7/29/2019 m10 Qtrees Final
Qtrees and Security Styles
Module 10
Data ONTAP 7.3 Fundamentals
2008 NetApp. All rights reserved.
Module Objectives
By the end of this module, you should be able to:
Describe multiprotocol configuration on a storage system, including the /etc/usermap.cfg file
Explain the purpose of a security style
Configure a security style setting for a qtree and a volume
Explain the difference between security styles and access types using the CLI and FilerView
Explain, create, and manage quotas using the CLI and FilerView
Qtrees
A qtree is a logically defined file system that exists as a special subdirectory at the root of a volume
When creating a qtree, you can:
Partition data within a volume
Establish special quota requirements
The maximum number of qtrees is 4,995 per volume
Qtrees look like a directory to the client
Qtrees can be removed from the client by removing the directory or using FilerView
Qtree Advantages
Set a qtree security style without affecting the security style of other qtrees in a volume (discussed later)
Set CIFS oplocks, if appropriate, without affecting the settings of projects in other qtrees
Use tree quotas to limit the disk space and number of files available to each qtree in a volume (discussed later)
Back up and restore qtrees
Security Styles
Every qtree and volume has a security style setting that determines whether files in that qtree or volume can use Windows NT ACLs or UNIX security
There are three security styles:
NTFS
UNIX
Mixed
To change the security style using the CLI:
qtree security
[ntfs|unix|mixed]
Security Styles
| Security Style | Hosts that can change Security/Permissions | CIFS Client Access Determined by | NFS Client Access Determined by |
|---|---|---|---|
| unix | NFS clients | UNIX permissions; Windows user names mapped to UNIX account | UNIX permissions |
| mixed | NFS and CIFS clients | Depends on the last client to set security settings (permissions) | Depends on the last client to set security settings (permissions) |
| ntfs | CIFS clients | Windows NT ACLs | Windows NT ACLs; UNIX user names mapped to Windows account |
Adding a Qtree
To add a qtree using the CLI:
qtree create
To add a qtree using FilerView:
FilerView > Volumes > Qtree > Add
Qtree Commands
system> qtree create /vol/vol2/updates
system> qtree security /vol/vol2/updates mixed
system> qtree oplocks /vol/vol2/updates disable
system> qtree create /vol/vol3/show03
system> qtree security /vol/vol3/show03 ntfs
system> qtree status
Volume   Tree     Style Oplocks  Status
-------- -------- ----- -------- ------
vol0              unix  enabled  normal
vol0     mktg     ntfs  enabled  normal
vol1              unix  enabled  normal
vol2              unix  enabled  normal
vol2     updates  mixed disabled normal
vol3              ntfs  enabled  normal
vol3     show02   mixed enabled  normal
vol3     show03   ntfs  enabled  normal
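An added example (not NetApp code, and not part of the original slides) that parses the `qtree status` listing above into a security-style inventory. It handles the empty Tree column on volume rows, lists the mixed-style paths where permissions depend on the last client to set them, and lists qtrees whose style differs from their volume's. The function names are hypothetical.

```python
# Added example: inventory security styles from `qtree status` output.
# SAMPLE is the slide's listing, re-aligned; it is not a live capture.
SAMPLE = """\
system> qtree status
Volume   Tree     Style Oplocks  Status
-------- -------- ----- -------- ------
vol0              unix  enabled  normal
vol0     mktg     ntfs  enabled  normal
vol1              unix  enabled  normal
vol2              unix  enabled  normal
vol2     updates  mixed disabled normal
vol3              ntfs  enabled  normal
vol3     show02   mixed enabled  normal
vol3     show03   ntfs  enabled  normal
"""

STYLES = {"unix", "ntfs", "mixed"}

def parse_qtree_status(text):
    """Return one dict per row; a volume's own row has tree == ''."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Volume" or f[0].endswith(">") or set(f[0]) == {"-"}:
            continue                      # blank, header, prompt, dashed rule
        if len(f) == 4:                   # volume row: Tree column is empty
            f.insert(1, "")
        if len(f) != 5 or f[2] not in STYLES:
            raise ValueError(f"unrecognized row: {line!r}")
        rows.append(dict(zip(("volume", "tree", "style", "oplocks", "status"), f)))
    return rows

def path_of(row):
    return f"/vol/{row['volume']}/{row['tree']}".rstrip("/")

def mixed_paths(rows):
    """Paths where permissions depend on the last client to set them."""
    return [path_of(r) for r in rows if r["style"] == "mixed"]

def overrides(rows):
    """Qtrees whose style differs from their containing volume's style."""
    vol_style = {r["volume"]: r["style"] for r in rows if not r["tree"]}
    return [(path_of(r), vol_style.get(r["volume"]), r["style"])
            for r in rows if r["tree"] and r["style"] != vol_style.get(r["volume"])]

if __name__ == "__main__":
    rows = parse_qtree_status(SAMPLE)
    print("mixed:", mixed_paths(rows))
    print("overrides:", overrides(rows))
```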
Managing Qtrees
To manage qtrees using the CLI:
qtree status
To manage qtrees using FilerView:
FilerView > Volumes > Qtree > Manage
Multiprotocols
NetApp storage systems support heterogeneous environments:
CIFS (usually associated with Windows NTFS)
NFS (usually associated with the UNIX file system)
Setting the security style of a volume or qtree to:
UNIX, does not prevent CIFS users from access
NTFS, does not prevent NFS users from access
NOTE: The storage system's multiprotocol feature must be properly configured.
NAS File Access: Four Scenarios
There are four basic scenarios for NAS file access:
1. A UNIX client accesses a UNIX file (not multiprotocol)
2. A PC client accesses a file with an ACL (not multiprotocol)
3. A UNIX client accesses a file with an ACL
4. A PC client accesses a file with UNIX permissions
Because the first two scenarios are not multiprotocol scenarios, this module focuses on scenarios 3 and 4.
The /etc/usermap.cfg File
The /etc/usermap.cfg file maps between Windows NT and UNIX accounts when:
The Windows NT account name does not match the desired UNIX account name
A different UNIX account is required
A different Windows NT account is required
The /etc/usermap.cfg File (Cont.)
Format for File Entries
IPqualifier: NTdomain\NTuser direction IPqualifier: UnixUser
"Bob Garg" == bobg
mktg\Roy => nobody
engr\Tom => ""
uguest
The /etc/usermap.cfg File (Cont.)
Guidelines for Using Asterisks
uguest *
homeuser\* == *
*\root => administrator
*\root
UNIX User Accessing an NTFS Qtree
[Diagram labels: If user is mapped to /etc/usermap.cfg; Domain\user; Authenticate with domain; Accept]
Windows NT User Accessing a UNIX Qtree
[Diagram labels: Domain\user; If user is mapped to /etc/usermap.cfg; /etc/passwd or NIS; unixuser ID]
Multiprotocol Security Administration
Use these guidelines to keep entries simple and easy to understand:
Make Windows and UNIX user names the same whenever possible. If the names are identical, you do not need to create map entries in the /etc/usermap.cfg file.
Avoid confusing entries that map the same user to different user names.
Use IP qualifiers only to restrict access.
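An added example (not NetApp code, and not part of the original slides) that parses /etc/usermap.cfg entries in the format shown earlier and reports entries touching each of the three guidelines above: IP-qualified entries to review, entries made redundant by identical names, and one Windows user mapped to different UNIX names. Assumptions: the `<=` direction and the `==` default when no direction is given come from Data ONTAP's usermap.cfg syntax rather than these slides, Windows names are compared case-insensitively, and `parse_entry` and `audit` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: first three entries are from the slide, the rest are made up.
SAMPLE = r'''
"Bob Garg" == bobg
mktg\Roy => nobody
engr\Tom => ""
mktg\roy => roy
192.0.2.0/24:engr\sue => sue
jsmith == jsmith
'''

TOKEN = re.compile(r'"[^"]*"|\S+')   # a quoted name may contain spaces
DIRECTIONS = ("==", "=>", "<=")      # assumption: "<=" is ONTAP syntax, not on the slide

def _qualifier(tokens):
    """Split an optional leading 'IPqualifier:' off a token list."""
    if tokens and not tokens[0].startswith('"') and ":" in tokens[0]:
        qual, rest = tokens[0].split(":", 1)
        return qual, ([rest] if rest else []) + tokens[1:]
    return None, tokens

def parse_entry(line):
    r"""Parse 'IPqualifier: NTdomain\NTuser direction IPqualifier: UnixUser'."""
    win_ip, tokens = _qualifier(TOKEN.findall(line))
    win = tokens.pop(0).strip('"') if tokens else None
    direction = tokens.pop(0) if tokens and tokens[0] in DIRECTIONS else "=="
    unix_ip, tokens = _qualifier(tokens)
    if win is None or len(tokens) != 1:
        raise ValueError(f"malformed usermap entry: {line!r}")
    return {"win": win, "dir": direction, "unix": tokens[0].strip('"'),
            "ip": win_ip or unix_ip, "raw": line.strip()}

def audit(text):
    """Return (guideline, entry) findings for the three guidelines above."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    findings, targets = [], defaultdict(set)
    for e in entries:
        if e["dir"] != "<=":    # entry applies to Windows -> UNIX lookups
            targets[e["win"].lower()].add(e["unix"])  # assumes NT names ignore case
        if e["ip"]:
            findings.append(("ip-qualifier", e["raw"]))
        if "\\" not in e["win"] and e["win"].lower() == e["unix"].lower():
            findings.append(("redundant", e["raw"]))
    for e in entries:
        if e["dir"] != "<=" and len(targets[e["win"].lower()]) > 1:
            findings.append(("conflict", e["raw"]))
    return findings
```

Calling `audit(SAMPLE)` returns four findings; an entry with no UNIX side, such as a bare `uguest`, raises `ValueError` instead of being guessed at.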
Quotas
Quotas are necessary to:
Limit the amount of disk space that can be used
Track disk space usage
Warn of excessive usage
Quota targets
Users
Groups
Qtrees
Managing Quotas in FilerView
To manage quotas in FilerView:
FilerView > Volumes > Quotas
Adding a Quota Using the Quota Rule Wizard
Step 1: Quota Type
Adding a Quota Using the Quota Rule Wizard (Cont.)
Step 2: Limits
Adding a Quota Using the Quota Rule Wizard (Cont.)
Step 3: Commit
Turning Quotas On or Off
Qtree Statistics
To display the number of NFS/CIFS operations resulting from user access to files in a qtree:
qtree stats
system> qtree stats
No qtrees are in use in Volume vol1
No qtrees are in use in Volume vol0
Volume    Tree       NFS ops  CIFS ops
--------  --------   -------  -----
flexvol1  datatree1  9        262
system>
Quota Errors
Disk quota exceeded: Results from requests that cause a user or group to exceed an applicable quota
Out of disk space: Results from requests that cause the number of blocks or files in a qtree to exceed the qtree limit
Root or Windows administrator account
  Group quotas do not apply
  Tree quotas do apply
Editing Quota Rules
To edit quota rules using FilerView:
FilerView > Volumes > Quotas > Edit Rules
Quota Rules
New users or groups created after the default quota is in effect will have the default value
Users or groups that do not have a specific quota defined will have the default value
Configurable rules (/etc/quotas fields) are:
# Target          Type                Disk  Files  Thold  Sdisk  Sfiles
*                 user@/vol/vol2      50M   15K    45M    -      10K
/vol/home/usr/x1  user                50M   10K    45M    -      -
21                group               750M  75K    700M   -      9000
/vol/eng/proj     tree                100M  75K    90M    -      -
writers           group@/vol/techpub  75M   75K    70M    -      -
acme\cheng        user@/vol/vol2      200M  -      150M   -      -
[email protected] user                -     -      -      -      -
rtaylor           user@/vol/vol2      200M  -      150M   -      -
s-1-5-32-544      user@/vol/vol2      200M  -      150M   -      -
NOTE: Columns are separated by white spaces.
Quota Report
Resizing Quotas
Quota information is stored in the /etc/quotas file
Resizing adjusts the active quotas in a specific volume to reflect changes in the /etc/quotas file
The values in the /etc/quotas file are displayed in FilerView when you select:
FilerView > Volumes > Quotas > Edit Rules
Resizing Quotas (Cont.)
For changes to take effect, you must select Resize.
Quota Information
Beginning with Data ONTAP version 7.3, AutoSupport contains the following quota information:
A collection of quota statistics, including a set of new counters that collect quota statistics
The quota configuration file (/etc/quotas)
The user mapping file (/etc/usermap.cfg)
Quota information is included in ASUP as attachments
Module Summary
In this module, you should have learned that:
Qtrees allow administrators to create logical file systems within a volume
Quotas are applied to qtrees
The /etc/usermap.cfg file allows Windows users to be mapped to a UNIX account or UNIX users to be mapped to a Windows account
The /etc/quotas file defines qtree, volume, and user quotas for specific users as well as the default user
Exercise
Module 10: Qtrees and Security Styles
Estimated Time: 60 minutes
Answers
Module 10: Qtrees and Security Styles
Check Your Understanding
What is a qtree?
A logically defined file system or a sub volume
What are security styles?
Permissions for the qtree
Does a security style prevent protocols from accessing the volume or qtree?
No, they only define which rules to apply
Check Your Understanding (Cont.)
What are the functions of a quota?
Limit amount of disk space that can be used
Track disk space usage
Warn of excessive usage
Name three quota targets.
Users, groups, and qtrees