
Configure NFS Permissions without Active Directory

IN THIS ARTICLE 

Outlines a best practice set of permissions for an environment with two NFS exports corresponding to two groups

This is intended to be an exercise only. Your permissions requirements may differ.

REQUIREMENTS

  • Cluster running Qumulo Core
  • Cluster is not using Active Directory for identity management
  • Environment requires two NFS exports (projects & finance) owned by two groups (artists & accounting) with the following permissions:
    • artists group has read/write/execute access to projects
    • accounting group has read/execute access to projects
    • accounting group has read/write/execute access to finance
    • anyone else (including the artists group) has no access to finance
  • Admin wants all files and folders created on NFS exports to be group writable

  • Admin wants the appropriate group ownership to be applied throughout directories and subdirectories (for example, if the accounting group owns the accounting folder, everything that is created inside of it should also be owned by accounting)

Prerequisites

  1. Two groups have been created in our Linux environment:
    • artists with GID 10000
    • accounting with GID 11000
  2. Two users have been created in our Linux environment and assigned the following UIDs and GIDs:
    • picasso with UID 9000 and GID 10000
    • newhart with UID 9001 and GID 11000

DETAILS

Create Two NFS Exports

  • Log in to your Qumulo UI
  • Hover over the Sharing tab and click NFS Exports

  • Click the blue Create button in the top right corner of the screen
  • Name the export projects and fill out the fields 

    • Notice Create new directory if it doesn't exist is checked because we want Qumulo to create the new export/directory for us.
  • Click Save
  • Repeat the above steps to create an export named finance making sure to check the box to Create new directory if it doesn't exist

Once you click save, the NFS Exports page will include newly added /finance and /projects exports.

Create Two Groups

With a single user, create the two groups accounting and artists. Keep in mind that NFS identities on Qumulo are unnecessary for the purpose of this example, but they may be useful should an admin want to map exports to specific users.

  • Move your cursor over the Cluster tab and select Local Users & Groups from the dropdown


  • Click on the Create button under the Groups section
  • Add the group name artists with a NFS GID of 10000


  • Click the Create button to submit the changes
  • Repeat the above steps to create an accounting group with NFS GID of 11000

Add Users and assign to Groups

  • Click the Create button under the Users section and fill out the information provided below for the first user:

    • Username: picasso
    • NFS UID: 9000
    • Password: a
  • Click on the Groups tab and check the Primary box for the artists group
  • Click the Create button to finish
  • Repeat the steps above to add an additional user with this info:
    • Username: newhart
    • NFS UID: 9001
    • Password: a
  • Click on the Groups tab and select accounting for their primary group
  • Click the Create button to finish

Change the Permissions on the Exports

Now that exports, users, and groups are set up through the Qumulo UI, permissions on the two exports can be modified. For this example, the two groups (artists and accounting) will have different permissions for the two exports (projects and finance).

  • From a client computer, mount the root export of your Qumulo cluster via NFS
  • In a terminal session, change the group owner for the finance directory to accounting by running this command:
sudo chgrp accounting finance
  • Now change the group owner for the projects directory to artists with this command:
sudo chgrp artists projects

Set the correct permissions for each of the directories according to the policies below:

Note that this example uses SETGID in order to preserve group ownership throughout both of the exports. To learn more about SETGID and how it works, see the setuid article on Wikipedia.

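  • accounting: full access (rwx) on the finance export, read and execute access (r-x) on the projects export (on projects this comes from the "other" permission bits of mode 2775, so it applies to any user who is neither the owner nor in the artists group)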
  • artists: no access (---) on the finance export, full access (rwx) on the projects export
  • Run the following two commands to change the permissions: 
sudo chmod 2770 finance
sudo chmod 2775 projects
  • The permissions for the directories will now look like this:
drwxrws--- 2 root accounting 0 Jan 6 15:52 finance
drwxrwsr-x 2 root artists 0 Jan 6 15:53 projects
  • Test the directory permissions by logging into your client computer as either picasso or newhart to validate that the privileges are correct for each user
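
One way to script the validation in the final step, as an added example that is not part of the original article; it also shows that SETGID preserves group ownership only, while the group-write bit on new files depends on the client umask. It assumes a Linux client with GNU stat, the function names are hypothetical, and the demo runs on a constructed scratch directory rather than a real export.

```shell
#!/bin/sh
# Added example (not from the original article): audit an export directory after
# the chgrp/chmod steps. Assumes a Linux client with GNU stat; function names are
# hypothetical. GIDs are numeric because no directory service maps names here.

# check_export DIR GID MODE: succeed only if group owner and octal mode match.
check_export() (
    got=$(stat -c '%g %a' "$1") || exit 2
    [ "$got" = "$2 $3" ]
)

# inherits_group DIR: create a probe subdirectory and file inside DIR and succeed
# only if both take DIR's group and the subdirectory carries the setgid bit.
inherits_group() (
    want=$(stat -c '%g' "$1") || exit 2
    probe=$(mktemp -d "$1/.probe.XXXXXX") || exit 2
    : > "$probe/file"
    rc=0
    [ -g "$probe" ] || rc=1
    [ "$(stat -c '%g' "$probe")" = "$want" ] || rc=1
    [ "$(stat -c '%g' "$probe/file")" = "$want" ] || rc=1
    rm -rf "$probe"
    exit "$rc"
)

# new_file_mode DIR UMASK: print the octal mode a new file gets under UMASK.
# setgid fixes the group owner only; the group-write bit comes from the umask.
new_file_mode() (
    umask "$2"
    f="$1/.mode-probe.$$"
    : > "$f" || exit 2
    stat -c '%a' "$f"
    rm -f "$f"
)

# Demo on a constructed scratch directory standing in for the finance export.
demo=$(mktemp -d)
chmod 2770 "$demo"
check_export "$demo" "$(id -g)" 2770 && echo "mode/group OK"
inherits_group "$demo" && echo "setgid inheritance OK"
echo "umask 022 -> $(new_file_mode "$demo" 022), umask 002 -> $(new_file_mode "$demo" 002)"
rm -rf "$demo"
```

On a mounted cluster, run for example `check_export finance 11000 2770` and `check_export projects 10000 2775` from the mount point, as a user who belongs to the owning group.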

RESOLUTION

You should now be able to successfully set up an environment with two exports correlating to two different groups.

ADDITIONAL RESOURCES

QQ CLI: NFS Exports

 
