Feature request: improve export policies at the FlexVol level in the context of ONTAP-NAS-ECO
Describe the solution you'd like
Trident provides 3 possibilities to manage export policies:
- dynamically with autoExportCIDRs & autoExportPolicy backend parameters
- explicitly with the exportPolicy backend parameter
- default value (ie: use export policy default)
When managing export policies dynamically, both the Qtrees & the parent FlexVol are assigned the same policy. No issue here.
However, when using the 2 other methods, only the Qtrees are assigned the export policy provided by the admin, or the default one. Here, the parent FlexVol will be linked to a policy created by Trident called trident_qtree_pool_export_policy.
This FlexVol policy is wide open => 0.0.0.0/0 & ::/0
This means that someone could mount the FlexVol & list all the Qtrees/PVC. He may not be able to mount these Qtrees, but seeing their name could be interpreted as a lack of security.
Describe alternatives you've considered
If the parameter exportPolicy is specified by the admin, it should be used for the parent FlexVol also. If the default policy is used, it should also be assigned to the FlexVol.
If this is not feasible, documentation could be updated to reflect this behavior
Additional context
I also noticed that if several ontap-nas-eco backends are configured with the same prefix, PVC/Qtrees from both backends will be created in the same FlexVol.
Hi @YvosOnTheHub,
Do you have a suggestion as to what the root export policy should be other than 0.0.0.0/0? If this export policy isn't set properly then you may not be able to mount the qtree.
Hi @gnarl, if the exportPolicy parameter is specified in a Trident backend, I would advise also assigning it to the FlexVol hosting the Qtrees with the NAS-ECO driver. That way, the configuration is consistent.
In my test, before configuring NAS-ECO, I have 2 export policies:
- default: 0.0.0.0/0
- trident: 192.168.0.0/24
I then create a NAS-ECO backend with the exportPolicy=trident parameter set.
Upon the creation of the first PVC, Trident creates an export policy called trident_qtree_pool_export_policy (0.0.0.0/0) & assigns it to the FlexVol hosting the Qtrees, while all the qtrees are linked to the trident policy.
Maybe there are some side effects I don't measure (maybe different backends with the same prefix would point to the same FlexVol? Haven't tested that...)
++
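The mismatch described in this thread (qtrees on a narrow admin policy, parent FlexVol on a 0.0.0.0/0 + ::/0 policy) is easy to audit once the export-policy rules and the volume/qtree-to-policy mapping have been pulled out of ONTAP. The script below is an added example, not Trident or NetApp code: it assumes that mapping has already been collected (for instance from the ONTAP REST API or `export-policy rule show` output) and flattened into the dictionaries shown, and the sample data, including the FlexVol and PVC names, is constructed to mirror the test scenario above. For each FlexVol it reports client ranges the parent exports that no qtree needs ("excess", the listing exposure raised in the issue) and qtree client ranges the parent does not export ("missing", the mount breakage @gnarl warns about).

```python
"""Audit parent-FlexVol vs qtree export policies for Trident ontap-nas-economy volumes.

Added example, not Trident code. Assumes export-policy rules and the
volume -> policy / qtree -> policy mapping were already collected from ONTAP.
"""
import ipaddress
from typing import Dict, List, Union

Client = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]

# Constructed sample: the two admin-made policies from the thread plus the
# wide-open policy Trident creates for the qtree pool volume.
EXPORT_POLICIES: Dict[str, List[str]] = {
    "default": ["0.0.0.0/0"],
    "trident": ["192.168.0.0/24"],
    "trident_qtree_pool_export_policy": ["0.0.0.0/0", "::/0"],
}

# Constructed sample: one Trident-managed FlexVol (placeholder name) holding two
# qtree-backed PVCs that the backend assigned to the "trident" policy.
FLEXVOLS: Dict[str, dict] = {
    "trident_qtree_pool_EXAMPLE": {
        "policy": "trident_qtree_pool_export_policy",
        "qtrees": {"trident_pvc_a": "trident", "trident_pvc_b": "trident"},
    },
}


def parse_client(match: str) -> Client:
    """CIDR or single-IP clientmatch -> ip_network; hostnames/netgroups stay strings."""
    try:
        return ipaddress.ip_network(match, strict=False)
    except ValueError:
        return match


def covered_by(client: Client, others: List[Client]) -> bool:
    """True if every host allowed by `client` is also allowed by some entry in `others`.

    Non-CIDR entries (hostnames, netgroups) are only matched by an identical entry,
    because their membership cannot be resolved offline.
    """
    for other in others:
        if isinstance(client, str) or isinstance(other, str):
            if client == other:
                return True
            continue
        if client.version == other.version and client.subnet_of(other):
            return True
    return False


def audit_flexvol(policies: Dict[str, List[str]], flexvol: dict) -> Dict[str, List[str]]:
    """Compare a parent FlexVol's export policy with the union of its qtrees' policies."""
    parent = [parse_client(m) for m in policies[flexvol["policy"]]]
    needed: List[Client] = []
    for qtree_policy in sorted(set(flexvol["qtrees"].values())):
        needed += [parse_client(m) for m in policies[qtree_policy]]
    # excess: parent exports a range no qtree needs -> clients there can mount the
    # FlexVol and enumerate qtree/PVC names even if they cannot mount the qtrees.
    excess = [str(c) for c in parent if not covered_by(c, needed)]
    # missing: a qtree client range the parent does not export -> qtree mount fails.
    missing = [str(c) for c in needed if not covered_by(c, parent)]
    return {"excess": excess, "missing": missing}


def audit(policies: Dict[str, List[str]], flexvols: Dict[str, dict]) -> Dict[str, Dict[str, List[str]]]:
    return {name: audit_flexvol(policies, vol) for name, vol in flexvols.items()}


if __name__ == "__main__":
    for name, result in audit(EXPORT_POLICIES, FLEXVOLS).items():
        print(f"{name}: excess={result['excess']} missing={result['missing']}")
```

With the sample data the FlexVol is reported with `excess=['0.0.0.0/0', '::/0']` and nothing missing, which is exactly the configuration the feature request wants Trident to avoid; assigning the backend's exportPolicy to the parent volume as well would make both lists empty.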