You can use export policies to restrict NFS access to volumes or qtrees to clients that match specific parameters.
For information about how export policies affect Infinite Volumes, see the Clustered Data ONTAP Infinite Volumes Management Guide.
How export policies control client access to volumes or qtrees
Export policies contain one or more export rules that process each client access request. The result of that processing determines whether the client is denied or granted access and, if granted, what level of access it receives. An export policy with export rules must exist on the SVM for clients to access data.
Default export policy for SVMs with FlexVol volumes
Each Storage Virtual Machine (SVM) with FlexVol volumes has a default export policy that contains no rules. An export policy with rules must exist before clients can access data on the SVM, and each FlexVol volume contained in the SVM must be associated with an export policy.
How export rules work
Export rules are the functional elements of an export policy. Export rules match client access requests to a volume or qtree against specific parameters you configure to determine how to handle the client access requests.
How to handle clients with an unlisted security type
When a client presents itself with a security type that is not listed in an access parameter of an export rule, you can either deny access to the client or map it to the anonymous user ID by specifying the option none in that access parameter.
How security types determine client access levels
The security type that the client authenticated with plays a special role in export rules. You must understand how the security type determines the levels of access the client gets to a volume or qtree.
How to handle superuser access requests
When you configure export policies, you need to consider what you want to happen if the storage system receives a client access request with user ID 0 (that is, as the superuser), and set up your export rules accordingly.
Creating an export policy
Before creating export rules, you must create an export policy to hold them. You can use the vserver export-policy create command to create an export policy.
Adding a rule to an export policy
You can use the vserver export-policy rule create command to create an export rule for an export policy. This enables you to define client access to data.
Loading netgroups into SVMs
One of the methods you can use to match clients in export policy rules is by using hosts listed in netgroups. As an alternative to using netgroups stored in external name servers, you can load netgroups from a uniform resource identifier (URI) into Storage Virtual Machines (SVMs) by using the vserver services name-service netgroup load command.
Verifying the status of netgroup definitions
After loading netgroups into the Storage Virtual Machine (SVM), you can use the vserver services name-service netgroup status command to verify the status of netgroup definitions. This enables you to determine whether netgroup definitions are consistent on all of the nodes that back the SVM.
Setting an export rule's index number
You can use the vserver export-policy rule setindex command to manually set an existing export rule's index number. This enables you to rearrange the order in which Data ONTAP processes export rules.
Assigning an export policy to a qtree
Instead of exporting an entire volume, you can also export a specific qtree on a volume to make it directly accessible to clients. You can export a qtree by assigning an export policy to it. You can assign the export policy either when you create a new qtree or by modifying an existing qtree.
Removing an export policy from a qtree
If you decide you do not want a specific export policy assigned to a qtree any longer, you can remove the export policy by modifying the qtree to inherit the export policy of the containing volume instead. You can do this by using the volume qtree modify command with the -export-policy parameter and an empty name string ("").
Validating qtree IDs for qtree file operations
Data ONTAP can perform an optional additional validation of qtree IDs. This validation ensures that client file operation requests use a valid qtree ID and that clients can only move files within the same qtree. You can enable or disable this validation by modifying the -validate-qtree-export parameter. This parameter is enabled by default.
Checking client access to exports
When you deploy export policies to manage client access to exports, you might want to first test the export policies to ensure that they work as intended. If you have deployed export policies and clients experience access issues, you might need to test the export policies to troubleshoot the issue. You can test export policies for these purposes by using the vserver export-policy check-access command.
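The following clustershell session ties the sections above together: creating a policy, adding rules that show the none option for unlisted security types and for superuser requests, reordering a rule, assigning and then removing a qtree policy, and verifying the result with check-access. It is an added example, not part of the guide. The SVM name svm1, volume eng_vol, qtree builds, policy name eng_restricted, netgroup @eng_hosts, and the 192.168.10.0/24 network are constructed values; lines beginning with # are annotations, not CLI input. The placement of -validate-qtree-export on vserver nfs modify is assumed from the parameter name given above rather than stated by this page.

```text
# Create the (initially empty) export policy. No client can access data
# through it until at least one rule exists.
cluster1::> vserver export-policy create -vserver svm1 -policyname eng_restricted

# Rule 1: hosts on the engineering subnet. Read-only is allowed with sys or
# krb5 security; read-write requires krb5. A client that arrives with an
# unlisted security type is not matched by this rule at all, and superuser
# (UID 0) requests are mapped to the anonymous user (-superuser none) rather
# than honoured. -anon 65534 is the UID that anonymous requests are mapped to.
cluster1::> vserver export-policy rule create -vserver svm1 -policyname eng_restricted -clientmatch 192.168.10.0/24 -protocol nfs3,nfs4 -rorule sys,krb5 -rwrule krb5 -superuser none -anon 65534

# Rule 2: hosts in a netgroup that was loaded into the SVM. Read-only with sys;
# for writes, -rwrule none maps any client to the anonymous user instead of
# denying the request outright (this is the "none" behaviour described above).
cluster1::> vserver services name-service netgroup load -vserver svm1 -source http://files.example.invalid/netgroup
cluster1::> vserver services name-service netgroup status -vserver svm1
cluster1::> vserver export-policy rule create -vserver svm1 -policyname eng_restricted -clientmatch @eng_hosts -protocol nfs3 -rorule sys -rwrule none -superuser none

# Rules are evaluated in index order, so a more specific netgroup rule that
# should win over the subnet rule must come first. Move rule 2 to index 1.
cluster1::> vserver export-policy rule setindex -vserver svm1 -policyname eng_restricted -ruleindex 2 -newruleindex 1
cluster1::> vserver export-policy rule show -vserver svm1 -policyname eng_restricted

# Attach the policy to the volume, and export a single qtree with its own
# policy. Setting the qtree's policy to "" makes it inherit the volume's again.
cluster1::> volume modify -vserver svm1 -volume eng_vol -policy eng_restricted
cluster1::> volume qtree modify -vserver svm1 -volume eng_vol -qtree builds -export-policy eng_restricted
cluster1::> volume qtree modify -vserver svm1 -volume eng_vol -qtree builds -export-policy ""

# Optional qtree ID validation (keeps file moves within the same qtree).
# Assumed to live on vserver nfs modify; the page names only the parameter.
cluster1::> vserver nfs modify -vserver svm1 -validate-qtree-export enabled

# Verify before clients complain: a subnet host using sys security asking for
# read-write should be reported as read-only (rwrule requires krb5), and the
# output names the policy and rule index that produced the decision.
cluster1::> vserver export-policy check-access -vserver svm1 -volume eng_vol -client-ip 192.168.10.25 -authentication-method sys -protocol nfs3 -access-type read-write
cluster1::> vserver export-policy check-access -vserver svm1 -volume eng_vol -client-ip 192.168.10.25 -authentication-method krb5 -protocol nfs4 -access-type read-write
```

Run the two check-access commands after every rule change; comparing the rule index they report against the intended order catches a misplaced setindex before a client does.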