ONTAP 9.12.1 commands
vserver export-policy rule show
Display a list of rules
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver export-policy rule show command displays information about export rules. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information:
- Vserver name
- Export policy name
- Export rule index number
- Access protocol
- Client match
- Read-only access rule
- Read-write access rule
To display detailed information about a specific export rule, run the command with the -vserver, -policyname, and -ruleindex parameters. The detailed view provides all of the information in the previous list and the following additional information:
- Anonymous ID
- Superuser security type
- Whether set user ID (suid) and set group ID (sgid) access is enabled
- Whether creation of devices is enabled
- NTFS security settings
- Change ownership mode
You can specify additional parameters to display only the information that matches those parameters. For example, to display information only about export rules that have a read-write rule value of never, run the command with the -rwrule never parameter.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields parameter, the command only displays the fields that you specify.
| [-instance ] }
If you specify the -instance parameter, the command displays detailed information about all entries.
[-vserver <vserver name>] - Vserver
If you specify this parameter, the -policyname parameter, and the -ruleindex parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules on the specified Vserver.
[-policyname <export policy name>] - Policy Name
If you specify this parameter, the -vserver parameter, and the -ruleindex parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules on the specified policy.
[-ruleindex <integer>] - Rule Index
If you specify this parameter, the -vserver parameter, and the -policyname parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules that have the specified index number.
[-protocol <Client Access Protocol>,…] - Access Protocol
If you specify this parameter, the command displays information only about the export rules that have the specified access protocol or protocols. Possible values include the following:
- any - Any current or future access protocol
- nfs - Any current or future version of NFS
- nfs3 - The NFSv3 protocol
- nfs4 - The NFSv4 protocol
- cifs - The CIFS protocol
You can specify a comma-separated list of multiple access protocols for an export rule. If you specify the protocol as any, you cannot specify any other protocols in the list.
[-clientmatch <text>] - List of Client Match Hostnames, IP Addresses, Netgroups, or Domains
If you specify this parameter, the command displays information only about the export rules that have a clientmatch list containing all of the strings in the specified client match. You can specify the match as a list of strings in any of the following formats:
- As a hostname; for instance, host1
- As an IPv4 address; for instance, 10.1.12.24
- As an IPv6 address; for instance, fd20:8b1e:b255:4071::100:1
- As an IPv4 address with a subnet mask expressed as a number of bits; for instance, 10.1.12.0/24
- As an IPv6 address with a subnet mask expressed as a number of bits; for instance, fd20:8b1e:b255:4071::/64
- As an IPv4 address with a network mask; for instance, 10.1.16.0/255.255.255.0
- As a netgroup, with the netgroup name preceded by the @ character; for instance, @eng
- As a domain name preceded by the . character; for instance, .example.com
[-rorule <authentication method>,…] - RO Access Rule
If you specify this parameter, the command displays information only about the export rule or rules that have the specified read-only rule. Possible values include the following:
- sys - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is AUTH_SYS. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes sys.
- krb5 - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5.
- krb5i - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.
- krb5p - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.
- ntlm - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is CIFS NTLM. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes ntlm.
- any - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume regardless of the security type of that incoming request. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) remains the same as the security type of the incoming request. If the security type of the incoming request is AUTH_NONE, read access will be granted to that incoming request as an anonymous user.
- none - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume as an anonymous user if the security type of that incoming request is not explicitly listed in the list of values in the rorule. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes none.
- never - For an incoming request from a client matching the clientmatch criteria, do not allow any access to the volume regardless of the security type of that incoming request.
You can specify a comma-separated list of multiple security types for an export rule. If you specify the security type as any or never, you cannot specify any other security types. For an incoming request from a client matching the clientmatch criteria, if the security type doesn’t match any of the values listed in rorule (as explained above), access will be denied to that incoming request.
[-rwrule <authentication method>,…] - RW Access Rule
If you specify this parameter, the command displays information only about the export rule or rules that have the specified read-write rule. Possible values include the following:
- sys - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is AUTH_SYS.
- krb5 - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is Kerberos 5.
- krb5i - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.
- krb5p - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.
- ntlm - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is CIFS NTLM.
- any - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request. If the effective security type (determined from rorule) of the incoming request is none, write access will be granted to that incoming request as an anonymous user.
- none - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume as an anonymous user if the effective security type (determined from rorule) of that incoming request is none.
- never - For an incoming request from a client matching the clientmatch criteria, do not allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.
You can specify a comma-separated list of multiple security types for an export rule. If you specify the security type as any or never, you cannot specify any other security types. For an incoming request from a client matching the clientmatch criteria, if the effective security type (determined by rorule) doesn’t match any of the values listed in rwrule (as explained above), write access will be denied to that incoming request.
[-anon <text>] - User ID To Which Anonymous Users Are Mapped
If you specify this parameter, the command displays information only about the export rule or rules that have the specified anonymous ID.
[-superuser <authentication method>,…] - Superuser Security Types
If you specify this parameter, the command displays information only about the export rule or rules that have the specified superuser security type. Possible values include the following:
- sys - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is AUTH_SYS.
- krb5 - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is Kerberos v5.
- krb5i - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.
- krb5p - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.
- ntlm - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is CIFS NTLM.
- any - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume regardless of the effective security type (determined by rorule) of that incoming request. If the effective security type (determined from rorule) of the incoming request is none, access will be granted to that incoming request as an anonymous user.
- none - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow access to the volume as an anonymous user if the effective security type (determined from rorule) of that incoming request is none.
- never - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow access to the volume as an anonymous user regardless of the effective security type (determined from rorule) of that incoming request.
Only export rules that were created in an earlier release can have the superuser parameter set to the security type never.
You can specify a comma-separated list of multiple security types for superuser access. If you specify the security type as any, you cannot specify any other security types. For an incoming request from a client matching the clientmatch criteria and with the user ID 0, if the effective security type doesn’t match any of the values listed in superuser (as explained above), the user ID is mapped to anonymous user.
[-allow-suid {true|false}] - Honor SetUID Bits in SETATTR
If you specify this parameter, the command displays information only about the export rule or rules that have the specified setting for set user ID (suid) and set group ID (sgid) access.
[-allow-dev {true|false}] - Allow Creation of Devices
If you specify this parameter, the command displays information only about the export rule or rules that have the specified setting for the creation of devices.
[-ntfs-unix-security-ops {ignore|fail}] - NTFS Unix Security Options
If you have specified this parameter for a particular export policy rule, then the command displays information about the UNIX security options that apply to that export policy rule. The setting can either prohibit (with value fail) or allow (with value ignore) UNIX-type permissions changes on NTFS (Windows) volumes when the request originates from an NFS client. If the Vserver NTFS UNIX security option is set to fail or allow for the Vserver, then this parameter is overridden.
[-ntfs-unix-security-ops-vs {fail|ignore|use-export-policy}] - Vserver NTFS Unix Security Options
If you specify this parameter, the command displays information about the UNIX security options that apply to all volumes in this Vserver. The setting can prohibit (with value fail) or allow (with value ignore) UNIX-type permissions changes on NTFS (Windows) volumes when the request originates from an NFS client, or you can set it to use-export-policy. If you set this parameter to fail or allow, this parameter overrides the individual UNIX security options set for the export policy rules. If you set this parameter to use-export-policy, the UNIX security options associated with the respective export policy rule are used.
[-chown-mode {restricted|unrestricted}] - Change Ownership Mode
If you have specified this parameter for a particular export policy rule, then the command displays information about the change ownership mode that applies to that export-policy rule. The setting can either allow only the root (with value restricted) or all users (with value unrestricted) to change file ownership provided the on-disk permissions allow the operation. If the Vserver change ownership mode is set to restricted or unrestricted for the Vserver, then this parameter is overridden.
[-chown-mode-vs {restricted|unrestricted|use-export-policy}] - Vserver Change Ownership Mode
If you specify this parameter, the command displays information about the change ownership mode that applies to all volumes in this Vserver. The setting can allow only the root (with value restricted) or all users (with value unrestricted) to change ownership of the files that they own, or you can set it to use-export-policy. If you set this parameter to restricted or unrestricted, this parameter overrides the individual change ownership mode set for the export policy rules. If you set this parameter to use-export-policy, the change ownership mode associated with the respective export policy rule is used.
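The rorule, rwrule and superuser descriptions above form a three-step evaluation in which rorule sets the effective security type that the other two are checked against. The following Python model of that evaluation is an added example, not NetApp code; the names evaluate and FLAVORS and both sample rules are constructed for illustration. It assumes the client already matched clientmatch, represents AUTH_NONE as 'none', and checks krb5i and krb5p against the effective type like the other security types.

```python
FLAVORS = {"sys", "krb5", "krb5i", "krb5p", "ntlm"}

def _result(read, write=False, identity=None, effective=None):
    return {"read": read, "write": write, "identity": identity, "effective": effective}

def evaluate(rule, sec, uid):
    """Model one request against one export rule whose clientmatch already matched.

    rule: dict of 'rorule', 'rwrule', 'superuser' value lists (constructed input).
    sec:  security type of the request, a FLAVORS member or 'none' for AUTH_NONE.
    """
    ro, rw, su = rule["rorule"], rule["rwrule"], rule["superuser"]

    # Step 1: rorule grants read access and fixes the effective security type.
    if "never" in ro:
        return _result(False)
    if sec in FLAVORS and sec in ro:
        effective = sec            # listed explicitly
    elif "any" in ro:
        effective = sec            # unchanged; AUTH_NONE stays 'none'
    elif "none" in ro:
        effective = "none"         # unlisted type is let in as anonymous
    else:
        return _result(False)      # no match: access denied
    anonymous = effective == "none"

    # Step 2: rwrule is checked against the effective type, not the wire type.
    write = "never" not in rw and ("any" in rw or effective in rw)

    # Step 3: superuser decides whether UID 0 stays root or becomes anonymous.
    keeps_root = (uid == 0 and not anonymous and "never" not in su
                  and ("any" in su or effective in su))
    if keeps_root:
        identity = "root"
    elif anonymous or uid == 0:
        identity = "anon"
    else:
        identity = f"uid {uid}"
    return _result(True, write, identity, effective)

# Constructed rules for illustration.
KRB_ONLY_WRITE = {"rorule": ["krb5", "none"], "rwrule": ["krb5"], "superuser": ["krb5"]}
WIDE_OPEN = {"rorule": ["any"], "rwrule": ["any"], "superuser": ["any"]}

if __name__ == "__main__":
    for sec in ("sys", "krb5", "none"):
        print(sec, evaluate(KRB_ONLY_WRITE, sec, 0), evaluate(WIDE_OPEN, sec, 0))
```

With WIDE_OPEN, an AUTH_SYS request that claims UID 0 keeps root and can write, which is why a rule with any in all three fields deserves review when its client match is broad.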
Examples
The following example displays information about all export rules:
cluster1::> vserver export-policy rule show
             Policy             Rule   Access   Client                   RO
Vserver      Name               Index  Protocol Match                    Rule
------------ ------------------ ------ -------- ------------------------ ------
vs0          default_expolicy   1      any      0.0.0.0/0,::0/0          any
vs0          read_only_expolicy 2      any      0.0.0.0/0                any
vs1          default_expolicy   1      any      10.10.10.10,11.11.11.11  any
vs1          test_expolicy      1      any      0.0.0.0/0                any
4 entries were displayed.
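An added example (not NetApp code): it parses default-view rows like those above, classifies each Client Match entry by the formats listed for -clientmatch, and reports IP ranges wider than a review threshold. The names classify, parse_rows, audit and MIN_PREFIX are hypothetical, the thresholds are assumptions, and rows are assumed not to be wrapped or truncated.

```python
import ipaddress

# Assumed review thresholds (not from ONTAP): shorter prefixes are reported.
MIN_PREFIX = {4: 16, 6: 48}

# Rows copied from the example output on this page.
SAMPLE = """\
vs0          default_expolicy   1      any      0.0.0.0/0,::0/0          any
vs0          read_only_expolicy 2      any      0.0.0.0/0                any
vs1          default_expolicy   1      any      10.10.10.10,11.11.11.11  any
vs1          test_expolicy      1      any      0.0.0.0/0                any
4 entries were displayed.
"""

def classify(entry):
    """Map one clientmatch string to (kind, network or None)."""
    if entry.startswith("@"):
        return "netgroup", None
    if entry.startswith("."):
        return "domain", None
    try:
        # strict=False accepts host bits; a.b.c.d/255.255.255.0 is also parsed.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "hostname", None
    return f"ipv{net.version} {'subnet' if '/' in entry else 'address'}", net

def parse_rows(text):
    """Yield (vserver, policy, index, clientmatch); non-rule lines are skipped."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 6 and cols[2].isdigit():
            yield cols[0], cols[1], int(cols[2]), cols[4]

def audit(text):
    """Return rules whose clientmatch holds an IP range wider than MIN_PREFIX."""
    findings = []
    for vserver, policy, index, clientmatch in parse_rows(text):
        for entry in clientmatch.split(","):
            kind, net = classify(entry)
            if net is not None and net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((vserver, policy, index, entry, kind))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Netgroup, domain and hostname entries are classified but not sized, because their membership cannot be resolved from the command output alone.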