Solved: Add NFS export permissions

james_willing · ‎2011-03-23

Hi,

Can anyone tell me if I am doing something wrong?

I am trying to add some more IPs to root & Read-write access on the NFS export (For a VMware datastore).

The command I am using is

Set-NaNfsExport -Path /vol/my_test -ReadWrite "192.168.0.1" -Root "192.168.0.1" -persistent -Controller (Connect-NaController -name mynetapp -Transient)

And everytime it overwrites the values in the readWrite and Root it nevver appends or adds to the list.

Is there anyway to do this?

Or am I just doing it workng?

timothyn · ‎2011-03-24

Unfortunately, Set-NaNfsExport will replace the permissions, and there is nothing to add permisions built in to the toolkit. It's also not trivial because the input to Set-NaNfsExport & Add-NaNfsExport can't handle all of the permutations that Get-NaNfsExport can return (allow vs. deny, sys vs. user, multiple levels, etc). But if you are creating all of your NFS exports with powershell (or you are using very simple one rule exports) then we can get pretty close.

*WARNING* this example could break existing exports if they are not configured by the toolkit.

Here's a very ugly function that will get the rules in a format that can be used by Set-NaNfsExport and eliminate rules that are not compatible:

#Expects the NFS Export info returned by Get-NaNfsExport
#Returns output that can be passed directly to Set-NaNfsExport
function getSimpleNfsExport ($export) {
    $exportParams = @{
        Path = $export.Pathname;
        ActualPath = $export.ActualPathname;
        Persistent = $false;
        ReadOnly = @($export.SecurityRules[0].ReadOnly |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        ReadWrite = @($export.SecurityRules[0].ReadWrite |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        Root = @($export.SecurityRules[0].Root | ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        NoSuid = $export.SecurityRules[0].NoSuid -eq $true;
        Anon = $export.SecurityRules[0].Anon;
        SecurityFlavors = $export.SecurityRules[0].SecFlavor[0].Flavor;
    }
    return $exportParams
}

Once you have that loaded or in your script you can do something like this:

PS C:\> $params = getSimpleNfsExport (Get-NaNfsExport /vol/testvol)
PS C:\> $params.ReadOnly += "10.61.169.80"
PS C:\> Set-NaNfsExport @params
PS C:\> getSimpleNfsExport (Get-NaNfsExport /vol/testvol)

Name                           Value                                                                                                     
----                           -----                                                                                                     
ReadWrite                      {all-hosts}                                                                                               
ReadOnly                       {10.61.169.3, 10.16.169.4, 10.61.169.80}                                                                                
Path                           /vol/testvol                                                                                              
NoSuid                         False                                                                                                     
Anon                                                                                                                                     
Persistent                     False                                                                                                     
ActualPath                                                                                                                               
Root                           {10.61.169.76}                                                                                            
SecurityFlavors                sys

View solution in original post

timothyn · ‎2011-03-24

Unfortunately, Set-NaNfsExport will replace the permissions, and there is nothing to add permisions built in to the toolkit. It's also not trivial because the input to Set-NaNfsExport & Add-NaNfsExport can't handle all of the permutations that Get-NaNfsExport can return (allow vs. deny, sys vs. user, multiple levels, etc). But if you are creating all of your NFS exports with powershell (or you are using very simple one rule exports) then we can get pretty close.

*WARNING* this example could break existing exports if they are not configured by the toolkit.

Here's a very ugly function that will get the rules in a format that can be used by Set-NaNfsExport and eliminate rules that are not compatible:

#Expects the NFS Export info returned by Get-NaNfsExport
#Returns output that can be passed directly to Set-NaNfsExport
function getSimpleNfsExport ($export) {
    $exportParams = @{
        Path = $export.Pathname;
        ActualPath = $export.ActualPathname;
        Persistent = $false;
        ReadOnly = @($export.SecurityRules[0].ReadOnly |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        ReadWrite = @($export.SecurityRules[0].ReadWrite |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        Root = @($export.SecurityRules[0].Root | ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        NoSuid = $export.SecurityRules[0].NoSuid -eq $true;
        Anon = $export.SecurityRules[0].Anon;
        SecurityFlavors = $export.SecurityRules[0].SecFlavor[0].Flavor;
    }
    return $exportParams
}

Once you have that loaded or in your script you can do something like this:

PS C:\> $params = getSimpleNfsExport (Get-NaNfsExport /vol/testvol)
PS C:\> $params.ReadOnly += "10.61.169.80"
PS C:\> Set-NaNfsExport @params
PS C:\> getSimpleNfsExport (Get-NaNfsExport /vol/testvol)

Name                           Value                                                                                                     
----                           -----                                                                                                     
ReadWrite                      {all-hosts}                                                                                               
ReadOnly                       {10.61.169.3, 10.16.169.4, 10.61.169.80}                                                                                
Path                           /vol/testvol                                                                                              
NoSuid                         False                                                                                                     
Anon                                                                                                                                     
Persistent                     False                                                                                                     
ActualPath                                                                                                                               
Root                           {10.61.169.76}                                                                                            
SecurityFlavors                sys

james_willing · ‎2011-03-24

Thanks for that. Is there any plan to make the Set-NaNfsExport anymore friendly?

As it would a really great feature if you could add security rules using powershell, without overwriting the current settings..

It would work really well with ESX configuration scripts, being able to add new hosts to the NFS share and then mount it as part of a scripted setup.

skiser · ‎2012-02-24

I updated my volume creation script. It has an NFS export function in it. Check it out at https://communities.netapp.com/docs/DOC-23751