This page describes how to control access to Filestore instances.
Filestore doesn't support Kerberos for securing access to Filestore instances. Use the Linux and Identity and Access Management (IAM) options described on this page instead.
File share export settings
A Filestore file share is assigned the following default
/etc/exports
settings:
- The client list, which identifies the clients allowed to connect to the file share, is composed of all internal IP addresses in the VPC network you selected for the Filestore instance. Internal IP addresses can be any range listed in Subnet ranges. However, if you have clients on non-RFC 1918 subnet ranges, you must explicitly grant them access to the Filestore instance through IP-based access control.
- The
rwoption is used, so the file share is read-write. - The user ID mapping option
no_root_squashis used, so all users and groups, including the root user, are expected to be the same on both the Filestore instance and the client. - All other options use the
/etc/exportsdefaults.
IP-based access control
You can change these export settings by creating access control rules using
the Cloud Console or by specifying a json configuration file during
instance creation using the gcloud tool. For details, see
Configuring IP-based access control.
You can also add new access control rules or modify existing ones after an instance is created. For details, see Editing instances.
File share permissions
When you create a Filestore instance, the file share for that
instance has default POSIX file permissions of rwxr-xr-x. These permissions
mean that on a Filestore instance, only root users on connected
clients have read/write access to the file share. Other users have only read
access by default. Client root users can change permissions and owners.
Configuring access on a file share
When mounting a file share, you can use
mount options and
/etc/fstab settings to determine whether the
file share is writable and if files can be executed on it. After mounting the file share,
you can use standard Linux commands like chmod,
and setfacl to set file and file share permissions.
Setting consistent permissions
We strongly recommend that you set consistent permissions for each user on all clients that connect to the same Filestore instance to prevent privilege escalation. If a file share is mounted on more than one client and a user has root privileges on one client but not the others, then the following privilege escalation scenario is possible:
- A user sets the
setuidattribute on an executable file from the client where the user has root access. - The user then uploads the executable file to the file share.
- The user executes the uploaded file as root on any client where the user has at least read permission.
This scenario is possible because the setuid bit allows the user to execute a
file using the permissions of the file owner, which in this case is root.
IAM roles and permissions
You grant access to Filestore operations by granting Identity and Access Management (IAM) roles to users.
IAM permissions only control access to Filestore operations, like creating a Filestore instance. To control access to operations on the file share, like read or execute, use POSIX file permissions.
Using Filestore roles
To grant Filestore permissions to users, use the Filestore Editor (roles/file.editor) and Filestore Viewer (roles/file.viewer) roles . If you prefer, you can also use basic roles for this purpose.
Use the following table to see the Filestore permissions associated with Filestore roles.
| Permission | Action | Filestore Editor | Filestore Viewer |
| file.locations.get | Get information about a location supported by this service. | ✓ | ✓ |
| file.locations.list | List information about the supported locations for this service. | ✓ | ✓ |
| file.instances.create | Create a Filestore instance. | ✓ | |
| file.instances.update | Update a Filestore instance. | ✓ | |
| file.instances.delete | Delete a Filestore instance. | ✓ | |
| file.instances.get | Get details about a specific Filestore instance. | ✓ | ✓ |
| file.instances.list | List the Filestore instances in the project. | ✓ | ✓ |
| file.operations.get | Get the status of a Filestore instance operation. | ✓ | ✓ |
| file.operations.list | List Filestore instance operations. | ✓ | ✓ |
| file.operations.cancel | Cancel a Filestore instance operation. | ✓ | |
| file.operations.delete | Delete a Filestore instance operation. | ✓ | |
| file.backups.create | Create a Filestore backup. | ✓ | |
| file.backups.update | Update a Filestore backup. | ✓ | |
| file.backups.delete | Delete a Filestore backup. | ✓ | |
| file.backups.get | Get details about a specific Filestore backup. | ✓ | ✓ |
| file.backups.list | List the Filestore backups in the project. | ✓ | ✓ |
| file.snapshots.create | Create a Filestore snapshot. | ✓ | |
| file.snapshots.update | Update a Filestore snapshot. | ✓ | |
| file.snapshots.delete | Delete a Filestore snapshot. | ✓ | |
| file.snapshots.get | Get details about a specific Filestore snapshot. | ✓ | ✓ |
| file.snapshots.list | List the Filestore snapshot in the project. | ✓ | ✓ |
Using basic roles
Filestore permissions are also associated with the IAM basic roles of owner, editor, and viewer. To grant Filestore permissions to users, you can use these roles in addition to the Filestore roles.
Use the following table to see the Filestore permissions associated with basic roles.
| Permission | Action | Project Owner | Project Editor | Project Viewer |
| file.locations.get | Get information about a location supported by this service. | ✓ | ✓ | ✓ |
| file.locations.list | List information about the supported locations for this service. | ✓ | ✓ | ✓ |
| file.instances.create | Create a Filestore instance. | ✓ | ✓ | |
| file.instances.update | Update a Filestore instance. | ✓ | ✓ | |
| file.instances.delete | Delete a Filestore instance. | ✓ | ✓ | |
| file.instances.get | Get details about a specific Filestore instance. | ✓ | ✓ | ✓ |
| file.instances.list | List the Filestore instances in the project. | ✓ | ✓ | ✓ |
| file.operations.get | Get the status of a Filestore instance operation. | ✓ | ✓ | ✓ |
| file.operations.list | List Filestore instance operations. | ✓ | ✓ | ✓ |
| file.operations.cancel | Cancel a Filestore instance operation. | ✓ | ✓ | |
| file.operations.delete | Delete a Filestore instance operation. | ✓ | ✓ | |
| file.backups.create | Create a Filestore backup. | ✓ | ✓ | file.backups.update | Update a Filestore backup. | ✓ | ✓ |
| file.backups.delete | Delete a Filestore backup. | ✓ | ✓ | |
| file.backups.get | Get details about a specific Filestore backup. | ✓ | ✓ | ✓ |
| file.backups.list | List the Filestore backups in the project. | ✓ | ✓ | ✓ | file.snapshots.create | Create a Filestore snapshot. | ✓ | ✓ | file.snapshots.update | Update a Filestore snapshot. | ✓ | ✓ |
| file.snapshots.delete | Delete a Filestore snapshot. | ✓ | ✓ | |
| file.snapshots.get | Get details about a specific Filestore snapshot. | ✓ | ✓ | ✓ |
| file.snapshots.list | List the Filestore snapshot in the project. | ✓ | ✓ | ✓ |
Custom roles
If the predefined IAM roles don't meet your needs, you can define a custom role
with permissions that you specify using IAM's
custom roles.
When you create custom roles for Filestore, make sure that you
include both resourcemanager.projects.get and resourcemanager.projects.list
so that the role has permission to query project resources.