ONTAP Discussions

Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?


Based on https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_create_a_root_squash_export_policy_rule_in_ONTAP:



filer::> vserver export-policy rule create -vserver sv1 -policyname default -clientmatch -rorule any -rwrule any -superuser none -anon 65534
filer::> vserver export-policy rule show -vserver sv1 -policyname default -ruleindex 8 -instance

                                    Vserver: sv1
                                Policy Name: default
                                 Rule Index: 8
                            Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains:
                             RO Access Rule: any
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534   <<<<
                   Superuser Security Types: none    <<<<
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true


I have two questions:


Basically, this is the "root_squash" option. Is this a recommended export policy/configuration?

Any concerns?

Is there any way to assign a specified user (not root) "root" type of access to an NFS file system under NFSv3? How?



You may want to peruse this wonderful Tech Report by @parisi




Following the Example on page 117 of this document, https://www.netapp.com/us/media/tr-4067.pdf,

I am not able to touch any files on this NFS file system. Please find the screenshot of the errors, and also the Example on page 117, excerpted below. Could you please point out what went wrong?
On my local Linux server, 65534 corresponds to "nfsnobody" in the /etc/passwd file. Could that be the cause? If yes, why?


I have done the same steps as instructed on page 117; however, I (either as root or as a normal user) could not "touch" any files or do anything on the mounted NFS file system, and got a "permission denied" error.


Can the experts here please help me out?



By setting the permissions to 777 on the volume, I got both Example 1 and Example 2 on page 117 to work. Please ignore my last two messages above. Sorry for the confusion.


However, I don't quite understand what we are trying to do here. Here, "root" is squashed to nfsnobody (65534). But what if I also want "root" to do what "root" is supposed to do on this NFS file system?


What am I missing?


I had to set unix-permissions to 777 on the NetApp side in order to touch a file with ownership "nfsnobody nogroup"; otherwise, it wouldn't let me touch it and I got "permission denied".


Can somebody please confirm: do I have to set it to 777? If yes, then anybody can do anything but root; that does not sound good.
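The behaviour the posts above describe (root denied on a 755 directory once it is squashed to 65534, everything working after 777) comes from two layers that are evaluated one after the other: the export rule decides which identity the file system sees, and then ordinary UNIX mode bits decide what that identity may do. The following Python is an added model of those two layers written for this thread; it is not NetApp code, and it simplifies by assuming AUTH_SYS is the only security flavor in play and that the `-anon` mapping applies to both uid and gid. The scenarios it runs are constructed to match the thread's situation.

```python
"""Model of how an ONTAP NFS export rule with "-superuser none" (root squash)
and "-anon 65534" interacts with UNIX mode bits.  Added illustration, not
NetApp code.  Assumptions: AUTH_SYS ("sys") is the only flavor used, and
the anon mapping sets both uid and gid of the squashed root.
"""
from dataclasses import dataclass

NFSNOBODY = 65534  # the "-anon 65534" target; nfsnobody on the poster's client


@dataclass
class ExportRule:
    rorule: str = "any"      # security flavors allowed read access
    rwrule: str = "any"      # security flavors allowed write access
    superuser: str = "none"  # flavors whose uid 0 is honored; "none" = squash
    anon: int = NFSNOBODY    # uid (and, in this model, gid) root is mapped to


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # UNIX permission bits, e.g. 0o755


def _flavor_allowed(rule_value: str, sec: str) -> bool:
    """Match a rorule/rwrule/superuser value against the client's flavor."""
    if rule_value == "any":
        return True
    if rule_value in ("none", "never"):
        return False
    return sec in rule_value.split(",")


def effective_ids(rule: ExportRule, uid: int, gid: int, sec: str = "sys"):
    """Return the (uid, gid) the file system sees after the export rule."""
    if uid == 0 and not _flavor_allowed(rule.superuser, sec):
        return rule.anon, rule.anon  # root squashed to the anonymous user
    return uid, gid


def access_allowed(rule, inode, uid, gid, want_write, sec="sys"):
    """Export-rule check, then a classic owner/group/other mode-bit check."""
    if not _flavor_allowed(rule.rwrule if want_write else rule.rorule, sec):
        return False
    euid, egid = effective_ids(rule, uid, gid, sec)
    if euid == 0:
        return True  # unsquashed root bypasses mode bits
    if euid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif egid == inode.gid:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return bool(bits & (0o2 if want_write else 0o4))


def thread_scenarios():
    """Constructed scenarios: root on an NFS client creating a file in a
    root-owned volume root, under the root-squash rule from the thread."""
    squash = ExportRule()
    root_dir = Inode(uid=0, gid=0, mode=0o755)
    return {
        # what the poster saw: squashed root (65534) falls into "other" bits
        "squashed_root_on_755": access_allowed(squash, root_dir, 0, 0, True),
        # the 777 workaround: now every uid can write, not just root
        "squashed_root_on_777": access_allowed(squash, Inode(0, 0, 0o777), 0, 0, True),
        "any_user_on_777": access_allowed(squash, Inode(0, 0, 0o777), 1000, 1000, True),
        # narrower alternative: give the anon uid ownership instead of 777
        "squashed_root_on_anon_owned": access_allowed(
            squash, Inode(NFSNOBODY, NFSNOBODY, 0o755), 0, 0, True),
        # honor root for AUTH_SYS clients matched by this rule (no squash)
        "unsquashed_root_on_755": access_allowed(
            ExportRule(superuser="sys"), root_dir, 0, 0, True),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:30s} write {'allowed' if ok else 'denied'}")
```

Running it shows why 777 "fixed" the error: it did not give root back its privileges, it gave write access to every uid on every client the rule matches. The two narrower options the model exercises are making the anon uid the owner of the directories root is meant to write to, or using a separate rule whose `-superuser` value honors root only for the specific `-clientmatch` hosts that need it, so root squash stays in force for everyone else.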