1 Copper

Restrict Access to NFS Export

New to the Isilon platform. Looking for the best way to restrict access to an NFS Export. I know this can be done from within the NFS Export details, in which you can specify Clients, Always Read/Write Clients and Always Read-only Clients. However, my issue is that the hostnames/nodes that will be accessing this NFS Export will be constantly changing, and I would like to avoid the massive overhead of having to add/remove each time a node needs access. Just curious to see how others have addressed this scenario. Thank you

0 Kudos
6 Replies
2 Bronze

Re: Restrict Access to NFS Export

Hi,

What about if you use IP then?

0 Kudos
1 Copper

Re: Restrict Access to NFS Export

Can't use IP because we would be in the same boat as we are with host names. Also, the subnet is shared with other nodes as well.

0 Kudos
4 Beryllium

Re: Restrict Access to NFS Export

Couple of thoughts:

At some point a decision on whether a host gets access as an NFS client must be made and communicated to the server. How has this been done in the current solution so far?

Instead of repeatedly modifying the exports configuration on an NFS server or cluster, the whitelist of allowed clients is often maintained in an external data source and made available to the NFS server via a directory service such as NIS or LDAP as a collection of so-called 'netgroups'.

NFS version 4 allows for secure user-based authentication and authorization, for example via a Kerberos service instance. In your scenario, any host could be allowed to mount from the server, but actual access to any data is granted only to specific user accounts (real persons or machine accounts) or user groups. UNIX permission bits might not suffice and ACLs can come into play here.

Makes sense?

-- Peter

0 Kudos
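How a netgroup lookup decides whether a host counts as an allowed client, as an added example that is not part of the original posts and not OneFS code. It models the file-style netgroup syntax (name followed by `(host,user,domain)` triples and nested group names); all group names and hostnames are constructed.

```python
import re

# Constructed sample in /etc/netgroup syntax. Hostnames are hypothetical.
SAMPLE_NETGROUP = """
# compute nodes come and go; only this map changes, never the export
hpc-batch   (node101.example.com,-,) (node102.example.com,-,)
hpc-gpu     (gpu01.example.com,-,)
nfs-clients hpc-batch hpc-gpu (admin1.example.com,-,)
loop-a      loop-b
loop-b      loop-a (stray.example.com,-,)
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroups(text):
    """Return {name: (set_of_hosts, list_of_nested_group_names)}."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        hosts = {m.group(1).strip().lower() for m in TRIPLE.finditer(rest)}
        hosts.discard("-")  # "-" means "no valid value" for that field
        nested = TRIPLE.sub(" ", rest).split()
        groups[name] = (hosts, nested)
    return groups

def host_allowed(groups, netgroup, host, _seen=None):
    """True if host is in netgroup, following nested groups; cycles are skipped."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:
        return False  # unknown group or already visited: deny by default
    seen.add(netgroup)
    hosts, nested = groups[netgroup]
    # An empty host field is a wildcard in netgroup syntax and matches any host.
    if "" in hosts or host.lower() in hosts:
        return True
    return any(host_allowed(groups, g, host, seen) for g in nested)

if __name__ == "__main__":
    g = parse_netgroups(SAMPLE_NETGROUP)
    for h in ("node102.example.com", "gpu01.example.com", "other.example.com"):
        print(h, host_allowed(g, "nfs-clients", h))
```

Note the wildcard case: a triple with an empty host field admits every host, so a directory-maintained whitelist should be checked for such entries.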
3 Argentum

Re: Restrict Access to NFS Export

So I read this as:

Leave open at host level and lock down at permission level.

Is that a correct reading?

0 Kudos
4 Beryllium

Re: Restrict Access to NFS Export

Yes - but be aware that with NFS3 you can't trust the identity of a client user. Therefore the suggestion to use NFS4 with secure authentication.

0 Kudos
2 Iron

Re: Restrict Access to NFS Export

FYI, we support using Kerberos with NFSv3 as well as with v4 in OneFS. I know several customers using it.

Tim

0 Kudos