Updating the docroot or restriction of a running Watch Folder service

If aswatchfolderadmin returns the error code "err=28672" when you try to create a Watch Folder, confirm that the user's docroot or restriction allows access to the source directory specified in the JSON configuration file. You might have specified a destination that is not permitted by the docroot or restriction of the user that runs asperawatchfolderd, or you might have no docroot configured at all.

About this task

These instructions describe how to retrieve the docroot or restriction configuration for the user and update the docroot or restriction, if necessary. The configuration change automatically triggers a restart of the asperawatchd service that is associated with the user.

Procedure

  1. Run the following commands to retrieve the docroot and restriction settings for the user:
    $ /Library/Aspera/bin/asuserdata -u username | grep "absolute"
    $ /Library/Aspera/bin/asuserdata -u username | grep "restriction"
    • If no docroot is configured for the user, no output is returned. Proceed to the next step to set a docroot or restriction.
    • If a docroot is configured, the command returns output similar to the following:
      canonical_absolute: "/"
      absolute: "/"
    • If a restriction is configured, the command returns output similar to the following:
      file_restriction: "file:////*"

    If the user's docroot or restriction does not permit access to the source folder, proceed to the next step to update the docroot.

  2. Set the docroot for the user that runs asperawatchfolderd.
    The docroot is a security feature that restricts the area of the file system that a user, and services that are run by that user such as the Aspera® Watch Service, can access. If a user needs access to the entire file system, set the docroot path to /; you cannot leave it empty.

    Set the user's docroot by running the following command:

    $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    Restart asperanoded to activate your change by running the following commands:

    $ sudo launchctl unload /Library/LaunchDaemons/com.aspera.asperanoded.plist
    $ sudo launchctl load /Library/LaunchDaemons/com.aspera.asperanoded.plist
  3. Configure a docroot or file restriction for the user.
    Docroots and path restrictions limit the area of a file system or object storage to which the user has access. Users can create Watch Folders and Watch services on files or objects only within their docroot or restriction.
    Note: Users can have a docroot or a restriction, but not both; if both are set, Watch Folder creation fails.

    Docroots can be set up in the GUI or from the command line. In the GUI, click Configuration > Users > username > Docroot and set the permitted path as the value for Absolute Path. To set up a docroot from the command line, run the following command:

    $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    Restrictions must be set from the command line:

    $ asconfigurator -x "set_user_data;user_name,username;file_restriction,|path"

    The restriction path format depends on the type of storage. In the following examples, the restriction allows access to the entire storage; specify a bucket or path to limit access.

    Storage Type                                   Format Example
    local storage                                  For Unix-like OS:
                                                   • specific folder: file:////folder/*
                                                   • drive root: file:////*
                                                   For Windows OS:
                                                   • specific folder: file:///c%3A/folder/*
                                                   • drive root: file:///c*
    Amazon S3 and IBM Cloud Object Storage - S3    s3://*
    Azure                                          azu://*
    Azure Files                                    azure-files://*
    Alibaba Cloud                                  oss://*
    Google Cloud                                   gs://*

    With a docroot or restriction set up, the user is now an Aspera transfer user. Restart asperanoded to activate your change by running the following commands:

    $ sudo launchctl unload /Library/LaunchDaemons/com.aspera.asperanoded.plist
    $ sudo launchctl load /Library/LaunchDaemons/com.aspera.asperanoded.plist
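
A pre-flight check for the procedure above, as an added example that is not part of the IBM documentation: it classifies asuserdata output as no scope, docroot, restriction, or the conflicting case where both are set, and flags scopes that cover the entire file system or storage. It assumes the 'key: "value"' line format shown in step 1; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes asuserdata prints one
# 'key: "value"' pair per line, as in the step 1 output above.

# Print the quoted value of the line whose key is exactly $1.
# Anchoring the key keeps "absolute" from matching "canonical_absolute".
get_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" | head -n 1
}

# Classify the access scope found in asuserdata output passed as $1.
classify_scope() {
    docroot=$(printf '%s\n' "$1" | get_value absolute)
    restriction=$(printf '%s\n' "$1" | get_value file_restriction)
    if [ -n "$docroot" ] && [ -n "$restriction" ]; then
        echo "conflict"            # both set: Watch Folder creation fails
    elif [ -n "$docroot" ]; then
        case $docroot in
            /) echo "docroot-entire-filesystem" ;;
            *) echo "docroot-scoped" ;;
        esac
    elif [ -n "$restriction" ]; then
        case $restriction in       # entire-storage values from the table above
            'file:////*'|'file:///c*'|'s3://*'|'azu://*'|'azure-files://*'|'oss://*'|'gs://*')
                echo "restriction-entire-storage" ;;
            *) echo "restriction-scoped" ;;
        esac
    else
        echo "none"                # no docroot or restriction: set one first
    fi
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_ROOT='      canonical_absolute: "/"
      absolute: "/"'
SAMPLE_SCOPED='      canonical_absolute: "/data/watch"
      absolute: "/data/watch"'
SAMPLE_RESTRICTION='      file_restriction: "file:////data/watch/*"'
SAMPLE_BOTH="$SAMPLE_SCOPED
$SAMPLE_RESTRICTION"

for sample in "$SAMPLE_ROOT" "$SAMPLE_SCOPED" "$SAMPLE_RESTRICTION" "$SAMPLE_BOTH" ""; do
    classify_scope "$sample"
done
```

On a server, pass the real output instead of a sample: classify_scope "$(/Library/Aspera/bin/asuserdata -u username)".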