m10 Qtrees Final


  • 7/29/2019 m10 Qtrees Final

    1/39

    Qtrees and Security Styles

    Module 10

    Data ONTAP 7.3 Fundamentals


    2008 NetApp. All rights reserved. 2

    Module Objectives

    By the end of this module, you should be able to:

    Describe multiprotocol configuration on a storage system, including the /etc/usermap.cfg file

    Explain the purpose of a security style

    Configure a security style setting for a qtree and a volume

    Explain the difference between security styles and access types using the CLI and FilerView

    Explain, create, and manage quotas using the CLI and FilerView


    Qtrees


    Qtrees

    A qtree is a logically defined file system that exists as a special subdirectory at the root of a volume

    When creating a qtree, you can:

    Partition data within a volume

    Establish special quota requirements

    The maximum number of qtrees is 4,995 per volume

    Qtrees look like a directory to the client

    Qtrees can be removed from the client by removing the directory or using FilerView


    Qtree Advantages

    Set a qtree security style without affecting the security style of other qtrees in a volume (discussed later)

    Set CIFS oplocks, if appropriate, without affecting the settings of projects in other qtrees

    Use tree quotas to limit the disk space and number of files available to each qtree in a volume (discussed later)

    Back up and restore qtrees


    Security Styles

    Every qtree and volume has a security style setting that determines whether files in that qtree or volume can use Windows NT ACLs or UNIX security

    There are three security styles:

    NTFS

    UNIX

    Mixed

    To change the security style using the CLI:

    qtree security

    [ntfs|unix|mixed]


    Security Styles

    Security Style   Hosts that can change    CIFS Client Access               NFS Client Access
                     Security/Permissions     Determined by                    Determined by
    --------------   ----------------------   ------------------------------   --------------------------------
    unix             NFS clients              UNIX permissions; Windows user   UNIX permissions
                                              names mapped to UNIX account
    mixed            NFS and CIFS clients     Depends on the last client to set security settings (permissions)
    ntfs             CIFS clients             Windows NT ACLs                  Windows NT ACLs; UNIX user names
                                                                               mapped to Windows account


    Adding a Qtree

    To add a qtree using the CLI:

    qtree create

    To add a qtree using FilerView:

    FilerView > Volumes > Qtree > Add


    Qtree Commands

    system> qtree create /vol/vol2/updates
    system> qtree security /vol/vol2/updates mixed
    system> qtree oplocks /vol/vol2/updates disable
    system> qtree create /vol/vol3/show03
    system> qtree security /vol/vol3/show03 ntfs
    system> qtree status
    Volume   Tree     Style Oplocks  Status
    -------- -------- ----- -------- ------
    vol0              unix  enabled  normal
    vol0     mktg     ntfs  enabled  normal
    vol1              unix  enabled  normal
    vol2              unix  enabled  normal
    vol2     updates  mixed disabled normal
    vol3              ntfs  enabled  normal
    vol3     show02   mixed enabled  normal
    vol3     show03   ntfs  enabled  normal


    Managing Qtrees

    To manage qtrees using the CLI:

    qtree status

    To manage qtrees using FilerView:

    FilerView > Volumes > Qtree > Manage


    Multiprotocols


    Multiprotocols

    NetApp storage systems support heterogeneous environments:

    CIFS (usually associated with Windows NTFS)

    NFS (usually associated with the UNIX file system)

    Setting the security style of a volume or qtree to:

    UNIX does not prevent CIFS users from access

    NTFS does not prevent NFS users from access

    NOTE: The storage system's multiprotocol feature must be properly configured.


    NAS File Access: Four Scenarios

    There are four basic scenarios for NAS file access:

    1. A UNIX client accesses a UNIX file (not multiprotocol)

    2. A PC client accesses a file with an ACL (not multiprotocol)

    3. A UNIX client accesses a file with an ACL

    4. A PC client accesses a file with UNIX permissions

    Because the first two scenarios are not multiprotocol scenarios, this module focuses on scenarios 3 and 4.


    The /etc/usermap.cfg File

    The /etc/usermap.cfg file maps between Windows NT and UNIX accounts when:

    The Windows NT account name does not match the desired UNIX account name

    A different UNIX account is required

    A different Windows NT account is required


    The /etc/usermap.cfg File (Cont.)

    Format for File Entries

    IPqualifier: NTdomain\NTuser direction IPqualifier: UnixUser

    "Bob Garg" == bobg

    mktg\Roy => nobody

    engr\Tom => ""

    uguest


    The /etc/usermap.cfg File (Cont.)

    Guidelines for Using Asterisks

    uguest *

    homeuser\* == *

    *\root => administrator

    *\root


    UNIX User Accessing an NTFS Qtree

    Authenticate with domain

    Accept

    If user is mapped to

    /etc/usermap.cfg

    Domain\user


    Windows NT User Accessing a UNIX Qtree

    /etc/passwd or

    NIS unixuser ID

    If user is mapped to

    /etc/usermap.cfg

    Domain\user


    Multiprotocol Security Administration

    Use these guidelines to keep entries simple and easy to understand:

    Make Windows and UNIX user names the same whenever possible. If the names are identical, you do not need to create map entries in the /etc/usermap.cfg file.

    Avoid confusing entries that map the same user to different user names.

    Use IP qualifiers only to restrict access.
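
These guidelines can be checked mechanically. The Python below is an added example, not NetApp code: it parses usermap.cfg-style entries and reports entries that map the same user to different names, entries that carry an IP qualifier, and lines it cannot parse. The finding codes, the sample entries, the `#` comment handling and the requirement of an explicit direction token are assumptions of this example.

```python
import re

DIRECTIONS = ("==", "=>", "<=")

def parse_entry(line):
    """Return (windows_name, direction, unix_name, has_ip_qualifier) or None."""
    line = line.split("#", 1)[0].strip()       # assumption: '#' starts a comment
    if not line:
        return None
    tokens = re.findall(r'"[^"]*"|\S+', line)  # keeps "Bob Garg" as one token
    arrows = [i for i, t in enumerate(tokens) if t in DIRECTIONS]
    if len(arrows) != 1:
        raise ValueError("expected exactly one direction token")
    def side(parts):  # an optional "IPqualifier:" prefix ends at the last colon
        _, colon, name = " ".join(parts).rpartition(":")
        return name.strip().strip('"'), bool(colon)
    win, q_win = side(tokens[:arrows[0]])
    unix, q_unix = side(tokens[arrows[0] + 1:])
    return win, tokens[arrows[0]], unix, q_win or q_unix

def lint(text):
    """Return sorted (line_number, code) findings for a usermap.cfg body."""
    findings, to_unix, to_win = set(), {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(raw)
        except ValueError:
            findings.add((n, "unparsed"))
            continue
        if entry is None:
            continue
        win, direction, unix, qualified = entry
        if qualified:
            findings.add((n, "ip-qualifier"))   # review: should only restrict access
        if "*" in win or "*" in unix:
            continue                            # wildcard entries are not compared
        key = win.lower()                       # Windows names are case-insensitive
        if direction in ("==", "=>") and to_unix.setdefault(key, unix) != unix:
            findings.add((n, "conflict"))       # one Windows user, two UNIX names
        if direction in ("==", "<=") and to_win.setdefault(unix, key) != key:
            findings.add((n, "conflict"))       # one UNIX user, two Windows names
    return sorted(findings)

# Constructed sample reusing the entry shapes from the slides.
SAMPLE = r'''"Bob Garg" == bobg
mktg\Roy => nobody
mktg\Roy => rsmith
10.1.1.0/24: engr\Ann == asmith
homeuser\* == *
mktg\Kim kim'''
```
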


    Quotas


    Quotas

    Quotas are necessary to:

    Limit the amount of disk space that can be used

    Track disk space usage

    Warn of excessive usage

    Quota targets

    Users

    Groups

    Qtrees


    Managing Quotas in FilerView

    To manage quotas in FilerView:

    FilerView > Volumes > Quotas


    Adding a Quota Using the Quota Rule Wizard

    Step 1: Quota Type


    Adding a Quota Using the Quota Rule Wizard (Cont.)

    Step 2: Limits


    Adding a Quota Using the Quota Rule Wizard (Cont.)

    Step 3: Commit


    Turning Quotas On or Off


    Qtree Statistics

    To display the number of NFS/CIFS operations resulting from user access to files in a qtree:

    qtree stats

    system> qtree stats
    No qtrees are in use in Volume vol1
    No qtrees are in use in Volume vol0
    Volume Tree NFS ops CIFS ops
    -------- -------- ------- -----
    flexvol1 datatree1 9 262
    system>


    Quota Errors

    Disk quota exceeded: Results from requests that cause a user or group to exceed an applicable quota

    Out of disk space: Results from requests that cause the number of blocks or files in a qtree to exceed the qtree limit

    Root or Windows administrator account

    Group quotas do not apply

    Tree quotas do apply


    Editing Quota Rules

    To edit quota rules using FilerView:

    FilerView > Volumes > Quotas > Edit Rules


    Quota Rules

    New users or groups created after the default quota is in effect will have the default value

    Users or groups that do not have a specific quota defined will have the default value

    Configurable rules (/etc/quotas fields) are:

    # Target          Type                Disk Files Thold Sdisk Sfiles
    *                 user@/vol/vol2      50M  15K   45M   -     10K
    /vol/home/usr/x1  user                50M  10K   45M   -     -
    21                group               750M 75K   700M  -     9000
    /vol/eng/proj     tree                100M 75K   90M   -     -
    writers           group@/vol/techpub  75M  75K   70M   -     -
    acme\cheng        user@/vol/vol2      200M -     150M  -     -
    [email protected] user                -    -     -     -     -
    rtaylor           user@/vol/vol2      200M -     150M  -     -
    s-1-5-32-544      user@/vol/vol2      200M -     150M  -     -

    NOTE: Columns are separated by white spaces.
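
The seven-column rule layout above lends itself to an automated review. The Python below is an added example, not NetApp code: it parses rules in that layout and flags rules whose threshold or soft limit is above the hard limit, and rules that only track usage because every limit is `-`. The function names, finding codes and sample rules are constructed for illustration, and treating a `K` suffix in the Files columns as 1,024 files is an assumption.

```python
DISK_KB = {"K": 1, "M": 1024, "G": 1024 ** 2}        # disk fields, in KB
COUNT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumption: 1K files = 1024
LIMITS = ("disk", "files", "thold", "sdisk", "sfiles")

def limit(field, units):
    """Convert one limit field to a number; '-' (no limit) becomes None."""
    if field == "-":
        return None
    suffix = field[-1].upper()
    if suffix in units:
        return int(field[:-1]) * units[suffix]
    return int(field)

def parse_rule(line):
    """Parse one /etc/quotas line into a dict; None for blank or comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) != 7:                  # this example expects all seven columns
        raise ValueError(f"expected 7 fields: {line!r}")
    kind, _, scope = fields[1].partition("@")
    rule = {"target": fields[0], "kind": kind, "scope": scope or None}
    for name, field in zip(LIMITS, fields[2:]):
        rule[name] = limit(field, COUNT if name in ("files", "sfiles") else DISK_KB)
    return rule

def audit(text):
    """Return (target, code) findings for rules that enforce less than they appear to."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if all(rule[name] is None for name in LIMITS):
            findings.append((rule["target"], "tracking-only"))
        for soft, hard in (("thold", "disk"), ("sdisk", "disk"), ("sfiles", "files")):
            if None not in (rule[soft], rule[hard]) and rule[soft] > rule[hard]:
                findings.append((rule["target"], f"{soft}-above-{hard}"))
    return findings

# Constructed sample in the slide's column layout; the last three rules are flawed.
SAMPLE = """\
# Target       Type                Disk Files Thold Sdisk Sfiles
*              user@/vol/vol2      50M  15K   45M   -     10K
/vol/eng/proj  tree                100M 75K   90M   -     -
21             group               750M 75K   800M  -     9000
rtaylor        user@/vol/vol2      -    -     -     -     -
writers        group@/vol/techpub  75M  10K   70M   80M   20K
"""
```
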


    Quota Report


    Resizing Quotas

    Quota information is stored in the /etc/quotas file

    Resizing adjusts the active quotas in a specific volume to reflect changes in the /etc/quotas file

    The values in the /etc/quotas file are displayed in FilerView when you select:

    FilerView > Volumes > Quotas > Edit Rules


    Resizing Quotas (Cont.)

    For changes to take effect, you must select Resize.


    Quota Information

    Beginning with Data ONTAP version 7.3, AutoSupport contains the following quota information:

    A collection of quota statistics, including a set of new counters that collect quota statistics

    The quota configuration file (/etc/quotas)

    The user mapping file (/etc/usermap.cfg)

    Quota information is included in ASUP as attachments


    Module Summary

    In this module, you should have learned that:

    Qtrees allow administrators to create logical file systems within a volume

    Quotas are applied to qtrees

    The /etc/usermap.cfg file allows Windows users to be mapped to a UNIX account or UNIX users to be mapped to a Windows account

    The /etc/quotas file defines qtree, volume, and user quotas for specific users as well as the default user


    Exercise

    Module 10: Qtrees and Security Styles

    Estimated Time: 60 minutes


    Answers

    Module 10: Qtrees and Security Styles


    Check Your Understanding

    What is a qtree?

    A logically defined file system or a sub volume

    What are security styles?

    Permissions for the qtree

    Does a security style prevent protocols from accessing the volume or qtree?

    No, they only define which rules to apply


    Check Your Understanding (Cont.)

    What are the functions of a quota?

    Limit amount of disk space that can be used

    Track disk space usage

    Warn of excessive usage

    Name three quota targets.

    Users, groups, and qtrees