This command creates a view policy. Every view has a policy. The view policy specifies part of the view's configuration. One view policy can be applied to any number of views.
For views exposed to both SMB and NFS, usage is:
viewpolicy create --name NAME --flavor nfs|smb --auth-source PROVIDERS|RPC_AND_PROVIDERS [--path-length LCD|NPL] [--allowed-characters LCD|NPL] [--gid-inheritance linux|bsd] [--atime-frequency ATIME_FREQUENCY] [--read-write [HOSTS]] [--read-only [HOSTS]] [--nfs-no-squash [HOSTS]] [--nfs-root-squash [HOSTS]] [--nfs-all-squash [HOSTS]] [--nfs-return-open-permissions] [--disable-nfs-return-open-permissions] [--enable-nfs-posix-acl] [--disable-nfs-posix-acl] [--enable-32bit-fileid] [--disable-32bit-fileid] [--trash-access [HOSTS]] [--smb-file-mode SMB_FILE_MODE] [--smb-directory-mode SMB_DIRECTORY_MODE]
For views exposed to NFS only, usage is:
viewpolicy create --name NAME --auth-source RPC|PROVIDERS|RPC_AND_PROVIDERS [--atime-frequency ATIME_FREQUENCY] [--read-write [HOSTS]] [--read-only [HOSTS]] [--nfs-no-squash [HOSTS]] [--nfs-root-squash [HOSTS]] [--nfs-all-squash [HOSTS]] [--nfs-return-open-permissions] [--disable-nfs-return-open-permissions] [--enable-nfs-posix-acl] [--disable-nfs-posix-acl] [--enable-32bit-fileid] [--disable-32bit-fileid] [--trash-access [HOSTS]]
For views exposed to SMB only, usage is:
viewpolicy create --name NAME --auth-source PROVIDERS
Multiprotocol (NFS + SMB) Basic Options
Sets the security flavor for a multiprotocol view policy to one of two security flavors:
To learn more about security modes, see: File and Directory Permissions in Multiprotocol Views.
For multiprotocol views, if the security flavor is NFS, specify default unix permission bits for files (--smb-file-mode) and directories (--smb-directory-mode). These are applied as initial permissions to files and directories created by SMB clients.
Specify SMB_FILE_MODE and SMB_DIRECTORY_MODE in three-digit numeric notation, in which each digit represents a component of the permissions: user, group and others (in that order). Each digit is the sum of the following component bits:
Supposing you want to set the following permissions for file mode:
The user's read bit (4) and write bit (2) total 6, and the group and others each have only a read bit, so that is 4 each. Therefore, you set the permission bits to 644:
SMB file mode permission bits: 644
SMB directory mode permission bits: 755
Advanced Multiprotocol (NFS + SMB) Options
NFS Host Access Options
These options set which NFS client hosts can access the view with which access types. In each access type option,
HOSTS can be specified as a comma separated series of any of the following:
A single IP.
A netgroup key, which starts with '@'. This is supported for NIS netgroups if NIS is configured. For information about how to use netgroups, see Using NIS Netgroups to Authorize Host Access to NFS Exports.
Netgroups are not supported for multiprotocol views.
A subnet indicated by CIDR notation. For example: 18.104.22.168/24.
A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.
The access types comprise these categories:
Controlling read and write operations:
Read / Write. Read/write access.
Read Only. Read only access.
Controlling squash policy:
No Squash. All operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.
Root Squash. The root user is mapped to nobody for all file and folder management operations on the export. This prevents the most powerful superuser from corrupting all user data on the VAST Cluster.
All Squash. All client users are mapped to nobody for all file and folder management operations on the export.
Controlling access to the trash folder:
Trash Access. This option does not appear here by default. It appears only if Enable trash folder access is enabled on the Settings page. Granting this permission gives hosts the ability to delete files by moving them into a trash folder, from which they are automatically deleted. Also requires No Squash. For more information, see Trash Folder (for Rapid Parallel File Deletion).
You can add hosts to any and all of the types, but within each category no more than one type will be applied to any given host. If a host is specified with multiple entries in mutually exclusive types, the conflict is resolved as follows:
An IP overrides a netgroup, a netgroup overrides a CIDR, and a CIDR overrides a wildcard expression.
If a conflict remains after the previous rule is applied, then:
Read Only overrides Read / Write.
All Squash overrides Root Squash.
Root Squash overrides No Squash.
By default, all hosts have read-write and root squash access.
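The precedence rules above, worked through as an added example (this is not code from VAST or the vcli): a small Python resolver that computes the effective access type, squash policy and trash access for a client IP from the HOSTS entries given to each option. It assumes a constructed NIS netgroup membership table and the documented default of read-write plus root squash.

```python
import ipaddress

# Override order stated above: an IP beats a netgroup beats a CIDR beats a wildcard.
SPECIFICITY = {"ip": 4, "netgroup": 3, "cidr": 2, "wildcard": 1}
# Constructed stand-in for NIS netgroup membership (the real CLI queries NIS).
NETGROUPS = {"@lab": {"10.0.0.3", "10.0.0.9"}}

def classify(entry):
    """Kind of HOSTS entry: single IP, '@'-netgroup, CIDR subnet, or '*' wildcard."""
    if entry.startswith("@"):
        return "netgroup"
    if "/" in entry:
        return "cidr"
    if "*" in entry:
        return "wildcard"
    return "ip"

def matches(entry, host):
    kind = classify(entry)
    if kind == "ip":
        return entry == host
    if kind == "netgroup":
        return host in NETGROUPS.get(entry, set())
    if kind == "cidr":
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    # Wildcard: '*' stands for a whole 8-bit field of the address.
    return all(p in ("*", h) for p, h in zip(entry.split("."), host.split(".")))

def best_specificity(entries, host):
    """Specificity of the most specific entry matching host (0 if none match)."""
    return max((SPECIFICITY[classify(e)] for e in entries if matches(e, host)), default=0)

def resolve(policy, host):
    """policy maps option name -> list of HOSTS entries; returns (access, squash, trash)."""
    def pick(types_strictest_first, default):
        best, chosen = 0, default
        for opt in types_strictest_first:  # on equal specificity the stricter type wins
            spec = best_specificity(policy.get(opt, []), host)
            if spec > best:
                best, chosen = spec, opt
        return chosen
    access = pick(["read-only", "read-write"], "read-write")
    squash = pick(["nfs-all-squash", "nfs-root-squash", "nfs-no-squash"], "nfs-root-squash")
    trash = best_specificity(policy.get("trash-access", []), host) > 0
    return access, squash, trash

# Host entries mirroring the multiprotocol example on this page (constructed input).
EXAMPLE_POLICY = {"read-write": ["10.0.0.*"], "read-only": ["10.0.0.1"],
                  "nfs-all-squash": ["10.0.0.3"], "trash-access": ["10.0.0.1", "10.0.0.4"]}
```

Hosts matched by no squash entry receive the documented root squash default; the resolver models only the rules stated here and no implicit behaviour of trash access.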
Advanced NFS Options
atime is a metadata attribute of NFS files that records the last time the file was accessed. atime is updated on read operations only if the difference between the current time and the file's current atime value is greater than the configured atime frequency. Note that a very low value can have a performance impact when large numbers of files are being read.
Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m = minutes, h = hours, d = days).
Sets the NFS server to unilaterally return open (777) permission for all files and directories when responding to client side access checks.
This setting works around a permissions issue that occurs with Windows clients. Windows clients perform NFSv3 access checks before executing read/write requests. This client-side check uses the UID and primary GID of the user without taking secondary GIDs into account. If the check fails, the request is not executed, so some permissions, such as those based on secondary groups, may not be honored as they should be.
When return open permissions is enabled, VAST Cluster returns open permissions for client-side access checks, so that the Windows client grants access and executes the read/write request. VAST Cluster then performs a proper permission check when the request is executed.
Use this feature with caution if Windows client systems are shared by more than one user, since the following security breach could occur: while one user is accessing a file with correct permissions and the file is cached in memory on the Windows system, a second user who tries to access the same file is incorrectly allowed access, because no proper access check is done for the second user.
Disables the NFS return open permissions setting. See
Enables full support of extended POSIX Access Control Lists (ACLs). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits (minimal ACL mode), in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACLs, see https://linux.die.net/man/5/acl.
Disables support for extended POSIX ACLs, restoring default minimal ACL mode.
Sets the VAST Cluster's NFS server to use 32-bit file IDs. This setting supports legacy 32-bit applications running over NFS.
In this example, we create a policy called multipro1 to attach to multiprotocol views.
In this policy, we choose to set security flavor to NFS. That enables NFS clients to set permissions on files and directories, while SMB clients will not be able to set permissions.
We will set a non-default set of permission mode bits for files and directories to inherit whenever they are created by SMB clients.
vcli: admin> viewpolicy create --name multipro1 --flavor nfs --auth-source PROVIDERS --read-write 10.0.0.* --read-only 10.0.0.1 --nfs-all-squash 10.0.0.3 --trash-access 10.0.0.1,10.0.0.4 --smb-file-mode 664 --smb-directory-mode 775
The client 10.0.0.1 has read only access, will be root squashed and can use the trash folder.
The client 10.0.0.2 has read/write access, will be root squashed and cannot use the trash folder.
The client 10.0.0.3 has read/write access, will be all squashed and cannot use the trash folder.
The client 10.0.0.4 has read/write access, will not be squashed and can use the trash folder.
The client 10.0.0.5 has read/write access, will not be squashed and cannot use the trash folder.
This example simply names a policy for SMB usage and enables auth provider, as required for SMB. No other view policy parameters are relevant for a policy used for views that are only exposed as SMB shares.
vcli: admin> viewpolicy create --name smbpolicy --auth-source PROVIDERS
In this example, a view policy intended for NFS-only views is named nfspolicy1 and gives read/write and trash folder access to one specific host while enabling read-only access for all hosts. The host given trash folder access is also not squashed, which is a necessary configuration for trash folder access to work. Remaining hosts are root squashed by default.
vcli: admin> viewpolicy create --name nfspolicy1 --auth-source RPC_AND_PROVIDERS --read-write 192.0.2.0 --read-only * --nfs-no-squash 192.0.2.0 --trash-access 192.0.2.0