Managed Lustre provides IP-based access control through the root squash feature.
Root squash is a security feature that prevents a root user on a client VM from having root privileges on a Managed Lustre file system. When a root user accesses the Managed Lustre file system, their privileges are "squashed" down to those of a less-privileged user.
Root squash can be configured for a new Managed Lustre instance or for an existing one. You can apply a default root squash setting to all clients, or specify custom rules for certain clients.
By default, root squash is not configured on a Managed Lustre instance.
Disable IP forwarding
The default Compute Engine configuration allows instances to enable
IP forwarding. To prevent users from circumventing root squash policies by
impersonating a different source IP address, you should disable IP forwarding
using the constraints/compute.vmCanIpForward organization policy. See
Creating and managing organization policies for instructions.
Configure default root squash
To apply root squash to all clients that connect to the instance, specify a
default squash UID and GID, and set the squash mode to ROOT_SQUASH. A
commonly used value for UID and GID is 65534, which translates to the
nobody user.
Note that by default a nobody user is limited to read and execute access only.
Only root users and members of the Owner group have write access to the
file system.
Create instance
To create an instance with default root squash:
gcloud
Use the --default-squash-mode, --default-squash-uid, and
--default-squash-gid flags to set the default values:
gcloud lustre instances create INSTANCE_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--network=NETWORK_NAME \
--per-unit-storage-throughput=PER_UNIT_STORAGE_THROUGHPUT \
--capacity-gib=CAPACITY \
--filesystem=FS_NAME \
--default-squash-mode=ROOT_SQUASH \
--default-squash-uid=UID \
--default-squash-gid=GID
Where:
--default-squash-mode is one of ROOT_SQUASH or NO_SQUASH.
--default-squash-uid and --default-squash-gid set the default IDs to which to squash root users.
For a full list and description of available fields when creating an instance,
see the gcloud lustre instances create reference.
REST
To create an instance using the REST API, send a request to the following
endpoint and include an accessRulesOptions object:
POST https://lustre.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances?instanceId=INSTANCE_NAME
Authorization: Bearer AUTH_TOKEN
{
"filesystem": "FS_NAME",
"perUnitStorageThroughput": "PER_UNIT_STORAGE_THROUGHPUT",
"capacityGib": "CAPACITY_GIB",
"network": "NETWORK",
"accessRulesOptions": {
"defaultSquashMode": "SQUASH_MODE",
"defaultSquashUid": UID,
"defaultSquashGid": GID
}
}
For details on creating an instance using the REST API, see the
projects.locations.instances.create API reference.
Google Cloud console
Root squash cannot be configured using the Google Cloud console.
Update instance
To update an existing instance to use default root squash:
gcloud
Use the --default-squash-mode, --default-squash-uid, and
--default-squash-gid flags to set the default values:
gcloud lustre instances update INSTANCE_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--default-squash-mode=ROOT_SQUASH \
--default-squash-uid=UID \
--default-squash-gid=GID
Where:
--default-squash-mode is one of ROOT_SQUASH or NO_SQUASH.
--default-squash-uid and --default-squash-gid set the default IDs to which to squash root users.
REST
To update an instance using the REST API, send a PATCH request to its specific
endpoint. You must specify accessRulesOptions in the updateMask:
PATCH https://lustre.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE_NAME?updateMask=accessRulesOptions
Authorization: Bearer AUTH_TOKEN
{
"accessRulesOptions": {
"defaultSquashMode": "ROOT_SQUASH",
"defaultSquashUid": UID,
"defaultSquashGid": GID
}
}
For more information about updating an instance, see Manage instances.
Google Cloud console
Root squash cannot be configured using the Google Cloud console.
Configure root squash with exceptions
To apply root squash to all clients except a specific set of trusted clients,
specify an accessRulesOptions JSON object. This object contains a
defaultSquashMode and the default UID and GID to use, plus a rule
that exempts certain clients based on their IP address ranges.
A commonly used value for the squash UID and GID is 65534, which translates to
the nobody user.
Note that the nobody user does not have write access to the file system. Only
root users and members of the Owner group have read, write and execute access.
Other users are limited to read and execute access only.
Create the JSON object
If you're using gcloud to create or update your instance, create a file
named access_rules_options.json with your configuration.
If you're using the REST API, the JSON is the same, but you'll include it directly in your Instance object when creating or updating an instance.
The JSON may contain the following fields:
{
"accessRulesOptions": {
"accessRules": [
{
"name": "NAME",
"ipAddressRanges": [
"IP_ADDRESS_OR_CIDR_RANGE_1",
"IP_ADDRESS_OR_CIDR_RANGE_2"
],
"squashMode": "NO_SQUASH"
}
],
"defaultSquashMode": "SQUASH_MODE",
"defaultSquashUid": UID,
"defaultSquashGid": GID
}
}
When setting a specific access rule:
name is a user-defined name for this rule. It must use only alphanumeric characters and underscores (_) and be 16 characters or less. name is required if an access rule is specified.
ipAddressRanges is a list of one or more IP addresses or CIDR ranges that do not overlap. Ranges are specified in the following format: 192.168.0.0/24. ipAddressRanges is required if an access rule is specified.
squashMode is always NO_SQUASH. squashMode is required if an access rule is specified.
When setting the default squash behavior:
defaultSquashMode is one of ROOT_SQUASH or NO_SQUASH. If set to NO_SQUASH, do not set the default squash UID and GID, or an invalid argument error is returned. This field is required.
defaultSquashUid and defaultSquashGid are the user and group ID values to which to convert root users who don't match any specific access rules. Do not include them if the defaultSquashMode is NO_SQUASH.
For example, to set a default root squash with an exception for root users from a specific range of IP addresses and a particular IP address:
{
"accessRulesOptions": {
"accessRules": [
{
"name": "dont_squash",
"ipAddressRanges": [
"192.100.1.10",
"192.168.0.0/24"
],
"squashMode": "NO_SQUASH"
}
],
"defaultSquashMode": "ROOT_SQUASH",
"defaultSquashUid": 65534,
"defaultSquashGid": 65534
}
}
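The field constraints listed above are easy to get wrong by hand (a rule name over 16 characters, overlapping ranges, or a UID supplied alongside NO_SQUASH all produce an invalid argument error at request time). The following Python script is an added example, not Google's code or part of the Managed Lustre tooling: it checks an accessRulesOptions object against the rules stated on this page before you submit it, and resolves which squash mode a given client source IP would end up with. The check that an exemption applies whenever the client IP falls inside any listed range is an assumption about matching semantics; the sample objects are constructed from the example above and are not taken from a real instance.

```python
"""Validate a Managed Lustre accessRulesOptions object and resolve the
effective squash mode for a client IP.

Added example, not Google's code. The field rules come from the page:
  - name: alphanumeric and underscore only, 16 characters or less
  - ipAddressRanges: one or more IPs/CIDRs that do not overlap
  - per-rule squashMode: always NO_SQUASH
  - defaultSquashMode: ROOT_SQUASH or NO_SQUASH; UID/GID only with ROOT_SQUASH
The "first matching rule wins" lookup is an assumption for illustration.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,16}$")
SQUASH_MODES = {"ROOT_SQUASH", "NO_SQUASH"}


def _networks(ranges):
    """Parse each entry as an IP or CIDR (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def validate_access_rules_options(doc):
    """Return a list of problems; an empty list means the object passes the page's rules."""
    problems = []
    opts = doc.get("accessRulesOptions")
    if not isinstance(opts, dict):
        return ["accessRulesOptions object missing"]

    mode = opts.get("defaultSquashMode")
    if mode not in SQUASH_MODES:
        problems.append("defaultSquashMode must be ROOT_SQUASH or NO_SQUASH")
    has_ids = "defaultSquashUid" in opts or "defaultSquashGid" in opts
    if mode == "NO_SQUASH" and has_ids:
        problems.append("defaultSquashUid/defaultSquashGid must be omitted when defaultSquashMode is NO_SQUASH")
    if mode == "ROOT_SQUASH":
        for key in ("defaultSquashUid", "defaultSquashGid"):
            value = opts.get(key)
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                problems.append(f"{key} must be a non-negative integer")

    for i, rule in enumerate(opts.get("accessRules", [])):
        label = f"accessRules[{i}]"
        if not NAME_RE.match(rule.get("name", "")):
            problems.append(f"{label}: name must be 1-16 alphanumeric/underscore characters")
        if rule.get("squashMode") != "NO_SQUASH":
            problems.append(f"{label}: squashMode must be NO_SQUASH")
        ranges = rule.get("ipAddressRanges") or []
        if not ranges:
            problems.append(f"{label}: ipAddressRanges is required")
            continue
        try:
            nets = _networks(ranges)
        except ValueError as exc:
            problems.append(f"{label}: bad ipAddressRanges entry: {exc}")
            continue
        # Ranges within one rule must not overlap each other.
        for j in range(len(nets)):
            for k in range(j):
                if nets[j].version == nets[k].version and nets[j].overlaps(nets[k]):
                    problems.append(f"{label}: range {nets[j]} overlaps {nets[k]}")
    return problems


def effective_squash(doc, client_ip):
    """Return (mode, rule_name): the rule's NO_SQUASH if the client's source IP is
    inside any exemption range, otherwise (defaultSquashMode, None)."""
    opts = doc["accessRulesOptions"]
    ip = ipaddress.ip_address(client_ip)
    for rule in opts.get("accessRules", []):
        for net in _networks(rule["ipAddressRanges"]):
            if ip.version == net.version and ip in net:
                return rule["squashMode"], rule["name"]
    return opts["defaultSquashMode"], None


# Constructed sample: the page's example object, squashing root to nobody (65534)
# except for one host and one /24.
SAMPLE_OK = {
    "accessRulesOptions": {
        "accessRules": [
            {
                "name": "dont_squash",
                "ipAddressRanges": ["192.100.1.10", "192.168.0.0/24"],
                "squashMode": "NO_SQUASH",
            }
        ],
        "defaultSquashMode": "ROOT_SQUASH",
        "defaultSquashUid": 65534,
        "defaultSquashGid": 65534,
    }
}

# Constructed sample that breaks four of the page's rules at once.
SAMPLE_BAD = {
    "accessRulesOptions": {
        "accessRules": [
            {
                "name": "too_long_name_for_rule",
                "ipAddressRanges": ["10.0.0.0/8", "10.1.0.0/16"],
                "squashMode": "ROOT_SQUASH",
            }
        ],
        "defaultSquashMode": "NO_SQUASH",
        "defaultSquashUid": 65534,
    }
}

if __name__ == "__main__":
    print("ok sample problems:", validate_access_rules_options(SAMPLE_OK))
    print("bad sample problems:", validate_access_rules_options(SAMPLE_BAD))
    for ip in ("192.168.0.77", "192.100.1.10", "10.0.0.5"):
        print(ip, "->", effective_squash(SAMPLE_OK, ip))
```

Run the validator over the file you intend to pass with --flags-file or embed in the REST body; a non-empty problem list means the request would be rejected or, worse, would silently exempt more clients than intended. Keep in mind that the exemption is keyed on the client's source IP, which is why the page tells you to disable IP forwarding with the constraints/compute.vmCanIpForward policy: the lookup in effective_squash trusts whatever address the packet carries.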
Create or update an instance using the JSON file
Include your JSON when creating or updating an instance.
gcloud
Use the --flags-file option to reference the JSON file when creating or
updating an instance.
To create an instance:
gcloud lustre instances create INSTANCE_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--network=NETWORK_NAME \
--per-unit-storage-throughput=PER_UNIT_STORAGE_THROUGHPUT \
--capacity-gib=CAPACITY \
--filesystem=FS_NAME \
--flags-file=access_rules_options.json
For a full list and description of available fields, see Create a Managed Lustre instance.
To update an instance:
gcloud lustre instances update INSTANCE_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--flags-file=access_rules_options.json
REST
To create an instance using the REST API, send a request to the following
endpoint and include an accessRulesOptions object:
POST https://lustre.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances?instanceId=INSTANCE_NAME
Authorization: Bearer AUTH_TOKEN
{
"filesystem": "FS_NAME",
"perUnitStorageThroughput": "PER_UNIT_STORAGE_THROUGHPUT",
"capacityGib": "CAPACITY_GIB",
"network": "NETWORK",
"accessRulesOptions": {
"accessRules": [
{
"name": "NAME",
"ipAddressRanges": [
"IP_ADDRESS_OR_CIDR_RANGE_1",
"IP_ADDRESS_OR_CIDR_RANGE_2"
],
"squashMode": "NO_SQUASH"
}
],
"defaultSquashMode": "SQUASH_MODE",
"defaultSquashUid": UID,
"defaultSquashGid": GID
}
}
For details on creating an instance using the REST API, see Create a Managed Lustre instance.
To update an instance using the REST API, send a PATCH request to its specific
endpoint. You must specify accessRulesOptions in the updateMask:
PATCH https://lustre.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE_NAME?updateMask=accessRulesOptions
Authorization: Bearer AUTH_TOKEN
{
"accessRulesOptions": {
"accessRules": [
{
"name": "NAME",
"ipAddressRanges": [
"IP_ADDRESS_OR_CIDR_RANGE_1",
"IP_ADDRESS_OR_CIDR_RANGE_2"
],
"squashMode": "NO_SQUASH"
}
],
"defaultSquashMode": "SQUASH_MODE",
"defaultSquashUid": UID,
"defaultSquashGid": GID
}
}
For more information about updating an instance, see Manage instances.
Google Cloud console
Root squash cannot be configured using the Google Cloud console.
Remove root squash from an instance
To remove all root squash settings from an instance, update the instance to
clear the access rules and set the default mode to NO_SQUASH.
gcloud
gcloud lustre instances update INSTANCE_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--default-squash-mode=NO_SQUASH \
--clear-access-rules \
--default-squash-uid=0 \
--default-squash-gid=0
REST
PATCH https://lustre.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE_NAME?updateMask=accessRulesOptions
Authorization: Bearer AUTH_TOKEN
{
"accessRulesOptions": {
"defaultSquashMode": "NO_SQUASH"
}
}
Google Cloud console
Root squash cannot be configured using the Google Cloud console.