oracular (5) mfsexports.cfg.5.gz

Provided by: moosefs-master_3.0.117-1.1build2_amd64

NAME

       mfsexports.cfg - MooseFS access control for mfsmounts

DESCRIPTION

       The file mfsexports.cfg contains the MooseFS access list for mfsmount clients.

SYNTAX

       Syntax is:

       ADDRESS DIRECTORY [OPTIONS]

       Lines starting with the # character are ignored as comments.

       ADDRESS can be specified in several forms:

       *                   all addresses
       n.n.n.n             single IP address
       n.n.n.n/b           IP class specified by network address and number of significant bits
       n.n.n.n/m.m.m.m     IP class specified by network address and mask
       f.f.f.f-t.t.t.t     IP range specified by from-to addresses (inclusive)

       DIRECTORY can be / or a path relative to the MooseFS root; the special value . means the
       MFSMETA companion filesystem.
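Matching a client address against the five ADDRESS forms listed above, as an added Python example (not code from MooseFS or this manual); it relies only on the standard ipaddress module and assumes the IPv4 notation the page uses.

```python
import ipaddress

def address_matches(spec, client_ip):
    """True if client_ip falls inside ADDRESS given in any of the forms listed above:
    '*', 'n.n.n.n', 'n.n.n.n/b', 'n.n.n.n/m.m.m.m' or 'f.f.f.f-t.t.t.t'."""
    ip = ipaddress.IPv4Address(client_ip)
    if spec == "*":                                   # all addresses
        return True
    if "-" in spec:                                   # from-to range, inclusive
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return lo <= ip <= hi
    if "/" in spec:                                   # prefix length or dotted mask
        return ip in ipaddress.IPv4Network(spec, strict=False)
    return ip == ipaddress.IPv4Address(spec)          # single address

def matching_entries(entries, client_ip):
    """Return the (address, directory) pairs whose ADDRESS covers client_ip,
    keeping file order; entries are (address, directory) tuples."""
    return [e for e in entries if address_matches(e[0], client_ip)]

# Constructed sample entries, one per ADDRESS form the page lists.
SAMPLE_ENTRIES = [("*", "/"), ("192.168.1.0/24", "/"), ("10.0.0.0-10.0.0.5", "/test"),
                  ("10.1.0.0/255.255.0.0", "/public"), ("10.2.0.7", "/")]
```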

       OPTIONS list:

       ro, readonly
              export the tree in read-only mode; this is the default

       rw, readwrite
              export the tree in read-write mode

       alldirs
              allows mounting any subdirectory of the specified directory (similar to NFS)

       dynamicip
              allows an already authenticated client to reconnect from any IP address  (the
              default is to check the IP address on reconnect)

       ignoregid
              disables group access checks at the mfsmaster level (they are still  done  at
              the  mfsmount  level);  in  this  case  "group"  and "other" permissions are
              combined (logically ORed); needed for  supplementary  groups  to  work,  since
              mfsmaster receives only the user's primary group information

       admin  administrative privileges; currently this allows changing  quota  values  and
              managing storage classes

       maproot=USER[:GROUP]
              maps root (uid=0) accesses to the given user and group (similar to the maproot
              option in NFS mounts); USER and GROUP can be given either as a name  or  as  a
              number;  if  no group is specified, USER's primary group is used.  Names  are
              resolved on the mfsmaster side (see note below).

       mapall=USER[:GROUP]
              as above, but maps all non-privileged (uid!=0) user accesses to the given user
              and group (see notes below).

       password=PASS, md5pass=MD5
              requires password authentication in order to access specified resource

       minversion=VER
              rejects access from clients older than the specified version

       mingoal=N, maxgoal=N
              specify the range within which users can set the goal

       mintrashtime=TDUR, maxtrashtime=TDUR
              specify the range within which users can set the trashtime

       disable=OPERATION[:OPERATION[:...]]
              do not allow the client to perform certain operations

       Default   options   are:   ro,   maproot=999:999,  mingoal=1,  maxgoal=9,  mintrashtime=0,
       maxtrashtime=4294967295.
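A parser for one mfsexports.cfg entry that applies the defaults just listed, followed by the check a defender would run over the whole file; this is added Python example code, not part of MooseFS. The two risk criteria (read-write export to all addresses, or root left as uid 0 via maproot=0, either one without password/md5pass) are this example's own, and the sample file is constructed after the EXAMPLES section.

```python
# Defaults as listed in this man page (values kept as strings in this example).
DEFAULTS = {"mode": "ro", "maproot": "999:999", "mingoal": "1", "maxgoal": "9",
            "mintrashtime": "0", "maxtrashtime": "4294967295"}

# Constructed sample modelled on the EXAMPLES section of this page.
SAMPLE = """\
# comment lines are ignored
*                    /       rw
192.168.1.0/24       /       rw,alldirs,maproot=0,password=passcode
10.2.0.0/255.255.0.0 /       rw,alldirs,maproot=0
10.0.0.0-10.0.0.5    /test   rw,disable=unlink,disable=rmdir:truncate
"""

def parse_line(line):
    """Parse 'ADDRESS DIRECTORY [OPTIONS]' into (address, directory, options);
    returns None for blank and comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    addr, directory, *rest = s.split()
    opts, disabled = dict(DEFAULTS), set()
    for opt in (rest[0].split(",") if rest else []):
        key, _, val = opt.partition("=")
        if key in ("ro", "readonly", "rw", "readwrite"):
            opts["mode"] = "rw" if key in ("rw", "readwrite") else "ro"
        elif key == "disable":                   # colon list; option may also repeat
            disabled.update(val.split(":"))
        else:                                    # bare flag -> True, key=value -> str
            opts[key] = val or True
    opts["disable"] = disabled
    return addr, directory, opts

def audit(text):
    """Return (line_no, message) for entries that export rw to all addresses, or keep
    root as uid 0 (maproot=0), without password/md5pass. Criteria are this example's."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, _, o = parsed
        has_pw = "password" in o or "md5pass" in o
        if o["mode"] == "rw" and addr == "*" and not has_pw:
            findings.append((n, "rw export to all addresses without password"))
        if str(o["maproot"]).split(":")[0] in ("0", "root") and not has_pw:
            findings.append((n, "root kept as uid 0 without password"))
    return findings
```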

NOTES

       USER and GROUP names (if not  specified  by  explicit  uid/gid  number)  are  resolved  on
       mfsmaster host.

       TDUR can be specified as a number without a time unit (a number of seconds) or as a
       combination of numbers with time units. Time units are: W, D, H, M, S.  Order  is
       important: less significant time units can't be given before more significant time
       units. Time units are case insensitive.
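A TDUR parser implementing the rules just stated (plain seconds, or W/D/H/M/S components in descending order, case insensitive), as an added Python example that is not MooseFS code; trashtime_range applies this page's mintrashtime/maxtrashtime defaults to an OPTIONS string.

```python
import re

UNIT_SECONDS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}
ORDER = "WDHMS"  # most significant first; a unit may not follow a less significant one

def parse_tdur(text):
    """Convert a TDUR string ('86400', '2h30m', '2W') to seconds.
    Raises ValueError on unknown units, wrong order, or a repeated unit."""
    s = text.strip().upper()          # units are case insensitive
    if s.isdigit():
        return int(s)                 # plain number: seconds
    total, last = 0, -1               # last = index in ORDER of the previous unit
    pos = 0
    for m in re.finditer(r"(\d+)([WDHMS])", s):
        if m.start() != pos:          # garbage between components
            raise ValueError("bad TDUR syntax: %r" % text)
        pos = m.end()
        idx = ORDER.index(m.group(2))
        if idx <= last:               # less significant (or same) unit came first
            raise ValueError("unit %s out of order in %r" % (m.group(2), text))
        last = idx
        total += int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if pos == 0 or pos != len(s):     # nothing parsed, or trailing garbage
        raise ValueError("bad TDUR syntax: %r" % text)
    return total

def trashtime_range(options):
    """Return (mintrashtime, maxtrashtime) in seconds for an OPTIONS string,
    applying the man page defaults 0 and 4294967295 when unset."""
    lo, hi = 0, 4294967295
    for opt in options.split(","):
        key, _, val = opt.partition("=")
        if key == "mintrashtime":
            lo = parse_tdur(val)
        elif key == "maxtrashtime":
            hi = parse_tdur(val)
    if lo > hi:
        raise ValueError("mintrashtime exceeds maxtrashtime")
    return lo, hi
```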

       The mapall option works differently in MooseFS than in NFS, because  MooseFS  uses
       FUSE's "default_permissions" option. When mapall is used, users see all objects whose
       uid equals the mapped uid as their own and all others as root's objects.  Similarly,
       objects whose gid equals the mapped gid are seen as objects  with  the  current user's
       primary group, and all other objects as objects with group 0 (usually  wheel).  With
       mapall set, the attribute cache in the kernel is always turned off.

       The disable option can take many parameters (operations to disable) in two ways: as a
       list separated by colons (:) or by repeating the option many times.  The  operations
       that can be disabled are:
       chown        - don't allow the client to perform the chown operation
       chmod        - don't allow the client to perform the chmod operation
       symlink      - don't allow the client to create symbolic links
       mkfifo       - don't allow the client to create FIFOs
       mkdev        - don't allow the client to create devices
       mksock       - don't allow the client to create sockets
       mkdir        - don't allow the client to create directories
       unlink       - don't allow the client to remove non-directory objects (will also deny the move/rename operation if the target inode already exists!)
       rmdir        - don't allow the client to remove directories (will also deny the move/rename operation if the target inode already exists!)
       rename       - don't allow the client to change the names of inodes (files, directories)
       move         - don't allow the client to move inodes (files, directories) to another path
       link         - don't allow the client to create hard links
       create       - don't allow the client to create new files
       readdir      - don't allow the client to list directories (the 'ls' command will not work)
       read         - don't allow the client to read from files
       write        - don't allow the client to write to files
       truncate     - don't allow the client to shorten the length of a file with the truncate command
       setlength    - don't allow the client to increase the length of a file with the truncate command
       appendchunks - don't allow the client to add chunks from one file to another (mfsappendchunks)
       snapshot     - don't allow the client to create snapshots
       settrash     - don't allow the client to change trash retention time
       setsclass    - don't allow the client to set storage classes
       seteattr     - don't allow the client to set mfs extra attributes
       setxattr     - don't allow the client to set XATTRs
       setfacl      - don't allow the client to set ACLs

EXAMPLES

       *                    /       ro
       192.168.1.0/24       /       rw
       192.168.1.0/24       /       rw,alldirs,maproot=0,password=passcode
       10.0.0.0-10.0.0.5    /test   rw,maproot=nobody,password=test
       10.1.0.0/255.255.0.0 /public rw,mapall=1000:1000
       10.2.0.0/16          /       rw,alldirs,maproot=0,mintrashtime=2h30m,maxtrashtime=2w
       192.168.1.0/24       /       rw,disable=unlink:rmdir:truncate
       192.168.1.0/24       /       rw,disable=unlink,disable=rmdir,disable=truncate

REPORTING BUGS

       Report bugs to <bugs@moosefs.com>.

       Copyright (C) 2023 Jakub Kruszona-Zawadzki, Saglabs SA

       This file is part of MooseFS.

       MooseFS  is free software; you can redistribute it and/or modify it under the terms of the
       GNU General Public License as published by the Free Software Foundation, version 2 (only).

       MooseFS is distributed in the hope that it will  be  useful,  but  WITHOUT  ANY  WARRANTY;
       without  even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with  MooseFS;  if
       not,  write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
       02111-1301, USA or visit http://www.gnu.org/licenses/gpl-2.0.html

SEE ALSO

       mfsmaster(8), mfsmaster.cfg(5)