In NAS, the permission group acts as a whitelist that allows you to restrict file system access. You can allow specified IP addresses or CIDR blocks to access the file system, and assign different levels of access permission to different IP addresses or CIDR blocks by adding rules to the permission group.
When NAS is activated, the Default VPC Permission Group is automatically generated. It allows all IP addresses in a VPC to access the mount point with full permissions. Full permissions include Read/Write permission with no restriction on root users.
For classic network mount points, no default permission group is provided. In addition, the allowed IP address in permission group rules must be a single IP address rather than a CIDR block.
Note: We recommend that you add permission group rules carefully and only allow necessary IP addresses.
To create a permission group, follow these steps.
1. Log on to the NAS console.
2. From the left-side navigation pane, click Permission Groups.
3. Click Create Permission Group.
4. On the Create Permission Group page, enter a name and click OK.
Note: Up to 10 permission groups are allowed for an Alibaba Cloud account.
On the Permission Groups page, click Manage under a permission group to enter its Rules page, where you can add and manage rules.
A permission group rule is composed of the following attributes:
|Attribute|Value|Description|
|---|---|---|
|Authorized Address|Single IP addresses or CIDR blocks (classic network only supports single IP addresses)|Authorized objects of the rule.|
|Read and Write Permission|Read-Only or Read/Write|Allows the authorized object read-only or read/write access on the file system.|
|User Permission|Do not restrict root users (no_squash), restrict root users (root_squash), restrict all users (all_squash)|Determines whether to restrict the permission of the authorized object’s Linux system users in the file system. When determining access permissions of a file or a directory,|
|Priority|1-100, with 1 as the highest priority|When the same authorization object matches multiple rules, the rule with the highest priority overwrites the remaining rules.|
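
The priority behaviour in the table can be checked offline before rules are entered in the console. The following Python sketch is an added example, not Alibaba Cloud code or a NAS API: the `Rule` class, the function names, the sample rules and the `max_hosts` review threshold are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one permission group rule
    address: str                 # Authorized Address: single IP or CIDR block
    rw: str                      # "Read-Only" or "Read/Write"
    user: str                    # "no_squash", "root_squash" or "all_squash"
    priority: int                # 1-100, 1 is the highest priority

def _net(rule: Rule):
    return ipaddress.ip_network(rule.address, strict=False)

def validate(rule: Rule, classic_network: bool = False) -> None:
    # Reject values that fall outside the attribute table.
    if classic_network and _net(rule).num_addresses != 1:
        raise ValueError(f"classic network needs a single IP: {rule.address}")
    if rule.rw not in ("Read-Only", "Read/Write"):
        raise ValueError(f"bad read/write value: {rule.rw}")
    if rule.user not in ("no_squash", "root_squash", "all_squash"):
        raise ValueError(f"bad user permission: {rule.user}")
    if not 1 <= rule.priority <= 100:
        raise ValueError(f"priority out of range: {rule.priority}")

def effective_rule(rules: list, client_ip: str) -> "Rule | None":
    """Rule that wins for client_ip, or None when no rule authorizes it.
    Equal priorities are not covered by the text; the sample has none."""
    ip = ipaddress.ip_address(client_ip)
    matches = [r for r in rules if ip in _net(r)]
    return min(matches, key=lambda r: r.priority, default=None)

def broad_full_access(rules: list, max_hosts: int = 256) -> list:
    """Rules granting Read/Write + no_squash to more than max_hosts addresses
    (max_hosts is an assumed review threshold, not a NAS limit)."""
    return [r for r in rules if r.rw == "Read/Write" and r.user == "no_squash"
            and _net(r).num_addresses > max_hosts]

# Constructed sample rules, not taken from a real account.
RULES = [
    Rule("192.168.0.0/16", "Read/Write", "no_squash", 100),
    Rule("192.168.10.0/24", "Read-Only", "root_squash", 50),
    Rule("192.168.10.7", "Read/Write", "root_squash", 1),
]

if __name__ == "__main__":
    for r in RULES:
        validate(r)
    for ip in ("192.168.10.7", "192.168.10.20", "192.168.99.1", "10.0.0.5"):
        print(ip, "->", effective_rule(RULES, ip))
    print("review:", broad_full_access(RULES))
```

The last address in the loop matches no rule, so the whitelist gives it no access; the review list contains only the /16 rule, which has the same shape as the default full-permission grant.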