From the left navigation menu, select Element Store and then View Policies.
Click the Actions menu for the view policy you want to edit and select Edit.
On the General tab, change these settings as needed:
Name
The name of the policy.
Security Flavor
The security flavor of the policy.
The security flavor determines how file and directory permissions are controlled. For a full description of the security flavors, see File and Directory Permissions in Multiprotocol Views. In brief, the possible values are:
NFS. NFS clients can set permission mode bits on files and directories when creating new files and directories or modifying existing ones. Attempts by SMB clients to set file and directory permissions are ignored. Files and directories created by SMB clients receive a configurable set of initial permission bits.
This flavor can be used with NFSv4.1 but without support for NFSv4 ACLs.
SMB. SMB clients can set permissions on files and directories. Attempts by NFS clients to set permission bits for files and directories are ignored. Files and directories created on NFS clients inherit permissions set on the parent directory by the SMB client.
Mixed Last Wins. This flavor is designed to behave as natively as possible for whichever protocol is used to create or modify a file or directory. It allows permissions to be set and modified from all clients. As far as possible, whenever a user changes permissions via a given protocol, the permission change that is applied in VAST is the one the user intended.
This flavor is required for NFSv4.1 with support for NFSv4 ACLs.
VIP Pools
To limit access to specific VIP pools, select those VIP pools in the VIP Pools dropdown.
If no VIP pools are selected, all VIP pools can access all views that are attached to this view policy.
Group Membership Source
Determines the source for retrieving group memberships of NFS users for the purposes of authorizing access to files and directories. Possible values:
Client. The GIDs declared in the RPC as the user's primary group and auxiliary groups are trusted, and provider-sourced groups are not considered. With AUTH_SYS these GIDs are asserted by the client host itself, so this setting trusts every host that is allowed to mount the export; AUTH_SYS also carries at most 16 auxiliary GIDs, so users in more groups than that are not fully represented.
Providers. Group memberships retrieved from authorization providers are used as the user's group memberships (as for SMB-only and multiprotocol views). The GIDs declared in the RPC are ignored.
Note
This option is required for views that have SMB enabled.
Client and Providers. Both the GIDs declared in the RPC and the group memberships retrieved from authorization providers are considered.
For more information about the impact of this setting, see The VAST Cluster Authorization Flow.
Path Length Limit
Sets the maximum length of a single file path component (a file or directory name). Choose between:
Lowest Common Denominator (default). Imposes the lowest common denominator file name length limit of all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view.
Native Protocol Limit. Imposes no limitation beyond that of the client protocol.
Caution
If you select this mode in a view policy and then in the future expose a view using this policy to a previously not exposed protocol, that view might contain files that won't be accessible by the newly added protocol, due to the limitations of that protocol.
Allowed Characters
Determines which characters are allowed in file names. Choose between:
Lowest Common Denominator (default). Allows only characters allowed by all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view. With this (default) option, the limitation on the length of a single component of the path is 255 characters.
Native Protocol Limit. Imposes no limitation beyond that of the client protocol.
Atime Frequency
atime is a metadata attribute of NFS files that records the last time the file was accessed. atime is updated on a read operation only if the difference between the current time and the file's existing atime value is greater than the configured atime frequency. A very low value can have a performance impact if large numbers of files are being read.
Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m = minutes, h = hours, d = days).
Posix ACL
For NFSv3 clients, this option enables full support for extended POSIX Access Control Lists (ACLs). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits (minimal ACL mode), in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACLs, see https://linux.die.net/man/5/acl.
Note
The Posix ACL setting is relevant for NFSv3 only.
When applied to views that have both NFSv3 and NFSv4.1 enabled, POSIX ACLs are supported for NFSv3 clients while NFSv4.1 ACLs are not supported. Support for NFSv4.1 ACLs requires Mixed Last Wins security flavor and is not supported concurrently with POSIX ACLs for NFSv3.
Note
The Posix ACL setting is supported only with the NFS security flavor.
Note
The setfacl Linux command is blocked if this option is not enabled.
On the NFS tab, manage which NFS hosts are allowed to access the view and the types of access you allow to different hosts.
The access types are:
Read Write
The hosts that have read/write access to the view via NFS. * is a wildcard indicating all hosts.
Read Only
The hosts that have read only access to the view via NFS. * is a wildcard indicating all hosts.
All Squash
The hosts that have all squash applied to them when accessing the view via NFS. With all squash, all client users are mapped to nobody for all file and folder management operations on the export.
No Squash
The hosts that have no squash applied to them when accessing the view via NFS. With no squash, all operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.
Root Squash
The hosts that have root squash applied to them when accessing the view via NFS. With root squash, the root user is mapped to nobody for all file and folder management operations on the export. This enables you to prevent the strongest super user from corrupting all user data on the VAST Cluster.
Trash
This option does not appear here by default. It appears only if Enable trash folder access is enabled on the Settings page. Granting this permission gives NFSv3 client users the ability to delete files by moving them into a trash folder, from which they are automatically deleted. Requires also No Squash. For more information, see Trash Folder (for Rapid Parallel File Deletion).
You can list a host under any of the types, but within each category (read/write versus read-only, and the squash modes) only one type is applied to a given host. If a host matches entries in mutually exclusive types, the conflict is resolved as follows:
A more specific entry wins: an IP overrides a netgroup, a netgroup overrides a CIDR, and a CIDR overrides a wildcard expression.
If a conflict remains after the previous rule is applied, the more restrictive type wins:
Read Only overrides Read / Write.
All Squash overrides Root Squash.
Root Squash overrides No Squash.
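The conflict resolution rules above, modelled as an added example so you can check what a proposed export change does to a given client before applying it. This is illustrative code written for this page, not VAST's implementation: it assumes IPv4 hosts and entries, uses a dict (NETGROUPS) standing in for NIS netgroup lookups, and the ACCESS and TIE_ACCESS tables are constructed sample data.

```python
import ipaddress

# Added illustrative model of the NFS tab's conflict resolution rules.
# Not VAST's implementation; assumes IPv4 hosts and entries, and a dict
# standing in for NIS netgroup lookups.

KIND_RANK = {"ip": 0, "netgroup": 1, "cidr": 2, "wildcard": 3}  # lower = more specific

# Category members, listed from most to least restrictive (the tie-breaker order).
RW_TYPES = ["read_only", "read_write"]
SQUASH_TYPES = ["all_squash", "root_squash", "no_squash"]


def entry_kind(entry):
    """Classify an access-list entry as ip, netgroup, cidr or wildcard."""
    if entry.startswith("@"):
        return "netgroup"
    if "*" in entry:
        return "wildcard"
    if "/" in entry:
        return "cidr"
    return "ip"


def matches(entry, host, netgroups):
    """True if the entry covers host (a dotted-quad string)."""
    kind = entry_kind(entry)
    addr = ipaddress.ip_address(host)
    if kind == "ip":
        return ipaddress.ip_address(entry) == addr
    if kind == "netgroup":
        return host in netgroups.get(entry[1:], ())
    if kind == "cidr":
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry == "*":
        return True
    # "3.3.*.*" style: each '*' stands for one 8-bit field
    pattern, octets = entry.split("."), host.split(".")
    return len(pattern) == 4 and all(p == "*" or p == o for p, o in zip(pattern, octets))


def best_rank(entries, host, netgroups):
    """Rank of the most specific entry matching host, or None if none match."""
    ranks = [KIND_RANK[entry_kind(e)] for e in entries if matches(e, host, netgroups)]
    return min(ranks) if ranks else None


def pick(host, access, types, netgroups):
    """Apply rule 1 (specificity) then rule 2 (restrictiveness) within one category."""
    best = None  # (rank, position in `types`); the smaller tuple wins
    for pos, t in enumerate(types):
        rank = best_rank(access.get(t, []), host, netgroups)
        if rank is not None and (best is None or (rank, pos) < best):
            best = (rank, pos)
    return types[best[1]] if best else None


def resolve(host, access, netgroups=None):
    """Return (rw_type, squash_type) applied to host; None means no entry matched."""
    netgroups = netgroups or {}
    return pick(host, access, RW_TYPES, netgroups), pick(host, access, SQUASH_TYPES, netgroups)


# Constructed sample export: everyone gets read/write with all squash, the lab
# subnet is read-only, the netgroup gets root squash, one admin host no squash.
ACCESS = {
    "read_write": ["*"],
    "read_only": ["10.0.0.0/24"],
    "all_squash": ["*"],
    "root_squash": ["@trusted"],
    "no_squash": ["10.0.0.7"],
}
NETGROUPS = {"trusted": {"10.0.0.7", "10.0.0.8"}}  # stands in for a NIS lookup

# Same host listed in both types of a category: rule 2 picks the restrictive one.
TIE_ACCESS = {"read_write": ["10.0.0.9"], "read_only": ["10.0.0.9"],
              "root_squash": ["10.0.0.9"], "no_squash": ["10.0.0.9"]}

if __name__ == "__main__":
    for h in ("10.0.0.7", "10.0.0.8", "192.168.1.5"):
        print(h, resolve(h, ACCESS, NETGROUPS))
    print("10.0.0.9", resolve("10.0.0.9", TIE_ACCESS))
```

Note that the admin host 10.0.0.7 ends up read-only with no squash: the CIDR read-only entry beats the wildcard read/write entry, while the exact IP in No Squash beats both the netgroup and the wildcard. Listing a host in a specific entry is the only reliable way to exempt it from a broader, more restrictive match.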
To add entries in the access type grid to allow exactly the host access that you want:
Click the +Add new IP button for the access type you want to add hosts to.
The IPs list for the access type becomes editable.
Add hosts using any of the following expressions in a comma-separated list:
A single IP.
A netgroup key, which starts with '@'. This is supported for NIS netgroups if NIS is configured. For information about how to use netgroups, see Using NIS Netgroups to Authorize Host Access to NFS Exports.
A subnet indicated by CIDR notation. For example: 1.1.1.1/24.
A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.
Click Add or press the ENTER key on your keyboard.
The entries are added.
To remove an entry, hover to the right of the entry until a removal button appears and click it.
On the NFS 4.1 tab, change the Minimal Protection Level to the lowest RPC security flavor you want to accept from NFSv4.1 clients:
Kerberos Auth-only. Allows client mounts with Kerberos authentication only (using the RPCSEC_GSS authentication service).
System. Allows client mounts using either the AUTH_SYS RPC security flavor (the traditional default NFS authentication scheme, in which the client asserts the user's UID and GIDs) or Kerberos authentication.
None. Allows client mounts with the AUTH_NONE (anonymous access) or AUTH_SYS RPC security flavors, or with Kerberos authentication.
On the SMB tab, you can change the SMB file mode permission bits and SMB directory mode permission bits. These are used specifically to apply permissions to files and directories created by SMB clients when both NFSv3 and SMB clients have access to the same view and the security flavor in the view policy is set to NFS.
Click Update to save your changes.
To modify a view policy via the VAST CLI, use the viewpolicy modify command.