Fileset access control for remote clusters
In IBM Spectrum Scale 5.1.4, administrators can allow access to remote cluster nodes to only a subset of filesets instead of the entire file system.
The mmauth grant is issued to specify the list of allowed filesets while
granting access to the file system. For example,
mmauth grant accessingCluster -f gpfs --fileset FilesetList The mmauth grant command or the mmauth deny command can be
issued to modify the list of allowed filesets. For example,
mmauth deny accessingCluster -f gpfs --fileset FilesetListWhen access is allowed to only certain filesets, a subset of the file system namespace containing the allowed filesets is visible on the remote cluster nodes. The mmlsfileset, mmlssnapshot and mmlsquota command outputs will also display the corresponding information only on the allowed filesets.
Administrators must consider the following factors while setting up fileset access control for
remote clusters:
- While setting up the allowed fileset list for the first time, the root fileset must be included.
- The root fileset cannot be removed from the allowed list later by using the mmauth deny command.
- Both independent and dependent filesets can be included in the allowed fileset list.
- When the allowed fileset list is created, the filesets that are not in that list cannot be accessed from the authorized remote clusters.
- When the allowed fileset list is changed, a file system remount is necessary on the remote nodes for the new list to be effective.
- If a fileset exists in the allowed list, all the filesets that are linked above it in the file system namespace must also exist in the list to ensure that the access to the fileset works properly.
Fileset access control does not offer a hard security boundary. It is therefore important that the root administrator of the remote cluster must be fully trusted by the root administrator of the home cluster.
For more information, see mmauth command.