File access can be authorized through an authorization provider. See File Permissions Authorization for NFS Exports for more information.
To configure an auth provider and/or local users, see these topics:
Every view receives part of its configuration from a view policy. You can either modify the default view policy or create a new view policy.
- In the VAST Web UI, select Element Store from the left navigation menu and then select View Policies.
  The View Policies tab displays at least one view policy, the default view policy.
- To edit a view policy, open the Actions menu for the policy and select Edit. Alternatively, to create a new view policy, click Create Policy at the top right of the grid.
  The Add Policy or Update Policy dialog opens with the General area expanded.
- In the Name field, enter a unique name for the policy.
- From the Security Flavor dropdown, select NFS.
- Optionally enable Use Auth Provider. This is disabled by default. Enabling it activates the role of an authorization provider (LDAP or NIS) in file access authorization. See File Permissions Authorization for NFS Exports to learn about these options. In brief:
  - Leave Use Auth Provider disabled to trust the group memberships carried in the NFS RPCs when authorizing access to files and directories.
  - Enable Use Auth Provider to look up client users' GIDs in the cluster's user database (UDB) whenever an access check needs to match group mode bits against the user's GIDs. The UDB fetches GIDs from the configured auth provider (LDAP or NIS) based on the incoming UID, except for users configured as local, which are not updated from the auth provider.
  If the cluster is connected to NIS, this setting also enables you to use netgroups when defining client host access (see the next step).
- Expand the NFS section. Here you can manage which hosts are allowed to access the view and the types of access you allow to different hosts.
  Two wildcard entries initially appear in the Read/Write and Root Squash rows of the grid. These wildcards represent all IPs of all hosts, so the default configuration gives all hosts read/write access with root squashing.
- Add and remove entries in the access type grid to allow exactly the host access that you want:
  - Click the button for the access type you want to add hosts to.
    The IPs and Netgroups list for the access type becomes editable.
  - Add hosts using any of the following expressions in a comma-separated list:
    - A single IP.
    - A netgroup key, which starts with '@'. This is supported for NIS netgroups if NIS is configured. For information about how to use netgroups, see Using NIS Netgroups to Authorize Host Access to NFS Exports.
    - A subnet in CIDR notation. For example: 1.1.1.1/24.
    - A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.* or 3.3.*.*.
The access types comprise these categories:
- Controlling read and write operations:
  - Read / Write. Read/write access.
  - Read Only. Read-only access.
- Controlling squash policy:
  - No Squash. All operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.
  - Root Squash. The root user is mapped to nobody for all file and folder management operations on the export. This enables you to prevent the strongest super user from corrupting all user data on the VAST Cluster.
  - All Squash. All client users are mapped to nobody for all file and folder management operations on the export.
- Controlling access to the trash folder:
  - Trash Access. This option does not appear here by default. It appears only if Enable trash folder access is enabled on the Settings page. Granting this permission gives hosts the ability to delete files by moving them into a trash folder, from which they are automatically deleted. It also requires No Squash. For more information, see Trash Folder (for Rapid Parallel File Deletion).
You can add hosts to any and all of the types, but within each category no more than one type is applied to any given host. If a host is specified with multiple entries in mutually exclusive types, the conflict is resolved as follows:
- An IP overrides a netgroup, a netgroup overrides a CIDR, and a CIDR overrides a wildcard expression.
- If a conflict remains after the previous rule is applied, then:
  - Read Only overrides Read / Write.
  - All Squash overrides Root Squash.
  - Root Squash overrides No Squash.
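As an added illustration (not VAST's own code or UI logic), the following Python applies the two precedence rules above to a constructed access-type grid, so you can check what a given client IP would actually get. It assumes the all-hosts wildcard is written as `*` and stands in a small dict for NIS netgroup membership:

```python
import ipaddress

# Constructed example grid modelled on the access-type grid described above:
# one list of host expressions per access type. NETGROUPS is a hypothetical
# stand-in for NIS netgroup membership (the real lookup happens in NIS).
NETGROUPS = {"@build": {"10.0.1.7", "10.0.1.8"}}
GRID = {
    "Read / Write": ["*", "10.0.1.0/24"],
    "Read Only": ["@build", "10.0.2.*"],
    "No Squash": ["10.0.1.8"],
    "Root Squash": ["*"],
    "All Squash": ["10.0.2.*"],
}
# Within a category the left-most type wins a tie between equally specific
# entries: Read Only beats Read / Write; All Squash beats Root Squash beats No Squash.
RW_ORDER = ["Read Only", "Read / Write"]
SQUASH_ORDER = ["All Squash", "Root Squash", "No Squash"]

def specificity(entry):
    """0 = single IP, 1 = netgroup, 2 = CIDR, 3 = wildcard; lower overrides higher."""
    if entry.startswith("@"):
        return 1
    if "*" in entry:
        return 3
    if "/" in entry:
        return 2
    return 0

def matches(entry, ip):
    """Does the client IP fall under this grid entry? '*' stands for all hosts."""
    if entry.startswith("@"):
        return ip in NETGROUPS.get(entry, set())
    if "*" in entry:
        # Compare octet by octet; a '*' field accepts any value (so '*' matches all).
        return all(p == "*" or p == o for p, o in zip(entry.split("."), ip.split(".")))
    if "/" in entry:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    return ip == entry

def resolve(order, ip, grid):
    """Pick the one type from a category that applies to ip, or None if none match."""
    hits = [(specificity(e), order.index(t), t)
            for t in order for e in grid.get(t, []) if matches(e, ip)]
    return min(hits)[2] if hits else None

def effective_access(ip, grid=GRID):
    """Return the (read/write type, squash type) the grid applies to a client IP."""
    return resolve(RW_ORDER, ip, grid), resolve(SQUASH_ORDER, ip, grid)
```

With the constructed grid, 10.0.1.8 ends up Read Only (its netgroup entry beats the CIDR and wildcard) but No Squash (its single-IP entry beats the wildcard), which is exactly the kind of surprise worth checking before trusting the defaults.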
- Press the ENTER key on your keyboard.
  The entries are added.
  To remove an entry, click its removal button (the little 'x').
- Optionally expand the Advanced section and change the following settings:
  - Atime frequency. atime is a metadata attribute of NFS files that represents the last time the file was updated. atime is updated on read operations if the difference between the current time and the file's atime value is greater than the configured atime frequency. A very low value might have a performance impact if high numbers of files are being read.
    Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m = minutes, h = hours, d = days).
  - Posix ACL. Enables full support of extended POSIX Access Control Lists (ACLs). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits (minimal ACL mode), in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACLs, see https://linux.die.net/man/5/acl.
    Note: The setfacl Linux command is blocked if this option is not enabled.
  - Use 32-bit File IDs (from VAST Cluster 3.2.0; disabled by default). Sets the VAST Cluster's NFS server to use 32-bit file IDs. This setting supports legacy 32-bit applications running over NFS.
- Click Create.
  The policy is created and added to the list.
Alternatively, use the viewpolicy create command to create a new view policy or the viewpolicy modify command to modify the default view policy. For command syntax, see NFS Usage.
- In the VAST Web UI, select Element Store from the left navigation menu and then select Views.
- Click Create View to add a new view.
  The Add View dialog appears.
- In the Filesystem Path field, enter the full path from the top level of the storage system on the cluster to the location that you want to expose. The directory may already exist, for example if it was created by a client inside a mounted parent directory. It could also be a path to a new directory that you create now (see step 7).
- Open the Protocols dropdown and select NFS to expose the view to NFS clients.
- In the NFS Alias field, you can optionally specify an alias for the mount path of the NFS export. An alias must begin with a forward slash ("/") and must consist of only ASCII characters.
- From the Policy dropdown, select the view policy configured as described in the previous step. It might be the default policy or one you created for this purpose.
- If the directory does not already exist in the file system, enable the Create Directory setting to create it.
- Click Create.
  The view is now created. You can see it displayed in the Views tab.
Alternatively, use the view create command.