NAME

vos_setseclevels - Sets the permitted security classes and levels for a volume.

SYNOPSIS

vos setseclevels -id <volume name or ID> -levels <class:level+> [-clear] [-cell <cell name>] [-noauth] [-auth] [-localauth] [-encrypt [<yes|no>]] [-verbose] [-noresolve] [-config <configuration file>] [-help]

DESCRIPTION

The vos setseclevels command sets the permitted security class and level combinations for accessing data from the specified volume. All access to the volume will be checked against this list.

In addition, no access to the volume will be permitted if the hosting file server has a more permissive security policy. All class and level combinations accepted by the file server must also be acceptable for the volume.

CAUTIONS

This command is not effective on read-only or backup volumes.

OPTIONS

-id <volume name or id>

Identifies the volume on which to operate, either by its complete name or volume ID number.

-levels <class:level+>

Defines a list of one or more class:level combinations. As an exception, the rxnull class does not require a level and must appear by itself.

The following classes are recognized: rxnull, rxkad, yfs-rxgk

The following levels are recognized: clear, auth, crypt

-clear

Removes any security level and class setting for the volume.

-cell <cell name>

Names the cell in which to run the command. Do not combine this argument with the -localauth flag. For more details, see vos(1).

-noauth

Assigns the unprivileged identity anonymous to the issuer. Do not combine this flag with the -localauth flag. For more details, see vos(1).

-localauth

Obtains an authentication token using the server encryption key with the highest key version number in the local /etc/yfs/server/KeyFileExt file. The resulting token never expires and has Super User privileges. Do not combine this flag with the -cell argument or -noauth flag. For more details, see vos(1).

-auth

Use the calling user's tokens from the kernel or as obtained using the active Kerberos ticket granting ticket to communicate with the Volume Server and Location Service. This is the default if neither -localauth nor -noauth is given.

Since this option is the default, it is usually not useful for running single command line operations. However, it can be useful when running commands via vos_interactive(1) or vos_source(1), since otherwise it would be impossible to switch from, for example, -localauth back to using regular tokens during a bulk operation.

-verbose

Produces on the standard output stream a detailed trace of the command's execution. If this argument is omitted, only warnings and error messages appear.

-encrypt [<yes|no>]

Enables or disables encryption for the command so that the operation's results are not transmitted across the network in clear text.

-noresolve

Shows all servers as IP addresses instead of the reverse DNS lookup hostname. -noresolve is useful when troubleshooting no such volume and volume moved errors.

-config <configuration file>

Set the location of the configuration file to be used. The default file is /etc/yfs/yfs-client.conf.

-help

Prints the online help for this command. All other valid options are ignored.

OUTPUT

This command produces no output other than error messages.

EXAMPLES

To restrict access to the volume secret_data to clients using yfs-rxgk over encrypted connections:

   % vos setseclevels -id secret_data -levels yfs-rxgk:crypt
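
The following pre-flight check is an added example, not part of the AuriStor documentation or software. It validates a proposed -levels list against the classes and levels listed under OPTIONS and reports any combination a file server accepts that the volume list would not permit. The function names and sample lists are constructed; it assumes each combination is passed as a separate argument, that rxnull "by itself" means written without a :level suffix, and that the file server's accepted combinations have been obtained separately.

```shell
#!/bin/sh
# Added example (not AuriStor code): check a proposed -levels list before
# running "vos setseclevels". Function names are hypothetical.

# valid_combo TOKEN: succeed for a class:level pair built from the classes
# and levels listed under OPTIONS, or for rxnull with no level.
# Assumption: "by itself" means rxnull is written without a :level suffix.
valid_combo() {
    case "$1" in
        rxnull) return 0 ;;
        rxkad:clear|rxkad:auth|rxkad:crypt) return 0 ;;
        yfs-rxgk:clear|yfs-rxgk:auth|yfs-rxgk:crypt) return 0 ;;
        *) return 1 ;;
    esac
}

# check_levels COMBO...: name every rejected token on stderr; fail if the
# list is empty or any token is rejected.
check_levels() {
    [ "$#" -gt 0 ] || { echo "empty -levels list" >&2; return 1; }
    rc=0
    for combo in "$@"; do
        valid_combo "$combo" || { echo "invalid combination: $combo" >&2; rc=1; }
    done
    return "$rc"
}

# fs_gap "VOLUME LIST" "FILE SERVER LIST": print each combination the file
# server accepts that the volume list does not. Per DESCRIPTION, any output
# means the server is more permissive and no access to the volume is permitted.
fs_gap() {
    for fs_combo in $2; do
        found=0
        for vol_combo in $1; do
            if [ "$fs_combo" = "$vol_combo" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$fs_combo"; fi
    done
}

# Constructed sample lists, not taken from a real cell.
volume_levels="yfs-rxgk:crypt"
fileserver_levels="yfs-rxgk:crypt rxkad:crypt"
if check_levels $volume_levels; then
    gap=$(fs_gap "$volume_levels" "$fileserver_levels")
    if [ -n "$gap" ]; then echo "file server also accepts: $gap"; fi
fi
```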

PRIVILEGE REQUIRED

The issuer must be listed in the /etc/yfs/server/UserListExt file on the File Server specified by the -server argument and on each Location Server. If the -localauth flag is included, the issuer must instead be logged on to a server with an account capable of reading the /etc/yfs/server/KeyFileExt file.

SEE ALSO

vos_listseclevels(1), fileserver(8)

COPYRIGHT

Copyright AuriStor, Inc. 2014-2021. https://www.auristor.com/ All Rights Reserved.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.