New to the Isilon platform. Looking for the best way to restrict access to an NFS Export. I know this can be done from within the NFS Export details in which you can specify Clients, Always Read/Write Clients and Always Read-only clients. However, my issue is that hostnames/nodes that will be accessing this NFS Export will be constantly changing and I would like to avoid the massive overhead of having to add/remove each time a node needs access. Just curious to see how others have addressed this scenario. Thank you.
Couple of thoughts:
At some point a decision on whether a host gets access as an NFS client must be made and communicated to the server. How has this been done in the current solution so far?
Instead of repeatedly modifying the exports configuration on an NFS server or cluster, the whitelist of allowed clients is often maintained in an external data source and made available to the NFS server via a directory service such as NIS or LDAP as a collection of so-called 'netgroups'.
NFS version 4 allows for secure user-based authentication and authorization, for example via a Kerberos service instance. In your scenario, any host could be allowed to mount from the server, but actual access to any data is granted only to specific user accounts (real persons or machine accounts) or user groups. UNIX permission bits might not suffice and ACLs can come into play here.
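As an added example (not part of the original posts): a small audit of a netgroup whitelist of the kind described above, which flattens nested netgroups, answers whether a given host is covered, and flags groups that admit every client. It assumes the standard `/etc/netgroup` text format, where an empty host field is a wildcard and `-` matches nothing; all group and host names are constructed.

```python
import re

# Constructed sample in /etc/netgroup format: a group name followed by
# (host,user,domain) triples and/or names of other netgroups.
SAMPLE = """
compute-a   (node01.example.com,,) (node02.example.com,,)
compute-b   (node10.example.com,,) compute-a
nfs-clients compute-b (admin01.example.com,,)
scratch     (,,) loop      # empty host field: any client matches
loop        scratch        # circular reference, must not recurse forever
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse(text):
    """Return {group: (set of host fields, list of nested group names)}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        rest = parts[1] if len(parts) > 1 else ""
        hosts = {m.group(1).strip() for m in TRIPLE.finditer(rest)}
        groups[parts[0]] = (hosts, TRIPLE.sub(" ", rest).split())
    return groups

def expand(groups, name, seen=None):
    """Flatten nested netgroups into one set of host fields; cycles are skipped."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    hosts, nested = groups[name]
    result = set(hosts)
    for child in nested:
        result |= expand(groups, child, seen)
    return result

def host_allowed(groups, name, host):
    """True if the host is covered by the group, directly or via nesting."""
    fields = {f.lower() for f in expand(groups, name)}
    if "" in fields:                      # wildcard triple admits everyone
        return True
    return host not in ("", "-") and host.lower() in fields

def wildcard_groups(groups):
    """Groups that effectively allow any client because of an empty host field."""
    return sorted(g for g in groups if "" in expand(groups, g))
```

Running `wildcard_groups` over the directory's netgroup data before referencing a group in an export catches a whitelist that is silently open to all hosts.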
Yes - but be aware that with NFS3 you can't trust the identity of a client user. Therefore the suggestion to use NFS4 with a secure authentication.