/<export path> <host/netgroup> (options),..
Exports and Netgroups Authentication for NFS
This feature adds Linux-style exports & netgroups authentication to Gluster’s NFS server. More specifically, this feature allows users to restrict access specific IPs (exports authentication) or a netgroup (netgroups authentication), or a combination of both for both Gluster volumes and subdirectories within Gluster volumes. Netgroups are used in Unix environments to control access for NFS exports, remote logins and remote shells. Each netgroup has a unique name and defines a set of hosts, users, groups and other netgroups. This information is stored in files and gluster NFS server manage permission for clients based on those file
Implications and Usage
Currently, gluster can restrict access to volumes through simple IP list. But this feature makes that capability more scalable by allowing large lists of IPs to be managed through a netgroup. Moreover it provides more granular permission handling on volumes like wildcard support, read-only permission to certain client etc.
The file /var/lib/glusterd/nfs/export contains the details of machines
which can be used as clients for that server.An typical export entry use
the following format :
Here export name can be gluster volume or subdirectory path inside that
volume. Next it contains list of host/netgroup , followed by the options
applicable to that entry.A string beginning with an `@' is treated as a
netgroup and a string beginning without an @ is a host. The options
include mount related parameters , right now options such as sec'',
ro/rw'', ``anonuid'' valid one. If * is mention as host/netgroup field
, then any client can mount that export path.
The file /var/lib/glusterd/nfs/netgroup should mention the expansion
of each netgroup which mentioned in the export file. An typical netgroup
entry will look like :
<netgroup name> ng1000\nng1000 ng999\nng999 ng1\nng1 ng2\nng2 (ip1, ip2,..)
The gluster NFS server will check the contents of these file after specific time intervals
Volume Options
-
Enabling export/netgroup feature
gluster volume set <volname> nfs.exports-auth-enable on
-
Changing the refresh interval for gluster NFS server
gluster volume set <volname> nfs.auth-refresh-interval-sec <time in seconds>
-
Changing the cache interval for an export entry
gluster volume set <volname> nfs.auth-cache-ttl-sec <time in seconds>
Testing the export/netgroup file
An user should have the ability to check the validity of the files
before applying the configuration. The `glusterfsd'' command now has
the following additional arguments that can be used to check the
configuration: - –print-netgroups: Validate the netgroups file and print
it out. For example, - `glusterfsd --print-netgroups <name of the file>
-
–print-exports: Validate the exports file and print it out. For example,
-
glusterfsd --print-export <name of the file>
-
Points to be noted.
-
This feature does not currently support all the options in the man page of exports, but we can easily add them.
-
The files
/var/lib/glusterd/nfs/exportand/var/lib/glusterd/nfs/netgroupshould be created before setting thenfs.exports-auth-enableoption in every node in Trusted Storage Pool. -
These files are handled mannually by the users. So that, their contents can be different among the gluster nfs servers across Trusted Storage Pool . i.e it is possible to have different authenticate mechanism for the gluster NFS servers in the same cluster.
-
Do not mixup this feature and authentication using
nfs.rpc-auth-allow,nfs.export-dirwhich may result in inconsistency.
Troubleshooting
After changing the contents of the file, if it is not reflected properly in the authentication mechanism , just restart the server using volume stop and start, So that gluster NFS server will forcefully read the contents of those files again.