2012-10-15 11:28 AM
I discovered that in the Create Export command WFA tests for the presence of Read-Write hosts & Read-Only hosts and if none are provided the NFS share is exported with global access to everyone. In our environment this is forbidden due to security guidelines and so I'd like to do the opposite - if no RW or RO hosts are provided the share is exported to no one. I believe I found the Powershell code in the command where this occurs:
# When neither a Read-Write nor a Read-Only host list is supplied, the command defaults to a global export
if (!$RWhosts -and !$ROhosts) {
    $RWhosts = "all-hosts"
}
$expression += " -Root " + (Format-Array -Array $Roothosts) + " -ReadOnly " + (Format-Array -Array $ROhosts) + " -ReadWrite " + (Format-Array -Array $RWhosts)
What I don't know is the value that should replace "all-hosts" to do this. Is there a "no-hosts" option from an API perspective? I'll just create a clone of this command and call it something like "Create Export-GlobalForbidden" or something like that with this value changed to prevent global access. Alternatively, maybe I just need to rip out this if statement altogether and not set RWhosts to "all-hosts" - I'll play around with it in the meantime to see if I can find the answer. Thanks!
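Added example (not the WFA Create Export command itself, nor code from this thread): a fail-closed version of the expression builder quoted above. It keeps the same -Root/-ReadOnly/-ReadWrite parameter names as the posted snippet but throws instead of substituting "all-hosts" when neither host list is supplied, and also rejects the literal wildcard if a user types it in. Format-Array is assumed here to join host names with ':' as the ONTAP exports syntax expects; the real WFA helper is not shown in the thread and may differ.

```powershell
# Assumed stand-in for the WFA Format-Array helper: join a host list with ':'.
function Format-Array {
    param([string[]]$Array)
    if (-not $Array) { return '' }
    return ($Array -join ':')
}

function Build-ExportExpression {
    param(
        [string[]]$Roothosts,
        [string[]]$ROhosts,
        [string[]]$RWhosts
    )
    # Fail closed: an export with no client list must never become a global export.
    if (-not $RWhosts -and -not $ROhosts) {
        throw "Create Export: no Read-Write or Read-Only hosts supplied; refusing to export to all-hosts."
    }
    # Defence in depth: reject the wildcard even if a user supplies it explicitly.
    foreach ($h in (@($RWhosts) + @($ROhosts))) {
        if ($h -eq 'all-hosts') {
            throw "Create Export: 'all-hosts' is not permitted by policy."
        }
    }
    # Same argument shape as the command, but only lists that were actually given are emitted.
    $expression = ''
    if ($Roothosts) { $expression += " -Root "      + (Format-Array -Array $Roothosts) }
    if ($ROhosts)   { $expression += " -ReadOnly "  + (Format-Array -Array $ROhosts) }
    if ($RWhosts)   { $expression += " -ReadWrite " + (Format-Array -Array $RWhosts) }
    return $expression
}

# Usage with constructed host names: the first call succeeds, the second is refused.
Build-ExportExpression -Roothosts @('admin01') -RWhosts @('app01', 'app02')
try {
    Build-ExportExpression -Roothosts @('admin01')
} catch {
    Write-Warning $_
}
```

Throwing from the command body is a second line of defence; the isValid() enable expression described later in the thread stops the command from being offered at all when the input is empty, and the two can be combined.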
2012-10-15 01:21 PM
Yes, this would prevent global RW to all hosts. Either removing that line or modifying it.
There is another option to take care of this. I needed a solution to validate that user inputs actually exist. I did this by using an isValid function as part of the enable command. I check to ensure that the user input contains a value. Let's say that the variable is named $rwHosts. I would put the following value into the enable portion of the Create Export Command -> isValid($rwHosts) ? true : false. The inline function that I used was an IF THEN, and can be used for many other purposes. In this case, if the user did not provide a value for $rwHosts, then the command would be disabled. Otherwise, I will enable the command and execute.
2012-10-15 03:07 PM
Thanks! I just finished testing 2 conditions:
1) Removing the if statement altogether. What I found is that the share still does get exported globally. So no dice there.
2) Changing the value from "all-hosts" to "no-hosts" to test if this was also a command option. It's not but I found something useful. Here's what the /etc/exports entry looks like with no changes at all (what I can't use):
This of course is globally accessible by all as read-write. But with the code value changed to "no-hosts" this is what I got:
So, this means that if the value of this variable isn't set to a command option (like all-hosts) it'll just set the rw client to that value. It could therefore be useful to put something like "not.currently.accessed" or something equivalent so it's explanatory and at the same time preventing any access.
I haven't had a chance to test your suggestion about the isValid function but I like that too. I need to determine if we're okay with having these entries in the exports file that imply it's not currently being used.
2012-10-16 12:32 AM
After changing your code/command from all-hosts to no-hosts, this is what you see in your exportfs (rdfile /etc/exports).
The above entry in /etc/exports does allow read-write access to the client whose name is 'no-hosts'. I feel what you are looking for is that 'no client' should get read-write access. For that your /etc/exports should contain something like this (no rw entry).
Let me check PowerShell command and get back to you.
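Added example, not from this thread: a small audit script for the point being made in the last few posts. In Data ONTAP 7-Mode exports syntax a bare "rw" or "ro" option (no "=host list") grants that access to every client, while "rw=name" restricts it to the named client(s), so a placeholder such as 'no-hosts' or 'not.currently.accessed' is just a restricted rw entry for a host that should not exist. The script parses exports text and flags entries that are global. The sample lines are constructed for the demo.

```powershell
# Constructed sample of /etc/exports content (7-Mode syntax), not taken from the thread.
$sampleExports = @'
/vol/vol_global       -sec=sys,rw,nosuid
/vol/vol_placeholder  -sec=sys,rw=not.currently.accessed,nosuid
/vol/vol_ro_all       -sec=sys,ro,rw=app01:app02
/vol/vol_restricted   -sec=sys,rw=app01:app02,root=admin01
'@

function Test-ExportsLine {
    param([string]$Line)
    # Returns an object with Path, Global ($true if any client gets rw or ro) and Reason.
    $parts = $Line.Trim() -split '\s+', 2
    $path  = $parts[0]
    $opts  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $reasons = @()
    # Strip the leading '-' and walk the comma-separated option list.
    foreach ($opt in (($opts -replace '^-', '') -split ',')) {
        $name, $value = $opt -split '=', 2
        # 'rw' or 'ro' without '=hostlist' means every client.
        if (($name -eq 'rw' -or $name -eq 'ro') -and -not $value) {
            $reasons += "$name granted to all hosts"
        }
    }
    [PSCustomObject]@{
        Path   = $path
        Global = ($reasons.Count -gt 0)
        Reason = ($reasons -join '; ')
    }
}

function Get-GlobalExports {
    param([string]$ExportsText)
    # Skip blank and comment lines, classify the rest, keep only global entries.
    $ExportsText -split "`r?`n" |
        Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object { Test-ExportsLine -Line $_ } |
        Where-Object { $_.Global }
}

# Usage: on a real controller feed in the output of 'rdfile /etc/exports' instead of the sample.
Get-GlobalExports -ExportsText $sampleExports | Format-Table -AutoSize
```

Run against the sample, vol_global and vol_ro_all are reported (the latter because its bare "ro" opens read-only access to everyone even though rw is restricted), while the placeholder entry and the properly restricted one are not. The same check can be scheduled as a periodic control so that an export created outside WFA is caught too.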
2012-10-16 06:18 AM
NetApp Controllers have an auto-export option which is enabled by default. When a volume is created, an export will be generated by default. Since your company has strict no global export rules, it would be a good idea to disable the option. Here is the KB on the option:
This should ensure that no export is created when the volume is created
2012-10-16 07:01 AM
Please replace 'all-hosts' with 'not.currently.accessed'. This is perfectly fine. Your export entry looks like this.
The above line says that only the host/client named 'not.currently.accessed' can access this storage path. But as you know there is a host with the host name 'not.currently.accessed' in your network.
2012-10-16 09:59 AM
Thanks all - I did do something similar to "not.currently.accessed" in that it's such an obscure phrase that no host will have that name. Also, thanks for pointing out the NFS auto-update option, we've had that turned off for some time.