
How to restrict NFS access to the SVM root volume

Category: fas-systems
Specialty: nas
Applies to

ONTAP 9

Description

  • By default, when an SVM is created, its root volume is configured with 755 permissions.
  • This means:
    • The root user (UID 0) has effective permission 7, i.e. Full Control
    • The other permission levels are set to 5, i.e. Read & Execute
  • With this configuration, every user who can access the SVM root volume can list and read the junction points mounted under it.
  • In addition, the export policy created with System Manager or with the vserver setup command allows users to access the SVM root directory.

Example:

cluster::> vserver export-policy rule show -vserver nfs_svm -policyname default -instance

                                                Vserver: nfs_svm
                                            Policy Name: default
                                             Rule Index: 1
                                        Access Protocol: any
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
                                         RO Access Rule: any
                                         RW Access Rule: any
            User ID To Which Anonymous Users Are Mapped: 65534
                               Superuser Security Types: none
                           Honor SetUID Bits in SETATTR: true
                              Allow Creation of Devices: true

  • For example, if the SVM has three data volumes named "nfs4", "ntfs" and "unix",
  • all of them are mounted under "/", and any user who can access that mount can run ls to list them.

Example:

# mount | grep /mnt
x.x.x.e:/ on /mnt type nfs (rw,nfsvers=3,addr=x.x.x.e)
# cd /mnt
# ls
nfs4  ntfs  unix
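The two listings above together explain why any NFS client can enumerate the data volumes: the default export rule matches every client and accepts any security type, and the 755 mode on the root volume lets "other" (which includes anonymous users mapped to UID 65534) read and traverse the directory. The following audit helper, added here as an example and not NetApp code, parses a `-instance` listing in the format shown above and a root-volume UNIX mode, and reports each condition that contributes to the exposure. The sample listing is constructed from the article's own output; the function and field names are this example's own assumptions.

```python
"""Audit helper: does the default export rule plus the root volume mode let
any NFS client list the SVM root junctions?  Example code, not NetApp code."""
from ipaddress import ip_network

# Constructed from the article's `vserver export-policy rule show -instance` output.
SAMPLE_RULE = """\
                                                Vserver: nfs_svm
                                            Policy Name: default
                                             Rule Index: 1
                                        Access Protocol: any
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
                                         RO Access Rule: any
                                         RW Access Rule: any
            User ID To Which Anonymous Users Are Mapped: 65534
                               Superuser Security Types: none
                           Honor SetUID Bits in SETATTR: true
                              Allow Creation of Devices: true
"""

CLIENT_MATCH_KEY = "Client Match Hostname, IP Address, Netgroup, or Domain"
ANON_UID_KEY = "User ID To Which Anonymous Users Are Mapped"


def parse_instance(text):
    """Turn an ONTAP `-instance` key/value listing into a dict.

    Splits each line on the first colon only, so multi-word keys that
    contain commas (like the client-match field) stay intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def matches_all_clients(match):
    """True for a zero-length prefix such as 0.0.0.0/0 or ::/0.

    Hostnames, netgroups (@name) and domains are not CIDRs; they raise
    ValueError and are treated as restricted."""
    try:
        return ip_network(match, strict=False).prefixlen == 0
    except ValueError:
        return False


def describe_mode(mode):
    """Map an octal directory mode (e.g. 0o755) to owner/group/other rights.
    On a directory, r means 'list entries' and x means 'traverse into them'."""
    result = {}
    for shift, who in ((6, "owner"), (3, "group"), (0, "other")):
        bits = (mode >> shift) & 0o7
        result[who] = {
            "list": bool(bits & 4),
            "write": bool(bits & 2),
            "traverse": bool(bits & 1),
        }
    return result


def audit_root_export(fields, root_mode=0o755):
    """Return one finding per condition that lets arbitrary clients enumerate
    the junctions under the SVM root volume."""
    findings = []
    client_match = fields.get(CLIENT_MATCH_KEY, "")
    if matches_all_clients(client_match):
        findings.append(f"export rule matches every client (clientmatch {client_match})")
    for key in ("RO Access Rule", "RW Access Rule"):
        if fields.get(key) == "any":
            findings.append(f"{key} is 'any': accepts any security type")
    other = describe_mode(root_mode)["other"]
    if other["list"]:
        anon = fields.get(ANON_UID_KEY, "?")
        findings.append(
            f"root volume mode {root_mode:o} lets 'other' list the junctions "
            f"(anonymous users mapped to UID {anon} included)"
        )
    return findings


if __name__ == "__main__":
    rule = parse_instance(SAMPLE_RULE)
    for finding in audit_root_export(rule, 0o755):
        print("-", finding)
```

Run against the article's listing and a 755 root volume, the helper reports four findings; tightening the mode to 700 or narrowing the client match removes the corresponding finding, which makes it a simple way to verify a change after the fact.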
