Managing Client Groups - An Easier Approach

On UNIX-based NFS servers, it's much easier to control access to the NFS shares based on host names or IP addresses. You just have to put them in the export file and it's done. It's not so difficult in Windows either - you can click on the Permission buttons on the NFS Sharing tab and add/remove hosts and control the access type and root squash option graphically.

While that's easy, Server for NFS also supports a concept called client groups. These groups are very similar to netgroups as far as NFS is concerned - a client group is just a group of hosts which you can use to restrict access to NFS shares. This concept didn't really take off because there isn't a GUI to manage it. I, otherwise, see a lot of benefit in using client groups rather than host names to control access.

So, while a GUI would have been the best, here's a batch file that can be used to automate a lot of the work that is required and to help people who would really like to use it -

@Echo Off
REM CGEDIT - manage Server for NFS client groups named after the share.

REM The first argument selects the operation; it is also the label to jump to.
IF "%1" == "" GOTO SyntaxError
GOTO %1

:SyntaxError
Echo Invalid Syntax
Echo.
GOTO SYNTAX

:SYNTAX
Echo SYNTAX:
Echo %0 creategroup sharename - create the readonly and readwrite access groups for the mentioned share
Echo %0 deletegroup sharename - delete the readonly and readwrite access groups for the mentioned share
Echo %0 list - list all the client groups and their members
Echo %0 RO sharename client1[,client2] - add client(s) to a readonly CG of a share.
Echo add /delete to remove the client from the RO group
Echo %0 RW sharename client1[,client2] - add client(s) to a readwrite CG of a share
Echo add /delete to remove the client from the RW group
GOTO Exit

:CREATEGROUP
REM Create sharename-RO and sharename-RW and grant them access on the share.
If "%1" == "" GOTO SyntaxError
If "%2" == "" GOTO SyntaxError
nfsadmin server creategroup %2-RO
nfsshare %2 -o ro=%2-RO
nfsadmin server creategroup %2-RW
nfsshare %2 -o rw=%2-RW
Echo.
Echo Client groups %2-RO and %2-RW have been created.
Echo.
GOTO Exit

:DELETEGROUP
REM Remove both groups from the share first, then delete the groups.
If "%1" == "" GOTO SyntaxError
If "%2" == "" GOTO SyntaxError
nfsshare %2 -o removeclient=%2-RO
nfsadmin server deletegroup %2-RO
nfsshare %2 -o removeclient=%2-RW
nfsadmin server deletegroup %2-RW
Echo.
Echo Client groups %2-RO and %2-RW have been deleted.
Echo.
GOTO Exit

:LIST
REM List the members of every client group known to the server.
If "%1" == "" GOTO SyntaxError
for /f "usebackq delims=# eol=;" %%i in (`nfsadmin server listgroups ^|findstr /I [a-z] ^|findstr /V "The following"`) do @nfsadmin server listmembers %%i
GOTO Exit

:RO
REM cmd.exe splits an unquoted comma into separate arguments, so quote a
REM multi-client list ("client1,client2"); %~3 strips the quotes again.
SET OP=add
If "%1" == "" GOTO SyntaxError
If "%2" == "" GOTO SyntaxError
If "%~3" == "" GOTO SyntaxError
REM /I accepts both /delete and /DELETE.
if /I "%4" == "/delete" SET OP=delete
nfsadmin server %OP%members %2-RO %~3
GOTO Exit

:RW
REM Same as RO, but for the sharename-RW group.
SET OP=add
If "%1" == "" GOTO SyntaxError
If "%2" == "" GOTO SyntaxError
If "%~3" == "" GOTO SyntaxError
if /I "%4" == "/delete" SET OP=delete
nfsadmin server %OP%members %2-RW %~3
GOTO Exit

:Exit
Echo.

How does it work?

Rather than forcing users to think up names for the client groups, this batch file uses the NFS share name to manage the groups. The syntax looks like the following -

CGEDIT CREATEGROUP <SHARENAME> - This creates two client groups - SHARENAME-RW and SHARENAME-RO - whose names make it easy to identify what kind of access is granted, and adds these groups to the share mentioned

CGEDIT DELETEGROUP <SHARENAME> - This deletes the client groups created using the above syntax and removes them from the share properties

CGEDIT LIST - lists all the client groups and their members

CGEDIT RO SHARENAME CLIENT1[,CLIENT2] - Adds the mentioned client(s) to the Read-only client group created for the given share
If /DELETE is passed as the last argument, it will remove the mentioned clients from the client group

CGEDIT RW SHARENAME CLIENT1[,CLIENT2] - Adds the mentioned client(s) to the Read-Write client group created for the given share
If /DELETE is passed as the last argument, it will remove the mentioned clients from the client group
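
The batch file passes the share and client names to nfsadmin and nfsshare without checking them, so a stray character ends up in a group name or on the command line. The PowerShell function below is an added example, not part of the original batch file: it validates the names and returns the command lines that the operations described above would issue, so they can be reviewed before being run. The function name Get-ClientGroupPlan, its parameters and the allowed-character pattern are assumptions made for this example.

```powershell
# Added example, not the original script. Get-ClientGroupPlan and its
# parameters are hypothetical names; the allow-list pattern is an assumption.
function Get-ClientGroupPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CreateGroup', 'DeleteGroup', 'RO', 'RW')]
        [string]$Action,
        [Parameter(Mandatory)][string]$ShareName,
        [string[]]$Client = @(),
        [switch]$Delete
    )

    # Letters, digits, dot, underscore and hyphen only: rejects spaces and
    # cmd.exe metacharacters before they reach a command line.
    # IPv6 literals are rejected too, because they contain ':'.
    $safe = '^[A-Za-z0-9._-]+$'
    if ($ShareName -notmatch $safe) {
        throw "Share name '$ShareName' has characters outside [A-Za-z0-9._-]"
    }
    foreach ($c in $Client) {
        if ($c -notmatch $safe) {
            throw "Client '$c' is not a plain host name or IPv4 address"
        }
    }

    switch ($Action) {
        'CreateGroup' {   # same order as the batch file: create, then grant
            foreach ($mode in 'RO', 'RW') {
                "nfsadmin server creategroup ${ShareName}-${mode}"
                "nfsshare ${ShareName} -o $($mode.ToLower())=${ShareName}-${mode}"
            }
        }
        'DeleteGroup' {   # remove from the share first, then delete the group
            foreach ($mode in 'RO', 'RW') {
                "nfsshare ${ShareName} -o removeclient=${ShareName}-${mode}"
                "nfsadmin server deletegroup ${ShareName}-${mode}"
            }
        }
        default {         # RO or RW: change membership of the matching group
            if ($Client.Count -eq 0) { throw 'At least one client is required' }
            $op = if ($Delete) { 'deletemembers' } else { 'addmembers' }
            "nfsadmin server $op ${ShareName}-$($Action.ToUpper()) $($Client -join ',')"
        }
    }
}

# Constructed sample input: plan for adding two clients to the projects-RO group.
Get-ClientGroupPlan -Action RO -ShareName projects -Client 'build01', '192.168.10.25'
```

The function only returns strings; nothing is changed on the NFS server until the reviewed lines are run.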

This is not a widely used feature so many of you may not find it interesting but if you do, I hope you find it useful.