跳转到主内容

如何限制对 SVM 根卷的 NFS 访问

Views:
19
Visibility:
Public
Votes:
0
Category:
fas-systems
Specialty:
nas
Last Updated:

适用场景

ONTAP 9

问题描述

  • 默认 755 情况下,创建 SVM 时,根卷会配置权限。
  • 这意味着:
    • 用户 root ( 0 ) 具有 7,或的有效权限 Full Control
    • 其他 权限级别设置为 5,即 Read & Execute
  • 配置此选项后,访问 SVM 根卷的每个人都可以列出并读取装载在 SVM 根卷下的接合。
  • 此外 vserver setup ,使用 System Manager 或命令配置 SVM 时创建的默认导出策略规则允许用户访问 SVM 根。 
示例:

cluster::> vserver export-policy rule show -vserver nfs_svm -policyname default -instance
 
                   Vserver: nfs_svm 
                 Policy Name: default 
                 Rule Index: 1 
               Access Protocol: any 
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0 
               RO Access Rule: any 
               RW Access Rule: any 
User ID To Which Anonymous Users Are Mapped: 65534 
          Superuser Security Types: none 
        Honor SetUID Bits in SETATTR: true 
          Allow Creation of Devices: true 

  • 例如、如果SVM具有3个名为"nfs4"、"ntfs"和"unix"的数据卷
  • 所有这些都将挂载在"/"下、 ls 访问挂载的任何用户均可使用命令列出。 

示例:

# mount | grep /mnt 
x.x.x.e:/ on /mnt type nfs (rw,nfsvers=3,addr=x.x.x.e) 
# cd /mnt 
# ls 
nfs4  ntfs  unix 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.