grant different access permissions to different IP addresses or CIDR blocks by using permission groups - File Storage NAS

In File Storage NAS (NAS), each permission group represents a whitelist. To ensure data access security, you can create a custom permission group and add rules to grant different access permissions to specific IP addresses or CIDR blocks.

Background information

After you activate NAS, a permission group named "CLASSIC default permission group (all allowed)" or a permission group named "VPC default permission group (all allowed)" is created. The default permission group allows read and write access from all IP addresses to a file system in the classic network or in a virtual private cloud (VPC). No limits are specified for Linux system users. You cannot delete or modify the default permission group.

Important

If the default permission group does not meet your business requirements, you can create a custom permission group and add rules to grant different access permissions to specific IP addresses or CIDR blocks.

Limits

You can use each Alibaba Cloud account to create up to 20 permission groups in a region.
You can add up to 300 rules to each permission group.
You can create permission groups only for VPCs.

Procedure

Note

To ensure data security, we recommend that you add rules only for the required IP addresses or CIDR blocks.

Log on to the NAS console.

Create a permission group.

In the left-side navigation pane, choose File System > Permission Group.
In the top navigation bar, select a region.
On the Permission Group page, click the General-purpose NAS or Extreme NAS tab. Then, click Create Permission Group.

In the Create Permission Group dialog box, configure the required parameters.

新建权限组

The following table describes the required parameters.

Parameter

Description

Name

The name of the permission group. Limits:

The name must start with a letter.
The name can contain letters, digits, underscores (_), and hyphens (-).
The name cannot contain Chinese characters.
The name cannot be the same as that of an existing permission group.

Network Type

Only VPC is supported.

Note

As of November 21, 2022, you cannot create classic network permission groups for General-purpose NAS file systems. Classic network permission groups that were created before November 21, 2022 can still be used.

Add rules to the permission group.

Find the permission group that you created and click Manage Rules in the Actions column. On the page that appears, click Create Rule. In the Create Rule dialog box, configure the parameters described in the following table.

Parameter	Description
Authorization Type	The type of the IP addresses or CIDR blocks that you want to authorize. Valid values: IPv4 access address and IPv6 access address. View the regions that support IPv6 Extreme NAS file systems: China (Hohhot), China (Chengdu), China (Zhangjiakou), China (Shenzhen), China (Shanghai), China (Hangzhou), China (Beijing), and China (Qingdao). General-purpose NAS file systems: US (Virginia), Germany (Frankfurt), and Philippines (Manila).
Authorized Address	The authorization object to which the rule is applied.
Read/Write Permissions	Specifies whether to allow read-only or read and write access from the authorization object to the file system. Valid values: Read-only and Read/Write.
User Permissions	Specifies whether to limit access from Linux users to the file system. This parameter is invalid for Server Message Block (SMB) file systems. No Anonymity: allows access from root users to the file system. Root User Anonymity: maps root users to the nobody user. General Anonymity: maps all users to the nobody user. The nobody user has the least permissions in Linux and can access only the public content of the file system. This ensures the security of the file system.
Priority	The priority of the rule. If multiple rules are applied to an authorization object, the rule that has the highest priority takes effect. Valid values: 1 to 100. The value 1 indicates the highest priority. Note If multiple rules have overlapping CIDR blocks, different permissions, and the same priority, the first rule that you added takes effect. Do not specify overlapping CIDR blocks in a rule.

Click OK.

What to do next

On the Permission Group page, you can perform the operations described in the following table.

Operation	Description
View a list of permission groups and the details of each permission group	View the permission groups that are created in a region and the details of each permission group. The details include the network type, number of rules, and number of associated file systems.
Modify a permission group	Find the permission group and click Edit in the Actions column to modify the description of the permission group.
Delete a permission group	Find the permission group and click Delete in the Actions column to delete the permission group.
View a list of rules	Find the permission group and click Manage Rules in the Actions column to view a list of rules in the permission group.
Modify a rule	Find the permission group and click Manage Rules in the Actions column. On the page that appears, find the rule and click Edit in the Actions column. In the Edit Rule dialog box, modify the following parameters: Authorized Address, Read/Write Permissions, User Permissions, and Priority.
Delete a rule	Find the permission group and click Manage Rules in the Actions column. On the page that appears, find the rule, and click Delete in the Actions column to delete the rule.

References

You can use the encryption in transit feature to protect the data transmitted between your Elastic Compute Service (ECS) instances and NAS file systems against interception or tampering. For more information, see Encryption in transit for NFS file systems or Encryption in transit for SMB file systems.