS protocol workflows by preserving SMB access control lists, by maintaining permission inheritance, and by reducing application permission incompatibility.
When there are no cross-protocol interactions, Qumulo Core operates according to precise protocol specifications. When protocol conflicts arise, XPP minimizes the possibility of application incompatibility.
- XPP doesn't break compatibility with previous Qumulo Core releases.
- Enabling XPP doesn't change the rights on existing files in your file system. Changes take place only after you enable XPP.
For more information, see the following resources:
- Qumulo Core Permission Modes
- Cross-Protocol Permissions (XPP) in Common Scenarios
- Cross-Protocol Permissions Test Drive Website.
Common Workflow Scenarios for Working with Cross-Protocol Permissions (XPP)
This section gives examples of common workflow scenarios and explains how Qumulo Core functions when you enable XPP in these scenarios.
-
Single-Protocol Workflows (Only SMB or NFS): Qumulo Core operates as expected, according to original protocol specifications.
-
Mixed-Protocol Workflows (Mostly Windows or SMB): Qumulo Core operates as expected, with the following exceptions:
-
Because running the
chmod
command on a directory doesn’t affect the ACL that the directory’s children inherit, the command doesn’t break the permission inheritance. -
To preserve compatibility, the
chmod
command retains the ability to strip rights from privileged groups and to override the inherited rights for individual files.
-
-
Mixed-Protocol Workflows (Mostly NFS) Qumulo core operates as expected, with one exception: To preserve compatibility, Qumulo Core permits SMB clients to add access control entries (ACEs) to files and directories
XPP reveals permissions that Native Permissions Mode hides. This can trigger security checks from SSH and SSHD. If you use SSH to access NFS home directories, see Using SSH with Cross-Protocol Permissions for more information.
To Manage Cross-Protocol Permissions (XPP)
Qumulo Core enables and disables XPP immediately, without scanning the directory tree. Existing file and directory permissions remain unaffected unless—or until—your workflow modifies them.
-
To enable XPP, run the
qq fs_set_permissions_settings cross_protocol
command.Tip
We recommend creating a snapshot before enabling XPP in a production environment. -
To disable XPP, run the
qq fs_set_permissions_settings native
command. -
To check the current permissions mode, run the
qq fs_get_permissions_settings
command.
Troubleshooting the Permissions for a File or Directory
Explain Permissions Tools is a suite of diagnostic utilities that examines a file or directory and explains the structure of permissions for the file or directory. For more information, see the following sections in the Qumulo qq
CLI Command Guide: