2017-11-14 08:26 AM
We are setting up a Varonis server and found out that we need to add a rule to all export policies to allow access from that server. I wanted to confirm that the command below would add the rule we had in mind (assuming there aren't any existing rules with index 78, which there aren't) while preserving all other existing rules? While on the topic of rule index, is there any issue with setting one so high or should we stick as close as we can to the highest number of items that we have and drop that to -ruleindex 10 for instance?
export-policy rule create -policyname * -clientmatch 172.22.16.83/32 -rorule sys -rwrule sys -allow-suid true -superuser any -allow-dev true -protocol nfs -ruleindex 78
2017-11-15 03:32 PM
I tested this for you in my lab. The result was:
cluster1::> export-policy rule create -policyname * -clientmatch 172.22.16.83/32 -rorule sys -rwrule sys -allow-suid true -superuser any -allow-dev true -protocol nfs -ruleindex 78
Error: The value "*" contains one or more query characters and queries are not supported for the "-policyname" parameter. To use query characters as literals add quotes around the value.
The "create" command does not support queries.
It appears you can't use a wildcard in combination with the "export-policy rule create" command. Also is there a reason you would need to grant RW access to the export policies applied to vserver root volumes? It depends what your export-policy rules are for your vserver root volumes but generally this is usually RO and the data volumes mounted to it are RW. How is this configured in your environment? Does that host really require RW access to your vserver root volumes?
Have you considered automating the process using WFA? This would ensure any new data volumes with export policies have an export rule created (with the exception of vserver root volumes). This should give you a list of export policies that require an export rule to be added.
SELECT DISTINCT export_policy.name AS 'export_policy_name', volume.name AS 'volume_name', vserver.name AS 'vserver_name'
FROM cm_storage.export_policy, cm_storage.vserver, cm_storage.volume, cm_storage.cluster
WHERE export_policy.vserver_id = vserver.id
AND volume.vserver_id = vserver.id
AND volume.export_policy_id = export_policy.id
AND volume.junction_path <> '/'
AND vserver.cluster_id = cluster.id
AND ( cluster.primary_address = 'cluster1.testlab.local' OR cluster.name = 'cluster1' )
-- keep only policies that have no rule at all for the Varonis client
AND NOT EXISTS ( SELECT 1 FROM cm_storage.export_rule WHERE export_rule.policy_id = export_policy.id AND export_rule.clientmatch = '172.22.16.83/32' )
You could then process the recordset in a repeat row for each export policy that does not have an export rule for the client match and create it.
Hope that gives you some ideas.
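The same idempotent check can be scripted outside WFA; this is an added example, not code from this thread or from NetApp. It parses the output of "export-policy rule show -fields clientmatch" (the sample below is constructed and simplified), skips the policies used by vserver root volumes, and emits a create command only for policies that still lack the Varonis rule, moving the rule index above the highest one in use when 78 is already taken. The vserver and policy names and the ROOT_POLICIES list are assumptions.

```python
from collections import defaultdict

VARONIS_CLIENT = "172.22.16.83/32"
WANTED_INDEX = 78
# Policies attached to vserver root volumes (hypothetical names, supplied by the
# operator); the reply above argues these should stay RO, so they are never touched.
ROOT_POLICIES = {("svm1", "default"), ("svm2", "default")}

# Constructed, simplified output of "export-policy rule show -fields clientmatch".
SAMPLE_SHOW = """\
vserver policyname ruleindex clientmatch
------- ---------- --------- -----------
svm1    default    1         0.0.0.0/0
svm1    data_pol   1         10.0.0.0/8
svm1    data_pol   78        192.168.5.0/24
svm1    audit_pol  10        172.22.16.83/32
svm2    data_pol   1         10.0.0.0/8
5 entries were displayed.
"""


def parse_rules(text):
    """Return {(vserver, policy): {ruleindex: clientmatch}} from show output."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # header, separator or trailer line
        vserver, policy, idx, client = parts
        rules[(vserver, policy)][int(idx)] = client
    return rules


def plan_rules(rules, client=VARONIS_CLIENT, wanted=WANTED_INDEX, skip=ROOT_POLICIES):
    """Build one create command per policy that lacks a rule for `client`."""
    cmds = []
    for (vserver, policy), idx_map in sorted(rules.items()):
        if (vserver, policy) in skip or client in idx_map.values():
            continue  # root-volume policy, or rule already present: nothing to do
        # Use the requested index unless it collides; then go above the highest in use.
        index = wanted if wanted not in idx_map else max(idx_map) + 1
        cmds.append(
            f"export-policy rule create -vserver {vserver} -policyname {policy} "
            f"-clientmatch {client} -rorule sys -rwrule sys -allow-suid true "
            f"-superuser any -allow-dev true -protocol nfs -ruleindex {index}"
        )
    return cmds


if __name__ == "__main__":
    for cmd in plan_rules(parse_rules(SAMPLE_SHOW)):
        print(cmd)
```

Review the printed commands before pasting them into the clustershell; the rule existence check is what keeps a second run from creating duplicates.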
2017-11-16 06:00 AM
WFA is definitely something that I want to learn more about and have never had the chance to, but this may be the time.
We have 100 some export policies, so doing it as a batch and removing it from the root volumes seemed the easiest. Since Varonis is used for auditing permissions and file access, we definitely do not need it to access the root svm.
I'm going to hijack my own thread and ask if there is a best practice when it comes to export policies of having one rule per server or just having one rule with a comma separated list of servers. I guess it depends on environment, but I was curious if anyone knows of downfalls doing either method.