Adding Share Access Rules

Function

This interface is used to add share access rules.

NOTE:
  • This is an asynchronous interface. A return value of 200 indicates only that the request has been received. Afterwards, refer to Querying Share Access Rules to check whether the share access rule was added successfully.
  • With API microversion 2.28 or later, error statuses of existing share access rules can be ignored when a rule is added. The microversion is specified by using the X-Openstack-Manila-Api-Version parameter in the request headers.

URI

  • POST /v2/{project_id}/shares/{share_id}/action?vpc_ip_base_acl={vpc_ip_base_acl}
  • Parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | share_id | Yes | string | Specifies the UUID of the shared file system. |
    | project_id | Yes | string | Specifies a project ID in a multi-project scenario. |
    | vpc_ip_base_acl | No | string | Specifies the identifier of the IP address-based authorization scenario. Currently, only enable is available. The value enable indicates creating a share access rule for the IP address-based authorization scenario. |

    NOTICE:

    To ensure compatibility, you can still use the interface to create a share access rule for the IP address-based authorization scenario even if this parameter is left blank or set to a value other than enable. However, this method of creation is deprecated and will not be maintained in the future.

Request

  • Parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | os-allow_access | Yes | object | Specifies the os-allow_access object. |

    NOTE:

    If the API version ranges from 1.0 to 2.6, the top-level parameters of the JSON request body use the prefix os-. If the API version is later than 2.6, the prefix os- must be removed.

  • Description of field os-allow_access

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | access_level | Yes | string | Specifies the access level of the shared file system. Possible values are ro (read-only) and rw (read-write). |
    | access_type | Yes | string | Specifies the type of the share access rule. The value can be NFS. |
    | access_to | Yes | string | Specifies the value that defines the access rule. The value contains 1 to 255 characters. The value varies according to the scenario: |

    • In VPC authorization scenarios, enter the VPC ID.
    • In IP address-based authorization scenarios, enter the value in the format of VPC ID#IP address#priority#user permission for an NFS share, for example, 0157b53f-4974-4e80-91c9-098532bcaf00#2.2.2.2/16#100#all_squash,root_squash.
    NOTE:

    Description of and restrictions on the VPC ID, IP address, priority, and user permission:

    • VPC ID: ID of the VPC.
    • IP address: Tenant IPv4 address or address segment of the ECS's active network port. Each rule only supports one IPv4 address or address segment. The mask format is used to represent an address segment. For example, 192.168.1.0/24 represents the IP address segment of 192.168.1.0 to 192.168.1.255. Other address segment formats, such as 192.168.1.0-255, are not supported. The entered IPv4 address or address segment must be valid and cannot be an IP address or address segment starting with 0 except 0.0.0.0/0. The value 0.0.0.0/0 indicates any IP address in the VPC. In addition, the IP address or address segment cannot start with 127 or 224 to 255, for example, 127.0.0.1, 224.0.0.1, or 255.255.255.255. This is because IP addresses or address segments starting with 224 to 239 are class D addresses and they are used for multicast. IP addresses or address segments starting with 240 to 255 are class E addresses and they are used for research. If an invalid IP address or address segment is used, the access rule may fail to be added or the added access rule cannot take effect.
    • Priority: Priority of a share access rule. It must be an integer ranging from 0 to 100. 0 indicates the highest priority, and 100 indicates the lowest priority. In the same VPC, the permission of the IP address or address segment with the highest priority is preferentially used. For example, if your IP address for mounting is 10.1.1.32, and the authorized 10.1.1.32 (read/write) and 10.1.1.0/24 (read-only) both meet the requirements, the permission of the IP address or segment with the higher priority is used first. If several IP addresses or address segments have the same priority, one of their permissions is chosen at random.
    • User permission: Set the user permission in the format of allSquash,rootSquash. That is, allSquash is separated from rootSquash using a comma (,). The value of allSquash can be all_squash or no_all_squash. The value of rootSquash can be root_squash or no_root_squash.
    NOTICE:
    • When creating a share access rule for the IP address-based authorization scenario, the API microversion must be 2.28 or later and the vpc_ip_base_acl parameter must be added to the request URL. For details, see the following request example (which varies with the IP address-based authorization scenario).
    • For an ECS in VPC A, its IP addresses can be successfully added to the authorized IP addresses of VPC B, but the file system of VPC B cannot be mounted to this ECS. The VPC used by the ECS and the file system must be the same one.
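The access_to restrictions and the priority rule described above can be checked before a rule is submitted. The following is an added example, not code from the SFS documentation or service; the names parse_access_to and candidate_levels, the VPC ID and the sample rules are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "vpc_id net priority all_squash root_squash")

def parse_access_to(value):
    """Parse 'VPC ID#IP address#priority#user permission' and enforce the documented limits."""
    if not 1 <= len(value) <= 255:
        raise ValueError("access_to must contain 1 to 255 characters")
    try:
        vpc_id, ip_text, prio_text, perm_text = value.split("#")
        all_sq, root_sq = perm_text.split(",")
    except ValueError:
        raise ValueError("expected VPC ID#IP address#priority#allSquash,rootSquash") from None
    if not vpc_id:
        raise ValueError("VPC ID is empty")
    # IPv4Interface accepts one address or one masked segment; 192.168.1.0-255 fails.
    iface = ipaddress.IPv4Interface(ip_text)
    first = iface.ip.packed[0]
    if str(iface) != "0.0.0.0/0" and (first in (0, 127) or first >= 224):
        raise ValueError("address starts with a disallowed first octet: " + ip_text)
    if not (prio_text.isascii() and prio_text.isdigit() and int(prio_text) <= 100):
        raise ValueError("priority must be an integer from 0 to 100")
    if all_sq not in ("all_squash", "no_all_squash"):
        raise ValueError("allSquash must be all_squash or no_all_squash")
    if root_sq not in ("root_squash", "no_root_squash"):
        raise ValueError("rootSquash must be root_squash or no_root_squash")
    return Rule(vpc_id, iface.network, int(prio_text), all_sq, root_sq)

def candidate_levels(rules, vpc_id, client_ip):
    """Access levels a client can end up with, given (access_to, access_level) pairs.

    More than one entry means matching rules tie on priority (resolved at random).
    """
    ip = ipaddress.IPv4Address(client_ip)
    parsed = [(parse_access_to(a), level) for a, level in rules]
    hits = [(r, level) for r, level in parsed if r.vpc_id == vpc_id and ip in r.net]
    best = min((r.priority for r, _ in hits), default=None)  # 0 is the highest priority
    return sorted({level for r, level in hits if r.priority == best})

# Constructed sample data: the VPC ID and the rules are made up for this example.
VPC = "00000000-0000-0000-0000-00000000000a"
SAMPLE_RULES = [
    (VPC + "#10.1.1.32#0#no_all_squash,root_squash", "rw"),
    (VPC + "#10.1.1.0/24#100#all_squash,root_squash", "ro"),
    (VPC + "#10.1.2.0/24#50#all_squash,root_squash", "ro"),
    (VPC + "#10.1.2.7#50#no_all_squash,no_root_squash", "rw"),
]
```

A result with two levels, as for 10.1.2.7 in the sample rules, marks a client whose effective permission is not deterministic and whose rules should be given distinct priorities.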
  • Example request (VPC-based authorization)
    When the specified API version ranges from 1.0 to 2.6, the request example is as follows:
    { 
        "os-allow_access": { 
            "access_to": "59cd070d-9c4c-462e-9dcc-b6bb716225bc", 
            "access_type": "cert", 
            "access_level": "rw" 
        } 
    }

    When the specified API version is later than 2.6, the request example is as follows:

    { 
        "allow_access": { 
            "access_to": "59cd070d-9c4c-462e-9dcc-b6bb716225bc", 
            "access_type": "cert", 
            "access_level": "rw" 
        } 
    }
  • Example request (IP address-based authorization)

    POST /v2/{project_id}/shares/{share_id}/action?vpc_ip_base_acl=enable

    NFS share:

    { 
        "allow_access": { 
            "access_to": "0560a527-0e77-40a6-aa3b-110beecad368#0.0.0.0/0#1#all_squash,root_squash", 
            "access_type": "cert", 
            "access_level": "rw" 
        } 
    }

    When creating a share access rule for an IP address-based authorization scenario:

    1. The X-Openstack-Manila-Api-Version parameter must be specified for the request header, and the value of X-Openstack-Manila-Api-Version must be 2.28 or later.

    2. The vpc_ip_base_acl parameter must be added in the request URL and the value of vpc_ip_base_acl must be set to enable. To ensure compatibility, you can still use the interface to create a share access rule for the IP address-based authorization scenario even if this parameter is left blank or set to a value other than enable. However, this method of creation is deprecated and will not be maintained in the future.
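The version-dependent parts of the request (the os- prefix, the 2.28 minimum and the vpc_ip_base_acl query parameter) can be assembled as follows. This is an added example, not code from the SFS documentation; build_allow_access, parse_microversion and the ip_based flag are hypothetical names, and authentication headers are left out.

```python
import json
from urllib.parse import quote

def parse_microversion(text):
    """Return (major, minor) as integers.

    Microversions are not decimals: 2.28 is later than 2.6, which a float or
    string comparison gets wrong.
    """
    major, minor = text.split(".")
    return int(major), int(minor)

def build_allow_access(project_id, share_id, access_to, access_level,
                       microversion, ip_based=False):
    """Build method, path, headers and JSON body for adding a share access rule."""
    version = parse_microversion(microversion)
    if access_level not in ("ro", "rw"):
        raise ValueError("access_level must be ro or rw")
    if ip_based and version < (2, 28):
        raise ValueError("IP address-based rules require microversion 2.28 or later")
    # API versions 1.0 to 2.6 use the os- prefix on the top-level key; later ones drop it.
    key = "os-allow_access" if version <= (2, 6) else "allow_access"
    path = "/v2/{}/shares/{}/action".format(quote(project_id, safe=""),
                                            quote(share_id, safe=""))
    if ip_based:
        path += "?vpc_ip_base_acl=enable"
    body = {key: {"access_to": access_to,
                  "access_type": "cert",  # value used in the request examples above
                  "access_level": access_level}}
    return {
        "method": "POST",
        "path": path,
        "headers": {"X-Openstack-Manila-Api-Version": microversion},
        "body": json.dumps(body),
    }
```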

Response

  • Parameter description

    | Parameter | Type | Description |
    |---|---|---|
    | access | object | Specifies the access object. If the share access rule is not updated, this value is null. |

  • Description of field access

    | Parameter | Type | Description |
    |---|---|---|
    | share_id | string | Specifies the UUID of the shared file system to which the access rule is added. |
    | access_type | string | Specifies the type of the share access rule. |
    | access_to | string | Specifies the access that the back end grants or denies. |
    | access_level | string | Specifies the access level of the shared file system. |
    | id | string | Specifies the UUID of the share access rule. |
    | state | string | Specifies the status of the share access rule. If the API version is earlier than 2.28, the status of the share access rule can be new, active, or error. In 2.28 and later versions, the status of the share access rule can be queued_to_apply, applying, active, error, queued_to_deny, or denying. |
    | access_key | string | Specifies the access credential of the access rule. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is equal to or greater than 2.21. |
    | created_at | string | Time when a share access rule is created. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is equal to or greater than 2.33. |
    | updated_at | string | Time when a share access rule is updated. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is equal to or greater than 2.33. |

  • Example response
    {
      "access": {
        "share_id": "15940c49-789f-476a-b099-a3be7d311854",
        "access_type": "cert",
        "access_to": "59cd070d-9c4c-462e-9dcc-b6bb716225bc",
        "access_level": "rw",
        "state": "new",
        "id": "418e3cf4-08c3-4ed2-a29a-ceffa346b3b8",
        "access_key":null,
        "created_at": "2017-07-07T03:15:06.858662",
        "updated_at": "2018-07-07T03:15:06.858662"
      }
    }
  • Example response (IP address-based authorization)

    NFS share:

    {
        "access":{
            "access_key":null,
            "share_id":"7ec1115f-518b-40ff-a998-5599ce2da332",
            "access_type":"cert",
            "access_to":"0560a527-0e77-40a6-aa3b-110beecad368#0.0.0.0/0#1#all_squash,root_squash",
            "access_level":"rw",
            "state":"queued_to_apply",
            "id":"24615391-d58d-4a74-ac5a-520233c9c396",
            "created_at": "2017-07-07T03:15:06.858662",
            "updated_at": "2018-07-07T03:15:06.858662"
        }
    }

Status Codes

  • Normal

    200

  • Abnormal

    | Status Code | Description |
    |---|---|
    | 400 Bad Request | The server failed to process the request. |
    | 401 Unauthorized | You must enter a username and the password to access the requested page. |
    | 403 Forbidden | You are forbidden to access the requested page. |
    | 404 Not Found | The requested page was not found. |
    | 405 Method Not Allowed | You are not allowed to use the method specified in the request. |
    | 406 Not Acceptable | The response generated by the server could not be accepted by the client. |
    | 407 Proxy Authentication Required | You must use the proxy server for authentication. Then the request can be processed. |
    | 408 Request Timeout | The request timed out. |
    | 409 Conflict | The request could not be processed due to a conflict. |
    | 500 Internal Server Error | Failed to complete the request because of an internal service error. |
    | 501 Not Implemented | Failed to complete the request because the server does not support the requested function. |
    | 502 Bad Gateway | Failed to complete the request because the request is invalid. |
    | 503 Service Unavailable | Failed to complete the request because the service is unavailable. |
    | 504 Gateway Timeout | A gateway timeout error occurred. |