Group membership authorization for file access: When a client user requests access to a file over NFS, the process of authorizing access (explained in full here) may lead to checking the user's group IDs. It's possible to configure VAST to use a NIS users map as the authority on group IDs in that case.
Using your NIS netgroup map to allow hosts to access exports: When mounting an export on a client host, the host needs to have permission to access the export. Host access permission is defined in the export's policy. It's possible to add hosts to a policy by adding NIS netgroups that contain the hosts rather than adding the hosts individually.
From the menu, select Security and then select the NIS tab.
Click to add a new NIS configuration (you can only add one).
Complete the fields:
The NIS domain name shared by all the NIS servers and clients on your network.
Include every NIS master and slave server (limited to ten servers). You can specify each server by its IP or host name, up to 48 characters. Either type them as a comma-separated list, or type each one, hit ENTER, and then type the next. Each entry appears below the field with its own removal button.
The NIS configuration is now displayed on the NIS tab in the Security page.
To manage NIS via the CLI, use the following commands.
For full CLI command syntax, including arguments, enter the command at the CLI prompt, followed by ?.
If you are using NIS to check user group memberships in order to authorize file access, the cached user entries are used. Therefore, in order to avoid unwanted access denials, it's good practice to refresh the cache immediately after you update any user's group memberships on NIS.
The users cache is limited to 20,480 users.
If you're using NIS netgroups to specify which hosts are allowed to access exports, refreshing the cache can avoid delays in granting access. If a host requests access to an export and is not found in the netgroups that are listed in the export policy, VAST Cluster fetches the netgroup map again. Therefore, a host that was recently added to a netgroup without a refresh of the cache would be granted access after a short delay. To avoid those delays, refresh the NIS cache immediately after updating the netgroup map.
The netgroup cache is limited to 10,000 users. If the number of netgroups on the NIS server exceeds the limit, the least recently used netgroups are skipped each time the netgroups are fetched.
Netgroups are sets of users, hosts and domains that are grouped together for administration purposes.
Client host access to VAST Cluster exports is controlled by export policies. Each export is bound to a policy which allows access to whichever hosts are specified in the policy. You can add NIS netgroups to export policies in order to allow access to hosts contained in the netgroups.
NIS netgroups are defined in a NIS netgroup map on the NIS master server.
A netgroup map looks like this, for example:
users (,user1271,) (,user973,) (,user287,) (,user1185,) (,user83,) (,user860,) (,user657,) (,user447,) (,user136,) (,user1113,)
moreusers (,user447,)
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (host133.test.org,,) (host134.test.org,,) (host135.test.org,,) (host136.test.org,,) (host137.test.org,,) (host138.test.org,,) (host139.test.org,,) (host140.test.org,,)
keygroup morehosts otherhosts besthosts
morehosts (host832.test.org,,) (host833.test.org,,) (host834.test.org,,) (host835.test.org,,) (host836.test.org,,) (host837.test.org,,) (host838.test.org,,) (host839.test.org,,) (host840.test.org,,) (host841.test.org,,) (host842.test.org,,) (host843.test.org,,)
Each line represents a netgroup, starting with the name of the netgroup (the netgroup key) and then listing all the netgroup's members, which can be either:
In the triple format ([-|host], [-|user], [domain]).
A blank value for any of the three parts acts as a wildcard. For example, the entry (,user1271,) denotes the user user1271 on any host or domain.
Another netgroup key. In this case, one netgroup is nested under another netgroup.
For example, in the netgroup map above, the netgroup keygroup has the netgroups morehosts, otherhosts and besthosts nested under it.
When using NIS netgroups to allow host access to VAST Cluster exports, the following requirements apply:
Hosts should have both forward and reverse DNS entries. Netgroup hostname response from the NIS servers triggers VAST Cluster to perform hostname resolution via DNS.
The host entries inside the netgroups, in the format ([-|host], [-|user], [domain]), should have values set as follows:
domain must be the NIS domain name specified in the NIS configuration (or blank).
host must be either the hostname or the IP of the host.
user can be anything. It is ignored.
Netgroup keys may include up to 46 characters.
Up to 10,000 netgroups are supported altogether per VAST Cluster.
Nesting is supported up to a limit of ten levels.
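A netgroup map can be checked against these requirements before its keys are added to an export policy. The following is an added example, not VAST code: it parses a map in the format shown above, expands a key through its nested netgroups to the hosts it names, and reports entries that do not meet the requirements. The names parse_map and audit_hosts, the sample domain example.nis, counting the key in the policy as level 0, and leaving non-conforming entries out of the result are all assumptions of this example.

```python
import re

MAX_KEY_LEN = 46   # page: netgroup keys may include up to 46 characters
MAX_NESTING = 10   # page: nesting is supported up to ten levels
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample map in the page's format; the domains are made up.
SAMPLE_MAP = """\
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,example.nis) (host133.test.org,,other.nis)
morehosts (host832.test.org,,) (,user447,)
keygroup morehosts otherhosts besthosts
"""

def parse_map(text):
    """Return {key: members}; a member is a (host, user, domain) tuple or a nested key."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        tokens = re.findall(r"\([^)]*\)|\S+", parts[1] if len(parts) > 1 else "")
        matches = [(TRIPLE.fullmatch(t.replace(" ", "")), t) for t in tokens]
        groups[parts[0]] = [m.groups() if m else t for m, t in matches]
    return groups

def audit_hosts(groups, key, nis_domain, depth=0, path=()):
    """Expand `key` to the hosts it names and list entries that break the requirements."""
    if key in path:
        return set(), [f"{key}: nesting cycle"]
    if depth > MAX_NESTING:
        return set(), [f"{key}: nested deeper than {MAX_NESTING} levels"]
    if key not in groups:
        return set(), [f"{key}: not defined in the map"]
    hosts, findings = set(), []
    if len(key) > MAX_KEY_LEN:
        findings.append(f"{key}: key longer than {MAX_KEY_LEN} characters")
    for member in groups[key]:
        if isinstance(member, str):  # nested netgroup key
            sub_hosts, sub_findings = audit_hosts(groups, member, nis_domain, depth + 1, path + (key,))
            hosts |= sub_hosts
            findings += sub_findings
        elif member[2] not in ("", nis_domain):  # domain must be the NIS domain or blank
            findings.append(f"{key}: {member} domain is not {nis_domain} or blank")
        elif member[0] in ("", "-"):  # host must be a hostname or IP; user is ignored
            findings.append(f"{key}: {member} does not name a host")
        else:
            hosts.add(member[0])
    return hosts, findings
```

Calling audit_hosts(parse_map(SAMPLE_MAP), "keygroup", "example.nis") returns the three conforming hosts and two findings: the user-only entry in morehosts and the entry in otherhosts whose domain differs from the configured NIS domain.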
Make sure NIS is configured.
Check which export policy each export is using:
From the menu, select Configuration and then select the Exports tab.
Each export's policy is listed in the Policy column for the export:
Add the relevant netgroup key(s) to the Netgroups field of the export policy.