vserver export-policy check-access

Given a Volume And/or a Qtree, Check to See If the Client Is Allowed Access

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver export-policy check-access command checks whether a specific client is allowed access to a specific export path. This enables you to test export policies to ensure they work as intended and to troubleshoot client access issues.

The command takes the volume name (and optionally the qtree name) as input and computes the export path for the volume/qtree. It evaluates the export policy rules that apply to each path component and displays the policy name, policy owner, policy rule index and access rights for that path component. If no export policy rule matches the specified client IP address, access is denied and the policy rule index is set to 0. The output gives a clear view of how the export policy rules are evaluated and helps narrow down the policy and (where applicable) the specific rule in the policy that grants or denies access.

Parameters

{ [-fields <fieldname>, ...]
If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ]}
If you specify the -instance parameter, the command displays detailed information about all fields.
-vserver <vserver name> - Vserver Name
This parameter specifies the name of the Vserver in which the export policy resides.
-volume <volume name> - Volume Name
This parameter specifies the name of the volume that you want to check export access for. To check export access for a qtree use the -qtree parameter. The -qtree parameter is optional. If you specify the -qtree parameter, you must provide the name of the volume containing the qtree. If you do not specify the -qtree parameter, export access will be checked only for the volume.
-client-ip <IP Address> - Client IP Address
This parameter specifies the IP address of the client that you want to check export access for.
-authentication-method <authentication method> - Authentication Method
This parameter specifies the authentication method of the client that is attempting access. Possible values include the following:
  • sys - The authentication method used by the client is AUTH_SYS.
  • krb5 - The authentication method used by the client is Kerberos v5.
  • krb5i - The authentication method used by the client is Kerberos v5 with integrity service.
  • krb5p - The authentication method used by the client is Kerberos v5 with privacy service.
  • ntlm - The authentication method used by the client is CIFS NTLM.
  • none - The authentication method used by the client is not explicitly listed in the list of values in the rorule.
-protocol <Client Access Protocol> - Protocol
This parameter specifies the protocol that the client is using when attempting to access the exported path. Possible values include the following:
  • nfs3 - The NFSv3 protocol
  • nfs4 - The NFSv4 protocol
  • cifs - The CIFS protocol
-access-type {read|read-write} - Access Rights to Check for
This parameter specifies the type of access you want to check for. Possible values are read for read-only access and read-write for read-write access.
[-qtree <qtree name>] - Name of the Qtree
This optional parameter specifies the qtree in the volume that is part of the exported path. If you specify this parameter, you must also provide the name of the volume the qtree belongs to.
[-path <text>] - Path
Selects the entries in the output that match the specified path value. This field describes the junction-path component encountered when evaluating the export policies starting from the root ('/') of the Vserver.
[-policy <text>] - Export Policy
Selects the entries in the output that match the specified policy value. This field describes the export policy that is in effect for the path encountered so far when evaluating the export policies starting from the root ('/') of the Vserver.
[-policy-owner <text>] - Export Policy Owner
Selects the entries in the output that match the specified policy owner value. This field describes the owner of the export policy that is in effect for the path encountered so far when evaluating the export policies starting from the root ('/') of the Vserver. The owner of the export policy can be a volume or a qtree.
[-policy-owner-type {volume|qtree}] - Type of Export Policy Owner
Selects the entries in the output that match the specified type of the owner of an export policy. Possible values include the following:
  • volume - The owner of the export policy is a volume
  • qtree - The owner of the export policy is a qtree
[-rule-index <integer>] - Export Policy Rule Index
Selects the entries in the output that match the specified export policy rule index. This field describes the index of the rule in the export policy that grants or denies access. If the rule index is 0, none of the client match strings in the rules of the export policy matched the specified IP address of the client.
[-access {read|read-write}] - Access Rights
Selects the entries in the output that match the specified access value. This field describes the access rights to the path. Possible values include the following:
  • read - Read access is granted
  • read-write - Read-write access is granted
  • denied - Requested access is denied
[-partial-rule-match {true|false}] - Did a Subset of the Rules Match?
Selects the entries in the output that match the specified value. The value is true if only a partially matched subset of the rules in the export policy was used to grant access to the client.
[-clientmatch <text>] - Client Match Spec
Selects the entries in the output that match the specified clientmatch string. The clientmatch string denotes the string that resulted in a rule match for the specified client IP address.

Examples

The following examples of the vserver export-policy check-access command display various possible results for client export access checks. Note the two ways access is denied in the last two examples: a rule index of 0 means no rule's client match string fit the client IP address, whereas a non-zero rule index with denied access means a rule matched the client but did not grant the requested access for that authentication method or protocol.
cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    vs1_root  volume          1 read
/dir1                         default    vs1_root  volume          1 read
/dir1/dir2                    default    vs1_root  volume          1 read
/dir1/dir2/flex1              data       flex_vol  volume         10 read
4 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read-write
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    vs1_root  volume          1 read
/dir1                         default    vs1_root  volume          1 read
/dir1/dir2                    default    vs1_root  volume          1 read
/dir1/dir2/flex1              data       flex_vol  volume         10 read-write
4 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read-write -qtree qt1
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    vs1_root  volume          1 read
/dir1                         default    vs1_root  volume          1 read
/dir1/dir2                    default    vs1_root  volume          1 read
/dir1/dir2/flex1              data       flex_vol  volume         10 read
/dir1/dir2/flex1/qt1          primarynames
                                         qt1       qtree           0 denied
5 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method ntlm -protocol cifs -access-type read-write -qtree qt1
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    vs1_root  volume          1 read
/dir1                         default    vs1_root  volume          1 read
/dir1/dir2                    default    vs1_root  volume          1 read
/dir1/dir2/flex1              data       flex_vol  volume         10 read
/dir1/dir2/flex1/qt1          primarynames
                                         qt1       qtree           2 denied
5 entries were displayed.
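As an added illustration (not part of the ONTAP documentation and not ONTAP's own code), the following Python model walks the path components the way the description above explains and reproduces the four example results with constructed policies. The rule fields (index, clientmatch, protocols, rorule, rwrule) are a simplified model of export-policy rules, the policy contents are invented to match the output shown, and the assumption that parent junctions are checked for read only while the target is checked for the requested access type is the model's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                  # one export-policy rule (simplified model)
    index: int               # -ruleindex; the lowest index is evaluated first
    clientmatch: str         # -clientmatch as a host address or CIDR spec
    protocols: set           # -protocol values the rule covers
    rorule: set              # auth methods granted read-only ("any" matches every method)
    rwrule: set              # auth methods that also get read-write

@dataclass
class Component:             # one junction-path component, as in the Path column
    path: str
    policy: str              # export policy in effect for this component
    owner: str               # volume or qtree that owns the policy
    owner_type: str          # "volume" or "qtree"
    rules: list

def client_matches(spec, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(comp, ip, auth, proto, want):
    # The first rule whose clientmatch and protocol fit decides; no match -> index 0, denied.
    for rule in sorted(comp.rules, key=lambda r: r.index):
        if proto not in rule.protocols or not client_matches(rule.clientmatch, ip):
            continue
        if not ({auth, "any"} & rule.rorule):
            return rule.index, "denied"       # client matched, auth method not allowed
        if want == "read-write" and ({auth, "any"} & rule.rwrule):
            return rule.index, "read-write"
        return rule.index, "read"
    return 0, "denied"

def check_access(components, ip, auth, proto, access_type):
    # Model assumption: parent junctions are checked for read (traversal), the target for access_type.
    return [(c.path, c.policy, c.owner, c.owner_type,
             *evaluate(c, ip, auth, proto, access_type if i == len(components) - 1 else "read"))
            for i, c in enumerate(components)]

# Constructed policies that reproduce the examples above; not taken from a real cluster.
ALL = {"nfs3", "nfs4", "cifs"}
ROOT = Component("/", "default", "vs1_root", "volume", [Rule(1, "0.0.0.0/0", ALL, {"any"}, {"any"})])
FLEX = Component("/dir1/dir2/flex1", "data", "flex_vol", "volume",
                 [Rule(10, "10.22.32.0/24", ALL, {"sys", "ntlm"}, {"sys", "ntlm"})])
QT1 = Component("/dir1/dir2/flex1/qt1", "primarynames", "qt1", "qtree",
                [Rule(1, "10.22.33.0/24", {"nfs3", "nfs4"}, {"sys"}, {"sys"}),
                 Rule(2, "10.22.32.0/24", {"cifs"}, {"krb5"}, {"krb5"})])
PATH = [ROOT, FLEX, QT1]   # /dir1 and /dir1/dir2 live in vs1_root and share ROOT's result
```

Calling check_access(PATH, "10.22.32.42", "ntlm", "cifs", "read-write") returns one row per component and ends with the qtree row (rule index 2, denied) of the last example, while the same call with "sys" and "nfs3" ends with rule index 0, denied, as in the third example.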