Access Control

Use this topic to learn about controlling access to Filestore instances.

Filestore doesn't support Kerberos for securing access to Filestore instances. Use the Linux and Cloud Identity and Access Management (IAM) options described below instead.

Fileshare export settings

A Filestore fileshare is assigned fixed /etc/exports settings, as follows:

  • The client list, which identifies the clients allowed to connect to the fileshare, is composed of all internal IP addresses in the VPC network you selected for the Filestore instance. Internal IP addresses are those in ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 per RFC 1918.
  • The rw option is used, so the fileshare is read-write.
  • The user ID mapping option no_root_squash is used, so all users and groups, including the root user, are expected to be the same on both the Filestore instance and the client.
  • All other options use the /etc/exports defaults.

You can't change fileshare export settings.

Fileshare permissions

When you create a Filestore instance, the fileshare for that instance has default Unix permissions of rwxr-xr-x, octal notation 755. These permissions mean that on a Filestore instance, only root users on connected clients have read/write access to the fileshare. Other users have only read access by default, but client root users can change permissions and owners.

Configuring access on a fileshare

When mounting a Filestore fileshare on a client, you can use options for the mount command and settings in the /etc/fstab file to determine whether the mounted fileshare is writable and whether files on it can be executed. After mounting the fileshare, you can use standard Linux commands such as chmod and setfacl to set file and fileshare permissions.

Setting consistent permissions

We strongly recommend that you set consistent permissions for each user on all clients that connect to the same Filestore instance, because of an issue that occurs when:

  • A fileshare is mounted on more than one client, and
  • A user has root permission on one client but not the others

The user can upload a file with the setuid bit set from the client where they have root access, which then allows them to execute the file as root on any other client where they have at least read permission. This is because the setuid bit allows a user to execute a file using the permissions of the file owner, in this case root.
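The following shell script is an added example, not part of the Filestore documentation. It covers the two client-side controls described above: it builds an /etc/fstab entry whose mount options decide whether the fileshare is writable (ro/rw) and whether files on it can run (noexec), and it audits /proc/mounts-style lines for the nosuid and noexec options. Mounting with nosuid makes the client ignore the setuid bit on files in the fileshare, which is a client-side mitigation for the setuid scenario above in addition to keeping permissions consistent across clients. The server address 10.0.0.2, the share name share1, the mount points and the sample mount lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Filestore docs): fstab entry builder and a
# mount-option audit for NFS fileshares. All addresses and paths are placeholders.

# Print an /etc/fstab entry for a fileshare.
# $1 server IP, $2 share name, $3 mount point, $4 mount options (optional).
# Default options: read-only, ignore setuid/setgid bits, no execution, no device files.
# Workloads that must write or run binaries drop ro/noexec but should keep nosuid.
filestore_fstab_entry() {
  server="$1"; share="$2"; mountpoint="$3"; opts="${4:-ro,nosuid,noexec,nodev}"
  printf '%s:/%s %s nfs %s 0 0\n' "$server" "$share" "$mountpoint" "$opts"
}

# Given one /proc/mounts line (device mountpoint fstype options dump pass),
# return 0 if every option named in the remaining arguments is present.
mount_has_opts() {
  line="$1"; shift
  optfield=$(printf '%s\n' "$line" | awk '{print $4}')
  for want in "$@"; do
    case ",$optfield," in
      *",$want,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Read /proc/mounts-style lines on stdin; print the mount point of every
# NFS mount that lacks nosuid or noexec. Non-NFS mounts are skipped.
audit_nfs_mounts() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
      *" nfs "*|*" nfs4 "*) ;;
      *) continue ;;
    esac
    if ! mount_has_opts "$line" nosuid noexec; then
      printf '%s\n' "$line" | awk '{print $2}'
    fi
  done
}

# Constructed sample of /proc/mounts: one hardened NFS mount, one without the
# hardening options, and a local root filesystem that must be ignored.
SAMPLE_MOUNTS='10.0.0.2:/share1 /mnt/share nfs rw,relatime,vers=3,nosuid,noexec 0 0
10.0.0.3:/share2 /mnt/data nfs rw,relatime,vers=3 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Demo when run directly: print the hardened fstab entry, then audit the sample.
filestore_fstab_entry 10.0.0.2 share1 /mnt/share
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts | while IFS= read -r mp; do
  printf 'WARN: %s is mounted without nosuid/noexec\n' "$mp"
done
```

On a real client, run the audit against the live table with `audit_nfs_mounts < /proc/mounts`. The same check belongs in a configuration-management or compliance job so that a client mounted with relaxed options is caught before a setuid file on the share matters.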

IAM roles and permissions

You grant access to Filestore operations by granting Cloud Identity and Access Management (IAM) roles to users.

IAM permissions only control access to Filestore operations, like creating a Filestore instance. Access to operations on the Filestore fileshare, like read or execute, is determined by Linux permissions.

Using Filestore roles

You can use the Filestore Editor and Filestore Viewer roles to grant Filestore permissions to users. If you prefer, you can also use primitive roles for this purpose.

Use the following table to see the Filestore permissions associated with Filestore roles.

Permission Action Filestore Editor role Filestore Viewer role
file.locations.get Get information about a specific location supported by this service.
file.locations.list List information about the supported locations for this service.
file.instances.create Create a Filestore instance.
file.instances.update Update a Filestore instance.
file.instances.delete Delete a Filestore instance.
file.instances.get Get details about a specific Filestore instance.
file.instances.list List the Filestore instances in the project.
file.operations.get Get the status of a Filestore instance operation.
file.operations.list List Filestore instance operations.
file.operations.cancel Cancel a Filestore instance operation.
file.operations.delete Delete a Filestore instance operation.

Using primitive roles

Filestore permissions are also associated with the IAM primitive roles of owner, editor, and viewer. You can use these roles in addition to the Filestore roles to grant Filestore permissions to users.

Use the following table to see the Filestore permissions associated with primitive roles.

Permission Action Project Owner role Project Editor role Project Viewer role
file.locations.get Get information about a specific location supported by this service.
file.locations.list List information about the supported locations for this service.
file.instances.create Create a Filestore instance.
file.instances.update Update a Filestore instance.
file.instances.delete Delete a Filestore instance.
file.instances.get Get details about a specific Filestore instance.
file.instances.list List the Filestore instances in the project.
file.operations.get Get the status of a Filestore instance operation.
file.operations.list List Filestore instance operations.
file.operations.cancel Cancel a Filestore instance operation.
file.operations.delete Delete a Filestore instance operation.

Custom roles

If the predefined IAM roles don't meet your needs, you can define a custom role with the permissions that you specify. When you create custom roles for Filestore, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list so that the role has permission to query project resources. Otherwise, the Google Cloud console won't function correctly for Filestore.
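The following shell script is an added example, not part of the Filestore documentation. It writes a least-privilege, read-only Filestore custom role definition in the YAML format that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` accepts, using the get and list permissions from the tables above, and it checks that the two resourcemanager permissions the documentation requires are present before the role is created. The role title and the placeholder project ID are assumptions; nothing here calls gcloud itself.

```shell
#!/bin/sh
# Added example (not from the Filestore docs): generate and validate a custom
# IAM role definition for Filestore. Role title and project ID are placeholders.

# Permissions the Filestore docs require in every Filestore custom role so the
# Google Cloud console can query project resources.
REQUIRED_PERMS="resourcemanager.projects.get resourcemanager.projects.list"

# Read-only Filestore permissions (the get/list entries from the role tables)
# plus the required project permissions.
FILESTORE_RO_PERMS="file.locations.get file.locations.list file.instances.get file.instances.list file.operations.get file.operations.list $REQUIRED_PERMS"

# Emit a role definition in the YAML layout accepted by
#   gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml
# $1 is the role title; the remaining arguments are permissions.
role_yaml() {
  title="$1"; shift
  printf 'title: %s\n' "$title"
  printf 'description: %s\n' "Least-privilege Filestore role"
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  for p in "$@"; do
    printf '%s %s\n' '-' "$p"
  done
}

# Read a role YAML on stdin and print each required permission that is absent.
# Returns 0 when the definition is complete, 1 when something is missing.
check_required_perms() {
  yaml=$(cat)
  missing=0
  for req in $REQUIRED_PERMS; do
    if ! printf '%s\n' "$yaml" | grep -qxF -- "- $req"; then
      printf 'MISSING: %s\n' "$req"
      missing=1
    fi
  done
  return $missing
}

# Demo when run directly: a definition that forgot the project permissions is
# rejected, and the complete read-only definition is printed for use with gcloud.
if ! role_yaml "Filestore read-only (incomplete)" file.instances.get file.instances.list | check_required_perms; then
  echo "rejected: console would not work for Filestore with this role"
fi
role_yaml "Filestore read-only" $FILESTORE_RO_PERMS
```

Pipe the generated definition through `check_required_perms` in the same job that runs `gcloud iam roles create`, so a role missing resourcemanager.projects.get or resourcemanager.projects.list never reaches the project.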