= Client access :toc: :icons: :linkattrs: :imagesdir: ../resources/images == Summary This section will demonstrate how control client access using access points. == Duration NOTE: It will take approximately 10 minutes to complete this section. == Step-by-step Guide === Control client access using access points IMPORTANT: Read through all steps below and watch the quick video before continuing. image::client-access.gif[align="left", width=600] . Return to the browser-based SSH connection of the *EFS Workshop Linux Instance 1* instance. + TIP: If the SSH connection has timed out, e.g. the session is unresponsive, refresh or reload the current browser tab. If that doesn't resolve the issue, close the browser-based SSH connection window and create a new one. Return to the link:https://console.aws.amazon.com/ec2/[Amazon EC2] console. *_Click_* the radio button next to the instance with the name *EFS Workshop Linux Instance 1*. *_Click_* the *Connect* button. *_Click_* the radio button next to *EC2 Instance Connect (browser-based SSH connection)*. Leave the default user name as *ec2-user* and *_click_* *Connect*. + . *_Copy_*, *_paste_*, and *_run_* the following command in the browser-based SSH connection window to see how the Amazon EFS file system has been mounted. The rest of the bash commands below will also be *_run_* in the same browser-based SSH connection window. + [source,bash] ---- mount -t nfs4 ---- + . What is the mount point of the EFS file system? * The output of the command should look similar to this: + [source,bash] ---- fs-01234abc.efs.us-east-1.amazonaws.com:/ on /efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.12,local_lock=none,addr=10.0.1.176,_netdev) ---- + * Answer: /efs . *_Copy_*, *_paste_*, and *_run_* the following command in the browser-based SSH connection window to get a list of all files and directories under the mount point */efs*. The rest of the bash commands below will also be *_run_* in the same browser-based SSH connection window. + [source,bash] ---- ll /efs ---- + . What directories are under the root of the file system in the mount point */efs*? * The output of the command should look similar to this: + [source,bash] ---- drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 cp drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 02:58 dd drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 fpsync drwxr-xr-x 2 ec2-user ec2-user 6144 Jun 1 00:22 ior drwxr-xr-x 6 ec2-user ec2-user 227328 Jun 1 06:31 parallelcp drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 parallelcpio drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 rsync drwxr-xr-x 24 ec2-user ec2-user 6144 May 31 06:02 smallfile drwxrwxr-x 12 ec2-user ec2-user 6144 Jun 1 01:52 touch ---- + . Make a note of all the directories under the mount point */efs*. . Create a new directory called *client* and some subdirectories with zero-byte files. *_Run_* the following script. + [source,bash] ---- mkdir -p /efs/client/touch1/{1..32} sudo chown ec2-user:ec2-user /efs/client/touch1/{1..32} time seq 1 32 | parallel --will-cite -j 32 touch /efs/client/touch1/{}/test1.{1..32} ---- + . List the contents of the mount point. *_Run_* the following script. + [source,bash] ---- ll /efs/client ---- + * The output of the script should look similar to this: + [source,bash] ---- total 4 drwxr-xr-x 34 root root 6144 Jun 1 14:45 touch1 ---- + . List directories, files, including users and groups. *_Run_* the following script. + [source,bash] ---- tree --du -hug /efs/client/touch1 ---- + * The end of the output should look similar to this: + [source,bash] ---- ├── [ec2-user ec2-user 0] test1.7 ├── [ec2-user ec2-user 0] test1.8 └── [ec2-user ec2-user 0] test1.9 198K used in 32 directories, 1024 files ---- + . Unmount the file system. *_Run_* the following script. + [source,bash] ---- cd sudo umount /efs ---- + . Return to the Amazon EFS console. . *_Click_* the radio button next to the file system. . *_Click_* *Actions* >> *Manage client access* from the File systems tool bar. . Create a simple file system policy. From the *File system policy* section, *_click_* the check boxes of the following policy statements: * Disable root access by default * Enforce in-transit encryption for all clients . *_Click_* *Set policy*. . *_Click_* *Save policy*. . Create an access point and configure the POSIX identity and root directory for all connections using this access point. From the *Access points* section, *_click_* *+ Add access point* at the bottom left of the window. . Complete the *New access points* form using the following table. + [cols="10,10,10,10,10,10,10,10"] |=== | Name | User ID | Group ID | Secondary Group IDs | Path | Owner User ID | Owner Group ID | Permissions | client | 1000 | 1000 | | /client | 1000 | 1000 | 755 |=== . *_Click_* *Save access points*. . *_Click_* the browser's back button to return to the Amazon EFS console. . *_Copy_* the *File system ID*. + * The file system ID should look similar to this: + [source,bash] ---- fs-0123abcd ---- === Validate file system policies and access point . Return to the browser-based SSH connection of the *EFS Workshop Linux Instance 1* instance. . See if you can mount the file system using an unencrypted connection. *_Run_* the following script. Replace the file system ID place holder with the file system ID you copied in the earlier step. + [source,bash] ---- sudo mount -t efs /efs ---- + * The actual command should look similar to this: + [source,bash] ---- sudo mount -t efs fs-0123abcd /efs ---- + . Did the mount command succeed? Why not? . The output of the command should look similar to this: + [source,bash] ---- mount.nfs4: access denied by server while mounting fs-d4d65d57.efs.us-east-1.amazonaws.com:/ ---- + . What must you do to the mount command to successfully mount the file system? . Change the mount command to use an encrypted connection by inserting *-o tls*. *_Run_* the following script. Replace the file system ID place holder with the file system ID you copied in the earlier step. + [source,bash] ---- sudo mount -t efs -o tls /efs ---- + * The actual command should look similar to this: + [source,bash] ---- sudo mount -t efs -o tls fs-0123abcd /efs ---- + . Did the mount command succeed? . Verify the file system successfully mounted. *_Run_* the following script. + [source,bash] ---- mount -t nfs4 ---- + * The output should look similar to this: + [source,bash] ---- 127.0.0.1:/ on /efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20279,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1) ---- + . Notice the DNS name of the file system is no longer in the mount output. The file system DNS name is replaced with the IP address of the loopback or localhost. To help identify the DNS name of a file system mounted with an encrypted connection, query the mount.log file and find the last successful mount operation. *_Run_* the following script. + [source,bash] ---- grep -E "Successfully mounted.*/efs" /var/log/amazon/efs/mount.log | tail -1 ---- + . The output of the command should look similar to this: + [source,bash] ---- 2020-06-01 14:55:46,279 - INFO - Successfully mounted fs-0123abcd.efs.us-east-1.amazonaws.com at /efs ---- + . Verify you can access the file system. List the file system objects under the root of the mount point. *_Run_* the following script. + [source,bash] ---- ll /efs ---- + . What directories are under the root of the file system in the mount point */efs*? * The output of the command should look similar to this: + [source,bash] ---- total 256 drwxrwxr-x 3 ec2-user ec2-user 6144 Jun 1 15:25 client drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 cp drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 02:58 dd drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 fpsync drwxr-xr-x 2 ec2-user ec2-user 6144 Jun 2 00:22 ior drwxr-xr-x 6 ec2-user ec2-user 227328 Jun 2 06:31 parallelcp drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 parallelcpio drwxr-xr-x 6 ec2-user ec2-user 6144 Jun 1 01:52 rsync drwxr-xr-x 24 ec2-user ec2-user 6144 May 31 06:02 smallfile drwxrwxr-x 12 ec2-user ec2-user 6144 Jun 1 01:52 touch ---- + . Create more zero-byte files. *_Run_* the following script. + [source,bash] ---- mkdir -p /efs/client/touch2/{1..32} time seq 1 32 | parallel --will-cite -j 32 sudo touch /efs/client/touch2/{}/test1.{1..32} ---- + . Did parallel touch command succeed? Why not? . Rerun the script by but remove *sudo*. *_Run_* the following script. + [source,bash] ---- time seq 1 32 | parallel --will-cite -j 32 touch /efs/client/touch2/{}/test1.{1..32} ---- + . Did parallel touch command succeed? . List directories, files, including users and groups. *_Run_* the following script. + [source,bash] ---- sudo tree --du -hug /efs/client/touch2 ---- + * The output of the script should look similar to this: + [source,bash] ---- ├── [ec2-user ec2-user 0] test1.6 ├── [ec2-user ec2-user 0] test1.7 ├── [ec2-user ec2-user 0] test1.8 └── [ec2-user ec2-user 0] test1.9 198K used in 32 directories, 1024 files ---- + . Unmount the file system. *_Run_* the following script. + [source,bash] ---- cd sudo umount /efs ---- + . Return to the Amazon EFS console. . *_Click_* the radio button next to the file system. . *_Click_* *Actions* >> *Manage client access* from the File systems tool bar. . From the *Access points* section, *_copy_* the *Access point ID*. It should look similar to this: * fsap-0d3c794aa17bcc98d . Run the mount command to use an encrypted connection and the access point. *_Run_* the following script. Replace the file system ID place holder with your file system ID and the access point place holder your copied earlier. + [source,bash] ---- sudo mount -t efs -o tls,accesspoint= /efs ---- + * The actual command should look similar to this: + [source,bash] ---- sudo mount -t efs -o tls,accesspoint=fsap-0123456789abdcef0 fs-0123abcd /efs ---- + . List the contents of the mount point. *_Run_* the following script. + [source,bash] ---- ll /efs ---- + * The output should look similar to this: + [source,bash] ---- total 8 drwxrwxr-x 34 ec2-user ec2-user 6144 Jun 1 15:25 touch1 drwxrwxr-x 34 ec2-user ec2-user 6144 Jun 1 15:31 touch2 ---- + . What happened to all the other directories that were under */efs*? * Earlier you created an access point with the path */client*, so mount points for all connections using that access point will have the root */client*. These connections will only be able to access file system contents within */client*. . Create a new directory called */touch3* and some subdirectories with zero-byte files. *_Run_* the following script. + [source,bash] ---- sudo mkdir -p /efs/touch3/{1..32} time seq 1 32 | parallel --will-cite -j 32 sudo touch /efs/touch3/{}/test1.{1..32} ---- + . List the contents of the mount point. *_Run_* the following script. + [source,bash] ---- ll /efs ---- + * The output of the script should look similar to this: + [source,bash] ---- total 12 drwxrwxr-x 34 ec2-user ec2-user 6144 Jun 1 15:25 touch1 drwxrwxr-x 34 ec2-user ec2-user 6144 Jun 1 15:31 touch2 drwxr-xr-x 34 ec2-user ec2-user 6144 Jun 1 15:43 touch3 ---- + . List directories, files, including users and groups in the *touch3* directory. *_Run_* the following script. + [source,bash] ---- tree --du -hug /efs/touch3 ---- + * The output of the script should look similar to this: + [source,bash] ---- ├── [ec2-user ec2-user 0] test1.6 ├── [ec2-user ec2-user 0] test1.7 ├── [ec2-user ec2-user 0] test1.8 └── [ec2-user ec2-user 0] test1.9 198K used in 32 directories, 1024 files ---- + . Who is the user owner and group owner of all these directories and files? * Notice the owner of all directories and files created in the */touch3* directory is *ec2-user*. Because this instance is using the access point that is mapped to *User ID: 1000 (ec2-user)* and *Groupd ID: 1000 (ec2-user)*, all file system objects will be created as ec2-user, even those created as *sudo*. == Next section Click the link below to go to the next section. image::takeaways.png[link=../13-takeaways/, align="left",width=420]