Skip to Main Content
IBM System Storage Ideas Portal


This portal is to open public enhancement requests against IBM System Storage products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Created by Guest
Created on Jan 29, 2016

mmcesdr secondary config should create NFS exports without RW access to all clients

Please can you modify mmcesdr secondary config so that it creates secure NFS exports (for use by AFM) by only exporting to the gateways of the primary cluster, and not all clients.

When mmcesdr is used (mmcesdr secondary config) to set up the secondary cluster for protocol cluster replication, it creates exports that are accessible to ANY client on the network. For example:

secondary# mmnfs export list --nfsdefs /mnt/mygpfs/nfs-cac31
Path Delegations Clients Access_Type Protocols Transports Squash Anonymous_uid Anonymous_gid SecType PrivilegedPort DefaultDelegations Manage_Gids NFS_Commit
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/mnt/mygpfs/nfs-cac31 none * RW 3,4 TCP NO_ROOT_SQUASH -2 -2 SYS FALSE none FALSE FALSE

As a consequence, ANY client can mount ANY of the NFS exports created on the secondary cluster by mmcesdr and access data there. Those exports will contain copies of all the data from the primary (production) cluster, and hence provide a way for unauthorized people to get access to the production data via the secondary cluster export used by AFM.

Mmcesdr should be setting up it NFS exports for use by AFM by only exporting to the gateways at the primary site. mmcesdr should be able to add this information into the DR_Config file that is creates and which is copied to the secondary site prior to the running of the “mmcesdr secondary config” command, so that the NFS exports created for use by AFM are only available to the primary cluster gateways.

Idea priority Urgent
  • Guest
    Reply
    |
    Sep 30, 2020

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - IBM Spectrum Scale
    Product - Spectrum Scale (formerly known as GPFS) - Public RFEs
    Component - Product functionality

    For recording keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - IBM Spectrum Scale
    Product - Spectrum Scale (formerly known as GPFS) - Public RFEs
    Component - V4 Product functionality

  • Guest
    Reply
    |
    Apr 20, 2016

    To me this just seems like another step to lock down the share is required with `mmnfs export change ..... `. It would be nice if mmcesdr did this correctly though, but perhaps I'm missing something.

  • Guest
    Reply
    |
    Jan 30, 2016

    Creating a new RFE based on Community RFE #83231 in product Spectrum Scale (formerly known as GPFS) - Public RFEs.