#restricting write access for an ntfs volume that is shared out as a subfolder of the SVM root share


brittle yoke
#

Hi,

For an automated way of decommissioning an NTFS volume, our workflow would need to restrict writes to the volume by end users, then do a full backup, and then after a grace period delete the volume.
As the volume has no share, but is accessible through the share on the SVM root and a DFS path, how can I prohibit write access to the volume without stopping the ability to do an NDMP backup of it?

Am grateful for all suggestions
thanks,

tranquil sun
#

this is a bit tricky. At least I have not found an easier way, but this is what should work:

  • Create an export-policy with a rule that allows access to all users (client-match 0.0.0.0/0, rwrule any, rorule any, protocol cifs)
  • apply this rule to all volumes that are exported via CIFS (this is to make sure you don't lose access on the next step)
  • set the CIFS option -is-exportpolicy-enabled to true
  • check that you still have access to all volumes 😉
  • create a second export policy, again with one rule, protocol=cifs, rorule=any, rwrule=never, clientmatch=0.0.0.0/0
  • apply this export-policy to the volume where you want to prohibit access
  • check that you can still write on all other volumes except the one with the changed policy

If you have never fiddled with export policies I suggest you try this on a test SVM first to see how it works

#

I mean, if you don't need read-only access to the volume at all, you can simply unmount it from the namespace to make it inaccessible. That is easier but doesn't allow reads during the transition period

#

I am not sure if NDMP needs the volume to be mounted in the namespace to be able to dump it

spring zealot
#

Hot take: take a backup from a clone after you've offlined the og volume?

#

Or unmount and remount to a private/locked down share to do the same work

#

Darkstars got the most correct answer, but SMB export policies are persnickety, and once you've put it in place, it takes effect immediately, so you must be 100% certain what you implement is what you want

eternal vessel
#

Don't unmount it.

#

If you have NFS users connected, it can rewind and blackhole your CPU.