About File Storage Security (2024)

The File Storage service uses five different layers of access control. Each layer has its own authorization entities and methods which are separate from the other layers.

The Oracle Cloud Infrastructure (OCI) policy layer uses policies to control what users can do within Oracle Cloud Infrastructure, such as creating instances, a VCN and its security rules, mount targets, and file systems.

The Network security layer controls which instance IP addresses or CIDR blocks can connect to a host file system. It uses VCN security list rules to allow or deny traffic to the mount target, and therefore access to any associated file system.

The NFS export option layer applies access control per file system export based on the source IP address, bridging the Network Security layer and the NFS v.3 UNIX Security layer.

The NFSv.3 UNIX security and NFSv.3 Kerberos security layers control what users can do on the instance, such as reading and writing files and directories.

| This security layer... | Uses these... | To control actions like... |
|---|---|---|
| Oracle Cloud Infrastructure Identity and Access Management | Users and policies | Creating instances and VCNs. Creating, listing, and associating file systems and mount targets. |
| Network security | IP addresses, CIDR blocks, security lists | Connecting the client instance to the mount target. |
| NFSv.3 UNIX security | UNIX users, file mode bits | Reading and writing files and directories. |
| NFSv.3 Kerberos security | Kerberos principals mapped to UNIX users, file mode bits | Reading and writing files and directories. |
| NFS export options | File system exports, IP addresses, UNIX users | Privileged source port connection, reading and writing files, and limiting root user access on a per-export basis. |

Oracle Cloud Infrastructure Identity and Access Management

You can create users and groups in Oracle Cloud Infrastructure. Then, you can use policies to specify which users and groups can create, access, or change resources such as file systems, mount targets, snapshots, outbound connectors, and export options. See Overview of Identity and Access Management to learn more about how to set up access.

Network Security

The network security layer allows you to use VCN network security groups (NSGs) and security rules to block the appropriate ports from specific IP addresses and CIDR blocks and restrict host access. However, it's on an 'all or nothing' basis - the client either can or cannot access the mount target, and therefore all file systems associated with it. See Ways to Secure Your Network for general information about VCN security groups, security lists, and rules. See Configuring VCN Security Rules for File Storage for specific information about the security rules necessary for File Storage.

NFSv.3 UNIX Security

The File Storage service supports the AUTH_SYS style of authentication and permission checking for remote NFS client requests. When mounting file systems, we recommend that you use the -nosuid option. This option disables the set-user-identifier and set-group-identifier bits, so remote users cannot gain higher privileges by running a setuid program from the share. For more information, see Mounting File Systems.

Remember that users in UNIX aren't the same as users in Oracle Cloud Infrastructure - they're not linked or associated in any way. The Oracle Cloud Infrastructure policy layer doesn't govern anything that happens inside the file system, the UNIX security layer does. Conversely, the UNIX security layer doesn't govern creating file systems or mount targets in Oracle Cloud Infrastructure.

File Storage doesn't support file-level Access Control Lists (ACLs). Only user, group, and world permissions are supported, including SUID and SGID. File Storage uses the NFSv3 protocol, which doesn't include support for ACLs: setfacl fails on mounted file systems, and getfacl returns only the standard permissions.

NFS v.3 Kerberos Security

The File Storage service supports Kerberos authentication via RPCSEC_GSS (RFC 2203) with the following security options:

  • KRB5 for authentication over NFS
  • KRB5I for authentication over NFS plus data integrity (detects unauthorized modification of data in transit)
  • KRB5P for authentication over NFS, data integrity, and data privacy (in-transit encryption)

When Kerberos is configured for a mount target, it's used to prove the identity of the user making the request. After authentication, File Storage contacts your LDAP server for permissions information that it uses for authorization checks. For more information, see Using LDAP for Authorization and Using Kerberos Authentication.
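The two client-side settings above (the nosuid mount option and the sec= flavor chosen from KRB5, KRB5I, KRB5P or AUTH_SYS) are both visible in the client's mount table. The following audit function is an added example, not code from the OCI documentation; it parses constructed /proc/mounts-style lines and flags NFS mounts that lack nosuid or use a weaker security flavor. The sample lines and the assumption that a missing sec= option means AUTH_SYS are constructed for this example.

```python
# Constructed /proc/mounts-style lines for an NFS client (sample data, not from the page).
SAMPLE_PROC_MOUNTS = """\
10.0.0.5:/fs-data /mnt/data nfs rw,relatime,vers=3,rsize=1048576,nosuid,sec=krb5p,addr=10.0.0.5 0 0
10.0.0.5:/fs-logs /mnt/logs nfs rw,relatime,vers=3,sec=sys,addr=10.0.0.5 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""


def audit_nfs_mounts(proc_mounts_text):
    """Return a dict mapping each NFS mount point to a list of findings.

    Non-NFS mounts are skipped. An empty list means the mount carries nosuid
    and uses krb5p, the strongest of the flavors listed above.
    """
    findings = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts: device mountpoint fstype options dump pass
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        mountpoint, opts = fields[1], fields[3].split(",")
        issues = []
        # SUID/SGID bits are honored by File Storage, so the client must refuse them.
        if "nosuid" not in opts:
            issues.append("missing nosuid: setuid/setgid programs on the share "
                          "can run with elevated privileges")
        # Assumption: no sec= option means the AUTH_SYS default (sec=sys).
        sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
        if sec == "sys":
            issues.append("sec=sys (AUTH_SYS): UID/GID are asserted by the client; "
                          "no integrity or privacy protection in transit")
        elif sec == "krb5":
            issues.append("sec=krb5: authenticated, but data in transit is neither "
                          "integrity-protected nor encrypted")
        elif sec == "krb5i":
            issues.append("sec=krb5i: integrity-protected but not encrypted in transit")
        findings[mountpoint] = issues
    return findings
```

On a real client, read /proc/mounts and pass its contents to audit_nfs_mounts to produce the same report.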

NFS Export Options

NFS export options are a method of applying access control at both the network security layer and the NFS v.3 security layer. You can use NFS export options to limit access to the export by IP addresses or CIDR blocks through an associated mount target. Access to each file system can be restricted to a limited set of clients, allowing for managed hosted environment security. Moreover, you can set NFS v.3 security layer permissions for read-only, read/write, or root-squash for your file systems. See Working with NFS Exports and Export Options for more information.
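To make the layering concrete, here is an added example (not code from the OCI documentation) that evaluates a request against an export's option list the way the paragraph above describes: the source CIDR is checked first, then the privileged source port requirement, and only then is the UNIX identity squashed or passed through. The option list is a constructed sample; the field names follow the OCI File Storage API (requirePrivilegedSourcePort, access, identitySquash, anonymousUid, anonymousGid), and first-match-wins ordering with denial on no match is assumed.

```python
import ipaddress

# Constructed sample option list for one export (not from the page). Entries are
# evaluated top to bottom; the first whose source matches the client decides.
SAMPLE_EXPORT_OPTIONS = [
    {"source": "10.0.1.0/24", "requirePrivilegedSourcePort": True,
     "access": "READ_WRITE", "identitySquash": "NONE",
     "anonymousUid": 65534, "anonymousGid": 65534},
    {"source": "10.0.0.0/16", "requirePrivilegedSourcePort": True,
     "access": "READ_ONLY", "identitySquash": "ROOT",
     "anonymousUid": 65534, "anonymousGid": 65534},
]


def evaluate_export(options, client_ip, source_port, uid, gid):
    """Return (allowed, access, effective_uid, effective_gid) for one request.

    The network-layer checks (source CIDR, privileged port) run before any
    UNIX identity is considered, so a client outside every listed source is
    denied regardless of which user is asking.
    """
    addr = ipaddress.ip_address(client_ip)
    for opt in options:
        if addr not in ipaddress.ip_network(opt["source"], strict=False):
            continue  # not this entry; keep scanning in order
        # Ports below 1024 can only be bound by root on the client, so this
        # requirement rejects requests forged by unprivileged user processes.
        if opt["requirePrivilegedSourcePort"] and source_port >= 1024:
            return (False, None, None, None)
        squash = opt["identitySquash"]
        # ROOT maps uid 0 / gid 0 to the anonymous identity; ALL maps everyone.
        eff_uid = opt["anonymousUid"] if squash == "ALL" or (squash == "ROOT" and uid == 0) else uid
        eff_gid = opt["anonymousGid"] if squash == "ALL" or (squash == "ROOT" and gid == 0) else gid
        return (True, opt["access"], eff_uid, eff_gid)
    return (False, None, None, None)  # no source matched: denied at the network layer
```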
