Adding a File System Access Rule¶

Function¶

This API is used to add a file system access rule.

Note

This API is an asynchronous API. If the returned status code is 200, the API request is successfully delivered and received. Later, you can refer to Querying File System Access Rules to check whether the access rule is added successfully.
APIs whose microversions are from 2.28 to 2.42 can ignore error statuses of existing access rules during rule adding. API microversions are specified by using the X-Openstack-Manila-Api-Version parameter in the request headers.

URI¶

POST /v2/{project_id}/shares/{share_id}/action?vpc_ip_base_acl={vpc_ip_base_acl}

Parameter description

Parameter	Mandatory	Type	Description
share_id	Yes	String	Specifies the ID of the shared file system.
project_id	Yes	String	Specifies the project ID of the operator.
vpc_ip_base_acl	No	String	Specifies the identifier used with IP address-based authorization. Currently, only enable is available, which indicates that an access rule used with IP address-based authorization will be created. Important NOTICE: To ensure compatibility, if this parameter is left blank or set to a value other than enable, you can still use this API to create an access rule used with IP address-based authorization. However, this method of creation has been discarded and will not be maintained in the future.

Request¶

Parameter description
Parameter
Mandatory
Type
Description
os-allow_access
Yes
Object
Specifies the os-allow_access objects.
Note
If the API version ranges from 1.0 to 2.6, the top-layer parameters of the request body in the JSON format use prefix os-. If the API version is later than 2.6, prefix os- must be removed.

Parameter	Mandatory	Type	Description
os-allow_access	Yes	Object	Specifies the os-allow_access objects.

Description of field os-allow_access

Parameter	Mandatory	Type	Description
access_level	No	String	Specifies the access level of the file system. Possible values are ro (read-only) and rw (read-write). The default value is rw (read-write).
access_type	Yes	String	Specifies the storage access method. If the NFS protocol is used, specify cert. If multiple protocols are used, specify cert. Note Value user indicates storage access using username. Value cert indicates storage access using VPC ID and IP address.
access_to	Yes	String	Specifies the value that defines the access rule. The value varies with the scenario: If access_type is set to user, specify AK for this parameter. If access_type is set to cert: In VPC-based authorization scenarios, specify the VPC ID for this parameter. In IP address-based authorization scenarios: For an NFS file system, specify the value in the format of VPC ID#IP address#priority#user permission, for example, 0157b53f-4974-4e80-91c9-098532bcaf00#2.2.2.2/16#100#all_squash,root_squash. For a multi-protocol file system, specify the value in the format of #protocol type#access method#VPC ID#IP address#priority#user permission, for example, #NFS#IP#07207b50-61b4-4e40-b272-e5433105c2d0#1.1.1.1#1#no_all_squash,no_root_squash. Note Description of and restrictions on the VPC ID, IP address, priority, and user permission: VPC ID: ID of the VPC. IP address: Tenant IPv4 address or address segment of the ECS's active network port. Each rule only supports one IPv4 address or address segment. The mask format is used to represent an address segment. For example, 192.168.1.0/24 represents the IP address segment of 192.168.1.0 to 192.168.1.255. Other address segment formats, such as 192.168.1.0-255, are not supported. The entered IPv4 address or address segment must be valid and cannot be an IP address or address segment starting with 0 except 0.0.0.0/0. The value 0.0.0.0/0 indicates any IP address in the VPC. In addition, the IP address or address segment cannot start with 127 or 224 to 255, for example, 127.0.0.1, 224.0.0.1, or 255.255.255.255. This is because IP addresses or address segments starting with 224 to 239 are class D addresses and they are used for multicast. IP addresses or address segments starting with 240 to 255 are class E addresses and they are used for research. If an invalid IP address or address segment is used, the access rule may fail to be added or the added access rule cannot take effect. Priority: Priority of a share access rule. It must be an integer ranging from 0 to 100. 0 indicates the highest priority, and 100 indicates the lowest priority. In the same VPC, the permission of the IP address or address segment with the highest priority is preferentially used. For example, if your IP address for mounting is 10.1.1.32, and the authorized 10.1.1.32 (read/write) and 10.1.1.0/24 (read-only) both meet the requirements, the permission of the IP address or segment with the higher priority is used first. If some IP addresses or address segments are of the same priority, one permission of them is randomly chosen. User permission: Set the user permission in the format of allSquash,rootSquash. That is, allSquash is separated from rootSquash using a comma (,). The value of allSquash can be all_squash or no_all_squash. The value of rootSquash can be root_squash or no_root_squash. Important NOTICE: When creating a shared access rule for the IP address-based authorization scenario, the microversions of the APIs must be 2.28 or later and the vpc_ip_base_acl parameter must be added to the request URL. For details, see the following request example (which varies with the IP address-based authorization scenario). For an ECS in VPC A, its IP addresses can be successfully added to the authorized IP addresses of VPC B, but the file system of VPC B cannot be mounted to this ECS. The VPC used by the ECS and the file system must be the same one.

Parameter

Mandatory

Type

Description

access_level

String

Specifies the access level of the file system. Possible values are ro (read-only) and rw (read-write). The default value is rw (read-write).

access_type

Yes

String

Specifies the storage access method.

If the NFS protocol is used, specify cert.
If multiple protocols are used, specify cert.

Note

Value user indicates storage access using username.
Value cert indicates storage access using VPC ID and IP address.

access_to

Yes

String

Specifies the value that defines the access rule. The value varies with the scenario:

If access_type is set to user, specify AK for this parameter.

If access_type is set to cert:

In VPC-based authorization scenarios, specify the VPC ID for this parameter.
In IP address-based authorization scenarios:
- For an NFS file system, specify the value in the format of VPC ID#IP address#priority#user permission, for example, 0157b53f-4974-4e80-91c9-098532bcaf00#2.2.2.2/16#100#all_squash,root_squash.

For a multi-protocol file system, specify the value in the format of #protocol type#access method#VPC ID#IP address#priority#user permission, for example, #NFS#IP#07207b50-61b4-4e40-b272-e5433105c2d0#1.1.1.1#1#no_all_squash,no_root_squash.

Note

Description of and restrictions on the VPC ID, IP address, priority, and user permission:

VPC ID: ID of the VPC.
IP address: Tenant IPv4 address or address segment of the ECS's active network port. Each rule only supports one IPv4 address or address segment. The mask format is used to represent an address segment. For example, 192.168.1.0/24 represents the IP address segment of 192.168.1.0 to 192.168.1.255. Other address segment formats, such as 192.168.1.0-255, are not supported. The entered IPv4 address or address segment must be valid and cannot be an IP address or address segment starting with 0 except 0.0.0.0/0. The value 0.0.0.0/0 indicates any IP address in the VPC. In addition, the IP address or address segment cannot start with 127 or 224 to 255, for example, 127.0.0.1, 224.0.0.1, or 255.255.255.255. This is because IP addresses or address segments starting with 224 to 239 are class D addresses and they are used for multicast. IP addresses or address segments starting with 240 to 255 are class E addresses and they are used for research. If an invalid IP address or address segment is used, the access rule may fail to be added or the added access rule cannot take effect.
Priority: Priority of a share access rule. It must be an integer ranging from 0 to 100. 0 indicates the highest priority, and 100 indicates the lowest priority. In the same VPC, the permission of the IP address or address segment with the highest priority is preferentially used. For example, if your IP address for mounting is 10.1.1.32, and the authorized 10.1.1.32 (read/write) and 10.1.1.0/24 (read-only) both meet the requirements, the permission of the IP address or segment with the higher priority is used first. If some IP addresses or address segments are of the same priority, one permission of them is randomly chosen.
User permission: Set the user permission in the format of allSquash,rootSquash. That is, allSquash is separated from rootSquash using a comma (,). The value of allSquash can be all_squash or no_all_squash. The value of rootSquash can be root_squash or no_root_squash.

Important

NOTICE:

When creating a shared access rule for the IP address-based authorization scenario, the microversions of the APIs must be 2.28 or later and the vpc_ip_base_acl parameter must be added to the request URL. For details, see the following request example (which varies with the IP address-based authorization scenario).
For an ECS in VPC A, its IP addresses can be successfully added to the authorized IP addresses of VPC B, but the file system of VPC B cannot be mounted to this ECS. The VPC used by the ECS and the file system must be the same one.

Example request (IP address-based authorization)
POST /v2/{project_id}/shares/{share_id}/action?vpc_ip_base_acl=enable
Adding a file system access rule (value of the rule parameter 0560a527-0e77-40a6-aa3b-110beecad368#127.0.0.1#1#all_squash,root_squash):
```
{
    "allow_access": {
        "access_to": "0560a527-0e77-40a6-aa3b-110beecad368#127.0.0.1#1#all_squash,root_squash",
        "access_type": "cert",
        "access_level": "rw"
    }
}
```
Important
When creating the share access rule for an IP address-based authorization scenario.
1. The X-Openstack-Manila-Api-Version parameter must be specified for the request header, and the value of X-Openstack-Manila-Api-Version must be from 2.28 to 2.42.
2. The vpc_ip_base_acl parameter must be added in the request URL and the value of vpc_ip_base_acl must be set to enable. To ensure compatibility, if this parameter is left blank or set to a value other than enable, you can still use this API to create an access rule used with IP address-based authorization. However, this method of creation has been discarded and will not be maintained in the future.

Response¶

Parameter description
Parameter
Type
Description
access
Object
Specifies the access objects. If the access rule is not updated, this value is null.

Parameter	Type	Description
access	Object	Specifies the access objects. If the access rule is not updated, this value is null.

Description of the access field

Parameter	Type	Description
share_id	String	Specifies the ID of the shared file system to which the access rule is added.
access_type	String	Specifies the type of the access rule.
access_to	String	Specifies the object that the backend grants or denies access.
access_level	String	Specifies the level of the access rule.
id	String	Specifies the ID of the access rule.
state	String	Specifies the status of the access rule. If the API version is earlier than 2.28, the status of the access rule is new, active, or error. In versions from 2.28 to 2.42, the status of the access rule is queued_to_apply, applying, active, error, queued_to_deny, or denying.
access_key	String	Specifies the access credential of the access rule. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is from 2.21 to 2.42.
created_at	String	Specifies the time when the access rule was created. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is greater than or equal to 2.33.
updated_at	String	Specifies the time when the access rule was updated. This parameter exists only when the value of X-Openstack-Manila-Api-Version in the request header is greater than or equal to 2.33.

Example response

NFS file system:

{
    "access":{
        "access_key":null,
        "share_id":"7ec1115f-518b-40ff-a998-5599ce2da332",
        "access_type":"cert",
        "access_to":"0560a527-0e77-40a6-aa3b-110beecad368#0.0.0.0/0#1#all_squash,root_squash",
        "access_level":"rw",
        "state":"queued_to_apply",
        "id":"24615391-d58d-4a74-ac5a-520233c9c396",
        "created_at": "2017-07-07T03:15:06.858662",
        "updated_at": "2018-07-07T03:15:06.858662"
    }
}

Status Codes¶

Normal
200

Abnormal

Status Code	Description
400 Bad Request	The server failed to process the request.
401 Unauthorized	You must enter a username and the password to access the requested page.
403 Forbidden	Access to the requested page is forbidden.
404 Not Found	The requested page was not found.
405 Method Not Allowed	You are not allowed to use the method specified in the request.
406 Not Acceptable	The response generated by the server could not be accepted by the client.
407 Proxy Authentication Required	You must use the proxy server for authentication. Then the request can be processed.
408 Request Timeout	The request timed out.
409 Conflict	The request could not be processed due to a conflict.
500 Internal Server Error	Failed to complete the request because of an internal service error.
501 Not Implemented	Failed to complete the request because the server does not support the requested function.
502 Bad Gateway	Failed to complete the request because the request is invalid.
503 Service Unavailable	Failed to complete the request because the service is unavailable.
504 Gateway Timeout	A gateway timeout error occurred.

last updated: 2024-09-07 01:06