File Access Management

I have covered Block Access Management; now I will discuss File Access Management, covering

Data ONTAP controls access to files according to the authentication-based and file-based restrictions that you specify. With authentication-based restrictions, you can specify which client machines and which users can connect to the entire storage system or a vFiler unit. Data ONTAP supports Kerberos authentication from both UNIX and Windows servers.

With file-based restrictions, you can specify which users can access which files. When a user creates a file, Data ONTAP generates a list of access permissions for the file. While the form of the permissions list varies with each protocol, it always includes common permissions, such as reading and writing permissions. When a user tries to access a file, Data ONTAP uses the permissions list to determine whether to grant access. Data ONTAP grants or denies access according to the operation that the user is performing, such as reading or writing, and the following factors:

As part of the verification process, Data ONTAP maps host names to IP addresses using the lookup service you specify—Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), or local storage system information.

File Access using NFS

You can export and unexport file system paths on your storage system, making them available or unavailable, respectively, for mounting by NFS clients, including PC-NFS and WebNFS clients.

Export Options
actual=<path> Specifies the actual file system path corresponding to the exported file system path.
anon=<uid>|<name> Specifies the effective user ID (or name) of all anonymous or root NFS client users that access the file system path.
nosuid Disables setuid and setgid executables and mknod commands on the file system path.
ro | ro=clientid Specifies which NFS clients have read-only access to the file system path.
rw | rw=clientid Specifies which NFS clients have read-write access to the file system path.
root=clientid Specifies which NFS clients have root access to the file system path. If you specify the root= option, you must specify at least one NFS client identifier. To exclude NFS clients from the list, prepend the NFS client identifiers with a minus sign (-).
sec=sectype

Specifies the security types that an NFS client must support to access the file system path. To apply the security types to all types of access, specify the sec= option once. To apply the security types to specific types of access (anonymous, non-super user, read-only, read-write, or root), specify the sec= option at least twice, once before each access type to which it applies (anon, nosuid, ro, rw, or root, respectively).

The security type can be one of the following:

none

No security. Data ONTAP treats all of the NFS client's users as anonymous users.

sys

Standard UNIX (AUTH_SYS) authentication. Data ONTAP checks the NFS credentials of all of the NFS client's users, applying the file access permissions specified for those users in the NFS server's /etc/passwd file. This is the default security type.

krb5

Kerberos(tm) Version 5 authentication. Data ONTAP uses Data Encryption Standard (DES) key encryption to authenticate the NFS client's users.

krb5i

Kerberos(tm) Version 5 integrity. In addition to authenticating the NFS client's users, Data ONTAP uses message authentication codes (MACs) to verify the integrity of the NFS client's remote procedure requests and responses, thus preventing "man-in-the-middle" tampering.

krb5p

Kerberos(tm) Version 5 privacy. In addition to authenticating the NFS client's users and verifying data integrity, Data ONTAP encrypts NFS arguments and results to provide privacy.


Examples

rw=10.45.67.0/24
ro,root=@trusted,rw=@friendly
rw,root=192.168.0.80,nosuid

Export Commands

Displaying

exportfs
exportfs -q <path>

create

# create export in memory and write to /etc/exports (use default options)
exportfs -p /vol/nfs1

# create export in memory and write to /etc/exports (use specific options)
exportfs -p sec=none,rw,root=192.168.0.80,nosuid /vol/nfs1

# create export in memory only using own specific options (-i ignores /etc/exports)
exportfs -io sec=none,rw,root=192.168.0.80,nosuid /vol/nfs1

remove

# Memory only
exportfs -u <path>

# Memory and /etc/exports
exportfs -z <path>

export all

exportfs -a

check access

exportfs -c 192.168.0.80 /vol/nfs1

flush

exportfs -f
exportfs -f <path>

reload

exportfs -r

storage path

exportfs -s <path>

write export to a file

exportfs -w <path/export_file>
fencing

# Suppose /vol/vol0 is exported with the following export options:
  
   -rw=pig:horse:cat:dog,ro=duck,anon=0

# The following command enables fencing of cat from /vol/vol0
exportfs -b enable save cat /vol/vol0

# cat moves to the front of the ro= list for /vol/vol0:

   -rw=pig:horse:dog,ro=cat:duck,anon=0
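The export options, the `exportfs -c` access check and the fencing rewrite above are easier to reason about with a small model in hand. The following Python is an added example, not Data ONTAP code: it parses 7-mode style `/etc/exports` lines, answers which of rw/ro/root a given client gets, reproduces the `exportfs -b` fencing move from the `/vol/vol0` example, and flags the settings a defender would want to review (sec=none, anon=0, unrestricted rw, root= on a whole subnet, missing nosuid). The sample lines, the netgroup table and the evaluation order (an explicit ro= entry wins over rw=, which is what fencing relies on) are assumptions, not the documented ONTAP algorithm.

```python
import ipaddress

# Constructed sample /etc/exports lines, modelled on the option examples above
SAMPLE_EXPORTS = """\
/vol/nfs1 -sec=sys,rw=10.45.67.0/24,root=192.168.0.80,nosuid
/vol/vol0 -rw=pig:horse:cat:dog,ro=duck,anon=0
/vol/home -sec=krb5p,ro,root=@trusted,rw=@friendly
/vol/scratch -sec=none,rw
"""

# Constructed netgroup table: a stand-in (assumption) for what NIS/LDAP would return
NETGROUPS = {"trusted": {"192.168.0.80"}, "friendly": {"10.45.67.5", "pig"}}

CLIENT_LIST_OPTS = ("rw", "ro", "root")
_ABSENT = object()   # sentinel: option not present on the export line


def parse_export_line(line):
    """'/vol/x -rw=a:b,ro,anon=0' -> ('/vol/x', {'rw': ['a','b'], 'ro': None, 'anon': '0'}).
    For rw/ro/root, None means 'no client list given' (every client); a bare flag
    such as nosuid is stored as True. A repeated sec= simply overwrites the earlier
    one (the per-access-type form of sec= is not modelled here)."""
    path, _, rest = line.strip().partition(" -")
    opts = {}
    for item in filter(None, rest.split(",")):
        name, eq, value = item.partition("=")
        if name in CLIENT_LIST_OPTS:
            opts[name] = value.split(":") if eq else None
        else:
            opts[name] = value if eq else True
    return path.strip(), opts


def parse_exports(text):
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return dict(parse_export_line(l) for l in lines)


def _match(entry, client, netgroups):
    """One client identifier (host name, IP, CIDR subnet or @netgroup) against one client."""
    if entry.startswith("@"):
        return client in netgroups.get(entry[1:], set())
    if "/" in entry:
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return entry == client


def in_list(entries, client, netgroups):
    """True if client is covered by the list; a '-' prefixed entry excludes it explicitly."""
    if entries is None:
        return True
    allowed = False
    for entry in entries:
        if entry.startswith("-"):
            if _match(entry[1:], client, netgroups):
                return False
        elif _match(entry, client, netgroups):
            allowed = True
    return allowed


def check_access(opts, client, netgroups=None):
    """Answer, like 'exportfs -c', which of {'rw','ro','root'} the client is granted."""
    ng = netgroups or {}
    ro, rw = opts.get("ro", _ABSENT), opts.get("rw", _ABSENT)
    grants = set()
    if ro is not _ABSENT and ro is not None and in_list(ro, client, ng):
        grants.add("ro")          # explicitly listed read-only (e.g. fenced) host
    elif rw is not _ABSENT and in_list(rw, client, ng):
        grants.add("rw")
    elif ro is None:
        grants.add("ro")          # bare 'ro': read-only for everyone else
    elif ro is _ABSENT and rw is _ABSENT:
        grants.add("rw")          # no rw=/ro= at all: default export, rw for all (assumption)
    if grants and "root" in opts and in_list(opts["root"], client, ng):
        grants.add("root")        # root= only matters for a host that has some access
    return grants


def fence(opts, host):
    """Reproduce 'exportfs -b enable save host path': drop the host from rw= and
    put it at the front of ro=, exactly as in the page's /vol/vol0 example."""
    new = dict(opts)
    if isinstance(new.get("rw"), list):
        new["rw"] = [e for e in new["rw"] if e != host]
        if not new["rw"]:
            del new["rw"]         # nobody left with read-write access
    ro = new.get("ro", _ABSENT)
    if ro is not None:            # a bare 'ro' already covers the host
        new["ro"] = [host] + [e for e in ([] if ro is _ABSENT else ro) if e != host]
    return new


def render(path, opts):
    """Write the export back in /etc/exports syntax, preserving option order."""
    parts = []
    for name, value in opts.items():
        if value is True or value is None:
            parts.append(name)
        elif isinstance(value, list):
            parts.append(name + "=" + ":".join(value))
        else:
            parts.append(name + "=" + value)
    return path + " -" + ",".join(parts)


def audit(opts):
    """Defender's review of the risky settings described in the option table."""
    findings = []
    if "none" in str(opts.get("sec", "sys")).split(":"):
        findings.append("sec=none: all client users are treated as anonymous")
    if opts.get("anon") == "0":
        findings.append("anon=0: anonymous and root client users become uid 0")
    if opts.get("rw", _ABSENT) is None or ("rw" not in opts and "ro" not in opts):
        findings.append("read-write access is not limited to a client list")
    if any("/" in e for e in opts.get("root") or []):
        findings.append("root= covers a whole subnet instead of named hosts")
    if "nosuid" not in opts:
        findings.append("nosuid not set: setuid/setgid executables are honoured")
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for path, opts in exports.items():
        print(render(path, opts), audit(opts))
    print(render("/vol/vol0", fence(exports["/vol/vol0"], "cat")))
```

Running it prints each export with its findings and the fenced `/vol/vol0` line, which comes out as `-rw=pig:horse:dog,ro=cat:duck,anon=0`, matching the man page fragment above.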

stats

nfsstat


File Access using CIFS

NetApp supports a number of Windows versions when it comes to CIFS; it is a licensed product. Before you begin you need to set up the CIFS server by running the following command. I am not going to go into detail, but here are the basic commands that you need. If you are familiar with Samba then you will have no trouble with this.

Useful CIFS options

change the security style

options wafl.default_security_style {ntfs | unix | mixed}

timeout

options cifs.idle_timeout time

Performance

options cifs.oplocks.enable on

Note: Under some circumstances, if a process has an exclusive oplock on a file and a second process attempts to open the file, the first process must invalidate cached data and flush writes and locks. The client must then relinquish the oplock and access to the file. If there is a network failure during this flush, cached write data might be lost.

CIFS Commands

useful files

/etc/cifsconfig_setup.cfg
/etc/usermap.cfg
/etc/passwd
/etc/cifsconfig_share.cfg


Note: use "rdfile" to read the file

CIFS setup

cifs setup

Note: you will be prompted to answer a number of questions based on what requirements you need.

start

cifs restart

stop

cifs terminate

# terminate a specific client
cifs terminate <client_name>|<IP Address>

sessions

cifs sessions
cifs sessions <user>
cifs sessions <IP Address>

# Authentication
cifs sessions -t

# Changes
cifs sessions -c

# Security Info
cifs sessions -s

Broadcast message

cifs broadcast * "message"
cifs broadcast <client_name> "message"

permissions

cifs access <share> <user|group> <permission>

# Examples
cifs access sysadmins -g wheel Full Control
cifs access -delete releases ENGINEERING\mary

Note: rights can be Unix-style combinations of r w x - or NT-style "No Access", "Read", "Change", and "Full Control"

stats

cifs stat <interval>
cifs stat <user>
cifs stat <IP Address>

create a share

# create a volume in the normal way

# then using qtrees set the style of the volume {ntfs | unix | mixed}

# Now you can create your share
cifs shares -add TEST /vol/flexvol1/TEST -comment "Test Share " -forcegroup workgroup -maxusers 100

change share characteristics

cifs shares -change sharename {-browse | -nobrowse} {-comment desc | -nocomment} {-maxusers userlimit | -nomaxusers} {-forcegroup groupname | -noforcegroup} {-widelink | -nowidelink} {-symlink_strict_security | -nosymlink_strict_security} {-vscan | -novscan} {-vscanread | -novscanread} {-umask mask | -noumask} {-no_caching | -manual_caching | -auto_document_caching | -auto_program_caching}

# example
cifs shares -change <sharename> -novscan
home directories

# Display home directories
cifs homedir

# Add a home directory
wrfile -a /etc/cifs_homedir.cfg /vol/TEST

# check it
rdfile /etc/cifs_homedir.cfg

# Display for a Windows Server
net view \\<Filer IP Address>

# Connect
net use * \\192.168.0.75\TEST

Note: make sure the directory exists

domain controller

# add a domain controller
cifs prefdc add lab 10.10.10.10 10.10.10.11

# delete a domain controller
cifs prefdc delete lab

# List domain information
cifs domaininfo

# List the preferred controllers
cifs prefdc print

# Re-establishing the domain controller connection
cifs resetdc

change the filer's domain password

cifs changefilerpwd

Tracing permission problems

sectrace add [-ip ip_address] [-ntuser nt_username] [-unixuser unix_username] [-path path_prefix] [-a]

# Examples
sectrace add -ip 192.168.10.23
sectrace add -unixuser foo -path /vol/vol0/home4 -a

# To remove
sectrace delete all
sectrace delete <index>

# Display tracing
sectrace show

# Display error code status
sectrace print-status <status_code>
sectrace print-status 1:51544850432:32:78

File Access using FTP

You can enable and configure the Internet File Transfer Protocol (FTP) server to let users of Windows and UNIX FTP clients access the files on your storage system. Again there is not much to say about FTP so I will keep this short and sweet.

Useful Options

Enable

options ftpd.enable on

Disable

options ftpd.enable off

File Locking

options ftpd.locking delete
options ftpd.locking none

Note: To prevent users from modifying files while the FTP server is transferring them, you can enable FTP file locking. Otherwise, you can disable FTP file locking. By default, FTP file locking is disabled.

Authentication Style

options ftpd.auth_style {unix | ntlm | mixed}

bypassing of FTP traverse checking

options ftpd.bypass_traverse_checking on
options ftpd.bypass_traverse_checking off

Note: If the ftpd.bypass_traverse_checking option is set to off, when a user attempts to access a file using FTP, Data ONTAP checks the traverse (execute) permission for all directories in the path to the file. If any of the intermediate directories does not have the "X" (traverse permission), Data ONTAP denies access to the file. If the ftpd.bypass_traverse_checking option is set to on, when a user attempts to access a file, Data ONTAP does not check the traverse permission for the intermediate directories when determining whether to grant or deny access to the file.
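The note above describes a decision procedure, and the same one applies to the httpd.bypass_traverse_checking option in the HTTP section (which the page says is similar). The following Python is an added example, not Data ONTAP code: it models that decision over a constructed UNIX-style directory tree so you can see exactly which access a user gains when traverse checking is bypassed, namely a file whose own permission bits allow the operation even though an intermediate directory denies "x". The tree, the users and the function names are assumptions for illustration.

```python
import posixpath

# Constructed sample tree: path -> (owner, group, mode); stands in for a volume's directories
TREE = {
    "/vol": ("root", "wheel", 0o755),
    "/vol/vol0": ("root", "wheel", 0o755),
    "/vol/vol0/home": ("root", "wheel", 0o711),
    "/vol/vol0/home/private": ("alice", "staff", 0o700),   # no traverse for anyone but alice
    "/vol/vol0/home/private/notes.txt": ("alice", "staff", 0o644),  # world-readable file
}
# Constructed users: name -> set of group memberships
USERS = {"alice": {"staff"}, "bob": {"staff"}, "guest": set()}

READ, WRITE, EXEC = 4, 2, 1


def permitted(entry, user, groups, bit):
    """POSIX class check: the owner class applies to the owner, then group, then other."""
    owner, group, mode = entry
    shift = 6 if user == owner else 3 if group in groups else 0
    return bool((mode >> shift) & bit)


def ancestors(path):
    """Every directory above path, outermost first: /vol, /vol/vol0, ..."""
    dirs = []
    parent = posixpath.dirname(path)
    while parent and parent != "/":
        dirs.append(parent)
        parent = posixpath.dirname(parent)
    return dirs[::-1]


def ftp_access(path, user, op="read", bypass_traverse_checking=False, tree=TREE, users=USERS):
    """Model of the ftpd/httpd bypass_traverse_checking decision.
    Returns (allowed, reason). With bypass off, every intermediate directory must
    grant traverse ("x"); with bypass on, only the file's own bits are consulted."""
    groups = users[user]
    if not bypass_traverse_checking:
        for directory in ancestors(path):
            if not permitted(tree[directory], user, groups, EXEC):
                return False, "no traverse (x) permission on " + directory
    bit = READ if op == "read" else WRITE
    if not permitted(tree[path], user, groups, bit):
        return False, "no " + op + " permission on " + path
    return True, "granted"


if __name__ == "__main__":
    target = "/vol/vol0/home/private/notes.txt"
    for bypass in (False, True):
        print("bypass_traverse_checking", "on" if bypass else "off")
        for user in USERS:
            print("  ", user, ftp_access(target, user, bypass_traverse_checking=bypass))
```

The run shows bob and guest denied at /vol/vol0/home/private with the option off, and granted read access to the same file with it on: the directory permission that was acting as a gate no longer counts, so the option should only be enabled where every file's own permissions are already trusted to be correct.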

Restricting FTP users to a specific directory

options ftpd.dir.restriction on
options ftpd.dir.restriction off

Restricting FTP users to their home directories or a default directory

options ftpd.dir.override ""

Maximum number of connections

options ftpd.max_connections n
options ftpd.max_connections_threshold n

idle timeout value

options ftpd.idle_timeout n s | m | h

anonymous logins

options ftpd.anonymous.enable on
options ftpd.anonymous.enable off

# specify the name for the anonymous login
options ftpd.anonymous.name username

# create the directory for the anonymous login
options ftpd.anonymous.home_dir homedir
FTP Commands

Log files

/etc/log/ftp.cmd
/etc/log/ftp.xfer

# specify the max number of logfiles (default is 6) and size
options ftpd.log.nfiles 10
options ftpd.log.filesize 1G

Note: use rdfile to view

Restricting access

/etc/ftpusers

Note: use rdfile and wrfile to access /etc/ftpusers

stats

ftp stat

# to reset
ftp stat -z

File Access using HTTP

To let HTTP clients (web browsers) access the files on your storage system, you can enable and configure Data ONTAP's built-in HyperText Transfer Protocol (HTTP) server. Alternatively, you can purchase and connect a third-party HTTP server to your storage system.

HTTP Options

enable

options httpd.enable on

disable

options httpd.enable off

Enabling or disabling the bypassing of HTTP traverse checking

options httpd.bypass_traverse_checking on
options httpd.bypass_traverse_checking off

Note: this is similar to the FTP version

root directory

options httpd.rootdir /vol0/home/users/pages

Host access

options httpd.access host=Host1 AND if=e3
options httpd.admin.access host!=Host1

HTTP Commands

Log files

/etc/log/httpd.log

# use the below to change the logfile format
options httpd.log.format alt1

Note: use rdfile to view

redirects

redirect /cgi-bin/* http://cgi-host/*

pass rule

pass /image-bin/*

fail rule

fail /usr/forbidden/*

mime types

/etc/httpd.mimetypes

Note: use rdfile and wrfile to edit

interface firewall

ifconfig f0 untrusted

stats

httpstat [-dersta]

# reset the stats
httpstat -z[derta]