
Mailing List Archive: Netapp: toasters

restrict access to volumes to particular protocols

 

 



pdg at uow

Sep 8, 2009, 9:48 PM

Post #1 of 4 (762 views)
restrict access to volumes to particular protocols

Hi people

Is there any way to restrict access to volumes to particular
protocols?

e.g. /vol/oracle can only be accessed by NFS
/vol/myshares can only be accessed by CIFS

I have become a bit concerned because it looks like
domain administrators can set up shares willy nilly
and I really want better security than that on some of
my volumes.

Is there some way to do what I want?


Regards,
pdg

--

See mail headers for contact information.


pdg at uow

Sep 8, 2009, 11:12 PM

Post #2 of 4 (711 views)
Re: restrict access to volumes to particular protocols [In reply to]

On Wed, Sep 09, 2009 at 07:34:24AM +0200, Borzenkov, Andrey wrote:
> If you do not trust domain administrators, remove them from local administrators group on filer and/or implement finer grained role restrictions.
>

But this does not solve the problem methinks. I want them to be able
to set up shares in the volumes they need to. I just do
not want them to be able to set up
shares to oracle databases on the same filer.

One solution would be virtual filers (forget the name
of that feature for the moment). Then I could have the
oracle volumes on separate virtual filers
to the shares. But that's a lot of bother.


Regards,
pdg

--

See mail headers for contact information.


geraldv at stanford

Sep 8, 2009, 11:36 PM

Post #3 of 4 (700 views)
Re: restrict access to volumes to particular protocols [In reply to]

On Sep 8, 2009, at 11:12 PM, Peter D. Gray wrote:

> One solution would be virtual filers (forget the name
> of that feature for the moment). Then I could have the
> oracle volumes on separate virtual filers
> to the shares. But that's a lot of bother.

This is one of the reasons why we use vfilers via Multistore. It is
particularly handy when a filer is serving many protocols and
privileges need to be delegated.

-=--=-
gerald villabroza <geraldv at stanford.edu>
technical lead, its storage, stanford university


Adam.Fox at netapp

Sep 11, 2009, 10:40 AM

Post #4 of 4 (663 views)
RE: restrict access to volumes to particular protocols [In reply to]

MultiStore is the correct solution. Although just as a side commentary,
if you really can't trust your admins, you've got security problems far
beyond what software can help solve.

-- Adam Fox
Systems Engineer
adamfox[at]netapp.com

-----Original Message-----
From: Peter D. Gray [mailto:pdg[at]uow.edu.au]
Sent: Wednesday, September 09, 2009 2:13 AM
To: toasters[at]mathworks.com
Subject: Re: restrict access to volumes to particular protocols

On Wed, Sep 09, 2009 at 07:34:24AM +0200, Borzenkov, Andrey wrote:
> If you do not trust domain administrators, remove them from local
> administrators group on filer and/or implement finer grained role
> restrictions.
>

But this does not solve the problem methinks. I want them to be able
to set up shares in the volumes they need to. I just do
not want them to be able to set up
shares to oracle databases on the same filer.

One solution would be virtual filers (forget the name
of that feature for the moment). Then I could have the
oracle volumes on separate virtual filers
to the shares. But that's a lot of bother.


Regards,
pdg

--

See mail headers for contact information.
