ONTAP Discussions
Hello,
I have an SVM that has two volumes as assigned objects in its default export policy.
I need to give access to just one of the two volumes to another server. The environment is Red Hat 8 running ONTAP 9.15.1 p7.
I am thinking I can grant access to just one of the volumes by adding a rule to the existing export policy, but I am not sure of the command to run to do this. Is this possible? Or do I have to add the new server into the default export policy and somehow try to restrict this new server from mounting both volumes?
Best to create a new export policy for your new host for the specific volume.
Here’s a practical example of how to create an NFS export policy in NetApp ONTAP using the CLI. This includes:
Creating the export policy
Adding an export rule to allow NFS clients
Applying the policy to a volume or SVM export path
SVM name: vs1
Volume: vol_data
Export path: /vol/vol_data
NFS client subnet: 192.168.1.0/24
NFS version: NFSv3 and NFSv4
Access: Read-Write
export-policy create -vserver vs1 -policyname nfs_data_policy
export-policy rule create -vserver vs1 -policyname nfs_data_policy \
-ruleindex 1 \
-clientmatch 192.168.1.0/24 \
-rorule sys \
-rwrule sys \
-superuser sys \
-anon 65534 \
-protocol nfs3,nfs4
Explanation:
clientmatch = Which clients are allowed
rorule = Read-only rule (here, sys = UNIX auth)
rwrule = Read-write rule
superuser = Allows root user access (using sys)
anon = UID to map anonymous users to (65534 = nobody)
protocol = Limits to NFSv3 and NFSv4
Assuming the volume is already mounted at a junction path:
volume modify -vserver vs1 -volume vol_data -policy nfs_data_policy
If not mounted yet:
volume mount -vserver vs1 -volume vol_data -junction-path /vol_data
export-policy rule show -vserver vs1 -policyname nfs_data_policy
volume show -vserver vs1 -volume vol_data -fields policy,junction-path
Thank you for the response. When I added the second export policy with just my new server in, I started getting access denied to servers in the original export policy.
The original export policy has two volumes assigned. The new export I just applied to the one volume it needs access to.
in this case you are going to need three export policies
policy one will be a read only policy that lets everyone in, applied to the svm root
policy two is for the volume that needs two hosts
policy three is for the volume that needs one host
for the root policy
export-policy create -vserver svm -policy readonly
export-policy rule create -vserver svm -policy readonly -ro sys -rw none -super none -proto nfs -client 0.0.0.0/0
then apply the readonly policy to the svm root
the issue is that using nfs the client must have some kind of access all the way through to the path. If they do not have access to the root they can’t get through.
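An added example, not part of any post in this thread and not ONTAP's own logic: a simplified Python model of the path check described above, comparing a layout like the one reported in the follow-up with the three-policy layout. The host addresses, policy names other than `readonly`, the volume paths and the first-matching-rule evaluation are assumptions made for illustration.

```python
import ipaddress

# Constructed hosts, policies and layouts (assumptions, not values from the thread).
ORIG, NEW = "10.0.0.10", "10.0.0.20"
# policy name -> ordered rules of (clientmatch CIDR, read allowed, write allowed)
POLICIES = {
    "default":   [(ORIG + "/32", True, True)],
    "new_only":  [(NEW + "/32", True, True)],
    "readonly":  [("0.0.0.0/0", True, False)],
    "two_hosts": [(ORIG + "/32", True, True), (NEW + "/32", True, True)],
    "one_host":  [(ORIG + "/32", True, True)],
}
# junction path -> policy; "/" is the SVM root volume. A volume carries one policy.
AS_REPORTED = {"/": "default", "/vol1": "new_only", "/vol2": "default"}
THREE_POLICY = {"/": "readonly", "/vol1": "two_hosts", "/vol2": "one_host"}

def rule_for(policy, client_ip):
    """Return (ro, rw) of the first rule matching the client, or None if none match."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, ro, rw in POLICIES[policy]:
        if ip in ipaddress.ip_network(cidr):
            return ro, rw
    return None

def check_access(layout, target, client_ip, want_rw=False):
    """Walk from the SVM root to target; return (allowed, junction that denied)."""
    chain = sorted((p for p in layout
                    if p == "/" or p == target or target.startswith(p + "/")), key=len)
    for path in chain:
        match = rule_for(layout[path], client_ip)
        if match is None or not match[0]:
            return False, path          # no read access at this level of the path
        if path == target and want_rw and not match[1]:
            return False, path          # read-only at the target itself
    return True, None

if __name__ == "__main__":
    for name, layout in (("as reported", AS_REPORTED), ("three policies", THREE_POLICY)):
        for host in (ORIG, NEW):
            for vol in ("/vol1", "/vol2"):
                print(name, host, vol, check_access(layout, vol, host, want_rw=True))
```

In the reported layout the original host is denied at `/vol1` and the new host is denied at `/`; with three policies both hosts reach `/vol1`, only the original host reaches `/vol2`, and nobody can write to the root.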