Pnfs, starting with V3.1.9, allows to disable the remove and/or move nfs operation of the content of directories configured as such.
- Once disabled, remove,move will be denied on the content of the corresponding directory regardless of the host or uid this request has been coming from. Not even root on localhost can perform those operations.
- See Inheritance of security properties.
- Other nfs operation are not affected by this property.
- The disable operation can only be activated/deactivated on the pnfs server itself as the root user.
Pnfs, starting with V3.1.9, allows to disable all nfs operations on directories (except lookup) from nontrusted hosts.
- Once enabled, create,move and remove operations will be allowed only by nfs client hosts assigned a trust level above 13.
- See Inheritance of security properties.
- Nfs operation on files (setattr,..) are not affected by this property.
- The descibed operation can only be activated/deactivated on the pnfs server itself as the root user.
Security properties might be inherited by subdirectories of datasets if the compile time flags MD_FLAGS_INHERIT is set. Inheriting security properties might become rather confusing becauseThe newly create object inherits the properties of its parent directory in the moment the object is created. Subsequent changes of the properties of the parent directory don't affect the properties of the child object.
The sclient pnfs tool is used to set/unset the properties decribed above. sclient can only be issued on the pnfs server itself as root user. The pnfsid is used to descibe the object to be modified, therefore pnfs doesn't need to be mounted. For convenience we provide a script (pflags) which first maps a full pathname into a pnfsId which is then passed to sclient. This script needs the pnfs filesystem to do the mapping.
sclient flag <shmid> <pnfsId> remove|move|security on|off plags <fullPathName> remove|move|security on|off
Property Default Description remove on nfs remove operation (dis)allowed within this directory move on nfs move operation (dis)allowed within this directory security off on : nfs operation within this directory only allowed from trusted hosts.