
Apsara File Storage NAS:Manage a permission group

Last Updated:Dec 05, 2023

In Apsara File Storage NAS, each permission group represents a whitelist. You can create a permission group and add related rules to allow access from specific IP addresses or CIDR blocks to a file system. You can also grant different access permissions to IP addresses or CIDR blocks.

Background information

After you activate NAS, a permission group named "CLASSIC default permission group (all allowed)" or a permission group named "VPC default permission group (all allowed)" is created. The default permission group allows read and write access from all IP addresses to a file system in the classic network or in a virtual private cloud (VPC), and no user permission restrictions are applied to Linux users. You cannot delete or modify the default permission group.

Important

If the default permission group does not meet your business requirements, you can customize a permission group and related rules to grant different access permissions to IP addresses or CIDR blocks.

Limits

  • You can use each Alibaba Cloud account to create up to 20 file systems in a region.

  • You can add up to 300 rules to each permission group.

  • You can create permission groups only for VPCs.

Create a permission group and add rules to the permission group

Note

To ensure data security, we recommend that you add rules for only the required IP addresses and CIDR blocks.

  1. Log on to the NAS console.

  2. Create a permission group.

    1. In the left-side navigation pane, choose File System > Permission Group.

    2. In the top navigation bar, select a region.

    3. On the Permission Group page, click the General-purpose NAS or Extreme NAS tab. Then, click Create Permission Group.

    4. In the Create Permission Group dialog box, configure the parameters.

      Create a permission group

      The dialog box contains the following parameters.

      • Name: The name of the permission group.

        Note: The name must be unique within the Alibaba Cloud account.

      • Network Type: Valid values: VPC and Classic Network.

        Note: Only a permission group that resides in a VPC can be attached to the mount target of an Extreme NAS file system.

  3. Add rules to the permission group.

    1. Find the created permission group and click Manage Rules in the Actions column.

    2. On the List of rules page of the permission group, click Create Rule. In the dialog box that appears, configure the following parameters.

      • Authorization Type: The type of the IP addresses or CIDR blocks that you want to authorize. Valid values: IPv4 access address and IPv6 access address. This parameter is available only in the China (Hohhot) region.

      • Authorized Address: The authorized object to which the rule applies, specified as a single IP address or a CIDR block.

        Note: If the permission group resides in the classic network, you can specify only a single IP address, not a CIDR block.

      • Read/Write Permissions: Specifies whether the authorized object is allowed read-only access or read and write access to the file system. Valid values: Read-only and Read/Write.

      • User Permissions: Specifies whether to restrict the permissions of Linux users that access the file system. This parameter does not apply to Server Message Block (SMB) file systems.

          • No Anonymity: allows root users to access the file system as root.

          • Root User Anonymity: maps root users to the nobody user, so they receive only its minimal permissions.

          • General Anonymity: maps all users to the nobody user, so they receive only its minimal permissions.

        The nobody user has the least permissions in Linux and can access only the public content of the file system, which protects the rest of the file system from the client.

      • Priority: The priority of the rule. If multiple rules apply to an authorized object, the rule that has the highest priority takes effect. Valid values: 1 to 100. The value 1 indicates the highest priority.

        Note: If multiple rules have overlapping CIDR blocks, different permissions, and the same priority, the rule that you added first takes effect. Avoid overlapping CIDR blocks across rules so that the effective permission does not depend on creation order.

    3. Click OK.
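The rule evaluation described under Priority (the highest priority wins, and among rules of equal priority the one added first wins) and the advice to whitelist only the addresses you need can both be checked offline against a rule set before it goes into the console. The following Python script is an added example and is not part of this document or of the NAS service: the Rule fields mirror the console's parameter labels, but the function names, the ambiguity and wide-open checks, and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule of a NAS permission group (field names follow the console labels)."""
    authorized_address: str   # single IP address or CIDR block
    rw_permission: str        # "Read-only" or "Read/Write"
    user_permission: str      # "No Anonymity", "Root User Anonymity" or "General Anonymity"
    priority: int             # 1..100, where 1 is the highest priority
    order: int                # creation order inside the group (0 = added first)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 100:
            raise ValueError(f"priority must be 1..100, got {self.priority}")
        # Reject malformed addresses early; strict=False accepts host bits in a CIDR.
        ipaddress.ip_network(self.authorized_address, strict=False)

    @property
    def network(self):
        return ipaddress.ip_network(self.authorized_address, strict=False)


def matching_rules(rules: List[Rule], client_ip: str) -> List[Rule]:
    """All rules whose authorized address covers the client address."""
    ip = ipaddress.ip_address(client_ip)
    # `in` is False across IP versions, so an IPv4 client never matches an IPv6 rule.
    return [r for r in rules if ip in r.network]


def effective_rule(rules: List[Rule], client_ip: str) -> Optional[Rule]:
    """The rule that takes effect for a client: lowest priority number wins,
    and among equal priorities the rule that was added first wins.
    Returns None when no rule matches, i.e. the client is not whitelisted."""
    matches = matching_rules(rules, client_ip)
    if not matches:
        return None
    return min(matches, key=lambda r: (r.priority, r.order))


def ambiguous_pairs(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Pairs of rules with overlapping address ranges, the same priority and
    different permissions: their outcome depends only on creation order."""
    found = []
    for a, b in combinations(rules, 2):
        if a.priority != b.priority:
            continue
        if (a.rw_permission, a.user_permission) == (b.rw_permission, b.user_permission):
            continue
        if a.network.version == b.network.version and a.network.overlaps(b.network):
            found.append((a, b))
    return found


def wide_open_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose address is 0.0.0.0/0 or ::/0, i.e. every address is whitelisted."""
    return [r for r in rules if r.network.prefixlen == 0]


# Constructed sample rule set for demonstration; not taken from any real account.
SAMPLE_RULES = [
    Rule("192.168.0.0/16", "Read-only", "General Anonymity", priority=10, order=0),
    Rule("192.168.10.0/24", "Read/Write", "No Anonymity", priority=1, order=1),
    Rule("192.168.10.5", "Read-only", "Root User Anonymity", priority=1, order=2),
    Rule("0.0.0.0/0", "Read/Write", "No Anonymity", priority=100, order=3),
]

if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.20.7", "10.0.0.1"):
        r = effective_rule(SAMPLE_RULES, ip)
        print(ip, "->", None if r is None else
              (r.authorized_address, r.rw_permission, r.user_permission))
    for a, b in ambiguous_pairs(SAMPLE_RULES):
        print("ambiguous:", a.authorized_address, "vs", b.authorized_address,
              "(same priority, different permissions; first added wins)")
    for r in wide_open_rules(SAMPLE_RULES):
        print("wide open:", r.authorized_address, "- whitelists every address")
```

In the sample, the /24 and the single-address rule share priority 1 with different permissions, so `192.168.10.5` gets the /24 rule only because it was added first; `ambiguous_pairs` surfaces exactly that situation, and `wide_open_rules` flags the 0.0.0.0/0 rule that reproduces the default group's allow-all behaviour. Run the two checks over your intended rule set before creating the rules in the console.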

What to do next

On the Permission Group page, you can perform the following operations.

  • View the permission groups and their details: View the permission groups in a region and the details of each permission group, including the network type, the number of rules, and the number of attached file systems.

  • Modify a permission group: Find the permission group and click Edit in the Actions column to modify the description of the permission group.

  • Delete a permission group: Find the permission group and click Delete in the Actions column to delete the permission group.

  • View the list of rules: Find the permission group and click Manage Rules in the Actions column to view the rules in the permission group.

  • Modify a rule: Click Manage Rules. On the page that appears, find the rule and click Edit in the Actions column to modify the Authorized Address, Read/Write Permissions, User Permissions, and Priority parameters.

  • Delete a rule: Click Manage Rules. On the page that appears, find the rule and click Delete in the Actions column to delete the rule.