Updating the docroot or restriction of a running Watch Folder service

If aswatchfolderadmin returns the error code "err=28672" when you try to create a Watch Folder, confirm that the user's docroot or restriction allows access to the source directory specified in the JSON configuration file. You might have specified a destination that is not permitted by the docroot or restriction of the user that runs asperawatchfolderd, or the user might have no docroot configured at all.

These instructions describe how to retrieve the docroot or restriction configuration for the user and update the docroot or restriction, if necessary. The configuration change automatically triggers a restart of the asperawatchd service that is associated with the user.

  1. Run the following commands to retrieve the docroot or restriction setting for the user:
    $ /Library/Aspera/bin/asuserdata -u username | grep "absolute"
    $ /Library/Aspera/bin/asuserdata -u username | grep "restriction"
    • If no docroot is configured for the user, no output is returned. Proceed to the next step to set a docroot or restriction.
    • If a docroot is configured, the command returns output similar to the following:
      canonical_absolute: "/"
      absolute: "/"
    • If a restriction is configured, the command returns output similar to the following:
      file_restriction: "file:////*"

    If the user's docroot or restriction does not permit access to the source folder, proceed to the next step to update the docroot or restriction.

  2. Configure a docroot or file restriction for the user.
    Docroots and path restrictions limit the area of a file system or object storage to which the user has access. Users can create Watch Folders and Watch services on files or objects only within their docroot or restriction.
    Note: A user can have a docroot or a restriction, but not both; if both are set, Watch Folder creation fails.

    Docroots can be set up in the GUI or from the command line. In the GUI, click Configuration > Users > username > Docroot and set the permitted path as the value for Absolute Path. To set up a docroot from the command line, run the following command:

    $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    Restrictions must be set from the command line:

    $ asconfigurator -x "set_user_data;user_name,username;file_restriction,|path"

    The restriction path format depends on the type of storage. In the following examples, the restriction allows access to the entire storage; specify a bucket or path to limit access.

    Storage type                                   Format example
    Local storage (Unix-like OS)                   Specific folder: file:////folder/*
                                                   Drive root: file:////*
    Local storage (Windows OS)                     Specific folder: file:///c%3A/folder/*
                                                   Drive root: file:///c*
    Amazon S3 and IBM Cloud Object Storage - S3    s3://*
    Azure                                          azu://*
    Azure Files                                    azure-files://*
    Azure Data Lake Storage                        adl://*
    Alibaba Cloud                                  oss://*
    Google Cloud                                   google-gcs://*

    With a docroot or restriction set up, the user is now an Aspera transfer user. Restart asperanoded to activate your change.

    Run the following commands to reload asperanoded:
    $ sudo launchctl unload /Library/LaunchDaemons/com.aspera.asperanoded.plist
    $ sudo launchctl load /Library/LaunchDaemons/com.aspera.asperanoded.plist
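
The check in step 1 can be scripted so that a missing, conflicting, or overly broad setting is caught before the Watch Folder is created. The following is an added example, not part of the original documentation or of Aspera's own tooling; check_access and the sample values are hypothetical. It assumes local Unix storage, a single restriction, and that '*' in a restriction behaves like a shell wildcard.

```shell
#!/bin/sh
# Added example: classify asuserdata output against a Watch Folder source path.
# Scope (assumption): local Unix storage, one docroot or one file:/// restriction,
# with '*' in the restriction treated as a shell-style wildcard.

# check_access <asuserdata-output> <source-path>
# Prints: none | conflict | unsupported | denied | allowed | allowed-broad
check_access() {
    out=$1 src=$2
    # Values come from lines such as:  absolute: "/"   file_restriction: "file:////*"
    # (canonical_absolute is skipped because the key must start the line.)
    docroot=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*absolute: "\(.*\)"$/\1/p' | head -n 1)
    restr=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*file_restriction: "\(.*\)"$/\1/p' | head -n 1)

    [ -n "$docroot$restr" ] || { echo none; return; }                   # nothing set
    [ -z "$docroot" ] || [ -z "$restr" ] || { echo conflict; return; }  # both set: creation fails

    # A prefix or wildcard match is meaningless if the path climbs with "..".
    case $src in */../*|*/..) echo denied; return ;; esac

    if [ -n "$docroot" ]; then
        d=${docroot%/}                     # "/" becomes "", "/srv/x/" becomes "/srv/x"
        case $src in
            "$d"|"$d"/*) [ -z "$d" ] && echo allowed-broad || echo allowed ;;
            *) echo denied ;;
        esac
        return
    fi

    restr=${restr#"|"}                     # drop the leading delimiter if present
    pat=${restr#file:///}                  # file:////folder/* -> /folder/*
    [ "$pat" != "$restr" ] || { echo unsupported; return; }   # not local storage
    case $src in
        $pat) [ "$pat" = "/*" ] && echo allowed-broad || echo allowed ;;
        *) echo denied ;;
    esac
}

# Constructed sample inputs in the format shown in step 1 (not captured from a real node).
SAMPLE_DOCROOT='      canonical_absolute: "/srv/aspera"
      absolute: "/srv/aspera"'
SAMPLE_RESTRICTION='      file_restriction: "file:////*"'

check_access "$SAMPLE_DOCROOT" /srv/aspera/inbox      # allowed
check_access "$SAMPLE_DOCROOT" /var/tmp/inbox         # denied
check_access "$SAMPLE_RESTRICTION" /var/tmp/inbox     # allowed-broad
```

On a real node, pass the output of asuserdata -u username as the first argument; a result of allowed-broad means the user can reach the whole file system and the setting should be narrowed to the specific folder.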