如何配置 EFS 和 EC2 之间的权限
[英]How to configure permissions between EFS and EC2
问题描述
I'm trying to use CloudFormation to setup a mongod instance using EFS storage, and I'm having problems understanding how to configure the file system permissions to make it work.
我正在尝试使用 CloudFormation 来设置使用 EFS 存储的 mongod 实例,但我在理解如何配置文件系统权限以使其工作时遇到问题。
The EFS is not going to be accessed by any existing systems, so I can configure it exactly as I need to. EFS 不会被任何现有系统访问,因此我可以根据需要完全配置它。
I was trying to use the following AWS example as a starting point ...我试图使用以下 AWS 示例作为起点......
https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html
AccessPointResource:
Type: 'AWS::EFS::AccessPoint'
Properties:
FileSystemId: !Ref FileSystemResource
PosixUser:
Uid: "13234"
Gid: "1322"
SecondaryGids:
- "1344"
- "1452"
RootDirectory:
CreationInfo:
OwnerGid: "708798"
OwnerUid: "7987987"
Permissions: "0755"
Path: "/testcfn/abc"
In the above example, they seem to have assigned arbitrary group and user id's.在上面的例子中,他们似乎分配了任意组和用户 ID。 What I'm trying to figure out is given the above, how would the user accounts on the EC2 need to be configured to allow full read/write access?我想弄清楚的是,上面给出了 EC2 上的用户帐户需要如何配置以允许完全读/写访问?
I've got to the point where I'm able to mount the access point, but I haven't been able to successfully write to it.我已经到了能够安装接入点的地步,但我还没有能够成功地写入它。
What I've tried...我试过的...
Created a new user on the EC2, and assigned the uid and gid like so...在 EC2 上创建了一个新用户,并像这样分配了 uid 和 gid ...
sudo usermod -u 13234 testuser1
sudo groupmod -g 1322 testuser1
I then sudo to that user and try writing a file to the mount point... No luck然后我对该用户 sudo 并尝试将文件写入挂载点......不走运
I then tried assigning the uid and gid like so...然后我尝试像这样分配 uid 和 gid ......
sudo usermod -u 7987987 testuser1
sudo groupmod -g 708798 testuser1
Again, no luck writing a file.同样,写文件没有运气。
What I'm really looking for is the simplest configuration where I can have a single EC2 user have full read/write access to an EFS folder.我真正在寻找的是最简单的配置,我可以让单个 EC2 用户对 EFS 文件夹具有完全读/写访问权限。 It will be a new EFS and new EC2, so I have full control over how it's setup, if that helps.它将是一个新的 EFS 和新的 EC2,所以我可以完全控制它的设置方式,如果有帮助的话。
Possibly the examples assume some existing knowledge of the workings of NFS, which I may be lacking.可能这些示例假定我可能缺乏有关 NFS 工作原理的一些现有知识。
1 个解决方案
解决方案1
1 2020-09-17 04:11:30
Just in case it helps anyone, I ended up defining my Access Point like so...以防万一它对任何人有帮助,我最终像这样定义了我的接入点......
AccessPointResource:
Type: 'AWS::EFS::AccessPoint'
Properties:
FileSystemId: !Ref FileSystemResource
PosixUser:
Uid: "9960"
Gid: "9940"
RootDirectory:
CreationInfo:
OwnerGid: "9940"
OwnerUid: "9960"
Permissions: "0755"
Path: "/mongo-db"
and then in my userdata for the mongodb server EC2, I added this...然后在我的 mongodb 服务器 EC2 的用户数据中,我添加了这个......
sudo groupadd --system --gid 9940 mongod
sudo useradd --system --uid 9960 --gid 9940 mongod
I'm not actually sure if the gid and uid above need to match what I've defined in the AccessPoint, but it seems to make it easier, as then the server will show the owner of the files as "mongod mongod".我实际上不确定上面的 gid 和 uid 是否需要匹配我在 AccessPoint 中定义的内容,但它似乎更容易,因为服务器会将文件的所有者显示为“mongod mongod”。
I mounted the EFS like so...我像这样安装了 EFS...
sudo mkdir -p /mnt/var/lib/mongo
sudo sudo mount -t efs -o tls,accesspoint=${AccessPointId} ${FileSystemId}: /mnt/var/lib/mongo
I'm still a bit confused about the original AWS provided example.我仍然对 AWS 提供的原始示例感到有些困惑。 If my understanding is correct, it seems it would always create a root directory which cannot be written to.如果我的理解是正确的,它似乎总是会创建一个无法写入的根目录。
Perhaps someone can clarify where it might be helpful to have the root directory owned by a different user to the one specified in the PosixUser.也许有人可以澄清让 PosixUser 中指定的用户拥有不同用户的根目录可能有帮助的地方。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.