Configuring the exports file


This topic explains the purpose of the exports file, describes the available options, and details how to configure it. This topic includes the following sections:

About the exports file

The exports file determines which TrueSight Server Automation clients have access to a server. With the exports file you can set permissions on a per-client basis and, when necessary, use the users or users.local files to override those permissions for particular users. Often the exports file is used to set global permissions that apply to users on all client machines.

For example, you can use the exports file to limit all clients to read-only permission on the server. Then you can use the users or users.local files to specify individual users who are granted read/write permission on that server.

Access permissions are defined for each individual RSCD agent and must be configured separately on each host where the RSCD agent is running. Updating the exports file on the host where you are running Network Shell or other TrueSight Server Automation applications does not set access permissions for managed servers.

When an rscd daemon starts on a server, it automatically reads the exports file. When changes are made to the exports file, the daemon automatically re-reads it. All subsequent client connections have the access permissions defined in the modified version of the exports file. Existing client connections are not affected by the changes. You do not have to restart the agent or otherwise instruct it to read the new exports file.

If the exports file does not exist or it does not contain any configuration information, you cannot establish a connection with an agent.

The exports file resides in different locations in Windows and UNIX systems, as described in the following table.

The exports file does not grant permissions on Windows servers to roles that are set up for Windows user mapping. For information about Windows user mapping, see the Windows user mapping and agent ACLs. If you are using Windows user mapping to grant permissions to roles, the exports file might still include entries that apply to Windows servers. Only the user mapping information in the exports file is ignored.


The following topics provide more information about configuring the exports file.

To configure the exports file

Create entries that correlate the host names of clients with the permissions that should be granted to those clients. Use the following format for each entry:

<hostnames> <option1...optionN>
  • <hostnames> is a list of comma-separated IP addresses, resolvable host names, or subnet designations. Subnet designations are used to define a range of addresses (see Subnet designations in configuration files). Using an asterisk instead of a list of host names defines default options that apply to any host not specifically named in the exports file.
  • <option1...optionN> is a list of comma-separated fields. Each option defines a type of access permission that applies to the hosts you have named in that entry. For a complete list of available options, see Options for exports file. If a single option sets multiple values, separate each value with a colon, as in the following:
    validusers=user1:user2

Lines in the exports file that begin with # are considered to be comments.

Options for the exports file

For each of the entries in the exports file, you can apply any of the options listed below. When defining multiple options, enter options in a comma-separated list.

Permission examples

The following code examples provide different levels of access to users and administrators.

Example

Description

* ro,rootdir=/pubs,user=guest

  • Allows customers access to software updates from servers.
    The asterisk means permissions apply to all clients unless there are other entries that define different permissions for specific hosts.
  • Grants read-only access to all clients and maps all incoming connections so that users have "guest" privileges.
    The root directory for these users is set to /pubs.

* rw,nosuid,anon=-1

Grants read/write access to all users but turns off the setting of setuid/setgid bits and denies unknown users access.

admin1,admin2 rw,user=Administrator

Maps incoming connections from machines called admin1 and admin2 to the local user called Administrator.

Notes:

  • On Windows, the user name entered is validated against a list of local users on the machine.
  • When using the exports file to set up user privilege mapping on Domain Controllers, map users to Administrator or an account in one of the BuiltIn groups.

host1,host2,host3 rw,rootdir=/reports,root=host1
host4,host5 ro,rootdir=/reports

Allows both read/write and read-only access for selected hosts, granting them root access from only one host and changing the root directory to /reports.

* rw,allowed=sysadmin1:sysadmin2,user=root

Grants two users (sysadmin1 and sysadmin2) read/write permission for all servers, and also maps their user privileges to root.

Notes:

  • This configuration can be assigned when administrators (who typically work on Windows clients) need to manage remote UNIX servers.
  • Because Windows machines have no inherent concept of root, a configuration entry such as this example is important if administrators working on Windows clients want to modify the configuration of UNIX servers.
  • This entry would be added to the exports file on every remote server being managed by the two administrators.

Defines exception hosts and values for subnets. To create different access (ro/rw) permissions for various hosts within a subnet, you first define the exception hosts and then define the default value for the remaining subnet.

In this example, the host (host1.foo.com) has read/write privileges while everybody else in the subnet (subnet mask 255.255.255.192) has read-only privileges.

@192.168.10.1/24 rw=@192.168.10.1/25,ro=@192.168.10.129/25

Splits an address range.

In this example, an address range of 192.168.10.1-255 is split up such that the range from 1-127 has read/write privileges, while the range 128-255 has read-only privileges.
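
To review entries like these across many agents, the following Python script parses the entry format described on this page and flags default (asterisk) entries that grant read/write access or map connections to a privileged account without an allowed list. It is an added example, not BMC code; the finding names, the PRIVILEGED set, and the audit rules are assumptions of this example.

```python
# Added example: audit an exports file for broad default ("*") entries.
PRIVILEGED = {"root", "administrator"}  # assumption: accounts this audit treats as privileged

def parse_exports(text):
    """Parse '<hostnames> <option1,...,optionN>' lines into (lineno, hosts, options)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # '#' lines are comments
            continue
        fields = line.split(None, 1)              # hosts field, then options field
        hosts = fields[0].split(",")
        options = {}
        for opt in (fields[1].split(",") if len(fields) > 1 else []):
            key, sep, value = opt.strip().partition("=")
            options[key] = value.split(":") if sep else []   # ':' separates multiple values
        entries.append((lineno, hosts, options))
    return entries

def audit(text):
    """Return (lineno, finding) pairs; the rules are this example's own heuristics."""
    entries = parse_exports(text)
    if not entries:
        return [(0, "no-entries")]                # page: no connection can be established
    findings = []
    for lineno, hosts, opts in entries:
        if "*" not in hosts or "allowed" in opts: # only unrestricted default entries
            continue
        if "rw" in opts:
            findings.append((lineno, "default-read-write"))
        if (opts.get("user") or [""])[0].lower() in PRIVILEGED:
            findings.append((lineno, "default-maps-to-privileged-user"))
    return findings

# Constructed sample written in the style of the page's example entries.
SAMPLE = """\
# managed server exports (constructed)
admin1,admin2 rw,user=Administrator
host4,host5 ro,rootdir=/reports
* rw,user=root
"""

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Because access permissions are defined per RSCD agent, run the check against the exports file on each managed host rather than on the client machine.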

 

 

 
