Unsolved

2 Posts

January 7th, 2020 12:00

Restrict Access to NFS Export

New to the Isilon platform. Looking for the best way to restrict access to an NFS Export. I know this can be done from within the NFS Export details, in which you can specify Clients, Always Read/Write Clients and Always Read-only clients. However, my issue is that hostnames/nodes that will be accessing this NFS Export will be constantly changing, and I would like to avoid the massive overhead of having to add/remove each time a node needs access. Just curious to see how others have addressed this scenario. Thank you

7 Posts

January 9th, 2020 06:00

Hi,

What about if you use IP then?

January 14th, 2020 11:00

Can't use IP because we would be in the same boat as we are with host names. Also, the subnet is shared with other nodes as well.

1.2K Posts

January 15th, 2020 09:00

Couple of thoughts:

At some point a decision on whether a host gets access as an NFS client must be made and communicated to the server. How has this been done in the current solution so far?

Instead of repeatedly modifying the exports configuration on an NFS server or cluster, the whitelist of allowed clients is often maintained in an external data source and made available to the NFS server via a directory service such as NIS or LDAP as a collection of so-called 'netgroups'.

NFS version 4 allows for secure user-based authentication and authorization, for example via a Kerberos service instance. In your scenario, any host could be allowed to mount from the server, but actual access to any data is granted only to specific user accounts (real persons or machine accounts) or user groups. UNIX permission bits might not suffice and ACLs can come into play here.

Makes sense?

-- Peter
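
The netgroup approach from the reply above, as an added example that is not part of the original thread: a small resolver for the classic netgroup file format that flattens nested groups into the host allowlist an export would see. The group names, hostnames and function names are constructed for illustration; a real deployment would serve the same data from NIS or LDAP.

```python
import re

# Constructed sample in the classic netgroup file format: each member is a
# (host,user,domain) triple or the name of another netgroup.
SAMPLE_NETGROUP = """
# hypothetical groups maintained outside the NFS server
render-nodes   (node01.example.com,,) (node02.example.com,,)
burst-nodes    (burst-a.example.com,,) render-nodes
nfs-clients    burst-nodes (admin01.example.com,,) nfs-clients
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text):
    """Return {group: (set_of_hosts, list_of_nested_group_names)}."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        hosts = set()
        for m in TRIPLE.finditer(rest):
            host = m.group(1).strip().lower()
            if host != "-":             # "-" means the field has no valid value
                hosts.add(host or "*")  # an empty host field is a wildcard
        groups[parts[0]] = (hosts, TRIPLE.sub(" ", rest).split())
    return groups


def expand(groups, name, seen=None):
    """Flatten a netgroup to its host set; 'seen' stops reference cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    hosts, nested = groups[name]
    result = set(hosts)
    for child in nested:
        result |= expand(groups, child, seen)
    return result


def host_allowed(groups, netgroup, host):
    """True if host is in the flattened netgroup or the group has a wildcard."""
    members = expand(groups, netgroup)
    return "*" in members or host.lower() in members
```

Adding or removing a node then means editing one group in the directory, not the export itself. A `(,,)` triple shows up as `*` in the flattened set, which makes an accidentally open group easy to spot in a review.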

299 Posts

February 19th, 2020 02:00

So I read this as:

Leave open at host level and lock down at permission level.

Is that a correct reading?

1.2K Posts

February 19th, 2020 08:00

Yes - but be aware that with NFS3 you can't trust the identity of a client user. Therefore the suggestion to use NFS4 with secure authentication.

36 Posts

February 19th, 2020 09:00

FYI, we support using Kerberos with NFSv3 as well as with v4 in OneFS. I know several customers using it.

Tim
