
Adding a rule to an export policy

You can use the vserver export-policy rule create command to create an export rule for an export policy. This enables you to define client access to data.

Before you begin

The export policy you want to add the export rules to must already exist.

Step

  1. To create an export rule, enter the following command: vserver export-policy rule create -vserver vserver_name -policyname policy_name -ruleindex integer -protocol {any|nfs3|nfs|cifs|nfs4|flexcache},... -clientmatch text -rorule {any|none|never|krb5|ntlm|sys},... -rwrule {any|none|never|krb5|ntlm|sys},... -anon user_ID -superuser {any|none|krb5|ntlm|sys},... -allow-suid {true|false} -allow-dev {true|false}

    -vserver vserver_name specifies the Storage Virtual Machine (SVM) name.

    -policyname policy_name specifies the name of the existing export policy to add the rule to.

    -ruleindex integer specifies the index number for the rule. Rules are evaluated according to their order in the list of index numbers; rules with lower index numbers are evaluated first. For example, the rule with index number 1 is evaluated before the rule with index number 2. The first rule whose client match applies to the requesting client decides that client's access, so place specific rules (individual hosts, netgroups) at lower index numbers than broad rules such as 0.0.0.0/0.

    -protocol {any|nfs3|nfs|cifs|nfs4|flexcache} specifies the access protocols that the export rule applies to. You can specify a comma-separated list of multiple access protocols for an export rule. If you specify the protocol as any, do not specify any other protocols in the list. If you do not specify an access protocol, the default value of any is used.

    -clientmatch text specifies the client to which the rule applies. You can specify the match in any of the following formats:
    Client match format                                                    Example
    Domain name preceded by the "." character                              .example.com
    Host name                                                              host1
    IPv4 address                                                           10.1.12.24
    IPv4 address with a subnet mask expressed as a number of bits          10.1.12.10/4
    IPv4 address with a network mask                                       10.1.16.0/255.255.255.0
    IPv6 address in dotted format                                          ::1.2.3.4
    IPv6 address with a subnet mask expressed as a number of bits          ff::00/32
    A single netgroup with the netgroup name preceded by the @ character   @netgroup1
    Note: Entering an IP address range, such as 10.1.12.10-10.1.12.70, is not allowed. Entries in this format are interpreted as a text string and treated as a host name. Entering an IPv6 address with a network mask, such as ff::12/ff::00, is not allowed.

    When specifying individual IP addresses in export rules for granular management of client access, do not specify IP addresses that are dynamically assigned (for example, by DHCP) or temporarily assigned (for example, IPv6 temporary or privacy addresses). Otherwise, the client loses access when its IP address changes.

    When specifying host or domain names, ensure that they can be properly resolved through DNS, both forward and reverse.

    -rorule {any|none|never|krb5|ntlm|sys},... provides read-only access to clients that authenticate with the specified security types.

    -rwrule {any|none|never|krb5|ntlm|sys},... provides read-write access to clients that authenticate with the specified security types.
    Note: A client can get read-write access for a specific security type only if the export rule also allows read-only access for that security type. If the read-only parameter is more restrictive for a security type than the read-write parameter, the client cannot get read-write access; a security type that appears in -rwrule but is not admitted by -rorule gets no access at all.
    You can specify a comma-separated list of multiple security types for a rule. If you specify the security type as any or never, do not specify any other security types. Choose from the following valid security types:
    • any

      A matching client can access the data regardless of security type.

    • none

      If listed alone, clients with any security type are granted access as anonymous. If listed with other security types, clients with a specified security type are granted access and clients with any other security type are granted access as anonymous.

    • never

      A matching client cannot access the data regardless of security type.

    • krb5

      A matching client can access the data if it is authenticated by Kerberos 5.

    • ntlm

      A matching client can access the data if it is authenticated by CIFS NTLM.

    • sys

      A matching client can access the data if it is authenticated by NFS AUTH_SYS.

    -anon user_ID specifies a UNIX user ID or user name that is mapped to client requests that arrive with a user ID of 0 (zero), which is typically associated with the user name root, when the request's security type is not granted superuser access by -superuser. The default value is 65534, which is typically associated with the user name nobody.

    -superuser {any|none|krb5|ntlm|sys|} provides superuser access to clients that authenticate with the specified security types.
    Note: A client can only get superuser access for a specific security type if the export rule allows read-only access for that security type as well. If the read-only parameter is more restrictive for a security type than the superuser parameter, the client cannot get superuser access.

    -allow-suid {true|false} specifies whether to allow clients to set the set-user-ID (SUID) and set-group-ID (SGID) bits. If this parameter is set to true, clients can modify the SUID or SGID of files, directories, and volumes. If this parameter is set to false, clients can modify the SUID or SGID of directories and volumes but not files. The default is true. Leaving it at true lets a client place set-user-ID executables on the export that other clients mounting it may execute; set it to false on exports that do not need to hold such binaries.

    -allow-dev {true|false} specifies whether to allow creation of device nodes. The default is true. Device nodes created on a shared export are visible to every client that mounts it, so set this to false unless the export must hold them.

Examples

The following command creates an export rule on the SVM named vs1 in an export policy named rs1. The rule has the index number 1. The rule matches all clients. The rule enables all NFS access. It enables read-only access by all clients and requires Kerberos authentication for read-write access. Clients with the UNIX user ID 0 (zero) are mapped to user ID 65534 (which typically maps to the user name nobody). The rule enables SUID and SGID modification but does not enable the creation of devices.

vs1::> vserver export-policy rule create -vserver vs1
-policyname rs1 -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0
-rorule any -rwrule krb5 -anon 65534 -allow-suid true -allow-dev false

The following command creates an export rule on the SVM named vs2 in an export policy named expol2. The rule has the index number 21. The rule matches clients that are members of the netgroup dev_netgroup_main. The rule enables all NFS access. It enables read-only access for clients that authenticate with AUTH_SYS or Kerberos and requires Kerberos authentication for read-write access. Because read-write access for a security type is granted only if read-only access is also granted for that type, krb5 must be listed in -rorule as well as in -rwrule; with -rorule sys alone, Kerberos clients would get no access at all. Clients with the UNIX user ID 0 (zero) are mapped to user ID 65534 (which typically maps to the user name nobody). The rule enables SUID and SGID modification but does not enable the creation of devices.

vs1::> vserver export-policy rule create -vserver vs2
-policyname expol2 -ruleindex 21 -protocol nfs -clientmatch
@dev_netgroup_main -rorule sys,krb5 -rwrule krb5 -anon 65534
-allow-suid true -allow-dev false
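The evaluation this page describes (matching the -clientmatch formats, the rule that read-write and superuser access can never be broader than read-only access for a security type, and the mapping of user ID 0 to -anon) is modelled below as an added worked example in Python. This is illustration code written for this page, not ONTAP code: the DNS and netgroup lookups are constructed inline tables, the walk that lets the first rule whose client match applies decide the request (and denies a client that matches no rule) and the -superuser default of none are assumptions of the model, and the Rule fields simply mirror the command parameters. It encodes the two example rules above, with the netgroup rule given both as -rorule sys alone and as -rorule sys,krb5, so that the effect of the read-write note can be seen on a Kerberos client.

```python
"""Model of how an ONTAP export rule decides access (added illustration, not
ONTAP code). DNS and netgroup lookups are constructed inline tables; the
'first matching rule wins, no match denies' walk and the -superuser default
of none are assumptions of this model."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for DNS (forward A records) and for a NIS/LDAP netgroup.
DNS_A = {"host1": "10.1.12.24", "build7.example.com": "10.1.16.7"}
NETGROUPS = {"dev_netgroup_main": {"10.1.16.7"}}


@dataclass
class Rule:
    index: int
    clientmatch: str
    rorule: set
    rwrule: set
    superuser: set = field(default_factory=lambda: {"none"})  # assumed default
    anon: int = 65534


def client_matches(pattern: str, client_ip: str) -> bool:
    """True if client_ip matches one -clientmatch entry.

    Handles @netgroup, .domain suffix, host name, IPv4/IPv6 address,
    address/prefix-bits and IPv4 address/dotted-mask. Anything else, such as
    the range 10.1.12.10-10.1.12.70, falls through to the host-name branch,
    as the note on this page warns, and so never matches an address.
    """
    ip = ipaddress.ip_address(client_ip)
    if pattern.startswith("@"):
        return client_ip in NETGROUPS.get(pattern[1:], set())
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address or network: treat the entry as a name
    if pattern.startswith("."):
        # a domain entry needs a reverse (PTR) lookup of the client
        fqdn = next((n for n, a in DNS_A.items() if a == client_ip), None)
        return fqdn is not None and fqdn.endswith(pattern)
    return DNS_A.get(pattern) == client_ip  # host name: forward lookup


LEVEL = {None: 0, "anon": 1, "full": 2}


def _admits(sectypes: set, sectype: str):
    """How a -rorule/-rwrule/-superuser list treats one security type."""
    if "never" in sectypes:
        return None
    if "any" in sectypes or sectype in sectypes:
        return "full"
    if "none" in sectypes:
        return "anon"  # admitted, but only as the anonymous user
    return None


def effective_access(rule: Rule, sectype: str, uid: int) -> dict:
    """The UID each operation is honoured as under one rule, or None if denied.

    Read-write and superuser can never be broader than read-only for the same
    security type (the notes on this page); a UID 0 request whose security
    type -superuser does not admit is mapped to -anon (root squash).
    """
    ro = _admits(rule.rorule, sectype)
    if ro is None:
        return {"read": None, "write": None}
    rw = min(ro, _admits(rule.rwrule, sectype), key=LEVEL.get)
    su = min(ro, _admits(rule.superuser, sectype), key=LEVEL.get)

    def as_uid(level):
        if level is None:
            return None
        if level == "anon" or (uid == 0 and su != "full"):
            return rule.anon
        return uid

    return {"read": as_uid(ro), "write": as_uid(rw)}


def evaluate(policy: list, client_ip: str, sectype: str, uid: int):
    """Walk rules by -ruleindex; the first -clientmatch hit decides the
    request. A client that matches no rule gets no access."""
    for rule in sorted(policy, key=lambda r: r.index):
        if client_matches(rule.clientmatch, client_ip):
            return rule.index, effective_access(rule, sectype, uid)
    return None, {"read": None, "write": None}


# The two rules from the examples on this page; expol2 once with -rorule sys
# alone and once with -rorule sys,krb5.
RS1 = [Rule(1, "0.0.0.0/0", {"any"}, {"krb5"})]
EXPOL2_RO_SYS = [Rule(21, "@dev_netgroup_main", {"sys"}, {"krb5"})]
EXPOL2_RO_SYS_KRB5 = [Rule(21, "@dev_netgroup_main", {"sys", "krb5"}, {"krb5"})]

if __name__ == "__main__":
    for policy, name in ((RS1, "rs1"), (EXPOL2_RO_SYS, "expol2 -rorule sys"),
                         (EXPOL2_RO_SYS_KRB5, "expol2 -rorule sys,krb5")):
        for ip, sec, uid in (("10.1.12.24", "sys", 1001),
                             ("10.1.16.7", "krb5", 1001), ("10.1.16.7", "krb5", 0)):
            print(name, ip, sec, uid, evaluate(policy, ip, sec, uid))
```

Running the module prints, for each policy, the rule index that matched and the UID each operation is honoured as. The rs1 rule gives an AUTH_SYS client read-only access as itself and a Kerberos client read-write access, while a Kerberos request arriving as UID 0 is squashed to 65534 because -superuser is left at none. With -rorule sys alone the netgroup rule denies a Kerberos client outright; adding krb5 to -rorule is what gives it read-write access.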