| Title: | VAX and Alpha VMS |
| Notice: | This is a new VMSnotes, please read note 2.1 |
| Moderator: | VAXAXP::BERNARDO |
| Created: | Wed Jan 22 1997 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 703 |
| Total number of notes: | 3722 |
In VMSNotes_v12, someone asked the following question:
I am currently working with a customer to move the users on a
vax to an Alpha system that already has a large number of users. So
one of my more monotonous tasks is to change the UICs of the user
accounts on the VAX so there is no conflict when we merge the UAFs.
Nice, Neat, Clean, Simple, I worte a command script that will search
for all files across user disk and change the ownership of the files to
the owners new UIC. Here's where it gets ugly.
Many of the users use ACL to allow access to their files using the
account identifier to grant access. When the UIC changes, the ACE's
now hold an identifier that no longer corresponds to the correct user.
Is there any way of going through and doing a bulk change of these
ACEs to change just the identifier of the ACE, and leave the ACE
options and accesses intact.
The answers were:
I've had some success with munging the output from DIRECTORY/ACL into a
command procedure to SET ACL (which would be generated before you
change any UICs and executed after you have changed the UICs). You can
use DIR/SEL=ACL to select only files that have an ACL. You need to
watch out for wrapped ACLs in the DIRECTORY output.
and
A contractor working for one of my customers wrote some code that did
this.
What he did was to mount the disk privately, read the index file, parse
the ACLs and replace every instance of the old ID with the new one.
It worked reliably and took less than 30 minutes per drive!
It took him about two days to code and another week of testing.
We have the same problem, but DCL munging seems a little slow, and we can't take
the disk offline because people are using it.
Are there any better solutions?
PJDM
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 360.1 | Use a program, parse and replace ACE ID values... | XDELTA::HOFFMAN | Steve, OpenVMS Engineering | Fri Mar 21 1997 09:28 | 36 |
: Is there any way of going through and doing a bulk change of these : ACEs to change just the identifier of the ACE, and leave the ACE : options and accesses intact. One can write a program to access the ACEs via the XQP and/or the ACL system services (which really just call through to the XQP routines), and search for and mung the binary values of the old ACE identifiers to the new values. This operation can be wrapped inside a loop that uses lib$find_file with a wild-card specification. (I'd suspect a program is the only way to go here...) You'll want to perform at least a cursory search for queue ACLs, and you'll want to check the other objects where a security ACL can be attached... There may be code available to do this task now -- I certainly have various pieces of code similar to various components of this task that I've written up over the years. (Check the toolshed, COMET, and similar, and run a few internal AltaVista www searches...) : What he did was to mount the disk privately, read the index file, parse : the ACLs and replace every instance of the old ID with the new one. : : It worked reliably and took less than 30 minutes per drive! : It took him about two days to code and another week of testing. : :We have the same problem, but DCL munging seems a little slow, and we can't :take the disk offline because people are using it. You're going to have to do a shutdown and a reboot, to restart all user logins and all application servers, and to make sure that the policies are replaced consistently -- I'd not try to overhaul the security policy on-line. | |||||
| 360.2 | AUSS::GARSON | DECcharity Program Office | Sun Mar 23 1997 17:08 | 20 | |
re .0
> I've had some success with munging the output from DIRECTORY/ACL into a
> command procedure to SET ACL (which would be generated before you
> change any UICs and executed after you have changed the UICs). You can
> use DIR/SEL=ACL to select only files that have an ACL. You need to
> watch out for wrapped ACLs in the DIRECTORY output.
I recognise that text...
If DCL is too slow, just do the "same" in a program. All the necessary
interfaces exist and are documented.
(It would be helpful if each user were getting a new UIC that does not
currently exist on the system. This avoids issues of restarting the
conversion if it is interrupted for some reason.)
> What he did was to mount the disk privately, read the index file, parse
This sounds as if it would be unsupported.
| |||||
| 360.3 | Sounds like something DFU should be modified to do | UNIFIX::HARRIS | Juggling has its ups and downs | Sun Mar 23 1997 17:39 | 8 |
Sounds like a job for DFU. Maybe if you ask the DFU author, maybe he
would add such a feature for you. You are not the first to need this
type of service and this is just the kind of hack that DFU specializes
in.
See NOTED::HACKERS note 1533 to get the name of the author.
Bob Harris
| |||||