IN THIS ARTICLE
Outlines a best practice set of permissions for an environment with two NFS exports corresponding to two groups
This is intended to be an exercise only. Your permissions requirements may differ.
- Cluster running Qumulo core
- Cluster is not using Active Directory for identity management
- Environment requires two NFS exports ('projects' & 'finance') owned by two groups ('artists' & 'accounting') with the following permissions:
- 'artists' group has read/write/execute access to 'projects'
- 'accounting' group has read/execute access to 'projects'
- 'accounting' group has read/write/execute access to 'finance'
- anyone else (including the 'artists' group) has no access to 'finance'
Admin wants all files and folders created on NFS exports to be group writable
Admin wants the appropriate group ownership to be applied throughout directories and subdirectories (for example, if the accounting group owns the accounting folder, everything that is created inside of it should also be owned by accounting)
1. Two groups have been created in our Linux environment:
- ‘artists’ with GID 10000
- ‘accounting’ with GID 11000
2. Two users have been created in our Linux environment and assigned the following UIDs and GIDs:
- ‘picasso’ with UID 9000 and GID 10000
- ‘newhart’ with UID 9001 and GID 11000
Create Two Exports
- Login to your Qumulo UI
- Hover over the Sharing tab and click NFS Exports
- Click the blue ‘Create’ button in the top right corner of the screen
- Name the export ‘projects’ and fill out the fields so it matches the screenshot below.
- Notice ‘Create new directory with inherited permissions’ is checked because we want Qumulo to create the new export/directory for us since one does not exist already
- Click Save
- Repeat the above steps to create an export named ‘finance’ making sure to check the box to ‘Create new directory with inherited permissions’
Once you click save, the screen should reflect the following:
Create Two Groups
With a single user, create the two groups accounting & artists. Keep in mind that while NFS identities on Qumulo are unnecessary for the purpose of this example, they may be useful should an admin want to map exports to specific users.
- Move your cursor over the Sharing tab and select Users & Groups from the dropdown
- Click on the Create button under the Groups section
- Add the group name ‘artists’ with a NFS GID of 10000
- Click the Create button to submit the changes
- Repeat the above steps to create an accounting group with NFS GID of 11000
Add Users and assign to Groups
- Click the Create button under the Users section and fill out the information provided below for the first user:
- Username: picasso
- NFS UID: 9000
- Password: a
- Click on the Groups tab and check the box for the artists group
- Click the Create button to finish
- Repeat the steps above to add an additional user with this info:
- Username: newhart
- NFS UID: 9001
- Password: a
- Click on the Groups tab and select accounting for their primary group
- Click the Save button
Change the Permissions on the Exports
Now that exports, users, and groups are set up through the Qumulo UI, permissions on the two exports can be modified. For this example, the two groups (‘artists’ and ‘accounting’) will have different permissions for the two exports (‘projects’ and ‘finance’).
- From a client computer, mount the root export of your Qumulo cluster via NFS
- In a terminal session, change the group owner for the finance directory to accounting by running this command:
sudo chgrp accounting finance
- Now change the group owner for the finance directory to accounting with this command:
sudo chgrp artists projects
Set the correct permissions for each of the directories according to the policies below:
Note that this example uses SETGID in order to preserve group ownership throughout both of the exports. To learn more about SETGID and how it works, head here.
- accounting: full access (rwx) on the finance export, read and execute access (r-x) on the projects export
- artists: no access (---) on the finance export, full access (rwx) on the projects export
- Run the following two commands to change the permissions:
sudo chmod 2770 finance
sudo chmod 2775 projects
- The permissions for the directories will now look like this:
drwxrws--- 2 root accounting 0 Jan 6 15:52 finance
drwxrwsr-x 2 root artists 0 Jan 6 15:53 projects
- Test the directory permissions by logging into your client computer as either 'picasso' or 'newhart' to validate that the privileges are correct for each user
You should now be able to successfully setup an environment with two exports correlating to two different groups
Like what you see? Share this article with your network!