openmediavault debian linux installation and configuration of enterprise private network disk (2) - users, groups, permissions, sharing + document access functions


1. Applicable environment

1. Use the storage capacity of a professional server to hold teaching or corporate resources that authorized users can share, read and access.
2. Users must be managed in batches: different users belong to different groups, and different groups have different access rights. For example, some users only need to read, open and execute, while others must be able to modify the content, names and directory structure of resources.
3. Shared resources may be read-only (public, immutable material whose content must not be changed) or writable, where users with management rights can add and delete content.
4. Every user has an independent private space that other users cannot view or access. There are public folders that can be read, executed, opened and downloaded, and there are public folders into which data can be uploaded, modified, added and deleted (the administrator decides which users receive these rights, and those users choose the directory they upload into).

2. Ideas and planning

(1) Hardware resource planning

1. Use VMware virtualization: ESXi 6.7 (192.168.0.7/24) is installed on a professional server. In this example openmediavault runs on Debian Linux (192.168.128.99/24), installed on the ESXi 6.7 array datastore. An 8 GB virtual system disk is created to boot the Debian Linux system, and an 8 TB thick-provisioned, lazy-zeroed virtual disk is carved out of the same array datastore to hold the teaching or enterprise resources (the 8 TB disk can later be grown to a larger capacity without affecting the data already stored on it). Installing ESXi 6.7, deploying the disk array, installing and virtualizing the 10G network card, installing Debian Linux and openmediavault, and routing between the two network segments are covered in detail in the previous CSDN article and are not repeated here. The server hardware resources were shown in a screenshot in the original post.

2. The Debian Linux virtual hardware used in this example was likewise shown in a screenshot.

3. The 10 Gigabit network card used in this example was shown in a screenshot.

(2) System resource planning

1. The vCPU count, virtual memory and data-disk capacity can be adjusted according to actual needs. Note that virtual disk capacity can only be grown, never shrunk.
2. The operating system is Debian Linux running as a virtual machine on ESXi 6.7. Debian itself needs few hardware resources; the teaching or enterprise resources will live on the 8 TB virtual disk, which can be expanded dynamically.
3. openmediavault is installed on top of the Debian Linux system. Download address:
https://www.openmediavault.org/
(3) User, group, and permission planning
1. User planning (accounts used to log in to the shared resource platform)
(1) read: read-only user, used only to open, view, browse and download resources
(2) write: writable user, used to modify, add, upload and delete resources
(3) admin (admin1 in the screenshots): management user, used for unified management of the read and write shares; it has no rights over the private space of other users
2. Group planning (for batch management of users)
(1) read group: read-only users are added to this group; when privileges are configured for the read group, every member receives the privileges configured for the read group.
(2) write group: writable users are added to this group; when privileges are configured for the write group, every member receives the privileges configured for the write group.
3. Permission planning (allocate rights according to the user's role). Three layers are involved, and all three must allow an operation for it to succeed:
(1) SMB/CIFS share settings: read-only, browseable (apply to everyone who connects to that share)
(2) Storage - Shared Folders - Privileges: read/write, read-only, no access (per user or group, enforced by the SMB service)
(3) Storage - Shared Folders - ACL: owner permissions (write only, write/execute, read only, read/execute, read/write, read/write/execute), group permissions, others permissions (enforced by the file system, so they also apply to NFS and to local processes on the server)

4. In this example the client connects from Windows over SMB with a username and password; the previous example mainly used NFS, which did not require a user password.

3. Configuration process

(1) Storage configuration

1. After the 8 TB virtual disk is added to the Debian Linux VM it appears under Storage - Disks.

2. RAID management is not configured in this example.
The 8 TB virtual disk is carved out of a RAID 5 array of 7 x 4 TB drives on the physical server, so all seven spindles already serve reads in parallel (well above the throughput of a single drive), one drive's worth of capacity holds parity, and if one drive fails physically a replacement can be inserted and its contents rebuilt, so data on a single failed drive is not lost. Note that RAID 5 tolerates exactly one failed drive: a second failure before the rebuild finishes loses the whole array, and RAID is not a substitute for backups.
If you do not have hardware RAID, you can create a software RAID in openmediavault by clicking the + sign in Storage - RAID Management.

3. File system configuration
In Storage - File Systems, click the + sign, format the added 8 TB disk as EXT4, then mount it so that it is online.

4. Shared folder configuration
In Storage - Shared Folders, create 3 shared folders on the new file system:

Share/read: holds read-only data resources; allows opening, viewing, browsing and downloading
Share/write: holds writable data resources; allows modifying, adding, uploading and deleting
Users: holds the private space of all users, i.e. the user home directories

(2) Service configuration

1. Turn on Users - Settings - Home Directory (for the private space) and point it at the Users shared folder.

2. Enable Services - SMB/CIFS - Settings - Home Directories (for the private space), so that each user gets a personal share of their own home directory.

3. Create a new SMB share named share-read, backed by the Share/read shared folder. Leave "Read only" unchecked here (read-only access is enforced per user and group through Privileges below) and check "Browseable". Set "Public" as required, keeping in mind that any guest option lets unauthenticated clients reach the share; leave it at "No" when only the named users should connect.

4. Create share-write the same way; after that both share-read and share-write are listed.

(3) User and group configuration

1. Create 3 new users for reading, writing and management, and assign each to the matching groups. adm, root and users are groups that come with the system; the read and write groups must be created manually first. Then put admin1, read and write into their groups. Membership in adm or root grants rights on the Debian system itself, so the read and write users should only be in their own group and in users.

2. Create the 2 new groups (for batch management of users): add the read user to the read group and the write user to the write group.

(4) User and group permissions and user private space configuration

1. In Storage - Shared Folders, the new shared folder's path is share/read on the mounted file system.

2. After the other 2 shared folders are created there are 3 shared folders in total.

3. Privilege configuration of shared folders
(1) Configure the privileges of the share-read shared folder: select share-read and click Privileges.
(2) Set the read user, read group, write user and write group to read-only on share-read; set the admin1 user to read/write, so that only the administrator can change the public immutable resources.
(3) Configure the privileges of the share-write shared folder: select share-write and click Privileges.
(4) Set the read user and read group to read-only on share-write; set the write user, write group and admin1 user to read/write.
(5) Leave the privileges of the users shared folder empty: the home-directory share serves each user only their own directory, and separation between users is done with the access control lists below.
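The following is an added example, not code from the original article and not openmediavault's own code. It models the user/group plan from section 2(3) and the privileges configured in step 3 above for share-read and share-write, renders them as the Samba share options and derives what each user should be able to do over SMB, so the expected outcome can be written down before clicking through the verification in section 4. Assumptions that are not taken from the page: openmediavault renders a privilege into Samba's `valid users` / `invalid users` / `read list` / `write list` options with groups written as `@group`; every account is also in the default `users` group; and Samba's documented precedence applies (a principal in `invalid users` is denied even if also in `valid users`, a principal in both `read list` and `write list` gets write access).

```python
"""
Added example (not part of the original article and not openmediavault's own
code): model the Privileges of the share-read and share-write shared folders
and derive the per-user SMB outcome. Assumed, not taken from the page: the
OMV-style rendering into Samba list options and Samba's precedence rules.
"""

READ_WRITE, READ_ONLY, NO_ACCESS = "read/write", "read-only", "no access"

# Sections 2(3) and 3(3): group membership per user. "users" is assumed here
# to be the default group every account is placed in.
USER_GROUPS = {
    "read": {"read", "users"},
    "write": {"write", "users"},
    "admin1": {"users"},
}

# Section 3(4).3: privileges per shared folder; "@name" denotes a group.
PRIVILEGES = {
    "share-read": {
        "read": READ_ONLY, "@read": READ_ONLY,
        "write": READ_ONLY, "@write": READ_ONLY,
        "admin1": READ_WRITE,
    },
    "share-write": {
        "read": READ_ONLY, "@read": READ_ONLY,
        "write": READ_WRITE, "@write": READ_WRITE,
        "admin1": READ_WRITE,
    },
}


def smb_share_options(privs: dict) -> dict:
    """Render privileges as Samba list options (assumed OMV-style mapping)."""
    opts = {"valid users": [], "invalid users": [], "read list": [], "write list": []}
    for principal, level in privs.items():
        if level == NO_ACCESS:
            opts["invalid users"].append(principal)
            continue
        opts["valid users"].append(principal)
        opts["read list" if level == READ_ONLY else "write list"].append(principal)
    return {key: " ".join(names) for key, names in opts.items() if names}


def principals_for(user: str) -> set:
    """The user itself plus @group for each group it belongs to."""
    return {user} | {"@" + g for g in USER_GROUPS.get(user, set())}


def effective_access(user: str, privs: dict) -> str:
    """Apply the Samba precedence rules to all of a user's principals:
    explicit deny > write list > read list > not listed at all (no access)."""
    levels = {privs[p] for p in principals_for(user) if p in privs}
    if NO_ACCESS in levels or not levels:
        return NO_ACCESS
    return READ_WRITE if READ_WRITE in levels else READ_ONLY


def access_matrix() -> dict:
    """Expected outcome per share and user; compare with section 4."""
    return {
        share: {user: effective_access(user, privs) for user in USER_GROUPS}
        for share, privs in PRIVILEGES.items()
    }


if __name__ == "__main__":
    for share, privs in PRIVILEGES.items():
        print(f"[{share}]")
        for key, value in smb_share_options(privs).items():
            print(f"    {key} = {value}")
    for share, row in access_matrix().items():
        print(share, row)
```

On the openmediavault host, `testparm -s` prints the Samba configuration actually loaded, which is the place to compare these rendered list options against what the GUI generated. The `effective_access` rule that an explicit "no access" on a user beats a read/write grant on the user's group is the edge case worth remembering: privileges are not simply additive.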

4. Access control list configuration of shared folders:
(1) Select the users shared folder and open the access control list.
(2) In the directory tree, select the root directory of the shared folder.
(3) Configure the access control list of the root directory.
(4) Configure the access control list of the share-read shared folder.
(5) Configure the access control list of the share-write shared folder.
(6) Configure the access control list of the admin1 home directory.

Note: the access control list configured in step (6) is the one on the administrator's home directory. The read user, write user, read group and write group are all set to no access, so nobody but admin1 (and root) can enter it. This is done with an ACL rather than with the privileges of the users shared folder because privileges apply to the whole shared folder, whereas each home directory needs its own rule.
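The following is an added example, not code from the original article and not openmediavault's own code. It evaluates a POSIX.1e access ACL in the order the Linux kernel uses, for the home-directory ACL described in step 4 above (owner admin1 keeps full access; the read and write users and groups are set to no access), and for a second constructed ACL that shows the mask pitfall: a named entry granting rwx is still capped by the mask. The ACL texts are constructed here in getfacl's output format, with user and group ids replaced by names. This models only the file-system layer; the SMB privileges from step 3 are checked by Samba before the kernel ever sees the request, and both layers must allow an operation.

```python
"""
Added example (not the article's or openmediavault's code): POSIX.1e access ACL
evaluation for the home-directory ACL of section 3(4).4. The ACL text below is
constructed for this example in getfacl's output format.
"""

# Constructed to match section 3(4).4 (6): ACL on admin1's home directory.
ADMIN1_HOME_ACL = """
# file: users/admin1
# owner: admin1
# group: users
user::rwx
user:read:---
user:write:---
group::---
group:read:---
group:write:---
mask::rwx
other::---
"""

# Constructed to show the mask pitfall: the named entry says rwx, but the mask
# caps it at r-x, so the write user still cannot write.
MASKED_ACL = """
user::rwx
user:write:rwx
group::r-x
mask::r-x
other::---
"""


def parse_acl(text: str) -> dict:
    """Parse getfacl-style lines into {tag: {qualifier: perms}}.
    An empty qualifier is the owner / owning group / mask / other entry."""
    acl: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        acl.setdefault(tag, {})[qualifier] = perms
    return acl


def _grants(perms: str, want: str) -> bool:
    return all(c in perms for c in want)


def _masked(acl: dict, perms: str) -> str:
    """Named-user, owning-group and named-group entries are ANDed with the mask."""
    mask = acl.get("mask", {}).get("", "rwx")
    return "".join(c for c in perms if c in mask)


def acl_allows(acl: dict, user: str, groups: set, owner: str, owner_group: str, want: str) -> bool:
    """POSIX.1e access check, evaluated in this order:
    1. owner entry if the user owns the file (not subject to the mask)
    2. named user entry, masked
    3. owning-group and named-group entries for groups the user is in, masked;
       if any of them grants the request allow, otherwise deny (other is NOT consulted)
    4. other entry"""
    if user == owner:
        return _grants(acl["user"][""], want)
    if user in acl.get("user", {}):
        return _grants(_masked(acl, acl["user"][user]), want)
    group_perms = []
    if owner_group in groups:
        group_perms.append(acl["group"][""])
    group_perms += [acl["group"][g] for g in groups if g in acl.get("group", {})]
    if group_perms:
        return any(_grants(_masked(acl, p), want) for p in group_perms)
    return _grants(acl["other"][""], want)


def home_directory_checks() -> dict:
    """Who can enter (rx) or write (w) admin1's home under the section's ACL."""
    acl = parse_acl(ADMIN1_HOME_ACL)
    return {
        "admin1 enters": acl_allows(acl, "admin1", {"users"}, "admin1", "users", "rx"),
        "read enters": acl_allows(acl, "read", {"read", "users"}, "admin1", "users", "rx"),
        "write writes": acl_allows(acl, "write", {"write", "users"}, "admin1", "users", "w"),
        "stranger reads": acl_allows(acl, "guest", {"nogroup"}, "admin1", "users", "r"),
    }


if __name__ == "__main__":
    for label, allowed in home_directory_checks().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

Two points the evaluation order makes visible: a named user entry is final, so a user listed with `---` is denied even if the owning group or another group entry would have granted access; and the mask applies to every entry except the owner and other, so an ACL that looks permissive in the GUI may be silently restricted by a mask recalculated from the group permission bits. `getfacl` on the server shows both the entries and the effective rights after masking.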

4. Result verification

(1) read user login

1. Enter \\192.168.128.99 in the address bar of Explorer on the client PC and press Enter.

2. Enter the username and password of the read user.

3. After the read user logs in, 3 folders are visible:
(1) read: the read user's home directory, i.e. the private space, which other users cannot see
(2) share-read: the read user may only read, open, browse and download its contents
(3) share-write: the read user may only read, open, browse and download its contents

4. The read user reads the 3 folders
(1) The read user opens the share-write folder normally.
(2) The read user opens the share-read folder normally.
(3) The read user opens the read home folder normally.

5. The read user writes to the 3 folders
(1) Writing to the read folder is refused with "access denied".
(2) Writing to the share-read folder is refused with "access denied".
(3) Writing to the share-write folder is refused with "access denied".

(2) Write user login

1. Close all shared folders opened earlier. Before switching to the write user, run net use to list the connections still cached for the read user.

2. Run net use \\192.168.128.99\IPC$ /delete to drop the cached read user session, then run net use again and confirm that the list is empty. This step is required: Windows allows only one set of credentials per server at a time, and connecting as a second user while the first session is still cached fails with error 1219 (multiple connections to a server by the same user, using more than one user name, are not allowed).

3. After about 30 seconds, log in as the write user.

4. The write user now sees 3 folders: the read home directory (private space) seen before is gone, and the write user's own write home directory appears instead, next to share-read and share-write.

5. Verify permissions as the write user
(1) The write user can open the write folder and upload files into it, so reading and writing work.
(2) The write user can open and read the share-read folder, but writing is refused: share-read holds public, immutable data that ordinary users may only read.
(3) The write user can open and read the share-write folder and can also upload and write to it.

(3) Admin1 user login

1. Close all shared folders opened earlier, then run net use and net use \\192.168.128.99 /delete to remove the recorded connections.

2. Wait about 30 seconds, open the share again and log in as admin1.

3. After admin1 logs in, 3 folders are visible: admin1, share-read and share-write. The read and write folders are the private spaces of the read and write users, so the admin1 administrator cannot see them.

4. Verify permissions as admin1
(1) admin1 has normal read/write access to the admin1 folder.
(2) admin1 has normal read/write access to the share-read folder.
(3) admin1 has normal read/write access to the share-write folder.

(4) Opening files directly from the network share, without downloading first

1. MP4 files open directly and play normally.
2. PPTX files open directly.
3. Excel worksheets open directly.
4. Word documents open directly.
5. PDF documents open directly.
6. Notepad text files open directly.

Summary: the read user has read-only access to read, share-read and share-write; the write user has read-only access to share-read and read/write access to write and share-write; admin1 has read/write access to admin1, share-read and share-write.

The configuration of the network disk's shares, permissions, users, groups, privileges and access control lists is complete. Please point out and correct any shortcomings. For lack of time, recursion and inheritance of rights (applying an ACL to existing subdirectories and files, and default ACLs for newly created ones) are left for the reader to study.


Source: blog.csdn.net/weixin_43075093/article/details/131603562