This topic describes how to manage a permission group in the Apsara File Storage NAS console. You can create and delete a permission group and rules. You can also view the list of permission groups and the list of rules.

Background information

In NAS, each permission group represents a whitelist. You can add rules to a permission group to allow access from specific IP addresses or CIDR blocks to a file system. You can also grant different access permissions to different IP addresses or CIDR blocks.

After you activate NAS, a permission group named "CLASSIC default permission group (all allowed)" or a permission group named "VPC default permission group (all allowed)" is created. The default permission group allows read and write access from all IP addresses to a file system in the classic network or in a virtual private cloud (VPC). No limits are specified for root users.

Note
  • We recommend that you add rules for only the required IP addresses and CIDR blocks to ensure data security.
  • You cannot delete or modify the default permission group and its rules.
  • You can create a maximum of 10 permission groups for each Alibaba Cloud account.

Create a permission group and add rules for the permission group

  1. Log on to the NAS console.
  2. Create a permission group.
    1. In the left-side navigation pane, choose File System > Access Group.
    2. On the Access Group page, click the General Purpose NAS tab or the Extreme NAS tab, and click Create Permission Group.
    3. In the Create a permission group dialog box, set the required parameters.

      The following table describes the required parameters.

      Parameter | Description
      Name | The name of the permission group.
        Note: The name must be unique within the Alibaba Cloud account.
      Network Type | Valid values: Classic Network and VPC.
        Note: Only a permission group that resides in a VPC can be attached to the mount target of an Extreme NAS file system.
  3. Add rules to the permission group.
    1. Find the permission group and click Management Rules in the Operations column.
    2. On the List of rules page of the permission group, click Add Rules. In the dialog box that appears, set the required parameters.
      Parameter | Description
      Authorization Type | Specifies the type of the IP addresses or CIDR blocks to be authorized. Valid values: IPv4 access addresses and IPv6 access addresses. This parameter is valid only in the China (Hohhot) region.
      Authorized Address | Specifies the authorized object to which the rule is applied.
        Note: If the permission group resides in the classic network, you can specify a single IP address rather than a CIDR block for this parameter.
      Read And Write Permissions | Specifies whether to allow read-only or read and write access from the authorized object to the file system. Valid values: Read-only and Read and write.
      User Permission | Specifies whether to limit access from Linux to the file system. This parameter is invalid for Server Message Block (SMB) file systems.
        • All Users Are Not Anonymous (No_Squash): allows access from the root user to the file system.
        • Root User anonymity (root_squash): treats root users as the nobody user, which has the least permissions.
        • All Users Anonymous (All_Squash): treats all users as the nobody user, which has the least permissions.
        The nobody user has the least permissions in Linux and can access only the open content of the file system. This ensures the security of the file system.
      Priority | Specifies the priority of the rule. If multiple rules are applied to an authorized object, the rule with the highest priority takes effect. Valid values: 1 to 100. The value 1 indicates the highest priority.
        Note: If multiple rules have overlapping CIDR blocks, different permissions, and the same priority, the first rule takes effect. We recommend that you do not add rules that have overlapping CIDR blocks.
    3. Click OK.
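
The priority and overlap behaviour described above can be checked offline before rules are entered in the console. The following Python example is added here and is not Alibaba Cloud code: the Rule class, the function names and the sample addresses are assumptions, and list order stands in for "the first rule" when priorities tie.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    address: str   # Authorized Address: single IP or CIDR block
    rw: str        # "read-only" or "read-write"
    squash: str    # "no_squash", "root_squash" or "all_squash"
    priority: int  # 1 (highest) to 100

    @property
    def net(self):
        return ipaddress.ip_network(self.address, strict=False)

def effective_rule(rules, client_ip):
    """Return the rule applied to client_ip, or None if no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    matches = [r for r in rules if ip in r.net]
    # min() keeps the first minimal item, so list order breaks priority ties
    # (assumption: list order stands in for the page's "first rule").
    return min(matches, key=lambda r: r.priority, default=None)

def audit(rules):
    """Flag rules broader or more ambiguous than the page recommends."""
    findings = []
    for r in rules:
        if r.net.prefixlen == 0:
            findings.append(f"{r.address}: allows every address")
        if r.squash == "no_squash" and r.rw == "read-write":
            findings.append(f"{r.address}: root is not squashed and can write")
    for a, b in combinations(rules, 2):
        if (a.net.overlaps(b.net) and a.priority == b.priority
                and (a.rw, a.squash) != (b.rw, b.squash)):
            findings.append(f"{a.address} overlaps {b.address} at priority "
                            f"{a.priority} with different permissions")
    return findings

# Constructed sample rules; the addresses are illustrative, not from the page.
RULES = [
    Rule("10.0.0.0/8", "read-only", "root_squash", 50),
    Rule("10.1.2.0/24", "read-write", "root_squash", 10),
    Rule("10.1.2.15", "read-write", "no_squash", 10),
    Rule("192.168.0.0/16", "read-only", "all_squash", 20),
    Rule("192.168.5.0/24", "read-write", "root_squash", 20),
]

if __name__ == "__main__":
    print(effective_rule(RULES, "10.1.2.15"), *audit(RULES), sep="\n")
```

In the sample, 10.1.2.15 resolves to the 10.1.2.0/24 rule because both rules have priority 10 and the /24 rule comes first, so the No_Squash rule for that single address never takes effect.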

What to do next

On the Access Group page, you can perform the following operations.

Operation | Procedure
View the list of permission groups and the details of the permission group | View the list of permission groups in a region and the details of the permission group. The details include the network type, number of rules, and number of attached file systems.
Modify the permission group | Find the permission group and click Edit in the Operations column to modify the description of the permission group.
Delete the permission group | Find the permission group and click Delete in the Operations column to delete the permission group.
View the list of rules | Find the permission group and click Management Rules in the Operations column to view the list of rules in the permission group.
Modify the rule | Click Management Rules. On the page that appears, find the rule, and click Edit in the Operations column to modify the parameter settings. The parameters include Authorized Address, Read And Write Permissions, User Permissions, and Priority.
Delete the rule | Click Management Rules. On the page that appears, find the rule, and click Delete in the Operations column to delete the rule.