Feature request: improve export policies at the FlexVol level in the context of ONTAP-NAS-ECO

[YvosOnTheHub]

Describe the solution you'd like
Trident provides 3 possibilities to manage Export policies

• dynamically with autoExportCIDRs & autoExportPolicy backend parameters
• explicitly with the exportPolicy backend parameter
• default value (ie: use export policy default)

When managing export policies dynamically, both the Qtrees & the parent FlexVol are assigned the same policy. Not issue here.

However when using the 2 other methods, only the Qtrees are assigned the export policy provided by the admin, or the default one. Here, the parent FlexVol will be linked to a policy created by Trident called trident_qtree_pool_export_policy.

This FlexVol policy is wide open => 0.0.0.0/0 & ::/0

This means that someone could mount the FlexVol & list all the Qtrees/PVC. He may not be able to mount these Qtrees, but seeing their name could be interpreted as a lack of security.

Describe alternatives you've considered
If the parameter exportPolicy is specified by the admin, it should be used for the parent Flexvol also.
if the default policy is used, it should also be assigned to the FlexVol.

If this is not feasible, documentation could be updated to reflect this behavior

Additional context
I also noticed that if several ontap-nas-eco backends are configured with the same prefix, PVC/Qtrees from both backends will be created in the same FlexVol.

[gnarl]

Hi @YvosOnTheHub,

Do you have a suggestion as to what the root export policy should be other than 0.0.0.0/0? If this export policy isn't set properly then you may not be able to mount the qtree.

[YvosOnTheHub]

Hi @gnarl ,
if the exportPolicy parameter is specified in a Trident backend, I would advise to also assign it to the FlexVol hosting the Qtrees with NAS-ECO driver. That way, configuration is consistent.

In my test, before configuring NAS-ECO, I have 2 export policies:

• default: 0.0.0.0/0
• trident: 192.168.0.0/24

I then create a NAS-ECO backend with the exportPolicy=trident parameter set.

Upon the creation of the first PVC, Trident creates an export policy called trident_qtree_pool_export_policy (0.0.0.0/0) & assigns it to the FlexVol hosting the Qtrees, while all the qtrees are linked to the trident policy.

Maybe there are some side-effects I dont measure (maybe different backends with the same prefix would point to the same FlexVol? havent tested that...)

++

[arndt-netapp]

Cisco would like the trident_qtree_pool_export_policy security improved as well. We need read-only access to the volume where qtrees are used with nas-economy, but we do not need to provide read-write access to the volume.

[arndt-netapp]

If exportPolicy is statically defined for an ontap-nas-economy backend, it would be better to use that same policy for both the volume hosting the qtrees and the qtree itself.

[torirevilla]

@arndt-netapp This is an older feature request that should have been closed out as drastic improvements have been made regarding access control for nas-economy qtrees and their flexvols via export policies. In Trident 24.10.0 new qtrees using autoExportPolicy will have a per-qtree export policy where only nodes that are actively mapped will be included in the policy rules. The FlexVol will have a superset of the containing qtree export policy rules. Check out the documentation around export policies here.
If there are further enhancements requests, please open a new issue.