ONTAP Discussions

Export policy assigned to / junction path

TimJMcCuen
1,889 Views

I want to make sure I am setting up my junction path correctly.    I have two volumes under my SVM.  Both clients / servers have the same exact permissions so therefore I create a single export policy which includes both server IPs.     On the junction path I applied this export policy to both the the volumes I created.    My question is I believe I should change Path "/" export policy  from the default to the same one that is applied to the two volumes?    Is this correct or should the path "/" export policy be left at default?   Thank you.

1 ACCEPTED SOLUTION

TMACMD
1,879 Views

Two thoughts on this

 1. allow the default police to be wide open but read only. Put a rule in that says: ro=any (or sys), rw=none, superuser =none with a client match of 0.0.0.0/0. The thought is to allow everyone to read and when a new volume is created and a policy not immediately applied would at least be read only

 2. More secure: apply your secured policy to the root svm volume

 

 a client must go through the root and if it does not have access to / it will not have access to any junction paths in the namespace

View solution in original post

2 REPLIES 2

TMACMD
1,880 Views

Two thoughts on this

 1. allow the default police to be wide open but read only. Put a rule in that says: ro=any (or sys), rw=none, superuser =none with a client match of 0.0.0.0/0. The thought is to allow everyone to read and when a new volume is created and a policy not immediately applied would at least be read only

 2. More secure: apply your secured policy to the root svm volume

 

 a client must go through the root and if it does not have access to / it will not have access to any junction paths in the namespace

TimJMcCuen
1,877 Views

Makes sense.  Thank you very much

 

Public