
On 02/06/2012 02:07 PM, Adam Litke wrote:
> On Fri, Feb 03, 2012 at 11:34:15AM -0500, Keith Robertson wrote:
>> Can you pin your NFS export to a particular ID (below)? If you do it this way it won't matter what ID the client connects as because the NFS server will just override it with the one in the exports file.
>>
>> /virt/iso 192.168.122.11(rw,sync,all_squash,anonuid=107,anongid=107)
>
> Thanks for this suggestion, Keith. We're planning to try this and I think it will be a reasonable workaround. In the name of improved usability I would like to consider relaxing this restriction in vdsm as danken has suggested. Security of the data on the mountpoint is really the job of the NFS server and its configuration.

You're welcome. VDSMD appears to be using NFS in the proper manner and any "relaxation" of permissions would need to occur on the NFS server, not on the client (i.e. VDSMD), IMHO.

NFS's security model (or lack thereof) is based on both UID/GID mapping and control statements in /etc/exports. Assuming the server isn't "squashing", the NFS client must have a UID/GID that allows it to r/w the exported files and directories in accordance with the normal *nix permission set. I'm not sure how you expect to relax this on the VDSMD side unless you're going to have it seteuid/egid to an ID of your choice prior to r/w.

Cheers,
Keith
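
The ID mapping discussed in this thread, as an added Python example that is not part of the original messages: it parses the exports line quoted above, applies the squash options the way a Linux NFS server does for AUTH_SYS requests, and runs a classic owner/group/other write check. Assumptions: the Linux default anonymous ID of 65534, the second export line without squashing, the directory ownership (107:107, mode 0755) and the client IDs 1000, 0 and 107 are constructed for comparison.

```python
import re

NOBODY = 65534  # assumed Linux nfsd default when anonuid/anongid are not set

def parse_export(line):
    """Parse one /etc/exports line into (path, {client: options})."""
    path, *clients = line.split()
    parsed = {}
    for spec in clients:
        m = re.fullmatch(r"([^()]+)\(([^()]*)\)", spec)
        host, raw = (m.group(1), m.group(2)) if m else (spec, "")
        opts = {}
        for item in filter(None, raw.split(",")):
            key, _, val = item.partition("=")
            opts[key] = val if val else True
        parsed[host] = opts
    return path, parsed

def effective_ids(opts, uid, gid):
    """Return the (uid, gid) the server acts as for a request sent as uid/gid."""
    anon = (int(opts.get("anonuid", NOBODY)), int(opts.get("anongid", NOBODY)))
    if opts.get("all_squash"):
        return anon  # every client ID is overridden
    squash_root = not opts.get("no_root_squash")  # root_squash is the default
    return (anon[0] if squash_root and uid == 0 else uid,
            anon[1] if squash_root and gid == 0 else gid)

def can_write(mode, owner, group, uid, gid):
    """Owner/group/other write check; ignores supplementary groups and ACLs."""
    if uid == 0:
        return True  # unsquashed root bypasses permission bits
    if uid == owner:
        return bool(mode & 0o200)
    if gid == group:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

EXPORT = "/virt/iso 192.168.122.11(rw,sync,all_squash,anonuid=107,anongid=107)"  # from the thread
PLAIN = "/virt/iso 192.168.122.11(rw,sync)"  # constructed: same export, no squash options

def demo():
    """Map each constructed client ID to whether it may write to a 107:107 0755 dir."""
    out = {}
    for label, line in (("squashed", EXPORT), ("plain", PLAIN)):
        opts = parse_export(line)[1]["192.168.122.11"]
        out[label] = {i: can_write(0o755, 107, 107, *effective_ids(opts, i, i))
                      for i in (1000, 0, 107)}
    return out
```

With `all_squash` every client ID is served as 107 and can write; without it only the client that already runs as 107 can, and client root is mapped to the anonymous ID by the default `root_squash`.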