Module Objectives
By the end of this module, you should be able to:
- List security methods for protecting data
- Explain and configure a security style setting for a volume and a qtree
- Describe methods of tracking and restricting storage usage
- Explain, create, and manage quotas
- Explain and configure FPolicy
NAS Management
After configuring NAS protocols, additional steps are needed to get full use of NAS technologies. This module examines:
- Securing data
- Tracking and restricting storage usage
Securing Data
Multiprotocol
Volumes and qtrees can have either:
- NTFS-style ACL permissions
- UNIX-style permissions
If multiprotocol access is configured correctly, UNIX-style permissions do not prevent Windows (CIFS) users from accessing a volume or qtree, and NTFS-style ACL permissions do not prevent UNIX (NFS) users from accessing one. The security style only determines which permission model is evaluated; the user from the other protocol is mapped to an account in that model.
2009 NetApp. All rights reserved.
[Figure: multiprotocol authentication flow. A Windows user ID is either domain authenticated or authenticated by the storage system against /etc/registry; an unauthenticated or invalid user is rejected, an authenticated user is accepted. A UNIX user arrives with the UID (and GID) that were assigned at login, when the user name and password were authenticated on the client, so the storage system relies on the identity the NFS client presents rather than re-authenticating the user itself. When a user crosses security styles (a Windows user reaching a UNIX-style qtree, or a UNIX user reaching an NTFS-style qtree), the storage system looks for the mapped user in /etc/usermap.cfg (Domain\user <= UNIX name); if the mapping resolves to a valid user, that user is accepted, otherwise the request is rejected as an invalid user.]
Security Styles
Security Style | Hosts that can change security/permissions | CIFS client access determined by | NFS client access determined by
unix  | NFS clients  | UNIX permissions (Windows user names mapped to UNIX account) | UNIX permissions
mixed | Depends on the last client to set security settings (permissions) | Depends on the last client to set security settings (permissions) | Depends on the last client to set security settings (permissions)
ntfs  | CIFS clients | Windows NTFS ACLs | Windows NTFS ACLs (UNIX user names mapped to Windows account)
Changing a security style resets all security permissions within a volume or qtree to the default for the new style:
- NTFS: Everyone has read-write access
- UNIX: user, group, and world have rwx, for example:
  drwxrwxrwx 2 root root 4096 cifs_tree1
Because the reset is to an open default, re-apply the intended ACLs or mode bits immediately after changing the style.
Data-In-Flight Encryption
Data is encrypted at some point before it traverses a communications link and decrypted at the other end of the link.
[Figure: Host1 and Host2 connected by a communications link, with encryption applied before the link and decryption after it]
Data ONTAP provides three mechanisms to track and restrict NAS usage:
1. Quotas
2. Qtree statistics
3. FPolicy
1. Quotas
Quotas are used to:
- Limit the amount of disk space that can be used
- Track disk space usage
- Warn of excessive usage
Quota targets:
- Users
- Groups
- Qtrees
Create a quota
Quota Errors
- Disk quota exceeded: results from requests that cause a user or group to exceed an applicable quota
- Out of disk space: results from requests that cause the number of blocks or files in a qtree to exceed the qtree limit
- Root or Windows administrator account: group quotas do not apply, but tree quotas do apply
Quota Rules
- New users or groups created after the default quota is in effect receive the default value
- Users or groups that do not have a specific quota defined receive the default value
- Configurable rules (/etc/quotas fields) are:
  # Target Type Disk Files Thold Sdisk Sfiles
  10K 9000 -
  Target is the user, group, or qtree path; Type is user, group, or tree (user and group types are qualified with the volume, as in user@/vol/NASvol); Disk and Files are the hard limits that cause requests to fail; Thold is the usage threshold at which a warning is issued; Sdisk and Sfiles are soft limits that also only warn.
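A worked quota file and the commands that activate it, added here as an example and not taken from the original module. The volume NASvol and qtree nas_tree1 come from the page; the user jsmith and every limit shown are assumed values.

```console
system> rdfile /etc/quotas
#Quota target          type                disk   files  thold  sdisk  sfiles
*                      user@/vol/NASvol    50M    -      45M    -      -
*                      group@/vol/NASvol   500M   -      -      -      -
jsmith                 user@/vol/NASvol    100M   10K    90M    -      -
/vol/NASvol/nas_tree1  tree                12M    -      11M    -      -
system> quota on NASvol
system> quota report
```

The two `*` lines are the default user and group quotas for the volume: every user or group without its own line, including accounts created later, gets 50M or 500M. The explicit jsmith line overrides the user default and adds a 10K file limit. The tree line caps the qtree as a whole; unlike the user and group lines it also applies to root and to Windows administrators. Thold and Sdisk only generate warnings, so an attacker who can write to the volume is stopped by Disk and Files, not by the warning fields. After editing the file, run `quota resize NASvol` if only limits of existing targets changed; if new targets were added, turn quotas off and on again (`quota off NASvol`, then `quota on NASvol`) so the new entries are initialized.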
Quota Report
Quota report output for a tree quota (columns elided in the source are shown as ...):

system> quota report
                                      K-Bytes          Files
Type  ID  Volume  Tree       ...  Used   Limit    Used  Limit  Quota Specifier
----- --- ------- ---------  ...  -----  -------  ----  -----  ----------------------
tree  1   NASvol  nas_tree1  ...  14612  12288    24    2      /vol/NASvol/nas_tree1

This tree is already over its limits (14612 KB used against a 12288 KB limit), which happens when a quota is applied to a qtree that already holds data; existing data is kept, but further requests that add blocks or files to nas_tree1 fail with "Out of disk space".
Quota Information
Beginning with Data ONTAP 7.3, AutoSupport (ASUP) contains the following quota information:
- A collection of quota statistics, including a set of new counters that collect quota statistics
- The quota configuration file (/etc/quotas)
- The user mapping file (/etc/usermap.cfg)
2. Qtree Statistics
To display the number of NFS and CIFS operations resulting from user access to files in a qtree (operation counts elided in the source are shown as ...):

system> qtree stats
Volume   Tree
-------  ---------
NASvol   nas_tree1  ...
Triggering Operations
Operations that a file policy can screen include:
- Creation of a new file
- Opening an existing file
- Renaming a file
[Figure: clients on an Ethernet network performing a file operation on my.docx, with the storage system passing the operation to the FPolicy server for screening before completing it]
To put a file policy into effect:
- Add or remove the extensions and options for the file policy
- Set up a file policy monitor
- Enable the file policy:
  fpolicy enable <PolicyName>
Assign FPolicy to create and rename operations over CIFS and NFS traffic:
  system> fpolicy monitor set mp3blocker -p cifs,nfs create,rename
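The full sequence for the mp3blocker policy, added here as an example rather than taken from the module. The policy name and the create/rename monitor over cifs,nfs come from the page; the mp3 and wma extensions, the screen policy type, and the required setting are assumed for illustration.

```console
system> options fpolicy.enable on
system> fpolicy create mp3blocker screen
system> fpolicy extensions include set mp3blocker mp3,wma
system> fpolicy monitor set mp3blocker -p cifs,nfs create,rename
system> fpolicy options mp3blocker required on
system> fpolicy enable mp3blocker -f
system> fpolicy show mp3blocker
```

The include list limits screening to files whose extension is mp3 or wma, so the FPolicy server only sees the operations the policy is meant to block. `required on` is the setting that matters for enforcement: if no FPolicy server is registered or the server is unreachable, monitored operations are denied (fail closed) instead of being allowed through unscreened. `-f` forces the policy on before a server has registered; with `required on` that means create and rename of matching files are refused until the screening server connects, which is the safe default for a blocking policy but should be planned for in change windows. `fpolicy show` confirms the enabled state, the monitored operations, and the servers currently registered.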
Module Summary
In this module, you should have learned to:
- List security methods for protecting data
- Explain and configure a security style setting for a volume and a qtree
- Describe methods of tracking and restricting storage usage
- Explain, create, and manage quotas
- Explain and configure FPolicy
Exercise
Module 9: NAS Management. Estimated time: 60 minutes
Does a security style prevent protocols from accessing the volume or qtree?
No. A security style only defines which permission rules (UNIX permissions or NTFS ACLs) are applied; users of the other protocol are mapped to an account in that model and evaluated against those rules.