File Access Management
I have covered Block Access Management; now I will discuss File Access Management, covering
Data ONTAP controls access to files according to the authentication-based and file-based restrictions that you specify. With authentication-based restrictions, you can specify which client machines and which users can connect to the entire storage system or a vFiler unit. Data ONTAP supports Kerberos authentication from both UNIX and Windows servers.
With file-based restrictions, you can specify which users can access which files. When a user creates a file, Data ONTAP generates a list of access permissions for the file. While the form of the permissions list varies with each protocol, it always includes common permissions, such as reading and writing permissions. When a user tries to access a file, Data ONTAP uses the permissions list to determine whether to grant access. Data ONTAP grants or denies access according to the operation that the user is performing, such as reading or writing, and the following factors:
As part of the verification process, Data ONTAP maps host names to IP addresses using the lookup service you specify—Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), or local storage system information.
You can export and unexport file system paths on your storage system, making them available or unavailable, respectively, for mounting by NFS clients, including PC-NFS and WebNFS clients.
Export Options

| Option | Description |
| --- | --- |
| `actual=<path>` | Specifies the actual file system path corresponding to the exported file system path. |
| `anon=<uid>\|<name>` | Specifies the effective user ID (or name) of all anonymous or root NFS client users that access the file system path. |
| `nosuid` | Disables setuid and setgid executables and mknod commands on the file system path. |
| `ro` or `ro=clientid` | Specifies which NFS clients have read-only access to the file system path. |
| `rw` or `rw=clientid` | Specifies which NFS clients have read-write access to the file system path. |
| `root=clientid` | Specifies which NFS clients have root access to the file system path. If you specify the `root=` option, you must specify at least one NFS client identifier. To exclude NFS clients from the list, prepend the NFS client identifiers with a minus sign (`-`). |
| `sec=sectype` | Specifies the security types that an NFS client must support to access the file system path. To apply the security types to all types of access, specify the `sec=` option once. To apply the security types to specific types of access (anonymous, non-superuser, read-only, read-write, or root), specify the `sec=` option at least twice, once before each access type to which it applies (`anon`, `nosuid`, `ro`, `rw`, or `root`, respectively). The security type can be one of the following: |
| Examples | `rw=10.45.67.0/24` |
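As an added example (not from the original post or from NetApp), a small Python audit that reads export lines in the 7-Mode `/etc/exports` form assumed here (`<path> -opt,opt,...`, with `rw=`/`ro=`/`root=` client lists separated by colons) and flags the settings the table above warns about: a bare `rw`, `root=` granted to a whole subnet, `anon=0`, a writable export without `nosuid`, and `sec=sys`. The sample export lines are constructed for the demonstration.

```python
import ipaddress

# Constructed sample in the assumed 7-Mode /etc/exports form
# "<path> -opt[,opt...]"; client lists use ':' as the separator.
SAMPLE_EXPORTS = """\
/vol/vol0 -sec=sys,rw,root=10.45.67.0/24
/vol/nfs1 -sec=krb5,rw=10.45.67.0/24,nosuid
/vol/home -sec=sys,rw=10.45.67.0/24:build01,anon=0
/vol/logs -sec=krb5,ro,nosuid
"""

def parse_export(line):
    """Split one export line into (path, {option: [values]})."""
    path, _, opts = line.strip().partition(" -")
    options = {}
    for opt in filter(None, opts.split(",")):
        key, _, value = opt.partition("=")
        options[key] = value.split(":") if value else []
    return path, options

def is_subnet(client):
    """True when a client identifier is a network (CIDR), not a single host or name."""
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:          # hostnames and netgroups are not networks
        return False

def audit_export(path, options):
    """Return the risky settings found on one export."""
    findings = []
    if "rw" in options and not options["rw"]:
        findings.append("rw without a client list: every NFS client may write")
    for client in options.get("root", []):
        if is_subnet(client):
            findings.append(f"root= granted to the whole subnet {client}")
    if options.get("anon") == ["0"]:
        findings.append("anon=0: anonymous and unmapped root requests act as uid 0")
    if "rw" in options and "nosuid" not in options:
        findings.append("writable export without nosuid: setuid/setgid binaries are honoured")
    if "sys" in options.get("sec", []):
        findings.append("sec=sys: AUTH_SYS only, client-asserted uids are trusted")
    return findings

def audit_all(text):
    """Map each exported path to its list of findings."""
    exports = (parse_export(l) for l in text.splitlines() if l.strip())
    return {path: audit_export(path, opts) for path, opts in exports}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_EXPORTS).items():
        print(path, "->", findings or "ok")
```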
Export Commands

| Task | Command |
| --- | --- |
| Displaying | `exportfs` |
| create | `# create export in memory and write to /etc/exports (use default options)`<br>`# create export in memory and write to /etc/exports (use specific options)` |
| remove | `# Memory only`<br>`exportfs -u <path>`<br>`# Memory and /etc/exports`<br>`exportfs -z <path>` |
| export all | `exportfs -a` |
| check access | `exportfs -c 192.168.0.80 /vol/nfs1` |
| flush | `exportfs -f`<br>`exportfs -f <path>` |
| reload | `exportfs -r` |
| storage path | `exportfs -s <path>` |
| Write export to a file | `exportfs -w <path/export_file>` |
| fencing | `# Suppose /vol/vol0 is exported with the following export options:` |
| stats | `nfsstat` |
File Access using CIFS
NetApp supports a number of Windows versions when it comes to CIFS; it is a licensed product. Before you begin you need to set up the CIFS server by running the following command. I am not going to go into detail, but here are the basic commands that you need. If you are familiar with Samba then you will have no trouble with this.
Useful CIFS options

| Option | Command |
| --- | --- |
| change the security style | `options wafl.default_security_style {ntfs \| unix \| mixed}` |
| timeout | `options cifs.idle_timeout time` |
| Performance | `options cifs.oplocks.enable on`<br>Note: Under some circumstances, if a process has an exclusive oplock on a file and a second process attempts to open the file, the first process must invalidate cached data and flush writes and locks. The client must then relinquish the oplock and access to the file. If there is a network failure during this flush, cached write data might be lost. |
CIFS Commands

| Task | Command |
| --- | --- |
| useful files | `/etc/cifsconfig_setup.cfg`<br>`/etc/usermap.cfg`<br>`/etc/passwd`<br>`/etc/cifsconfig_share.cfg`<br>Note: use `rdfile` to read the file |
| CIFS setup | `cifs setup`<br>Note: you will be prompted to answer a number of questions based on what requirements you need. |
| start | `cifs restart` |
| stop | `cifs terminate`<br>`# terminate a specific client`<br>`cifs terminate <client_name>\|<IP Address>` |
| sessions | `cifs sessions`<br>`cifs sessions <user>`<br>`cifs sessions <IP Address>`<br>`# Authentication`<br>`cifs sessions -t`<br>`# Changes`<br>`cifs sessions -c`<br>`# Security Info`<br>`cifs sessions -s` |
| Broadcast message | `cifs broadcast * "message"`<br>`cifs broadcast <client_name> "message"` |
| permissions | `cifs access <share> <user\|group> <permission>`<br>Note: rights can be Unix-style combinations of r, w, x, and - or NT-style "No Access", "Read", "Change", and "Full Control" |
| stats | `cifs stat <interval>`<br>`cifs stat <user>`<br>`cifs stat <IP Address>` |
| create a share | `# create a volume in the normal way`<br>`# then using qtrees set the style of the volume {ntfs \| unix \| mixed}`<br>`# Now you can create your share` |
| change share characteristics | `cifs shares -change sharename {-browse \| -nobrowse} {-comment desc \| -nocomment} {-maxusers userlimit \| -nomaxusers} {-forcegroup groupname \| -noforcegroup} {-widelink \| -nowidelink} {-symlink_strict_security \| -nosymlink_strict_security} {-vscan \| -novscan} {-vscanread \| -novscanread} {-umask mask \| -noumask} {-no_caching \| -manual_caching \| -auto_document_caching \| -auto_program_caching}`<br>`# example`<br>`cifs shares -change <sharename> -novscan` |
| home directories | `# Display home directories`<br>`cifs homedir`<br>`# Add a home directory`<br>`wrfile -a /etc/cifs_homedir.cfg /vol/TEST`<br>`# check it`<br>`rdfile /etc/cifs_homedir.cfg`<br>`# Display for a Windows Server`<br>`net view \\<Filer IP Address>`<br>`# Connect`<br>`net use * \\192.168.0.75\TEST`<br>Note: make sure the directory exists |
| domain controller | `# add a domain controller`<br>`# delete a domain controller`<br>`# List the preferred controllers` |
| change the filer's domain password | `cifs changefilerpwd` |
| Tracing permission problems | `sectrace add [-ip ip_address] [-ntuser nt_username] [-unixuser unix_username] [-path path_prefix] [-a]`<br>`# Examples`<br>`# To remove` |
File Access using FTP
You can enable and configure the Internet File Transfer Protocol (FTP) server to let users of Windows and UNIX FTP clients access the files on your storage system. Again there is not much to say about FTP so I will keep this short and sweet.
Useful Options

| Option | Command |
| --- | --- |
| Enable | `options ftpd.enable on` |
| Disable | `options ftpd.enable off` |
| File Locking | `options ftpd.locking delete`<br>`options ftpd.locking none`<br>Note: To prevent users from modifying files while the FTP server is transferring them, you can enable FTP file locking. Otherwise, you can disable FTP file locking. By default, FTP file locking is disabled. |
| Authentication Style | `options ftpd.auth_style {unix \| ntlm \| mixed}` |
| bypassing of FTP traverse checking | `options ftpd.bypass_traverse_checking on` |
| Restricting FTP users to a specific directory | `options ftpd.dir.restriction on` |
| Restricting FTP users to their home directories or a default directory | `options ftpd.dir.override ""` |
| Maximum number of connections | `options ftpd.max_connections n`<br>`options ftpd.max_connections_threshold n` |
| idle timeout value | `options ftpd.idle_timeout n{s \| m \| h}` |
| anonymous logins | `options ftpd.anonymous.enable on`<br>`options ftpd.anonymous.enable off`<br>`# specify the name for the anonymous login`<br>`options ftpd.anonymous.name username`<br>`# create the directory for the anonymous login`<br>`options ftpd.anonymous.home_dir homedir` |
FTP Commands

| Task | Command |
| --- | --- |
| Log files | `/etc/log/ftp.cmd`<br>`/etc/log/ftp.xfer`<br>`# specify the max number of logfiles (default is 6) and size`<br>`options ftpd.log.nfiles 10`<br>`options ftpd.log.filesize 1G`<br>Note: use `rdfile` to view |
| Restricting access | `/etc/ftpusers`<br>Note: use `rdfile` and `wrfile` to access `/etc/ftpusers` |
| stats | `ftp stat`<br>`# to reset`<br>`ftp stat -z` |
File Access using HTTP
To let HTTP clients (web browsers) access the files on your storage system, you can enable and configure Data ONTAP's built-in HyperText Transfer Protocol (HTTP) server. Alternatively, you can purchase and connect a third-party HTTP server to your storage system.
HTTP Options

| Option | Command |
| --- | --- |
| enable | `options httpd.enable on` |
| disable | `options httpd.enable off` |
| Enabling or disabling the bypassing of HTTP traverse checking | `options httpd.bypass_traverse_checking on`<br>`options httpd.bypass_traverse_checking off`<br>Note: this is similar to the FTP version |
| root directory | `options httpd.rootdir /vol0/home/users/pages` |
| Host access | `options httpd.access host=Host1 AND if=e3`<br>`options httpd.admin.access host!=Host1` |
HTTP Commands

| Task | Command |
| --- | --- |
| Log files | `/etc/log/httpd.log`<br>`# use the below to change the logfile format`<br>`options httpd.log.format alt1`<br>Note: use `rdfile` to view |
| redirects | `redirect /cgi-bin/* http://cgi-host/*` |
| pass rule | `pass /image-bin/*` |
| fail rule | `fail /usr/forbidden/*` |
| mime types | `/etc/httpd.mimetypes`<br>Note: use `rdfile` and `wrfile` to edit |
| interface firewall | `ifconfig f0 untrusted` |
| stats | `httpstat [-dersta]`<br>`# reset the stats`<br>`httpstat -z[derta]` |