ONTAP 9.15.1 commands

vserver export-policy rule show

Display a list of rules

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver export-policy rule show command displays information about export rules. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information:

  • Vserver name

  • Export policy name

  • Export rule index number

  • Access protocol

  • Client match

  • Read-only access rule

  • Read-write access rule

To display detailed information about a specific export rule, run the command with the -vserver , -policyname , and -ruleindex parameters. The detailed view provides all of the information in the previous list and the following additional information:

  • Anonymous ID

  • Superuser security type

  • Whether set user ID (suid) and set group ID (sgid) access is enabled

  • Whether creation of devices is enabled

  • NTFS security settings

  • Change ownership mode

You can specify additional parameters to display only the information that matches those parameters. For example, to display information only about export rules that have a read-write rule value of never, run the command with the -rwrule never parameter.

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields parameter, the command only displays the fields that you specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all entries.

[-vserver <vserver name>] - Vserver

If you specify this parameter, the -policyname parameter, and the -ruleindex parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules on the specified Vserver.

[-policyname <export policy name>] - Policy Name

If you specify this parameter, the -vserver parameter, and the -ruleindex parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules on the specified policy.

[-ruleindex <integer>] - Rule Index

If you specify this parameter, the -vserver parameter, and the -policyname parameter, the command displays detailed information about the specified export rule. If you specify this parameter by itself, the command displays information only about the export rules that have the specified index number.

[-protocol <Client Access Protocol>,…​] - Access Protocol

If you specify this parameter, the command displays information only about the export rules that have the specified access protocol or protocols. Possible values include the following:

  • any - Any current or future access protocol

  • nfs - Any current or future version of NFS

  • nfs3 - The NFSv3 protocol

  • nfs4 - The NFSv4 protocol

  • cifs - The CIFS protocol

You can specify a comma-separated list of multiple access protocols for an export rule. If you specify the protocol as any, you cannot specify any other protocols in the list.

[-clientmatch <text>] - List of Client Match Hostnames, IP Addresses, Netgroups, or Domains

If you specify this parameter, the command displays information only about the export rules that have a clientmatch list containing all of the strings in the specified client match. You can specify the match as a list of strings in any of the following formats:

  • As a hostname; for instance, host1

  • As an IPv4 address; for instance, 10.1.12.24

  • As an IPv6 address; for instance, fd20:8b1e:b255:4071::100:1

  • As an IPv4 address with a subnet mask expressed as a number of bits; for instance, 10.1.12.0/24

  • As an IPv6 address with a subnet mask expressed as a number of bits; for instance, fd20:8b1e:b255:4071::/64

  • As an IPv4 address with a network mask; for instance, 10.1.16.0/255.255.255.0

  • As a netgroup, with the netgroup name preceded by the @ character; for instance, @eng

  • As a domain name preceded by the . character; for instance, .example.com

[-rorule <authentication method>,…​] - RO Access Rule

If you specify this parameter, the command displays information only about the export rule or rules that have the specified read-only rule. Possible values include the following:

  • sys - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is AUTH_SYS. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes sys.

  • krb5 - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5.

  • krb5i - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.

  • krb5p - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.

  • ntlm - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is CIFS NTLM. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes ntlm.

  • any - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume regardless of the security type of that incoming request. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) remains the same as the security type of the incoming request.

If the security type of the incoming request is AUTH_NONE, read access will be granted to that incoming request as an anonymous user.
  • none - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume as an anonymous user if the security type of that incoming request is not explicitly listed in the list of values in the rorule. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes none.

  • never - For an incoming request from a client matching the clientmatch criteria, do not allow any access to the volume regardless of the security type of that incoming request.

You can specify a comma-separated list of multiple security types for an export rule. If you specify the security type as any or never , you cannot specify any other security types.

For an incoming request from a client matching the clientmatch criteria, if the security type doesn’t match any of the values listed in rorule (as explained above), access will be denied to that incoming request.
[-rwrule <authentication method>,…​] - RW Access Rule

If you specify this parameter, the command displays information only about the export rule or rules that have the specified read-write rule. Possible values include the following:

  • sys - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is AUTH_SYS.

  • krb5 - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is Kerberos 5.

  • krb5i - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.

  • krb5p - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.

  • ntlm - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume if the effective security type (determined from rorule) of that incoming request is CIFS NTLM.

  • any - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.

If the effective security type (determined from rorule) of the incoming request is none, write access will be granted to that incoming request as an anonymous user.
  • none - For an incoming request from a client matching the clientmatch criteria, allow write access to the volume as an anonymous user if the effective security type (determined from rorule) of that incoming request is none.

  • never - For an incoming request from a client matching the clientmatch criteria, do not allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.

You can specify a comma-separated list of multiple security types for an export rule. If you specify the security type as any or never , you cannot specify any other security types.

For an incoming request from a client matching the clientmatch criteria, if the effective security type (determined by rorule) doesn’t match any of the values listed in rwrule (as explained above), write access will be denied to that incoming request.
[-anon <text>] - User ID To Which Anonymous Users Are Mapped

If you specify this parameter, the command displays information only about the export rule or rules that have the specified anonymous ID.

[-superuser <authentication method>,…​] - Superuser Security Types

If you specify this parameter, the command displays information only about the export rule or rules that have the specified superuser security type. Possible values include the following:

  • sys - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is AUTH_SYS.

  • krb5 - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is Kerberos v5.

  • krb5i - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with integrity service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5i.

  • krb5p - For an incoming request from a client matching the clientmatch criteria, allow read access to the volume if the security type of that incoming request is Kerberos v5 with privacy service. The effective security type of the incoming request (to be used subsequently in evaluation of rwrule/superuser) becomes krb5p.

  • ntlm - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume if the effective security type (determined from rorule) of that incoming request is CIFS NTLM.

  • any - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow superuser access to the volume regardless of the effective security type (determined by rorule) of that incoming request.

If the effective security type (determined from rorule) of the incoming request is none, access will be granted to that incoming request as an anonymous user.
  • none - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow access to the volume as an anonymous user if the effective security type (determined from rorule) of that incoming request is none.

  • never - For an incoming request from a client matching the clientmatch criteria and with the user ID 0, allow access to the volume as an anonymous user regardless of the effective security type (determined from rorule) of that incoming request.

Only export rules that were created in an earlier release can have the superuser parameter set to the security type never

You can specify a comma-separated list of multiple security types for superuser access. If you specify the security type as any , you cannot specify any other security types.

For an incoming request from a client matching the clientmatch criteria and with the user ID 0, if the effective security type doesn’t match any of the values listed in superuser (as explained above), the user ID is mapped to anonymous user.
[-allow-suid {true|false}] - Honor SetUID Bits in SETATTR

If you specify this parameter, the command displays information only about the export rule or rules that have the specified setting for set user ID (suid) and set group ID (sgid) access.

[-allow-dev {true|false}] - Allow Creation of Devices

If you specify this parameter, the command displays information only about the export rule or rules that have the specified setting for the creation of devices.

[-ntfs-unix-security-ops {ignore|fail}] - NTFS Unix Security Options (privilege: advanced)

If you have specified this parameter for a particular export policy rule, then the command displays information about the UNIX security options that apply to that export policy rule. The setting can either prohibit (with value fail ) or allow (with value ignore ) UNIX-type permissions changes on NTFS (Windows) volumes when the request originates from an NFS client. If the Vserver NTFS UNIX security option is set to fail or allow for the Vserver, then this parameter is overridden.

[-ntfs-unix-security-ops-vs {fail|ignore|use_export_policy}] - Vserver NTFS Unix Security Options (privilege: advanced)

If you specify this parameter, the command displays information about the UNIX security options that apply to all volumes in this Vserver. The setting can prohibit (with value fail ) or allow (with value ignore ) UNIX-type permissions changes on NTFS (Windows) volumes when the request originates from an NFS client, or you can set it to use_export_policy . If you set this parameter to fail or allow , this parameter overrides the individual UNIX security options set for the export policy rules. If you set this parameter to use_export_policy , the UNIX security options associated with the respective export policy rule is used.

[-chown-mode {restricted|unrestricted}] - Change Ownership Mode (privilege: advanced)

If you have specified this parameter for a particular export policy rule, then the command displays information about the change ownership mode that applies to that export-policy rule. The setting can either allow only the root (with value restricted ) or all users (with value unrestricted ) to change file ownership provided the on-disk permissions allow the operation. If the Vserver change ownership mode is set to restricted or unrestricted for the Vserver, then this parameter is overridden.

[-chown-mode-vs {restricted|unrestricted|use_export_policy}] - Vserver Change Ownership Mode (privilege: advanced)

If you specify this parameter, the command displays information about the change ownership mode that applies to all volumes in this Vserver. The setting can allow only the root (with value restricted ) or all users (with value unrestricted ) to change ownership of the files that they own, or you can set it to use_export_policy . If you set this parameter to restricted or unrestricted , this parameter overrides the individual change ownership mode set for the export policy rules. If you set this parameter to use_export_policy , the change ownership mode associated with the respective export policy rule is used.

Examples

The following example displays information about all export rules:

cluster1::> vserver export-policy rule show
       Policy             Rule    Access   Client                   RO
Vserver      Name               Index   Protocol Match                    Rule
------------ ------------------ ------  -------- ------------------------ ------
vs0          default_expolicy   1       any      0.0.0.0/0,::0/0          any
vs0          read_only_expolicy 2       any      0.0.0.0/0                any
vs1          default_expolicy   1       any      10.10.10.10,11.11.11.11  any
vs1          test_expolicy      1       any      0.0.0.0/0                any
4 entries were displayed.
Top of Page