NFS Access Control Scenarios

Learn different ways to control NFS access by reviewing these scenarios:

  • Scenario A: Provides a managed environment for two clients. The clients share a mount target, but each has their own file system, and cannot access each other's data.
  • Scenario B: Provides data to clients for consumption, but doesn't allow them to update the data.
  • Scenario C: Increases security by limiting the root user's privileges when connecting to a file system.

Scenario A: Control Host Based Access

Provide a managed hosted environment for two clients. The clients share a mount target, but each has their own file system, and cannot access each other's data. For example:

  • Client A is assigned to CIDR block 10.0.0.0/24, and requires read/write access to file system A, but not file system B.

  • Client B is assigned to CIDR block 10.1.1.0/24, and requires read/write access to file system B, but not file system A.

  • Client C is assigned to CIDR block 10.2.2.0/24, and has no access of any kind to file system A or file system B.

  • Both file systems A and B are associated with a single mount target, MT1. Each file system has an export contained in the export set of MT1.

Because Client A and Client B access the mount target from different CIDR blocks, you can set the client options for both file system exports to allow access to only a single CIDR block. Client C is denied access by not including its IP address or CIDR block in the NFS export options for any export of either file system.

Web UI Example

Set the export options for file system A to allow read/write access only to Client A, who is assigned to CIDR block 10.0.0.0/24. Client B and Client C are not included in this CIDR block, and cannot access the file system.

Note:

To learn how to access the NFS export options in the Compute Web UI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

Source        Ports   Access       Squash   Squash UID/GID
10.0.0.0/24   Any     Read/Write   None     (not used)

Set the export options for file system B to allow read/write access only to Client B, who is assigned to CIDR block 10.1.1.0/24. Client A and Client C are not included in this CIDR block, and cannot access the file system.

Source        Ports   Access       Squash   Squash UID/GID
10.1.1.0/24   Any     Read/Write   None     (not used)

CLI Example

Note:

To learn how to access the NFS export options in the OCI CLI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

Set the export options for file system A to allow READ_WRITE access only to Client A, who is assigned to CIDR block 10.0.0.0/24. Client B and Client C are not included in this CIDR block, and cannot access the file system.

oci fs export update --export-id File_system_A_export_ID --export-options \
'[{"source":"10.0.0.0/24","require-privileged-source-port":"false","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

Set the export options for file system B to allow READ_WRITE access only to Client B, who is assigned to CIDR block 10.1.1.0/24. Client A and Client C are not included in this CIDR block, and cannot access the file system.

oci fs export update --export-id File_system_B_export_ID --export-options \
'[{"source":"10.1.1.0/24","require-privileged-source-port":"false","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

Scenario B: Limit the Ability to Write Data

Provide data to customers for consumption, but don't allow them to update the data.

For example, you'd like to publish a set of resources in file system A for an application to consume, but not change. The application connects from IP address 10.0.0.8.

Web UI Example

Set the source IP address 10.0.0.8 to read-only in the export for file system A.

Note:

To learn how to access the NFS export options in the Compute Web UI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

Source     Ports   Access      Squash   Squash UID/GID
10.0.0.8   Any     Read-only   None     (not used)

CLI Example

Note:

To learn how to access the NFS export options in the OCI CLI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

Set the source IP address 10.0.0.8 to READ_ONLY in the export for file system A.

oci fs export update --export-id File_System_A_export_OCID --export-options \
'[{"source":"10.0.0.8","require-privileged-source-port":"false","access":"READ_ONLY","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

Scenario C: Improve File System Security

To increase security, you'd like to limit the root user's privileges when connecting to file system A. Use Identity Squash to remap root users to UID/GID 65534.

In UNIX-like systems, this UID/GID combination is reserved for 'nobody', a user with no system privileges.

Web UI Example

Set Squash to Root and Squash UID/GID to 65534 in the export for file system A, so that root on any connecting client is remapped to UID/GID 65534.

Note:

To learn how to access the NFS export options in the Compute Web UI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

Source      Ports   Access       Squash   Squash UID/GID
0.0.0.0/0   Any     Read/Write   Root     65534

CLI Example

Note:

To learn how to access the NFS export options in the OCI CLI, refer to the section titled Setting NFS Export Options in the File System Storage chapter of the Oracle Private Cloud Appliance User Guide.

oci fs export update --export-id File_System_A_export_OCID --export-options \
'[{"source":"0.0.0.0/0","require-privileged-source-port":"false","access":"READ_WRITE","identity-squash":"ROOT","anonymous-uid":"65534","anonymous-gid":"65534"}]'
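As an added example that is not part of the Oracle documentation, the following Python model evaluates export-option entries of the kind shown in Scenarios A, B and C the way the mount target would: a client is matched by source CIDR, and then the Ports, Access and Squash columns decide what it can do and under which UID/GID. The sample entries are constructed to mirror the page's CLI values; the first-match order and the squash semantics follow standard NFS export behaviour and are an assumption about the appliance.

```python
import ipaddress
import json

# Constructed sample export options, written in the same JSON form as the page's
# `oci fs export update --export-options` values (one list of entries per export).
EXPORT_OPTIONS = {
    # Scenario A: each file system admits exactly one client CIDR block, read/write.
    "fs-A": json.loads('[{"source":"10.0.0.0/24","require-privileged-source-port":"false",'
                       '"access":"READ_WRITE","identity-squash":"NONE",'
                       '"anonymous-uid":"65534","anonymous-gid":"65534"}]'),
    "fs-B": json.loads('[{"source":"10.1.1.0/24","require-privileged-source-port":"false",'
                       '"access":"READ_WRITE","identity-squash":"NONE",'
                       '"anonymous-uid":"65534","anonymous-gid":"65534"}]'),
    # Scenario B: a single host may read but not write.
    "fs-A-readonly": json.loads('[{"source":"10.0.0.8","require-privileged-source-port":"false",'
                                '"access":"READ_ONLY","identity-squash":"NONE",'
                                '"anonymous-uid":"65534","anonymous-gid":"65534"}]'),
    # Scenario C: any source, read/write, but root is remapped to UID/GID 65534.
    "fs-A-rootsquash": json.loads('[{"source":"0.0.0.0/0","require-privileged-source-port":"false",'
                                  '"access":"READ_WRITE","identity-squash":"ROOT",'
                                  '"anonymous-uid":"65534","anonymous-gid":"65534"}]'),
}

def matching_option(options, client_ip):
    """Return the first entry whose source CIDR contains client_ip, or None.
    A client matched by no entry is denied; that is how Scenario A keeps Client C out."""
    ip = ipaddress.ip_address(client_ip)
    for opt in options:
        if ip in ipaddress.ip_network(opt["source"].strip(), strict=False):
            return opt
    return None

def evaluate(options, client_ip, uid, gid, source_port=1024):
    """Model one NFS request against an export's options (assumed semantics).
    Returns (access, effective_uid, effective_gid); access is DENIED, READ_ONLY or READ_WRITE."""
    opt = matching_option(options, client_ip)
    if opt is None:
        return ("DENIED", None, None)
    # Ports column: 'true' means the client must connect from a privileged port (< 1024).
    if opt["require-privileged-source-port"] == "true" and source_port >= 1024:
        return ("DENIED", None, None)
    anon_uid, anon_gid = int(opt["anonymous-uid"]), int(opt["anonymous-gid"])
    squash = opt["identity-squash"]
    if squash == "ALL":                     # every caller becomes the anonymous identity
        uid, gid = anon_uid, anon_gid
    elif squash == "ROOT":                  # only uid 0 / gid 0 are remapped
        uid = anon_uid if uid == 0 else uid
        gid = anon_gid if gid == 0 else gid
    return (opt["access"], uid, gid)
```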