ONTAP Discussions

Baffled by Ontap 8 Clustered Mode NFS Export Policies


I am baffled by the use of export policies. I have an NFS volume exported as follows:

netapp-clr01::> vserver export-policy rule show -policyname templates -vserver netapp-nfs01
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------  -------- --------------------- ---------
netapp-nfs01 templates       1       nfs            any

netapp-clr01::> vserver export-policy rule show -policyname templates -vserver netapp-nfs01  -ruleindex 1

                                    Vserver: netapp-nfs01
                                Policy Name: templates
                                 Rule Index: 1
                            Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain:
                             RO Access Rule: sys
                             RW Access Rule: sys
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: any
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

netapp-clr01::> volume show -volume templates -fields policy
vserver      volume    policy
------------ --------- ---------
netapp-nfs01 templates templates

Yet all clients are denied: 


netapp-clr01::> vserver export-policy check-access -vserver netapp-nfs01 -volume templates -authentication-method sys -protocol nfs3 -access-type read -client-ip -policy templates
There are no entries matching your query.

netapp-clr01::> vserver export-policy check-access -vserver netapp-nfs01 -volume templates -authentication-method sys -protocol nfs3 -access-type read -client-ip
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    netapp_nfs01_root
                                                   volume          0 denied


Showmount -e looks OK:

~$ showmount -e
Exports list on
/                                   Everyone

What am I missing here? 



Hello, not sure you're missing too much. From the output it looks like the templates export policy is assigned to the templates volume; however, in the check-access it cannot find the templates export policy and assigns the default, which gives you the permission denied.


Not sure which version of ONTAP 8 you are using; however, burt 863946, entitled "Wrong permissions sent when junctions have different export policy rules", is not fixed until 8.2.3/8.3.2: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=863946


The workaround is to set the same export policy for all the junctions.








Hi wsanderstii,


I work for NetApp supporting migration to ONTAP9.


The output you provided doesn't show the export policy you've applied to the root volume which is where you are getting the denied.  Take another look at the check-access output! 



You can see all volumes' policy and junction-path from the command line by running the following:



aff-01::> rows 0; vol show -vserver *nfs* -fields policy,junction-path

Security inheritance is in play. The root volume needs to be accessible if you want to let people get at the templates volume, which is junctioned under the root /. I recommend taking a look at our cool new docs.netapp.com center for the NFS express guide on how to open up access to the root volume.


Personally I like locking it down a bit. A great resource for how to do this and almost all things NFS is TR-4067 - You are looking for pg 48.



Share and enjoy!


Please hit the kudos button and mark as solved if this resolved your issue.
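
The junction-path check the last reply describes, as an added example that is not part of the original thread and is not NetApp code: a simplified Python model that walks every junction from / down to the target and reports the first volume whose export policy has no rule granting read access. The junction path /templates, the client IP 192.0.2.10 and the client match 0.0.0.0/0 are constructed assumptions, and rule matching is reduced to CIDR plus RO rule.

```python
import ipaddress

# Constructed sample of `vol show -fields policy,junction-path` output.
# Volume and policy names come from the thread; /templates is an assumed junction path.
VOL_SHOW = """\
vserver      volume            policy    junction-path
------------ ----------------- --------- -------------
netapp-nfs01 netapp_nfs01_root default   /
netapp-nfs01 templates         templates /templates
"""

# Constructed rules: policy -> [(rule index, client match CIDR, RO rule)].
# "default" has no rules, as the rule index 0 in the thread's check-access output implies.
RULES = {"default": [], "templates": [(1, "0.0.0.0/0", "sys")]}

def parse_vol_show(text):
    """Map junction-path -> (volume, policy), locating columns by header name."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[2:]  # lines[1] is the dashed ruler
    col = {name: i for i, name in enumerate(header)}
    return {r[col["junction-path"]]: (r[col["volume"]], r[col["policy"]])
            for r in rows if len(r) == len(header)}

def rule_for(policy, client_ip, auth):
    """Return the index of the first rule granting read access, or 0 for none."""
    ip = ipaddress.ip_address(client_ip)
    for index, match, ro in RULES.get(policy, []):
        if ip in ipaddress.ip_network(match) and ro in (auth, "any"):
            return index
    return 0

def check_path(junctions, target, client_ip, auth="sys"):
    """Evaluate every junction from / down to target; all must allow read."""
    parts = [p for p in target.split("/") if p]
    paths = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    result = []
    for path in paths:
        if path not in junctions:
            continue  # plain directory inside a volume, not a junction
        volume, policy = junctions[path]
        index = rule_for(policy, client_ip, auth)
        result.append((path, policy, volume, index, "read" if index else "denied"))
        if not index:
            break  # this model stops at the first volume that denies access
    return result

if __name__ == "__main__":
    for row in check_path(parse_vol_show(VOL_SHOW), "/templates", "192.0.2.10"):
        print(*row)
```

With the empty default policy on the root volume, the walk ends at / with rule index 0 and "denied", the same row the check-access output in the question shows.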