In Data ONTAP 7-Mode we had a command “cifs terminate -v” to terminate CIFS access to a volume. There never was an “nfs terminate -v”.
Image: Thou (NFS) shall not pass!
Q: In Clustered ONTAP, if you want to terminate all NFS access to just one NFS volume, how do you do it?
Intuitively you might think running the “volume unmount” command will do the trick, but it does not: existing NFS clients keep working against the unmounted volume. This NetApp KB explains why:
Symptom
Users might notice that after removing a volume from the SVM namespace on the cluster, existing NFS sessions will continue to be able to read and write to the unmounted volume. However, other clients will be unable to start new sessions accessing the volume.
Cause
NFS clients obtain a FileHandle for each export root, directory, and file that the client is currently accessing. Due to the FH referencing the data volume's MSID (Master Data Set ID), any existing FH that is obtained from the NFS server continues to be able to read and write to the data volume after it is removed from the SVM namespace.
The answer is to add an export-policy rule with index 1 (the lowest index number, and therefore the first rule evaluated; rules are processed in ascending ruleindex order and the first clientmatch hit decides) for 0.0.0.0/0 that allows neither ro nor rw access, and to do this for every export policy applied to the volume and its qtrees. Creating a rule at an index that is already in use inserts the new rule there and renumbers the existing rules below it, so nothing needs to be deleted first. And remember to update your root Load-Sharing mirrors too if you have them, otherwise clients resolving the namespace through an LS mirror keep seeing the old policy.
export-policy rule create -policyname exp_vol01 -vserver svm1 -clientmatch 0.0.0.0/0 -ruleindex 1 -protocol any -rorule never -rwrule never
snapmirror update-ls-set -source-path //vs1.example.com/svm_root
Note: In the above I’ve gone for ‘-protocol any’ because I don’t think many people will be using export-policies with CIFS. If you are and don’t want to terminate CIFS access too, then use ‘-protocol nfs’.
Caveat: ONTAP caches export-policy access decisions per client, so clients that were already connected may keep their previous answer until the access cache entry expires or is flushed. Check from a client with a fresh mount, or from an existing mount after the cache has been refreshed, before assuming the volume is locked down.
Explanation of never from the man pages
-rorule never - For an incoming request from a client matching the clientmatch criteria, do not allow any access to the volume regardless of the security type of that incoming request.
-rwrule never - For an incoming request from a client matching the clientmatch criteria, do not allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.
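To make the ordering point concrete, here is a small model of how an export policy is evaluated for one client request. This is an added example, not code from the original post and not NetApp code: it mimics the documented behaviour (rules walked in ascending ruleindex, first clientmatch hit decides, rorule/rwrule ‘never’ deny regardless of security flavour, and a create at an occupied index renumbers the rules below it) in a simplified form that ignores anonymous/root mapping. The policy name exp_vol01, the 10.1.0.0/16 LAN range and the client addresses are constructed sample data.

```python
"""Simplified model of ONTAP export-policy rule evaluation (added example, not NetApp code).

Shows why the deny-all rule has to go at index 1: a rule appended at the end
never gets reached by clients that already matched an earlier, permissive rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    index: int
    clientmatch: str                          # CIDR or single address, e.g. "0.0.0.0/0"
    rorule: frozenset                         # security flavours, or {"any"} / {"never"}
    rwrule: frozenset
    protocol: frozenset = frozenset({"any"})  # {"any"}, {"nfs"}, {"cifs"}, ...

    def matches(self, client_ip: str, protocol: str) -> bool:
        proto_ok = "any" in self.protocol or protocol in self.protocol
        return proto_ok and ip_address(client_ip) in ip_network(self.clientmatch, strict=False)


def _allows(flavours: frozenset, sec: str) -> bool:
    """Man-page semantics: 'never' denies regardless of flavour, 'any' allows all."""
    if "never" in flavours:
        return False
    return "any" in flavours or sec in flavours


def evaluate(rules: List[Rule], client_ip: str, protocol: str = "nfs", sec: str = "sys") -> Tuple[str, int]:
    """Walk the rules in ascending index; the first clientmatch hit decides.

    Returns (access, index): access is "rw", "ro" or "none"; index is the
    deciding rule, or 0 when nothing matched (ONTAP treats that as deny).
    """
    for rule in sorted(rules, key=lambda r: r.index):
        if not rule.matches(client_ip, protocol):
            continue
        if not _allows(rule.rorule, sec):
            return "none", rule.index
        if _allows(rule.rwrule, sec):
            return "rw", rule.index
        return "ro", rule.index
    return "none", 0


def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Behave like 'export-policy rule create -ruleindex N' on an occupied index:
    the new rule takes N and every rule at N or above shifts down by one."""
    shifted = [
        Rule(r.index + 1, r.clientmatch, r.rorule, r.rwrule, r.protocol) if r.index >= new.index else r
        for r in rules
    ]
    return sorted(shifted + [new], key=lambda r: r.index)


# Constructed sample policy exp_vol01: LAN clients read/write, everyone else read-only.
EXP_VOL01 = [
    Rule(1, "10.1.0.0/16", frozenset({"sys"}), frozenset({"sys"})),
    Rule(2, "0.0.0.0/0", frozenset({"sys"}), frozenset({"never"})),
]

# The rule from the post: 0.0.0.0/0, -rorule never -rwrule never, at index 1.
DENY_ALL = Rule(1, "0.0.0.0/0", frozenset({"never"}), frozenset({"never"}))


def demo() -> Tuple[Tuple[str, int], Tuple[str, int], Tuple[str, int]]:
    """Compare a LAN client before the change, after the deny at index 1,
    and after the same deny mistakenly appended at index 99."""
    before = evaluate(EXP_VOL01, "10.1.2.3")
    locked = evaluate(insert_rule(EXP_VOL01, DENY_ALL), "10.1.2.3")
    appended = EXP_VOL01 + [Rule(99, "0.0.0.0/0", frozenset({"never"}), frozenset({"never"}))]
    wrong = evaluate(appended, "10.1.2.3")
    return before, locked, wrong


if __name__ == "__main__":
    for label, (access, index) in zip(("before", "deny at index 1", "deny at index 99"), demo()):
        print(f"{label}: access={access} via rule {index}")
```

Running it shows the LAN client going from rw (rule 1) to no access once the deny sits at index 1, while the index-99 variant leaves that client at rw because rule 1 still matches first. The model deliberately leaves out the access cache discussed above; on a real cluster the denial only becomes visible to an already-connected client once its cached decision has expired.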
BONUS: cifs terminate -v in Clustered ONTAP
Yes, ‘cifs terminate -v’ does not exist in clustered ONTAP, but what you can do, if you want to terminate CIFS access to just one volume, is add an Everyone / No_access entry to the share ACL of every share that exposes that volume. For example:
cluster1::> cifs share access-control create -vserver svm4 -share finance -user-or-group Everyone -permission No_access
cluster1::> cifs share access-control show -vserver svm4 -share finance -user-or-group Everyone
            Share       User/Group   User/Group   Access
Vserver     Name        Name         Type         Permission
----------- ----------- ------------ ------------ -----------
svm4        finance     Everyone     windows      No_access
Note: If you already have an Everyone share ACL, then the command is ‘cifs share access-control modify’ (same arguments); otherwise it is ‘create’.
Caveat: Share ACLs are evaluated when a client connects to a share, and only for that share. Remember any share further up the namespace (for example a share on the SVM root volume) through which the volume’s junction path is still reachable, and use ‘vserver cifs session close’ if you also need to drop sessions that connected before the ACL change.
Credit:
My colleague Ejos Zida (this is an anagram)