> Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
> limiting share access to the project's member group, in addition to the
> NFSv4 ACLs.
>
> We also want to limit access to SMB shares to project subnets.
> There is no way to specify that with "mmsmb", but we have found
>
> /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
>
> to be working, at least with some limited testing: share access is
> actually limited to the specified subnets. The additional settings
> seem to be stored in CTDB under /var/lib/ctdb/persistent.
>
> We assume that the "net conf setparm" method is not officially supported
> by IBM. Although it seems to be working, we wonder if it is a good idea
> to implement it. For instance, we are wondering if the additional
> settings will survive later ESS code upgrades, and if it will scale to
> thousands of SMB shares.
Officially Scale only supports Samba options that can be set through
the GUI or the mmsmb CLI. Everything else set through 'net conf' has
not been tested and is not supported. In this specific case, this is
likely to work, and it should also be preserved across code upgrades,
but again, this is not an official support statement.
This is also not a new request, there is also a pending RFE to make
this an official Scale feature:
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=141534
Regards,
Christof Schmitt
Software Engineer
IBM Systems, Spectrum Scale Development
+1 520 799 2469
@chsc Twitter
IBM
----- Original message -----
From: Helge Hauglin <[email protected]>
Sent by: [email protected]
To: [email protected]
Cc:
Subject: [EXTERNAL] [gpfsug-discuss] Limiting CES SMB shares to specific subnets
Date: Tue, Feb 9, 2021 9:10 AM
Hi.
We have an ESS 5.0.4.3 cluster with a CES cluster serving files with
NFSv4 ACLs to NFS and SMB clients. This system is used for
sensitive research data, and will over the next years house thousands of
research projects, which will have to be strictly separated. Each
project has its own subnet for the project linux and windows hosts.
Project directories are independent filesets in file systems, each
project directory has NFSv4 ACLs giving access to only the project group.
Project NFS shares are limited to each project's subnet.
Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
limiting share access to the project's member group, in addition to the
NFSv4 ACLs.
We also want to limit access to SMB shares to project subnets.
There is no way to specify that with "mmsmb", but we have found
/usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
to be working, at least with some limited testing: share access is
actually limited to the specified subnets. The additional settings
seem to be stored in CTDB under /var/lib/ctdb/persistent.
We assume that the "net conf setparm" method is not officially supported
by IBM. Although it seems to be working, we wonder if it is a good idea
to implement it. For instance, we are wondering if the additional
settings will survive later ESS code upgrades, and if it will scale to
thousands of SMB shares.
We are considering doing the SMB subnet limiting outside CES, but that would
add complexity and overhead, so we are not very keen on that.
What do other IBM ESS customers do, do you have any advice for us?
Yea or nay?
Regards,
Helge Hauglin
----------------------------------------------------------------
Mr. Helge Hauglin, Senior Engineer
System administrator
Center for Information Technology, University of Oslo, Norway
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
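As an added audit example (not code from the thread, from IBM or from Samba): a Python script that parses the smb.conf-style output of `net conf list` (assumed format; the sample below is constructed, and the EXPECTED mapping is hypothetical) and flags shares whose `hosts allow` is missing or wider than the project's subnet.

```python
import ipaddress

# Constructed sample in the smb.conf-style format 'net conf list' prints (not a capture).
SAMPLE_NET_CONF_LIST = """\
[proj_alpha]
    hosts allow = 10.10.1.0/24
[proj_beta]
    hosts allow = 10.10.2.0/24 10.10.3.0/24
[proj_gamma]
    path = /gpfs/fs1/proj_gamma
"""
# Hypothetical mapping of project share -> the subnet(s) it is meant to serve.
EXPECTED = {"proj_alpha": ["10.10.1.0/24"], "proj_beta": ["10.10.2.0/24"],
            "proj_gamma": ["10.10.4.0/24"]}

def parse_shares(text):
    """Parse smb.conf-style text into {share: {param: value}}, skipping [global]."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current != "global":
                shares[current] = {}
        elif current and current != "global" and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares

def audit(text, expected):
    """Return {share: [problems]} where 'hosts allow' is missing or wider than expected."""
    findings = {}
    for share, params in parse_shares(text).items():
        problems, allow = [], params.get("hosts allow")
        if not allow:
            problems.append("no 'hosts allow': reachable from any client address")
        permitted = [ipaddress.ip_network(n) for n in expected.get(share, [])]
        for entry in (allow or "").split():
            try:  # Samba also accepts 'EXCEPT' and '10.10.1.' prefixes; those get flagged for review
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append(f"unparsed entry {entry!r}: review by hand")
                continue
            if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
                problems.append(f"{entry} is outside the project's subnets")
        if problems:
            findings[share] = problems
    return findings
```

Run it against real output captured with `/usr/lpp/mmfs/bin/net conf list` on a CES node; since `hosts allow` is evaluated on the client's source address, it complements rather than replaces the `mmsmb exportacl` group restriction.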
