tencent cloud


Permission Management

Last updated: 2024-01-22 22:15:48


    A client must be in the same network as the file system, for which a permission group needs to be configured to manage the access and read/write permissions of the client. This document describes how to do so.


    Step 1. Create a permission group

    1. Log in to the CFS console and click Permission Group on the left sidebar.
    2. On the permission group page, click Create. In the pop-up window, configure the permission group name and remarks.

    Step 2. Add a permission group rule

    Click the name of a permission group to enter the rule list page. You can add, edit, or delete rules in the rule list. If no rule is added to the permission group, all IPs will be allowed. The rules are described as below:
    Access Address
    You can enter a single IP or a CIDR block, such as or The default access address is *, indicating that all IPs are allowed. Please note that you need to enter the CVM instance's private IP here.
    Read & Write Permissions
    Read-only or read/write.
    User Permissions
    The four options below are used for controlling the permissions of a user.
    all_squash: Any user will be mapped to an anonymous user or user group.
    no_all_squash: A user will be first matched with a local user, and if the match fails, it will be mapped to an anonymous user or user group.
    root_squash: A root user will be mapped to an anonymous user or user group.
    no_root_squash: A root user will be allowed to maintain root account permissions.
    User permissions configuration is not supported for CIFS/SMB file systems and Turbo file syste‍ms and will not take effect.
    The default permission is 755 for each file system, and nfsnobody does not have write permission. Therefore, if there are no special needs, no_root_squash is recommended. If the root user creates a file directory and mounts the file system, when the access address is set to all_squash or root_squash, an access IP can only read files. (This is because the mount path requires root permissions, but the access IP has been mapped to an anonymous user.)
    You can configure an integer between 1 and 100 as the priority level, where 1 indicates the highest priority. If the permission of a single IP conflicts with that of an IP within a CIDR block in the same permission group, the permission with a higher priority will apply. If their priority levels are the same, the permission of the single IP will apply. If two overlapping CIDR blocks are configured with different permissions and the same priority levels, the permissions of the overlapping CIDR blocks will take effect randomly. Please avoid configuring overlapping CIDR blocks.
    Priority configuration is not supported for CIFS/SMB file systems and will not take effect.

    Step 3. Configure a permission group for a file system

    The configuration of a permission group can be modified after the file system is created. You can choose to create a permission group first and select it when creating a file system. You can also select the default permission group when creating a file system and then go to the file system details page to change the permission group.
    If the file system is mounted with the NFS v4 protocol, the modification to the permission group rules of the file system will take effect in 2 minutes.

    Step 4. Modify the information and rules of a permission group

    You can enter the permission group details page to modify the name, remarks, and rules of a permission group.
    Permission group rules take effect asynchronously. Therefore, avoid adding individual IPs frequently.
    We recommend you add a CIDR block or batch import IPs using a template.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support