vserver export-policy check-access
Given a Volume And/or a Qtree, Check to See If the Client Is Allowed Access
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver export-policy check-access command checks whether a specific client is allowed access to a specific export path. This enables you to test export policies to ensure they work as intended and to troubleshoot client access issues.
The command takes the volume name (and optionally the qtree name) as input and computes the export path for the volume/qtree. It evaluates the export policy rules that apply for each path component and displays the policy name, policy owner, policy rule index and access rights for that path component. If no export policy rule matches the specified client IP address, access is denied and the policy rule index is set to 0. The output gives a clear view of how the export policy rules are evaluated and helps narrow down the policy and (where applicable) the specific rule in the policy that grants or denies access.
Parameters
- { [-fields <fieldname>,…] | [-instance ] }
  If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify. If you specify the -instance parameter, the command displays detailed information about all fields.
- -vserver <vserver name> - Vserver Name
  This parameter specifies the name of the Vserver in which the export policy resides.
- -volume <volume name> - Volume Name
  This parameter specifies the name of the volume that you want to check export access for. To check export access for a qtree, use the -qtree parameter. The -qtree parameter is optional. If you specify the -qtree parameter, you must provide the name of the volume containing the qtree. If you do not specify the -qtree parameter, export access is checked only for the volume.
- -client-ip <IP Address> - Client IP Address
  This parameter specifies the IP address of the client that you want to check export access for.
- -authentication-method <authentication method> - Authentication Method
  This parameter specifies the authentication method of the client that is attempting access. Possible values include the following:
  - sys - The authentication method used by the client is AUTH_SYS.
  - krb5 - The authentication method used by the client is Kerberos v5.
  - krb5i - The authentication method used by the client is Kerberos v5 with integrity service.
  - krb5p - The authentication method used by the client is Kerberos v5 with privacy service.
  - ntlm - The authentication method used by the client is CIFS NTLM.
  - none - The authentication method used by the client is not explicitly listed in the list of values in the rorule.
- -protocol <Client Access Protocol> - Protocol
  This parameter specifies the protocol that the client is using when attempting to access the exported path. Possible values include the following:
  - nfs3 - The NFSv3 protocol
  - nfs4 - The NFSv4 protocol
  - cifs - The CIFS protocol
- -access-type {read|read-write|denied} - Access Rights to Check for
  This parameter specifies the type of access you want to check for. Possible values are read for read-only access and read-write for read-write access.
- [-qtree <qtree name>] - Name of the Qtree
  This optional parameter specifies the qtree in the volume that is part of the exported path. If you specify this parameter, you must also provide the name of the volume the qtree belongs to.
- [-path <text>] - Path
  Selects the entries in the output that match the specified path value. This field describes the junction-path component encountered when evaluating the export policies starting from the root ('/') of the Vserver.
- [-policy <text>] - Export Policy
  Selects the entries in the output that match the specified policy value. This field describes the export policy that is in effect for the path encountered so far when evaluating the export policies starting from the root ('/') of the Vserver.
- [-policy-owner <text>] - Export Policy Owner
  Selects the entries in the output that match the specified policy owner value. This field describes the owner of the export policy that is in effect for the path encountered so far when evaluating the export policies starting from the root ('/') of the Vserver. The owner of the export policy can be a volume or a qtree.
- [-policy-owner-type {volume|qtree}] - Type of Export Policy Owner
  Selects the entries in the output that match the specified type of the owner of an export policy. Possible values include the following:
  - volume - The owner of the export policy is a volume
  - qtree - The owner of the export policy is a qtree
- [-rule-index <integer>] - Export Policy Rule Index
  Selects the entries in the output that match the specified export policy rule index. This field describes the rule index of the rule in the export policy that grants or denies access. If the value of the rule index is 0, none of the client match strings provided in the rules of the export policy matched the specified IP address of the client.
- [-access {read|read-write|denied}] - Access Rights
  Selects the entries in the output that match the specified access value. This field describes the access rights to the path. Possible values include the following:
  - read - Read access is granted
  - read-write - Read-write access is granted
  - denied - Requested access is denied
- [-partial-rule-match {true|false}] - Did a Subset of the Rules Match?
  Selects the entries in the output according to whether a partially matched subset of the rules in the export policy was used to grant access to the client.
- [-clientmatch <text>] - Client Match Spec
  Selects the entries in the output that match the specified clientmatch string. The clientmatch string is the string that resulted in a rule match for the specified client IP address.
- [-security-style <security style>] - Security Style
  Selects the entries in the output that match the specified security style value. Possible values are unix, ntfs and mixed.
Examples
The following examples of the vserver export-policy check-access command display various possible results for client export access checks.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read
                                   Policy     Policy     Rule             Security
Path                 Policy        Owner      Owner Type Index Access     Style
-------------------- ------------- ---------- ---------- ----- ---------- --------
/                    default       vs1_root   volume     1     read       mixed
/dir1                default       vs1_root   volume     1     read       mixed
/dir1/dir2           default       vs1_root   volume     1     read       mixed
/dir1/dir2/flex1     data          flex_vol   volume     10    read       mixed
4 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read-write
                                   Policy     Policy     Rule             Security
Path                 Policy        Owner      Owner Type Index Access     Style
-------------------- ------------- ---------- ---------- ----- ---------- --------
/                    default       vs1_root   volume     1     read       mixed
/dir1                default       vs1_root   volume     1     read       mixed
/dir1/dir2           default       vs1_root   volume     1     read       mixed
/dir1/dir2/flex1     data          flex_vol   volume     10    read-write mixed
4 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method sys -protocol nfs3 -access-type read-write -qtree qt1
                                   Policy     Policy     Rule             Security
Path                 Policy        Owner      Owner Type Index Access     Style
-------------------- ------------- ---------- ---------- ----- ---------- --------
/                    default       vs1_root   volume     1     read       mixed
/dir1                default       vs1_root   volume     1     read       mixed
/dir1/dir2           default       vs1_root   volume     1     read       mixed
/dir1/dir2/flex1     data          flex_vol   volume     10    read       mixed
/dir1/dir2/flex1/qt1 primarynames  qt1        qtree      0     denied     mixed
5 entries were displayed.

cluster1::> vserver export-policy check-access -vserver vs1 -client-ip 10.22.32.42 -volume flex_vol -authentication-method ntlm -protocol cifs -access-type read-write -qtree qt1
                                   Policy     Policy     Rule             Security
Path                 Policy        Owner      Owner Type Index Access     Style
-------------------- ------------- ---------- ---------- ----- ---------- --------
/                    default       vs1_root   volume     1     read       mixed
/dir1                default       vs1_root   volume     1     read       mixed
/dir1/dir2           default       vs1_root   volume     1     read       mixed
/dir1/dir2/flex1     data          flex_vol   volume     10    read       mixed
/dir1/dir2/flex1/qt1 primarynames  qt1        qtree      2     denied     mixed
5 entries were displayed.
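The per-component evaluation that the Description section explains, as an added Python model (not NetApp code and not the command's implementation): export policies are simplified to rules with an IP/CIDR clientmatch, a protocol list and rorule/rwrule sets of authentication methods, and the constructed policies and junction path are shaped so the model reproduces the four example outputs above (the security-style column is omitted, and the handling of parent components and of read-write needing a read grant are assumptions).

```python
import ipaddress
from collections import namedtuple

# index: rule index (the command reports 0 when nothing matched); clientmatch: modelled as IP/CIDR only;
# protocols, rorule, rwrule: sets of protocols / auth methods, honouring ONTAP's "any" and "never".
Rule = namedtuple("Rule", "index clientmatch protocols rorule rwrule")

# Constructed policies and junction path (not from a real system), shaped to reproduce the four examples above.
POLICIES = {
    "default":      [Rule(1, "0.0.0.0/0", {"any"}, {"any"}, {"never"})],
    "data":         [Rule(10, "10.22.32.0/24", {"any"}, {"sys", "krb5", "ntlm"}, {"sys"})],
    "primarynames": [Rule(2, "10.22.32.42", {"cifs"}, {"ntlm"}, {"never"})],
}
JUNCTIONS = [  # (path component, policy in effect, policy owner, owner type)
    ("/", "default", "vs1_root", "volume"),
    ("/dir1", "default", "vs1_root", "volume"),
    ("/dir1/dir2", "default", "vs1_root", "volume"),
    ("/dir1/dir2/flex1", "data", "flex_vol", "volume"),
    ("/dir1/dir2/flex1/qt1", "primarynames", "qt1", "qtree"),
]

def _allows(methods, auth):
    return "never" not in methods and ("any" in methods or auth in methods)

def match_rule(policy, client_ip, protocol):
    """First rule whose clientmatch contains the client IP and whose protocol list covers the request."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy:
        if ip in ipaddress.ip_network(rule.clientmatch, strict=False) and (
                "any" in rule.protocols or protocol in rule.protocols):
            return rule
    return None

def evaluate(policy, client_ip, auth, protocol, wanted):
    """(rule index, access) for one path component; index 0 and 'denied' when no rule matches."""
    rule = match_rule(policy, client_ip, protocol)
    if rule is None:
        return 0, "denied"
    ro = _allows(rule.rorule, auth)
    rw = ro and _allows(rule.rwrule, auth)  # assumption: read-write also needs the read-only grant
    return rule.index, (wanted if (rw if wanted == "read-write" else ro) else "denied")

def check_access(client_ip, auth, protocol, access_type, qtree=None):
    """One row per junction component from '/', in the order and shape of the command's table."""
    path = [j for j in JUNCTIONS if j[3] != "qtree" or j[2] == qtree]
    wanted = ["read"] * (len(path) - 1) + [access_type]  # assumption: parents need traversal (read) only
    return [j + evaluate(POLICIES[j[1]], client_ip, auth, protocol, w) for j, w in zip(path, wanted)]

if __name__ == "__main__":
    for row in check_access("10.22.32.42", "ntlm", "cifs", "read-write", qtree="qt1"):
        print("{:<22}{:<14}{:<10}{:<8}{:<6}{}".format(*row))
```

Running it prints the rows of the last example above; changing the clientmatch, protocol or auth method shows which component flips to rule index 0 (no client match) versus a matched rule that denies the requested access.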