This topic describes how to manage permission groups in the Apsara File Storage NAS console. You can create and delete permission groups and rules. You can also view a list of permission groups and a list of rules.
In NAS, each permission group represents a whitelist. You can add rules to a permission group to allow access to a file system from specific IP addresses or CIDR blocks. You can also grant different access permissions to different IP addresses or CIDR blocks.
After you activate NAS, a permission group named VPC default permission group (all allowed) is created. The default permission group allows read/write access to a file system from all IP addresses in a VPC. No limits are specified for root users.
- We recommend that you add rules only for required IP addresses and CIDR blocks to ensure data security.
- You cannot delete or modify the default permission group and its rules.
- You can create up to 10 permission groups for an Alibaba Cloud account.
Create a permission group and add rules
- Log on to the NAS console.
- Create a permission group.
- In the left-side navigation pane, go to the Access Group page. On the page that appears, click Create Permission Group.
- In the Create a New Permission Group dialog box, set the required parameters.
The following table describes the required parameters.
| Parameter | Description |
|---|---|
| Name | The name of the permission group. |
| Network type | The network type. Valid values: VPC and Classic Network. |
- Add rules to the permission group.
- Find the permission group and click Management Rules in the Operations column.
- On the List of Rules page, click Add Rules.
- Set the required parameters.
| Parameter | Description |
|---|---|
| Authorized Address | The authorized object to which the rule is applied. Note: if you add a rule to a permission group of the classic network type, you can specify an IP address rather than a CIDR block for this parameter. |
| Read/Write Permission | Whether the authorized object is allowed read-only or read/write access to the file system. Valid values: Read-only and Read and write. |
| User Permission | Whether access to the file system from a Linux server is limited. The valid values are listed below the table. |
| Priority | The priority of the rule. When multiple rules are applied to an authorized object, the rule with the highest priority takes effect. Valid values: 1 to 100 (1 indicates the highest priority). |

Valid values for User Permission:
- All Users Are Not Anonymous (No_Squash): allows the root user to access the file system.
- Root User anonymity (root_squash): denies access to the file system from the root user. The root user is treated as a nobody user.
- All Users Anonymous (All_Squash): denies access from all users. All users are treated as nobody users.

A nobody user has the fewest permissions. To ensure high security, the nobody user can access only the content that the server makes open to everyone.
- Click OK.
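The following added example (not Alibaba Cloud's code or API) models how the rules of one permission group resolve for a client: the whitelist denies anything with no matching rule, the rule with the lowest priority number wins, and the User Permission value decides whether root is squashed. The classic-network single-IP constraint and the 1 to 100 priority range are checked as well; the tie-break for equal priorities is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    authorized_address: str   # IP address or CIDR block the rule applies to
    rw_permission: str        # "Read-only" or "Read and write"
    user_permission: str      # "No_Squash", "root_squash" or "All_Squash"
    priority: int             # 1 to 100; 1 is the highest priority

def validate_rule(rule, network_type):
    """Reject values the console would not accept; return the parsed network."""
    if not 1 <= rule.priority <= 100:
        raise ValueError("priority must be between 1 and 100")
    if rule.rw_permission not in ("Read-only", "Read and write") or \
       rule.user_permission not in ("No_Squash", "root_squash", "All_Squash"):
        raise ValueError("unknown permission value")
    net = ipaddress.ip_network(rule.authorized_address, strict=False)
    # A classic-network group accepts a single IP address, not a CIDR block.
    if network_type == "Classic Network" and net.num_addresses != 1:
        raise ValueError("classic network rules must name a single IP address")
    return net

def effective_access(rules, network_type, client_ip, is_root):
    """Resolve a client's access; None means no rule matches (whitelist denies)."""
    ip = ipaddress.ip_address(client_ip)
    matching = [(r.priority, i, r) for i, r in enumerate(rules)
                if ip in validate_rule(r, network_type)]
    if not matching:
        return None
    # Lowest number wins. Ties fall back to listing order, which is an
    # assumption: the console does not define a tie-break.
    _, _, best = min(matching)
    if best.user_permission == "All_Squash":
        identity = "nobody"                            # everyone is squashed
    elif best.user_permission == "root_squash":
        identity = "nobody" if is_root else "user"     # only root is squashed
    else:
        identity = "root" if is_root else "user"       # No_Squash keeps root
    return {"rw": best.rw_permission, "identity": identity,
            "rule": best.authorized_address}

# Constructed sample group: broad read/write for the VPC with root squashed,
# plus a higher-priority read-only, all-squashed rule for one host.
SAMPLE_RULES = [
    Rule("10.0.0.0/8", "Read and write", "root_squash", 10),
    Rule("10.0.1.5", "Read-only", "All_Squash", 1),
]
```

Running `effective_access(SAMPLE_RULES, "VPC", "10.0.1.5", True)` shows the host-specific rule overriding the broad one, while an address outside 10.0.0.0/8 gets no access at all.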
What to do next?
On the Access Group page, you can perform the following operations.
| Operation | Description |
|---|---|
| View a list of permission groups and the details of a permission group | View the list of permission groups in a region and the details of a permission group. The details include the network type, the number of rules, and the number of associated file systems. |
| Modify a permission group | Find the permission group and click Edit in the Operations column to edit the description of the permission group. |
| Delete a permission group | Find the permission group and click Delete in the Operations column to delete the permission group. |
| View a list of rules | Find the permission group and click Management Rules in the Operations column to view the list of rules in the permission group. |
| Modify a rule | Click Management Rules. On the page that appears, find the rule and click Edit in the Operations column to edit the Authorized Address, Read And Write Permissions, User Permissions, and Priority fields. |
| Delete a rule | Click Management Rules. On the page that appears, find the rule and click Delete in the Operations column to delete the rule. |