Netgroups are sets of users, hosts and domains that are grouped together for administration purposes. On VAST Cluster, netgroups defined on a NIS or LDAP authorization provider can be used to authorize NFSv3 or NFSv4.1 client hosts' access.
Overview of Netgroups
VAST Cluster supports netgroups defined in a netgroup map on a NIS or LDAP server. For example, a netgroup map looks like this:

    users (,user1271,) (,user973,) (,user287,) (,user1185,)
    moreusers (,user447,)
    besthosts (host84.test.org,,)
    otherhosts (host132.test.org,,) (host133.test.org,,) (host134.test.org,,)
    keygroup morehosts otherhosts besthosts (host463.test.org,,)
    morehosts (host832.test.org,,) (host833.test.org,,)
Each line represents a netgroup. It starts with the netgroup name and then lists the netgroup members. A netgroup member can be either of the following:
- A triple in the form (host,user,domain). A blank value for any of the three elements acts as a wildcard. For example, the entry (host132,,) denotes host host132 with any user on any domain, and the triple (,,) denotes all clients. Note that VAST Cluster does not accept a blank host in a netgroup used for NFS host-based access (see Requirements and Restrictions below), so a host entry is always required.
- A nested netgroup. In the example above, netgroup keygroup includes the nested netgroups morehosts, otherhosts and besthosts.
Requirements and Restrictions
- Netgroups are only used to allow or deny clients' access via NFS. VAST Cluster does not accept netgroup entries in host-based access rules for other access protocols.
- Hosts should have both forward and reverse DNS entries. When VAST Cluster gets the netgroup hostname response from a NIS or LDAP server, it resolves the hostname via DNS.
- Netgroup names can be up to 46 characters.
- A netgroup triple should be specified in the format (host,user,domain), where:
  - host is a DNS name or an IP address (IPv4 or IPv6) of the host. If no host is specified, the netgroup is considered invalid.
  - user is ignored. A netgroup therefore authorizes the host, not individual users on it: a triple such as (host132,user1,) grants access to host132 for any user.
  - domain is ignored.
- Netgroup nesting is supported up to a limit of 10 levels.
- Up to 10,000 netgroups are supported altogether per VAST Cluster.
Setting a Netgroup Provider for a Tenant
Netgroups can be retrieved from a NIS or LDAP provider configured for a tenant on VAST Cluster.
Enabling LDAP Reverse Lookup for Netgroups
When using LDAP netgroups, you can optionally enable netgroup reverse lookup for the LDAP provider.
If reverse lookup is enabled, netgroup processing does not translate all hostnames to IP addresses. Instead, a reverse lookup on the client IP is performed and the resulting name is used to locate the netgroup. This reduces the number of DNS queries involved but requires reverse (PTR) records to be set up on the DNS server. Because the access decision then keys on the client's PTR record, the reverse zones covering your client address ranges must be correctly maintained and under your control.
If reverse lookup is disabled, netgroup processing translates all hostnames to IP addresses and compares the client IP address to the resolved addresses. This ensures faster access checks, but may cause a higher load on the DNS server.
You can enable or disable reverse lookup in the LDAP configuration settings in VAST Web UI (User Management -> LDAP -> choose to create or update an LDAP provider), or by running the VAST CLI ldap create or ldap modify command with the --reverse-lookup option specified.
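The netgroup format, the requirements above (host required, user and domain ignored, 46-character names, 10 nesting levels) and the two lookup modes can be exercised offline with the following Python. This is an added example, not VAST Cluster code: the netgroup map and the forward and reverse DNS tables it uses are constructed stand-ins for a NIS/LDAP server and a resolver, the rule that an invalid nested netgroup makes its parent unusable is an assumption, and the forward confirmation of the PTR name in reverse-lookup mode is an added safeguard rather than documented VAST behaviour.

```python
"""Parse a NIS/LDAP netgroup map and evaluate NFS client membership under the
rules described above: user and domain ignored, host required, 10 nesting levels,
forward resolution of hosts or reverse lookup of the client IP. Added example."""
import ipaddress
import re

MAX_NAME_LEN, MAX_NESTING = 46, 10   # limits stated in the requirements above
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed map: the groups from the example above, a group nesting the
# host-less "users" group, an IP-literal group and a 12-level nesting chain.
NETGROUP_MAP = """\
users (,user1271,) (,user973,) (,user287,) (,user1185,)
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (host133.test.org,,) (host134.test.org,,)
keygroup morehosts otherhosts besthosts (host463.test.org,,)
morehosts (host832.test.org,,) (host833.test.org,,)
mixed besthosts users
literal (10.0.3.3,,) (fd00::33,,)
""" + "".join(f"level{i} level{i + 1}\n" for i in range(12)) + "level12 (deep.test.org,,)\n"

# Constructed DNS tables standing in for the resolver; no real queries are made.
FORWARD_DNS = {
    "host84.test.org": {"10.0.1.84"},
    "host132.test.org": {"10.0.1.132"},
    "host133.test.org": {"10.0.1.133"},
    "host134.test.org": {"10.0.1.134"},
    "host463.test.org": {"10.0.1.163", "fd00::463"},
    "host832.test.org": {"10.0.1.232"},
    "host833.test.org": {"10.0.1.233"},
    "deep.test.org": {"10.0.2.1"},
}
REVERSE_DNS = {ip: name for name, ips in FORWARD_DNS.items() for ip in ips}
REVERSE_DNS["10.0.9.9"] = "host84.test.org"   # forged PTR, no matching forward record


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_netgroup_map(text):
    """Return {name: {"hosts": set, "nested": set, "valid": bool}}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name, members = fields[0], fields[1:]
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"netgroup name longer than {MAX_NAME_LEN}: {name}")
        entry = {"hosts": set(), "nested": set(), "valid": True}
        for member in members:
            match = TRIPLE.fullmatch(member)
            if match is None:
                entry["nested"].add(member)          # bare word: nested netgroup
                continue
            host, _user, _domain = (f.strip() for f in match.groups())
            if host:
                entry["hosts"].add(host.lower())     # user and domain are ignored
            else:
                entry["valid"] = False               # no host: invalid for NFS use
        groups[name] = entry
    return groups


def expand_hosts(groups, name, depth=0):
    """Flatten nested netgroups into one host set. Raises ValueError for an unknown
    or invalid group (assumption: an invalid nested group taints its parent) and
    RecursionError past MAX_NESTING levels, which also stops cyclic definitions."""
    if depth > MAX_NESTING:
        raise RecursionError(f"nesting deeper than {MAX_NESTING} levels at {name}")
    entry = groups.get(name)
    if entry is None or not entry["valid"]:
        raise ValueError(f"netgroup {name} is missing or invalid")
    hosts = set(entry["hosts"])
    for child in entry["nested"]:
        hosts |= expand_hosts(groups, child, depth + 1)
    return hosts


def client_matches(groups, name, client_ip, reverse_lookup=False):
    """Return True if client_ip is a member of netgroup `name`. Forward mode resolves
    every hostname and compares addresses; reverse mode resolves only the client's
    PTR and compares names, and additionally requires the PTR name to resolve back
    to the client (added safeguard, not documented VAST behaviour)."""
    try:
        hosts = expand_hosts(groups, name)
    except (ValueError, RecursionError):
        return False                                 # fail closed
    client = ipaddress.ip_address(client_ip)
    if client in {ipaddress.ip_address(h) for h in hosts if is_ip(h)}:
        return True                                  # IP literal listed directly
    names = {h for h in hosts if not is_ip(h)}
    if reverse_lookup:
        ptr = REVERSE_DNS.get(str(client), "").lower()
        return bool(ptr) and str(client) in FORWARD_DNS.get(ptr, set()) and ptr in names
    return any(client in {ipaddress.ip_address(a) for a in FORWARD_DNS.get(h, set())}
               for h in names)
```

Running client_matches(parse_netgroup_map(NETGROUP_MAP), "keygroup", "10.0.1.84") in either mode returns True, while a client at 10.0.9.9 whose forged PTR claims host84.test.org is rejected in reverse-lookup mode because the name does not resolve back to it; the "users" group, which has no host fields, grants nothing, and the level1 chain fails because it nests 11 levels deep.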
Configuring Host-Based Access Rules with Netgroups
Netgroups are specified in host-based access rules of a view policy.
To determine which type of access is to be allowed for a netgroup:
- In VAST Web UI, go to Element Store -> View Policies, choose to create or edit a view policy and open the Host-Based Access tab. Under NFS, click + Add New Rule for the type of access you want to provide and enter the netgroup name (prefixed with @) in the Enter IPs popup.
- In VAST CLI, run the viewpolicy create or viewpolicy modify command and specify the netgroup name (prefixed with @) on one of the following options:
  - --nfs-read-write
  - --nfs-read-only
  - --nfs-no-squash
  - --nfs-root-squash
  - --nfs-all-squash
  - --nfs-trash-access
Refreshing Netgroups per View Policy
You can refresh NIS and LDAP netgroups configured for a view policy at the same time.
To refresh netgroups:
- In VAST Web UI, choose Element Store -> View Policies, find the view policy for which you want to refresh netgroups and choose the refresh netgroups action in the Actions menu for that view policy.
- In VAST CLI, run the viewpolicy refresh-netgroups command.
See also Refreshing the NIS Cache for information about NIS user and netgroup cache and the procedure to refresh it.