This topic describes how to manage access points in the File Storage NAS (NAS) console. For example, you can create an access point, view the domain name of an access point, delete an access point, and modify an access point.
Prerequisites
A General-purpose Network File System (NFS) file system is created. For more information, see Create a file system.
Creation of an access point does not depend on a NAS mount target. You can create an access point and use the access point to access NAS data even if no mount target is created or the mount target is disabled.
Limits
Only General-purpose NFS file systems support access points.
A single General-purpose NFS file system allows you to create up to 1,000 access points in two vSwitches.
Note: An access point can be accessed by ECS instances that belong to different vSwitches in the same virtual private cloud (VPC). We recommend that you create multiple access points in the same vSwitch by default. We recommend that you select a vSwitch that resides in the same zone as the NAS file system to achieve optimal performance.
Create an access point
Log on to the NAS console.
In the left-side navigation pane, choose File System > Access Point.
In the top navigation bar, select a region.
On the Access Point page, click Create Access Point.
On the Create Access Point panel, configure the parameters. The following table describes the parameters.
Parameter
Description
Basic Information
File System
Select a General-purpose NFS file system for which you want to create an access point.
VPC
Select the VPC where the ECS instance resides. If no VPC is available, create a VPC in the VPC console.
Important: You must select the VPC where the ECS instance on which you want to mount the file system resides. If you select a VPC that is different from the VPC where the ECS instance resides, you must use Cloud Enterprise Network (CEN) to establish a connection between the VPCs. Then, you can mount the file system across the VPCs. For more information, see Use CEN to mount a NAS file system across VPCs in the same region.
vSwitch
Select a vSwitch that resides in the VPC.
Permission Group
Select a permission group based on your business requirements.
A permission group named VPC default permission group (all allowed) is automatically created for each Alibaba Cloud account. This permission group allows access from all IP addresses in the VPC to the file system by using the access point. You can also create a permission group based on your business scenario. For more information, see Manage permission groups.
Access Point Name
Specify the name of the access point.
The name must be 2 to 128 characters in length.
The name must start with a letter.
The name can contain letters, digits, underscores (_), and hyphens (-).
Root Directory of Access Point
Specify the root directory of the access point in the file system. You can specify a subdirectory in the file system as the root directory of the access point. Users who use the access point to access the file system can access only the specified subdirectory.
Limits:
The directory must start with a forward slash (/).
The directory can contain digits and letters.
The directory can contain underscores (_), hyphens (-), and periods (.).
The directory cannot contain path components that refer to the current directory (.) or the upper-level directory (..), and it cannot contain symbolic links.
Important: If the root directory of the access point does not exist, configure the parameters in the Create Directory Information section. The system then automatically creates the specified root directory based on your settings.
If the root directory of the access point already exists, you do not need to configure the parameters in the Create Directory Information section. The configurations in the Create Directory Information section are ignored even if you configure the parameters.
Create Directory Information (Required only if the root directory of the access point does not exist)
Owner ID
Specify the ID of the owner for the root directory of the access point.
Valid values: 0 to 4294967295.
Owner Group ID
Specify the ID of the owner group for the root directory of the access point.
Valid values: 0 to 4294967295.
POSIX Permission
Specify the Portable Operating System Interface (POSIX) permissions applied to the root directory of the access point.
The value is a valid octal number, such as 0755.
POSIX User (Optional)
Important: After you configure a POSIX user, all input/output (I/O) operations performed over the access point use the POSIX user information to overwrite the original client POSIX user information for verification. If you specify the user ID, you must also specify the user group ID.
UID
Specify the ID of the POSIX user that uses the access point and performs all operations on the file system.
Valid values: 0 to 4294967295.
User Group ID
Specify the ID of the POSIX user group that uses this access point and performs all operations on the file system.
Valid values: 0 to 4294967295.
Secondary User Group Information (Optional)
Specify the ID of the secondary POSIX user group that uses this access point and performs all operations on the file system.
Click OK.
It takes about 10 minutes to create an access point. After the access point is created, you can view the status, domain name, file system, root directory, and POSIX user of the access point on the Access Point page. When the access point is in the Running state, you can use the access point to mount a NAS file system. For more information, see Use an access point to access a file system on Linux.
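The parameter table above reads as a set of input-validation rules: name length and character set, root directory syntax, ID ranges, an octal mode, and the rule that a UID must be accompanied by a group ID. The following Python script is an added example (not code from the NAS console or from Alibaba Cloud) that encodes those rules so a request can be checked before it is submitted, for instance in an infrastructure-as-code pipeline. The request shape (a plain dict with `name`, `root_directory`, `directory_info`, `posix_user` keys) is my own construction, not the NAS API; accepting "/" as a root directory and flagging a world-writable mode are my additions.

```python
import re
from typing import Iterable, List, Optional

# Rules transcribed from the Create Access Point parameter table. The regular
# expressions are my encoding of those rules, not values from the NAS console.
MAX_ID = 4294967295                            # upper bound for owner ID, group ID, UID, GID
COMPONENT_RE = re.compile(r"[A-Za-z0-9_.-]+")  # letters, digits, underscores, hyphens, periods


def validate_access_point_name(name: str) -> List[str]:
    """Return the list of rule violations (an empty list means the name is acceptable)."""
    problems = []
    if not 2 <= len(name) <= 128:
        problems.append("name must be 2 to 128 characters in length")
    if not re.fullmatch(r"[A-Za-z]", name[:1]):
        problems.append("name must start with a letter")
    if not re.fullmatch(r"[A-Za-z0-9_-]*", name):
        problems.append("name may contain only letters, digits, underscores (_) and hyphens (-)")
    return problems


def validate_root_directory(path: str) -> List[str]:
    """Check the access point root directory. Accepting "/" (the whole file system)
    is my assumption; the page only describes subdirectories."""
    if path == "/":
        return []
    if not path.startswith("/"):
        return ["root directory must start with a forward slash (/)"]
    problems = []
    for component in path[1:].split("/"):
        if component in (".", ".."):
            problems.append(f"component {component!r} is not allowed (current or upper-level directory)")
        elif component == "":
            problems.append("empty path component (double or trailing slash)")
        elif not COMPONENT_RE.fullmatch(component):
            problems.append(f"component {component!r} contains characters other than letters, digits, _ - .")
    return problems


def validate_directory_info(owner_id: int, group_id: int, posix_permission: str) -> List[str]:
    """Check the Create Directory Information section: ID ranges and an octal mode such as 0755."""
    problems = []
    for label, value in (("owner ID", owner_id), ("owner group ID", group_id)):
        if not 0 <= value <= MAX_ID:
            problems.append(f"{label} must be in the range 0 to {MAX_ID}")
    try:
        mode = int(posix_permission, 8)        # "0755" -> 0o755; "0789" raises ValueError
    except ValueError:
        problems.append(f"POSIX permission {posix_permission!r} is not a valid octal number")
        return problems
    if mode & ~0o7777:
        problems.append(f"POSIX permission {posix_permission!r} sets bits outside the permission mask")
    if mode & 0o002:  # hardening check I added: every access point user could modify the root
        problems.append("root directory would be world-writable")
    return problems


def validate_posix_user(uid: Optional[int], gid: Optional[int],
                        secondary_gids: Iterable[int] = ()) -> List[str]:
    """Check the optional POSIX user override: a UID requires a user group ID."""
    problems = []
    if uid is not None and gid is None:
        problems.append("if a UID is specified, a user group ID must also be specified")
    fields = [("UID", uid), ("user group ID", gid)] + [("secondary group ID", g) for g in secondary_gids]
    for label, value in fields:
        if value is not None and not 0 <= value <= MAX_ID:
            problems.append(f"{label} must be in the range 0 to {MAX_ID}")
    return problems


def validate_create_request(req: dict) -> List[str]:
    """Validate a whole Create Access Point request (constructed dict shape, not the NAS API)."""
    problems = validate_access_point_name(req["name"]) + validate_root_directory(req["root_directory"])
    if "directory_info" in req:
        d = req["directory_info"]
        problems += validate_directory_info(d["owner_id"], d["group_id"], d["posix_permission"])
    if "posix_user" in req:
        u = req["posix_user"]
        problems += validate_posix_user(u.get("uid"), u.get("gid"), u.get("secondary_gids", ()))
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one that passes and one that breaks several rules.
    good = {"name": "app-data-ap", "root_directory": "/app/data",
            "directory_info": {"owner_id": 1000, "group_id": 1000, "posix_permission": "0750"},
            "posix_user": {"uid": 1000, "gid": 1000}}
    bad = {"name": "1ap", "root_directory": "/app/../etc",
           "directory_info": {"owner_id": 4294967296, "group_id": 0, "posix_permission": "0789"},
           "posix_user": {"uid": 1000, "gid": None}}
    print("good:", validate_create_request(good))
    for problem in validate_create_request(bad):
        print("bad: -", problem)
```

Pinning an access point to a subdirectory and overriding the client's POSIX identity are the two settings that confine what a mounting client can reach, so a pre-submission check that both are present and well-formed is worth more than a check on the name alone.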
(Optional) Configure a policy for the access point
Policies for access points are custom Resource Access Management (RAM) policies provided by Alibaba Cloud NAS for access point clients. You can grant the mount, read, and write permissions on a file system to different RAM users or RAM roles within the same Alibaba Cloud account. You can also configure the permission to access a file system as a root user for an access point. This meets your fine-grained permission requirements and implements flexible permission management.
Authentication description
When NAS receives a request from a compute node, NAS checks whether the requester has the required permissions based on the RAM policy configured for the access point.
Limits
After the RAM policy feature is enabled, no accounts (including Alibaba Cloud accounts, RAM users, and RAM roles) are allowed to use the access point to mount and access data by default. To use the access point to mount and access data as a RAM user or RAM role, you must configure a policy for the access point client and attach the policy to the RAM user or RAM role.
If an access point has been used for mounting but the RAM policy feature is disabled, services that are running may be interrupted when you enable the RAM policy feature.
If a RAM user or RAM role has been granted full access (AliyunNASFullAccess) to a NAS file system, the RAM user or RAM role has all the permissions on the access point client by default. To ensure the security of your NAS file system, we recommend that you do not grant this permission to a RAM user. For more information, see What are the relationships between RAM policies for access points and system policies AliyunNASFullAccess and AliyunNASReadOnlyAccess?
Procedure
Enable the RAM policy feature for the file system of the access point.
Log on to the NAS console.
In the left-side navigation pane, choose File System > Access Point.
In the top navigation bar, select a region.
On the Access Point page, click Manage in the Actions column of the access point.
On the details page, click the Access Point Policy tab and enable the RAM policy feature.
Turn on the switch to enable the RAM policy feature, or turn it off to disable the feature. The RAM policy feature is disabled by default.
Configure a RAM policy for the access point client.
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, open the Policies page.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Configure the following policy content based on your business requirements and click Next to edit policy information.
Single operation permission
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nas:ClientMount",
      "Resource": "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>",
      "Condition": {
        "StringEquals": {
          "nas:AccessPointArn": "<ARN of the access point>"
        }
      }
    }
  ]
}
Multiple operation permissions
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "nas:ClientMount",
        "nas:ClientWrite"
      ],
      "Resource": [
        "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>"
      ],
      "Condition": {
        "StringEquals": {
          "nas:AccessPointArn": "<ARN of the access point>"
        }
      }
    }
  ]
}
The following table describes the parameters.
Parameter
Description
Action
The operation permissions that you can configure for the access point client. Valid values:
nas:ClientMount: the permission to mount a file system and read data.
nas:ClientWrite: the permission to write data. This permission must be configured together with the nas:ClientMount permission to mount a file system, read data from the file system, and write data to the file system.
nas:ClientRootAccess: the permission to access a file system as a root user.
If this permission is not granted, a client that accesses the file system as the root user is mapped to the nobody user and receives only that user's minimal permissions.
If a POSIX user is bound to the access point, the POSIX user is also subject to the nas:ClientRootAccess permission. For example, if the bound POSIX user is root but the nas:ClientRootAccess permission is not granted, all I/O operations performed after the file system is mounted over the access point are ultimately mapped to the nobody user and receive only its minimal permissions.
The nobody user has the least permissions on Linux and can access only the public content of the file system. This ensures the security of the file system.
Resource
The resources of the file system for the access point. Format: acs:nas:<region>:<account-id>:filesystem/<FilesystemId>. The Resource parameter contains the following fields:
region: the region where the file system of the access point resides. Example: cn-hangzhou. You can find the region information in the Alibaba Cloud Resource Name (ARN) of the access point. For more information, see the View the ARN of an access point section in this topic.
account-id: the ID of the Alibaba Cloud account. Example: 123456789012***.
FilesystemId: the ID of the file system for the access point. Example: 0d9f24****. You can obtain the file system ID on the File System List page.
nas:AccessPointArn
The ARN of the access point. Example: acs:nas:cn-hangzhou:117848947****:accesspoint/fsap-1. You can obtain the ARN on the Basic Information tab of the access point. For more information, see the View the ARN of an access point section in this topic.
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Click OK.
Attach the policy for the access point client to a RAM user or RAM role.
Note: A RAM role does not have permanent identity credentials. A RAM role can access NAS resources only by using a Security Token Service (STS) token. When an STS token is issued, you can specify a validity period and access permissions for the STS token. The STS token can be used only for temporary access to a NAS file system. If you continue to access the file system after the STS token expires, an I/O error occurs.
After you grant permissions to a RAM user or RAM role, RAM requires a period of time for the permissions to take effect. Therefore, you must wait for the permissions to take effect on cloud services. For more information, see I have granted permissions in RAM but the permissions do not immediately take effect on cloud services. Why?
Grant permissions to a RAM user.
Create a RAM user. For more information, see Create a RAM user.
If you have created a RAM user, skip this step and proceed to the next step.
Attach the policy for the access point client to the RAM user. For more information, see Grant permissions to a RAM user.
Grant permissions to a RAM role.
Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
If you have created a RAM role, skip this step and proceed to the next step.
Attach the policy for the access point client to the RAM role and grant the STS management permission (AliyunSTSAssumeRoleAccess) to the RAM role. For more information, see Grant permissions to a RAM role.
After you configure the policy for the access point, you can use the access point to mount a NAS file system. For more information, see Use an access point to access a file system on Linux.
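The policy content and parameter table in the procedure above define three constraints that are easy to get wrong by hand: the Resource must name the same region and account as the access point ARN in the Condition, nas:ClientWrite only works alongside nas:ClientMount, and a statement without the nas:AccessPointArn condition is not pinned to one access point. The following Python script is an added example (not code from Alibaba Cloud NAS or RAM) that builds a policy document from an access point ARN and a file system ID, and lints an existing document for those problems. The account ID and file system ID in the sample are constructed placeholders; the ARN layout follows the example on this page.

```python
import json
import re
from typing import Iterable, List

# The three client actions this page documents for access point policies.
CLIENT_ACTIONS = {"nas:ClientMount", "nas:ClientWrite", "nas:ClientRootAccess"}
# Access point ARN layout shown on the page: acs:nas:<region>:<account-id>:accesspoint/<name>
AP_ARN_RE = re.compile(r"acs:nas:([a-z0-9-]+):(\d+):accesspoint/([A-Za-z0-9_-]+)")


def parse_access_point_arn(arn: str) -> dict:
    """Split an access point ARN into its region, account ID and access point name."""
    m = AP_ARN_RE.fullmatch(arn)
    if not m:
        raise ValueError(f"not an access point ARN: {arn!r}")
    region, account_id, name = m.groups()
    return {"region": region, "account_id": account_id, "name": name}


def build_client_policy(access_point_arn: str, filesystem_id: str, actions: Iterable[str]) -> dict:
    """Return a policy document scoped to one file system and one access point."""
    actions = sorted(set(actions))
    unknown = [a for a in actions if a not in CLIENT_ACTIONS]
    if unknown:
        raise ValueError(f"unsupported client actions: {unknown}")
    if "nas:ClientWrite" in actions and "nas:ClientMount" not in actions:
        raise ValueError("nas:ClientWrite must be granted together with nas:ClientMount")
    ap = parse_access_point_arn(access_point_arn)
    # Region and account ID come from the ARN, so Resource and Condition cannot disagree.
    resource = f"acs:nas:{ap['region']}:{ap['account_id']}:filesystem/{filesystem_id}"
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": actions if len(actions) > 1 else actions[0],
        "Resource": resource,
        "Condition": {"StringEquals": {"nas:AccessPointArn": access_point_arn}},
    }]}


def review_client_policy(policy: dict) -> List[str]:
    """Lint an existing policy document; an empty list means nothing to flag."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in CLIENT_ACTIONS for a in actions):
            continue  # statement does not grant access point client actions
        if "nas:ClientWrite" in actions and "nas:ClientMount" not in actions:
            findings.append(f"statement {i}: nas:ClientWrite without nas:ClientMount, the client cannot mount")
        if "nas:ClientRootAccess" in actions:
            findings.append(f"statement {i}: grants root access; confirm the client really needs it")
        ap_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("nas:AccessPointArn")
        if not ap_arn:
            findings.append(f"statement {i}: no nas:AccessPointArn condition, grant is not pinned to one access point")
            continue
        try:
            ap = parse_access_point_arn(ap_arn)
        except ValueError as exc:
            findings.append(f"statement {i}: {exc}")
            continue
        expected_prefix = f"acs:nas:{ap['region']}:{ap['account_id']}:filesystem/"
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for r in resources:
            if "*" in r or not r.startswith(expected_prefix):
                findings.append(f"statement {i}: resource {r!r} is a wildcard or does not match the access point's region and account")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; the account ID and file system ID are not real.
    AP_ARN = "acs:nas:cn-hangzhou:123456789012345:accesspoint/fsap-1"
    policy = build_client_policy(AP_ARN, "0d9f24example", ["nas:ClientMount", "nas:ClientWrite"])
    print(json.dumps(policy, indent=2))
    print("findings:", review_client_policy(policy))
```

Running the linter over policies already attached to RAM users or roles is a quick way to find grants that were written for one access point but, because the condition was omitted or the Resource was widened to a wildcard, apply to every access point in the account.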
View the domain name of the access point
You can use one of the following methods to view the domain name of the access point:
On the Access Point page
On the Access Point page, view the information in the Domain Name of Access Point column of the file system.
On the details page of the file system
On the File System List page, click Manage in the Actions column of the file system. On the file system details page, click the Mount Targets tab. Then, click the Access Point tab and view the information in the Domain Name of Access Point column.
View the root directory of the access point
You can use one of the following methods to view the root directory of the access point:
On the Access Point page
On the Access Point page, view the information in the Root Directory column of the file system.
On the details page of the file system
On the File System List page, click Manage in the Actions column of the file system. On the file system details page, click the Mount Targets tab. Then, click the Access Point tab and view the information in the Root Directory column.
View the ARN of the access point
You can use one of the following methods to view the ARN of the access point:
On the Access Point page
On the Access Point page, click Manage in the Actions column of the access point.
Click the Basic Information tab. In the ARN section, view the ARN of the access point.
On the details page of the file system
On the File System List page, click Manage in the Actions column of the file system.
On the file system details page, click the Mount Targets tab. Then, click the Access Point tab.
Click the access point name. On the access point details page, view the ARN of the access point in the ARN section.
Remove the access point
On the Access Point page, click Remove in the Actions column of the access point.
After you remove an access point, all I/O operations that are being performed on the directory accessed over the access point are interrupted immediately. Proceed with caution.
Modify the permission group of the access point
Click Manage in the Actions column of the access point. On the access point details page, click Modify on the right of the permission group to modify the permission group. For more information about permission groups, see Manage permission groups.