Summary
Multiple layers of security need to be navigated to specify the access requirements: IAM; Network Security; NFS Security (Unix or Kerberos); and NFS options.
Reference
Overview
There are four (4) layers of security:
Security Layer | Resources | Control |
---|---|---|
IAM Service | Users and policies | Creating instances (NFS clients) and FSS VCNs; creating, listing, associating file systems and mount targets |
Network Security | IP addresses, CIDR blocks, security lists, network security groups. | Connecting the NFS client instances to the mount target |
NFS Export Options | File system, exports, IP addresses, UNIX users | Privileged source port connection, reading and writing files, and limiting root user access on a per-file basis. |
Unix Security | UNIX user, file mode bits | Mounting file systems, reading and writing files |
Lab
This topic is covered by Lab 15-1: File Storage: Configure NFS Export Options:
Overview
NFS export options enable you to create more granular access control to limit VCN access. You can use NFS export options to specify access levels for IP addresses or CIDR blocks connecting to file systems through exports in a mount target. Doing this provides better security controls in multi-tenant environments.
Additionally, by using NFS export option access controls, you can limit the clients' ability to connect to the file system and view or write data.
In this lab, you'll learn how to allow read-only access to the file system from one instance and read/write access from the other instance.
In this lab, you'll:
- Create a Virtual Cloud Network and its components
- Create two VM instances
- Create a file system
- Configure VCN Security Rules for file storage
- Mount the file system from both instances
- Perform testing
Security
About File Storage Security says:
This security layer... | Uses these... | To control actions like... |
---|---|---|
Oracle Cloud Infrastructure Identity and Access Management | Users and policies | Creating instances and VCNs. Creating, listing, and associating file systems and mount targets. |
Network security | IP addresses, CIDR blocks, security lists | Connecting the client instance to the mount target. |
NFS v.3 Unix security | UNIX users, file mode bits | Reading and writing files and directories. |
NFS v.3 Kerberos security | Kerberos principals mapped to UNIX users, file mode bits | Reading and writing files and directories. |
NFS export options | File system exports, IP addresses, UNIX users | Privileged source port connection, reading and writing files, and limiting root user access on a per-export basis. |
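To make the export-options layer concrete, here is an added example (my own model, not Oracle's code or the lab's) that evaluates an ordered list of export options against a client's source IP, using the lab's scenario of one read-only and one read/write instance. It assumes the OCI semantics of first matching source entry wins and deny-by-default when no entry matches; the field names mirror the export-option keys (source, access, identitySquash, requirePrivilegedSourcePort), and all addresses are constructed sample values.

```python
"""Model of NFS export option evaluation (added example, not Oracle's code).

Assumed semantics: export options are an ordered list; the first entry whose
source CIDR contains the client IP decides access; a client matching no entry
is denied. Field names mirror the OCI export option keys.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ExportOption:
    source: str                           # CIDR block or single IP of allowed clients
    access: str = "READ_WRITE"            # "READ_WRITE" or "READ_ONLY"
    identity_squash: str = "NONE"         # "NONE", "ROOT" or "ALL" (limits root per export)
    require_privileged_source_port: bool = True  # client must connect from port < 1024


@dataclass(frozen=True)
class Decision:
    allowed: bool
    access: Optional[str] = None
    identity_squash: Optional[str] = None
    reason: str = ""


def evaluate(options, client_ip, source_port=None):
    """Return the effective access for client_ip under the ordered export options."""
    ip = ip_address(client_ip)
    for opt in options:
        if ip in ip_network(opt.source, strict=False):
            if opt.require_privileged_source_port and source_port is not None and source_port >= 1024:
                return Decision(False, reason=f"{client_ip} matched {opt.source} but used unprivileged port {source_port}")
            return Decision(True, opt.access, opt.identity_squash, f"matched {opt.source}")
    return Decision(False, reason=f"{client_ip} matched no export option")


# Constructed sample: the lab scenario, one instance read-only (root squashed),
# the other read/write. Any other client in the VCN is denied.
LAB_EXPORT_OPTIONS = [
    ExportOption("10.0.0.10/32", "READ_ONLY", "ROOT"),
    ExportOption("10.0.0.11/32", "READ_WRITE", "NONE"),
]

# Constructed sample showing why order matters: the broad /24 entry comes first,
# so the more specific read/write entry for 10.0.0.11 is never reached.
SHADOWED_EXPORT_OPTIONS = [
    ExportOption("10.0.0.0/24", "READ_ONLY"),
    ExportOption("10.0.0.11/32", "READ_WRITE"),
]

if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
        print(ip, evaluate(LAB_EXPORT_OPTIONS, ip, source_port=900))
```

Running it shows the two instances receiving different access from the same export while a third address is denied, and the shadowed list illustrates a misordering worth checking when an instance unexpectedly gets read-only access.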