Scenario
A client must be in the same network as the file system, for which a permission group needs to be configured to manage the access and read/write permissions of the client. This document describes how to do so.
Instructions
Step 1. Create a permission group
1. Log in to the File Storage Console and click on Permission Group in the left sidebar.
2. On the Permission Group page, click Create to create a new permission group. In the pop-up window, configure the permission group name and remarks.
Step 2. Add a permission group rule
Click on Permission Group Name to access the rule list. Here, you can add, edit, or delete rules. If no rules are added to the permission group, all will be allowed. The rules are explained as follows.
Parameter | Description |
Access Address | You can enter a single IP or a single network segment, such as 10.1.10.11 or 10.10.1.0/24. The default visitor address is *, which means all are allowed. Please note that you need to enter the internal IP of the CVM here. |
Read & Write Permissions | Read-only or read/write. |
User Permissions | The four options below are used for controlling the permissions of a user. all_squash: Any user will be mapped to an anonymous user or user group. no_all_squash: A user will be first matched with a local user, and if the match fails, it will be mapped to an anonymous user or user group. root_squash: A root user will be mapped to an anonymous user or user group. no_root_squash: A root user will be allowed to maintain root account permissions. Note: User permissions configuration is not supported for CIFS/SMB file systems and Turbo file system will not take effect. The default permission is 755 for each file system, and nfsnobody does not have write permission. Therefore, if there are no special needs, no_root_squash is recommended. If the root user creates a file directory and mounts the file system, when the access address is set to all_squash or root_squash, the access IP can only read files. (This is because the mount path requires root permissions, but the access IP has been mapped to an anonymous user.) |
Priority | You can configure an integer between 1 and 100 as the priority level, where 1 indicates the highest priority. If the permission of a single IP conflicts with that of an IP within a CIDR block in the same permission group, the permission with a higher priority will apply. If their priority levels are the same, the permission of the single IP will apply. If two overlapping CIDR blocks are configured with different permissions and the same priority levels, the permissions of the overlapping CIDR blocks will take effect randomly. Please avoid configuring overlapping CIDR blocks. Note: Priority configuration is not supported for CIFS/SMB file systems and will not take effect. |
Step 3. Configure a permission group for a file system
The configuration of a permission group can be modified after the file system is created. You can choose to create a permission group first and select it when creating a file system. You can also select the default permission group when creating a file system and then go to the file system details page to change the permission group.
Note
If the file system is mounted with the NFS v4 protocol, the modification to the permission group rules of the file system will take effect in 2 minutes.
Step 4. Modify the information and rules of a permission group
You can enter the permission group details page to modify the name, remarks, and rules of a permission group.
Note:
Permission group rules take effect asynchronously. Therefore, avoid adding individual IPs frequently.
We recommend you add a CIDR block or batch import using a template.