In File Storage NAS, a permission group acts as a virtual firewall that uses a whitelist to control network access to your file systems. You can configure custom permission groups with rules that grant different levels of access to specific IP addresses or CIDR blocks for various scenarios.
Background
By default, each Alibaba Cloud account has a default permission group. This group grants any IP address within the VPC full read/write access to the file system, with no restrictions on Linux user access.
The default permission group applies only within a VPC and is inaccessible from the public internet. It cannot be modified or deleted.
If the default permission group is insufficient for your needs, create custom permission groups to grant specific access levels to different IP addresses or CIDR blocks.
Limitations
-
You can create up to 20 permission groups for each Alibaba Cloud account in a region.
-
Each permission group can contain up to 300 rules.
-
Permission groups can be created only for the VPC network type.
Procedure
To maximize data security, add permission group rules cautiously. Grant access only to trusted IP addresses or CIDR blocks.
-
Create a permission group.
-
In the left-side navigation pane, choose .
-
In the top navigation bar, select a region.
-
On the Permission Group page, click the General-purpose NAS or Extreme NAS tab, and then click Create Permission Group.
-
In the Create Permission Group dialog box, configure the parameters.
The following table describes the key parameters.
Parameter
Description
Name
The name of the permission group. The name must meet the following requirements:
-
Must start with a letter.
-
Can contain letters, digits, underscores (_), and hyphens (-).
-
Chinese characters are not supported.
-
The name must be unique within the region.
Network type
Only VPC is supported.
NoteAs of November 21, 2022, you can no longer create classic network permission groups for General-purpose NAS file systems. However, existing groups of this type created before this date can still be used.
-
-
-
Add a rule to the permission group.
-
Find the permission group that you created. In the Actions column, click Manage Rules. Then, click Create Rule and configure the rule parameters.
Parameter
Description
Authorization type
The authorization type for this rule. Valid values are IPv4 access address and IPv6 access address.
NoteIPv6 access addresses are supported only for Extreme NAS.
Authorized address
The IP address or CIDR block to which access is granted. Permission groups only support access control based on IP addresses or CIDR blocks. They do not support restrictions based on device identifiers such as MAC addresses. If multiple devices in the same network share the same egress IP address, the permission group cannot distinguish access requests from different devices.
Read/write permissions
The permissions for the authorized source. Valid values are Read-only and Read/Write.
User permissions
Specifies how to map user identities from the client-side Linux system. This setting does not apply to SMB file systems and has no effect if configured.
-
No Anonymity: Allows a client's root user to access the file system with root privileges.
-
Root User Anonymity: Maps access requests from a root user on the client to the anonymous
nobodyuser. -
General Anonymity: Maps access requests from all users on the client to the anonymous
nobodyuser.
The
nobodyuser is a default Linux user with low privileges, which enhances security. This user can typically only access public content on the server.Priority
If an authorized source matches multiple rules, the one with the highest priority (lowest number) takes precedence. Enter an integer from 1 to 100, where 1 is the highest priority.
NoteIf multiple rules with the same priority but different permissions contain overlapping CIDR blocks, the rule that was created first takes effect. We recommend avoiding configurations with overlapping CIDR blocks.
-
-
Click OK.
-
Log on to the NAS console.
Other operations
On the Permission Group page, you can perform the following operations.
|
Actions |
Description |
|
View permission groups and details |
View details for permission groups in the current region, such as their type, rule count, and the number of attached file systems. |
|
Edit a permission group |
Find the target permission group and click Edit to modify its description. |
|
Delete a permission group |
Find the target permission group and click Delete to delete it. |
|
View permission group rules |
Find the target permission group and click Manage Rules to view the rules within that group. |
|
Edit a permission group rule |
Click Manage Rules, find the target rule, and then click Edit. You can modify the authorized address, read/write permissions, user permissions, and priority. |
|
Delete a permission group rule |
Click Manage Rules, find the target rule, and then click Delete to delete the rule. |
Related topics
To protect data in transit, use the encryption-in-transit feature. It secures the network link between your ECS instances and the NAS service, protecting data from theft or tampering during transmission. For detailed instructions, see Encryption-in-transit for NFS file systems or Encryption-in-transit for SMB file systems.