Changes to fix the Everyone ACL when Invalid AD user is passed

alloydsa · web-flow · commit 4f22e27036db · 2025-06-05T14:03:52.000+05:30
diff --git a/storage_drivers/ontap/api/abstraction_error.go b/storage_drivers/ontap/api/abstraction_error.go
@@ -8,6 +8,7 @@ package api
 const (
 	ENTRY_DOESNT_EXIST                         = "4"
 	DUPLICATE_ENTRY                            = "1"
+	INVALID_ENTRY                              = "655446"
 	DP_VOLUME_NOT_INITIALIZED                  = "917536"
 	SNAPMIRROR_TRANSFER_IN_PROGRESS            = "13303812"
 	SNAPMIRROR_TRANSFER_IN_PROGRESS_BROKEN_OFF = "13303808" // Transition to broken_off state failed. Reason:Another transfer is in progress
diff --git a/storage_drivers/ontap/api/ontap_rest.go b/storage_drivers/ontap/api/ontap_rest.go
@@ -6271,9 +6271,22 @@ func (c *RestClient) SMBShareAccessControlCreate(ctx context.Context, shareName
 		result, err := c.api.Nas.CifsShareACLCreate(params, c.authInfo)
 		if err != nil {
 			if restErr, extractErr := ExtractErrorResponse(ctx, err); extractErr == nil {
-				if restErr.Error != nil && restErr.Error.Code != nil && *restErr.Error.Code != DUPLICATE_ENTRY &&
-					restErr.Error.Message != nil {
+				if restErr.Error != nil && restErr.Error.Code != nil {
+					switch *restErr.Error.Code {
+					case DUPLICATE_ENTRY:
+						Logc(ctx).WithField("userOrGroup", userOrGroup).Debug("Duplicate SMB share ACL entry, ignoring.")
+					case INVALID_ENTRY:
+						Logc(ctx).WithField("userOrGroup", userOrGroup).Warn("Invalid user or group specified for SMB share access control")
+					default:
+						if restErr.Error.Message != nil {
+							return fmt.Errorf(*restErr.Error.Message)
+						}
+						return fmt.Errorf("ONTAP REST API error code %v with no message", *restErr.Error.Code)
+					}
+				} else if restErr.Error != nil && restErr.Error.Message != nil {
 					return fmt.Errorf(*restErr.Error.Message)
+				} else {
+					return fmt.Errorf("unknown ONTAP REST API error")
 				}
 			} else {
 				return err
diff --git a/storage_drivers/ontap/api/ontap_zapi.go b/storage_drivers/ontap/api/ontap_zapi.go
@@ -3369,6 +3369,9 @@ func (c Client) SMBShareAccessControlCreate(shareName string,
 			ExecuteUsing(c.zr)
 		if err != nil {
 			return nil, err
+		} else if response.Result.ResultErrnoAttr == azgo.EAPIERROR {
+			Logc(context.Background()).WithField("userOrGroup",
+				userOrGroup).Warn("Invalid user or group specified for SMB share access control")
 		} else if response.Result.ResultStatusAttr != "passed" && response.Result.ResultErrnoAttr != azgo.EDUPLICATEENTRY {
 			return nil, fmt.Errorf("failed to set SMB share ACL: %s", response.Result)
 		}
diff --git a/storage_drivers/ontap/ontap_nas.go b/storage_drivers/ontap/ontap_nas.go
@@ -1863,12 +1863,12 @@ func (d *NASStorageDriver) EnsureSMBShare(
 
 	// If secure SMB is enabled, configure access control
 	if secureSMBEnabled {
-		if err = d.API.SMBShareAccessControlCreate(ctx, shareName, smbShareACL); err != nil {
+		// Delete the Everyone Access Control created by default during share creation by ONTAP
+		if err = d.API.SMBShareAccessControlDelete(ctx, shareName, smbShareDeleteACL); err != nil {
 			return err
 		}
 
-		// Delete the Everyone Access Control created by default during share creation by ONTAP
-		if err = d.API.SMBShareAccessControlDelete(ctx, shareName, smbShareDeleteACL); err != nil {
+		if err = d.API.SMBShareAccessControlCreate(ctx, shareName, smbShareACL); err != nil {
 			return err
 		}
 	}
diff --git a/storage_drivers/ontap/ontap_nas_test.go b/storage_drivers/ontap/ontap_nas_test.go
@@ -1595,9 +1595,11 @@ func TestOntapNasStorageDriverVolumeClone_SecureSMBAccessControlCreatefail(t *te
 	mockAPI.EXPECT().VolumeSetComment(ctx, volConfig.InternalName, volConfig.InternalName, "{\"provisioning\":{\"type\":\"clone\"}}").Return(nil)
 	mockAPI.EXPECT().VolumeMount(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
 	mockAPI.EXPECT().VolumeModifyExportPolicy(ctx, volConfig.InternalName, "").Return(nil)
-	mockAPI.EXPECT().SMBShareExists(ctx, "").Return(false, nil)
-	mockAPI.EXPECT().SMBShareCreate(ctx, "", "/").Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "", volConfig.SMBShareACL).Return(fmt.Errorf("cannot create SMB Share Access Control rule"))
+	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName, smbShareDeleteACL).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, volConfig.InternalName, volConfig.SMBShareACL).
+		Return(fmt.Errorf("cannot create volume"))
 
 	result := driver.CreateClone(ctx, nil, volConfig, pool1)
 
@@ -1643,10 +1645,9 @@ func TestOntapNasStorageDriverVolumeClone_SecureSMBAccessControlDeletefail(t *te
 	mockAPI.EXPECT().VolumeMount(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
 	mockAPI.EXPECT().VolumeModifyExportPolicy(ctx, volConfig.InternalName, "").Return(nil)
 
-	mockAPI.EXPECT().SMBShareExists(ctx, "").Return(false, nil)
-	mockAPI.EXPECT().SMBShareCreate(ctx, "", "/").Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "", volConfig.SMBShareACL).Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "", smbShareDeleteACL).Return(fmt.Errorf("cannot delete SMB Share Access Control rule"))
+	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName, smbShareDeleteACL).Return(fmt.Errorf("cannot create volume"))
 
 	result := driver.CreateClone(ctx, nil, volConfig, pool1)
 
@@ -1686,10 +1687,11 @@ func TestOntapNasStorageDriverVolumeClone_ROCloneSecureSMBAccessControlCreateFai
 	mockAPI.EXPECT().SVMName().AnyTimes().Return("SVM1")
 	mockAPI.EXPECT().VolumeInfo(ctx, volConfig.CloneSourceVolumeInternal).Return(&flexVol, nil)
 
-	mockAPI.EXPECT().SMBShareExists(ctx, "").Return(false, nil)
-	mockAPI.EXPECT().SMBShareCreate(ctx, "", "/").Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "", volConfig.SMBShareACL).
-		Return(fmt.Errorf("cannot create SMB Share Access Control rule"))
+	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName, smbShareDeleteACL).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, volConfig.InternalName, volConfig.SMBShareACL).
+		Return(fmt.Errorf("cannot create volume"))
 
 	result := driver.CreateClone(ctx, nil, volConfig, pool1)
 
@@ -1728,10 +1730,9 @@ func TestOntapNasStorageDriverVolumeClone_ROCloneSecureSMBAccessControlDeleteFai
 
 	mockAPI.EXPECT().SVMName().AnyTimes().Return("SVM1")
 	mockAPI.EXPECT().VolumeInfo(ctx, volConfig.CloneSourceVolumeInternal).Return(&flexVol, nil)
-	mockAPI.EXPECT().SMBShareExists(ctx, "").Return(false, nil)
-	mockAPI.EXPECT().SMBShareCreate(ctx, "", "/").Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "", volConfig.SMBShareACL).Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "", smbShareDeleteACL).Return(fmt.Errorf("cannot delete SMB Share Access Control rule"))
+	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, "/"+volConfig.InternalName).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName, smbShareDeleteACL).Return(fmt.Errorf("cannot create volume"))
 
 	result := driver.CreateClone(ctx, nil, volConfig, pool1)
 
@@ -4666,43 +4667,22 @@ func TestOntapNasStorageDriverVolumeCreate_SecureSMBAccessControlCreatefail(t *t
 	driver.Config.NASType = sa.SMB
 	volAttrs := map[string]sa.Request{}
 
-	tests := []struct {
-		smbShare string
-	}{
-		{"vol1"},
-		{""},
-	}
-
-	for _, test := range tests {
-		t.Run(test.smbShare, func(t *testing.T) {
-			driver.Config.SMBShare = test.smbShare
-
-			mockAPI.EXPECT().ExportPolicyCreate(ctx, "test_empty").Return(nil)
-			mockAPI.EXPECT().SVMName().AnyTimes().Return("fakesvm")
-			mockAPI.EXPECT().VolumeExists(ctx, "vol1").Return(false, nil)
-			mockAPI.EXPECT().GetSVMPeers(ctx).Return([]string{"fakesvm2"}, nil)
-			mockAPI.EXPECT().TieringPolicyValue(ctx).Return("none")
-			mockAPI.EXPECT().VolumeCreate(ctx, gomock.Any()).Return(nil)
-			mockAPI.EXPECT().VolumeMount(ctx, "vol1", "/vol1").Return(nil)
-
-			if test.smbShare != "" {
-				mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
-				mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "vol1", volConfig.SMBShareACL).
-					Return(fmt.Errorf("cannot create volume"))
-
-			} else {
-				mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
-				mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "vol1", volConfig.SMBShareACL).
-					Return(fmt.Errorf("cannot create volume"))
-			}
+	mockAPI.EXPECT().ExportPolicyCreate(ctx, "test_empty").Return(nil)
+	mockAPI.EXPECT().SVMName().AnyTimes().Return("fakesvm")
+	mockAPI.EXPECT().VolumeExists(ctx, "vol1").Return(false, nil)
+	mockAPI.EXPECT().GetSVMPeers(ctx).Return([]string{"fakesvm2"}, nil)
+	mockAPI.EXPECT().TieringPolicyValue(ctx).Return("none")
+	mockAPI.EXPECT().VolumeCreate(ctx, gomock.Any()).Return(nil)
+	mockAPI.EXPECT().VolumeMount(ctx, "vol1", "/vol1").Return(nil)
+	mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "vol1", smbShareDeleteACL).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "vol1", volConfig.SMBShareACL).
+		Return(fmt.Errorf("cannot create volume"))
 
-			result := driver.Create(ctx, volConfig, pool1, volAttrs)
+	result := driver.Create(ctx, volConfig, pool1, volAttrs)
 
-			assert.Error(t, result)
-		})
-	}
+	assert.Error(t, result)
 }
 
 func TestOntapNasStorageDriverVolumeCreate_SecureSMBAccessControlDeletefail(t *testing.T) {
@@ -4739,43 +4719,20 @@ func TestOntapNasStorageDriverVolumeCreate_SecureSMBAccessControlDeletefail(t *t
 	volAttrs := map[string]sa.Request{}
 	smbShareDeleteACL := map[string]string{"Everyone": "windows"}
 
-	tests := []struct {
-		smbShare string
-	}{
-		{"vol1"},
-		{""},
-	}
-
-	for _, test := range tests {
-		t.Run(test.smbShare, func(t *testing.T) {
-			driver.Config.SMBShare = test.smbShare
-
-			mockAPI.EXPECT().ExportPolicyCreate(ctx, "test_empty").Return(nil)
-			mockAPI.EXPECT().SVMName().AnyTimes().Return("fakesvm")
-			mockAPI.EXPECT().VolumeExists(ctx, "vol1").Return(false, nil)
-			mockAPI.EXPECT().GetSVMPeers(ctx).Return([]string{"fakesvm2"}, nil)
-			mockAPI.EXPECT().TieringPolicyValue(ctx).Return("none")
-			mockAPI.EXPECT().VolumeCreate(ctx, gomock.Any()).Return(nil)
-			mockAPI.EXPECT().VolumeMount(ctx, "vol1", "/vol1").Return(nil)
-
-			if test.smbShare != "" {
-				mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
-				mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "vol1", volConfig.SMBShareACL).Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "vol1", smbShareDeleteACL).Return(fmt.Errorf("cannot create volume"))
-
-			} else {
-				mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
-				mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, "vol1", volConfig.SMBShareACL).Return(nil)
-				mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "vol1", smbShareDeleteACL).Return(fmt.Errorf("cannot create volume"))
-			}
+	mockAPI.EXPECT().ExportPolicyCreate(ctx, "test_empty").Return(nil)
+	mockAPI.EXPECT().SVMName().AnyTimes().Return("fakesvm")
+	mockAPI.EXPECT().VolumeExists(ctx, "vol1").Return(false, nil)
+	mockAPI.EXPECT().GetSVMPeers(ctx).Return([]string{"fakesvm2"}, nil)
+	mockAPI.EXPECT().TieringPolicyValue(ctx).Return("none")
+	mockAPI.EXPECT().VolumeCreate(ctx, gomock.Any()).Return(nil)
+	mockAPI.EXPECT().VolumeMount(ctx, "vol1", "/vol1").Return(nil)
+	mockAPI.EXPECT().SMBShareExists(ctx, "vol1").Return(false, nil)
+	mockAPI.EXPECT().SMBShareCreate(ctx, "vol1", "/vol1").Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, "vol1", smbShareDeleteACL).Return(fmt.Errorf("cannot create volume"))
 
-			result := driver.Create(ctx, volConfig, pool1, volAttrs)
+	result := driver.Create(ctx, volConfig, pool1, volAttrs)
 
-			assert.Error(t, result)
-		})
-	}
+	assert.Error(t, result)
 }
 
 func TestOntapNasStorageDriverVolumeImport(t *testing.T) {
@@ -5274,6 +5231,7 @@ func TestOntapNasStorageDriverVolumeImport_SecureSMBAccessControlCreatefail(t *t
 	mockAPI.EXPECT().VolumeModifyUnixPermissions(ctx, "vol2", "vol1", DefaultUnixPermissions).Return(nil)
 	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
 	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, flexVol.JunctionPath).Return(nil)
+	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName, smbShareDeleteACL).Return(nil)
 	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, volConfig.InternalName,
 		volConfig.SMBShareACL).Return(fmt.Errorf("cannot create SMB Share Access Control rule"))
 	result := driver.Import(ctx, volConfig, "vol1")
@@ -5306,7 +5264,6 @@ func TestOntapNasStorageDriverVolumeImport_SecureSMBAccessControlDeletefail(t *t
 	mockAPI.EXPECT().VolumeModifyUnixPermissions(ctx, "vol2", "vol1", DefaultUnixPermissions).Return(nil)
 	mockAPI.EXPECT().SMBShareExists(ctx, volConfig.InternalName).Return(false, nil)
 	mockAPI.EXPECT().SMBShareCreate(ctx, volConfig.InternalName, flexVol.JunctionPath).Return(nil)
-	mockAPI.EXPECT().SMBShareAccessControlCreate(ctx, volConfig.InternalName, volConfig.SMBShareACL).Return(nil)
 	mockAPI.EXPECT().SMBShareAccessControlDelete(ctx, volConfig.InternalName,
 		smbShareDeleteACL).Return(fmt.Errorf("cannot delete SMB Share Access Control rule"))
 	result := driver.Import(ctx, volConfig, "vol1")

Original file line number	Diff line number	Diff line change
`@@ -1863,12 +1863,12 @@ func (d *NASStorageDriver) EnsureSMBShare(`
`1863`	`1863`
`1864`	`1864`	`// If secure SMB is enabled, configure access control`
`1865`	`1865`	`if secureSMBEnabled {`
`1866`		`- if err = d.API.SMBShareAccessControlCreate(ctx, shareName, smbShareACL); err != nil {`
	`1866`	`+ // Delete the Everyone Access Control created by default during share creation by ONTAP`
	`1867`	`+ if err = d.API.SMBShareAccessControlDelete(ctx, shareName, smbShareDeleteACL); err != nil {`
`1867`	`1868`	`return err`
`1868`	`1869`	`}`
`1869`	`1870`
`1870`		`- // Delete the Everyone Access Control created by default during share creation by ONTAP`
`1871`		`- if err = d.API.SMBShareAccessControlDelete(ctx, shareName, smbShareDeleteACL); err != nil {`
	`1871`	`+ if err = d.API.SMBShareAccessControlCreate(ctx, shareName, smbShareACL); err != nil {`
`1872`	`1872`	`return err`
`1873`	`1873`	`}`
`1874`	`1874`	`}`