IN THIS ARTICLE
- Provides a walkthrough of a 'best practice' set of permissions for an environment with two NFS exports corresponding to two groups. This is intended to be an exercise only. Your permissions requirements may differ.
- The cluster is not using Active Directory for identity management
Environment requires two NFS exports ('projects' & 'finance') owned by two groups ('artists' & 'accounting') with the following permissions:
- 'artists' group has read/write/execute access to 'projects'
- 'accounting' group has read/execute access to 'projects'
- 'accounting' group has read/write/execute access to 'finance'
- anyone else (including the 'artists' group) has no access to 'finance'
Admin wants all files and folders created on the NFS exports to be group writable
Admin wants the appropriate group ownership to be applied throughout directories and subdirectories (for example, if the accounting group owns the finance folder, everything that is created inside of it should also be owned by accounting)
1. Two groups have been created in our Linux environment:
- ‘artists’ with GID 10000
- ‘accounting’ with GID 11000
2. Two users have been created in our Linux environment and assigned the following UIDs and GIDs:
- ‘picasso’ with UID 9000 and GID 10000
- ‘newhart’ with UID 9001 and GID 11000
Let’s create our two exports first.
- Log in to your Qumulo UI and hover the cursor over the Sharing tab toward the top of the screen. When the additional menu drops down, click on NFS Exports.
- Once you are in the NFS Export section, click the blue 'Create' button in the top right corner of the screen. Our first export is going to be named 'projects'. Fill out the NFS export screen so it matches the screenshot below. Notice that 'Create new directory with inherited permissions' is checked because we want Qumulo to create the new export/directory for us, since one doesn't exist already. Click Save when you are finished.
- Now repeat the steps you just took and create an export named 'finance'. Remember to check the box to 'Create new directory with inherited permissions'.
Once you click Save, your screen should look like this:
In the following steps, we're going to create two groups ('accounting' & 'artists') on the cluster, each with a single user. The cluster enforces the permissions below on the numeric UIDs and GIDs the NFS client presents, so these local Qumulo identities are not required for the example to work; giving them the same IDs as the Linux users and groups avoids a mismatch if you later use them to map exports to specific users.
- Move your cursor over the Sharing tab and select Users & Groups from the dropdown menu. We're going to create our two groups first, so click on the Create button under the Groups section. When the new window opens, add the group name 'artists' with an NFS GID of 10000. Click the Create button to submit the changes.
- Once you've created the 'artists' group, repeat those same steps to create an 'accounting' group, but give the accounting group an NFS GID of 11000.
For the next step, let's set up a couple of users and assign one to each of our groups. The password 'a' below is a throwaway placeholder for this exercise; use a real password on a cluster anyone else can reach.
- Click on the Create button under the Users section and fill out the information provided below for the first user:
- Username: picasso
- NFS UID: 9000
- Password: a
The user ‘picasso’ is going to be in the ‘artists’ group, so we’ll check the box that corresponds. Once you’ve checked that box, hit the Create button to finish.
- Repeat the steps above to add an additional user with this info:
- Username: newhart
- NFS UID: 9001
- Password: a
- Click on the Groups tab and select accounting for their primary group. Click the Save button when you’ve finished.
Now that we have our exports, users, and groups set up through the Qumulo UI, let's change the permissions on the two exports. For this example we have two groups ('artists' and 'accounting') which will have different permissions on the two exports ('projects' and 'finance').
- From a client computer, mount the root export of your Qumulo cluster via NFS.
- In a terminal, change directories to the mount point of the export above. Let's first change the group owner of the finance directory to accounting by running this command:
sudo chgrp accounting finance
- Next, change the group owner of the projects directory to artists with this command:
sudo chgrp artists projects
Now that the group owners are set, let's apply the permissions for each directory according to the policies below. We are also going to set the setgid bit on each directory so that everything created inside it inherits the directory's group (and new subdirectories inherit the setgid bit themselves), which is what carries group ownership throughout both exports. To learn more about setgid and how it works, head here.
- accounting: full access (rwx) on the finance export, read and execute access (r-x) on the projects export
- artists: no access (---) on the finance export, full access (rwx) on the projects export
To do this, run the following two commands (the leading 2 in each mode is the setgid bit):
sudo chmod 2770 finance
sudo chmod 2775 projects
Note that setgid only decides which group owns new files and folders; whether they are group writable is decided by the umask of the process creating them on the NFS client. A client umask of 022 produces 644 files that only their owner can modify, so the requirement that everything be group writable also needs a umask of 002 (or an equivalent login default) on the client systems.
After running these commands, the finance directory should look like this in 'ls -l' output (the 's' in the group triplet is the setgid bit):
drwxrws--- 2 root accounting 0 Jan 6 15:52 finance
The projects directory should show 'drwxrwsr-x' with group owner 'artists'.
You can test these directory permissions by logging into your client computer as either 'picasso' or 'newhart' and validating that the privileges are correct for each user: 'picasso' should be able to create files under projects but should get 'Permission denied' when listing or entering finance, while 'newhart' should be able to create files under finance and read projects but not write to it. Files either user creates should carry the directory's group rather than the user's primary group.
You should now be able to successfully set up an environment with two exports, corresponding to two different groups, with a best practice set of permissions. Use this walkthrough to help set up your own exports, users, and groups to fit your environment.
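To see why the chmod modes above produce the access matrix in the policy, and why the client umask matters for group-writable files, the following script models the POSIX rules involved. It is an added example, not code from the original article or from Qumulo: the UIDs, GIDs, users and modes are the ones used in this walkthrough, and the access, setgid-inheritance and umask logic restates the standard Unix behaviour without touching a real filesystem.

```python
"""Model of the POSIX permission checks behind the projects/finance layout.

Constructed example: user names, UIDs, GIDs and modes are taken from the
walkthrough. access() and create_in() restate the standard Unix rules
(owner/group/other classes, setgid group inheritance, umask); they are not
Qumulo code and nothing here touches a real filesystem.
"""
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int                          # primary GID
    groups: frozenset = frozenset()   # supplementary GIDs


@dataclass
class Node:
    uid: int    # owner
    gid: int    # group owner (what chgrp sets)
    mode: int   # permission bits incl. setgid, e.g. 0o2770 (what chmod sets)


def access(node: Node, who: Principal, want: int) -> bool:
    """Exactly one class applies: owner if the uid matches, else group if any
    of the caller's GIDs matches, else other. Root's bypass is left out on
    purpose; the walkthrough tests as ordinary users."""
    if who.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif who.gid == node.gid or node.gid in who.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def perms(node: Node, who: Principal) -> str:
    """Effective rwx string for one principal on one node, e.g. 'r-x'."""
    return "".join(c if access(node, who, b) else "-"
                   for c, b in (("r", R), ("w", W), ("x", X)))


def mode_string(node: Node) -> str:
    """ls -l style mode for a directory; setgid shows as 's' in the group triplet."""
    return stat.filemode(stat.S_IFDIR | node.mode)


def can_create(parent: Node, who: Principal) -> bool:
    """Creating an entry needs write and search (x) on the parent directory."""
    return access(parent, who, W | X)


def create_in(parent: Node, who: Principal, umask: int, is_dir: bool = False) -> Node:
    """New entry under parent: the group is the parent's group when the parent
    carries setgid (otherwise the creator's primary GID), a new subdirectory
    also inherits the setgid bit, and the mode is 0666/0777 masked by the
    creating process's umask."""
    if not can_create(parent, who):
        raise PermissionError("creator lacks write+search on parent directory")
    mode = (0o777 if is_dir else 0o666) & ~umask
    if parent.mode & stat.S_ISGID:
        gid = parent.gid
        if is_dir:
            mode |= stat.S_ISGID
    else:
        gid = who.gid
    return Node(uid=who.uid, gid=gid, mode=mode)


# Constructed environment from the walkthrough.
ARTISTS, ACCOUNTING = 10000, 11000
PICASSO = Principal(uid=9000, gid=ARTISTS)
NEWHART = Principal(uid=9001, gid=ACCOUNTING)
PROJECTS = Node(uid=0, gid=ARTISTS, mode=0o2775)    # chgrp artists;    chmod 2775
FINANCE = Node(uid=0, gid=ACCOUNTING, mode=0o2770)  # chgrp accounting; chmod 2770


def policy_matrix() -> dict:
    """Effective access of each user on each export, keyed by (user, export)."""
    return {
        (name, export): perms(node, who)
        for name, who in (("picasso", PICASSO), ("newhart", NEWHART))
        for export, node in (("projects", PROJECTS), ("finance", FINANCE))
    }


def new_file_report(parent: Node, who: Principal, umask: int) -> tuple:
    """(group owner, octal mode) of a file the user creates under parent."""
    f = create_in(parent, who, umask)
    return f.gid, oct(f.mode)


if __name__ == "__main__":
    print(mode_string(FINANCE), "finance")    # drwxrws---
    print(mode_string(PROJECTS), "projects")  # drwxrwsr-x
    for (user, export), p in policy_matrix().items():
        print(f"{user:8} {export:9} {p}")
    print(new_file_report(FINANCE, NEWHART, 0o022))  # (11000, '0o644'): not group writable
    print(new_file_report(FINANCE, NEWHART, 0o002))  # (11000, '0o664'): group writable
```

The two new_file_report calls are the point of the exercise: setgid makes newhart's files belong to accounting either way, but only the 002 umask yields a file the rest of the group can write, so the "everything group writable" requirement is a client-side setting, not something chmod on the export can guarantee.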