Updated on 2024-06-27 GMT+08:00

Configuring Multi-Account Access

Scenarios

In addition to multi-VPC access, SFS Capacity-Oriented file systems also support cross-VPC access across different accounts.

If the VPCs used by other accounts are added as authorized VPCs of an SFS Capacity-Oriented file system, and IP addresses or ranges of cloud servers are added as authorized addresses, cloud servers under different accounts can share the same file system.

For more information about VPC, see the Virtual Private Cloud documentation.

With VPC peering, an SFS Turbo file system can be accessed across accounts. For details about VPC peering connections and how to use them, see VPC Peering Connection.

This section describes how to configure multi-account access for an SFS Capacity-Oriented file system. Currently, only SFS Capacity-Oriented file systems in the CN North-Beijing4 region support multi-account access.

Use Restrictions

  • You can add a maximum of 20 authorized VPCs for a file system and a maximum of 400 ACL rules for each authorized VPC.
  • If a VPC that was added to a file system has since been deleted from the VPC console, its IP addresses and IP address ranges still appear as activated in the file system's VPC list. The VPC can no longer be used, so you are advised to remove it from the list.

Procedure for SFS Capacity-Oriented

  1. Log in to the SFS console.
  2. In the file system list, click the name of the target file system. On the displayed page, locate the Authorizations area.
  3. Click Tenant authorized to add VPC to add VPCs used by other accounts for the file system. See Figure 1.

    Figure 1 Adding a VPC of an authorized tenant
    Table 1 describes the parameters to be configured.
    Table 1 Parameter description

    Parameter

    Description

    VPC

    Enter the VPC ID of the VPC to be added. You can obtain the VPC ID on the details page of the target VPC on the VPC console.

    Authorized Address/Segment

    • Enter one IPv4 address or range in each line.
    • Enter a valid IPv4 address or range that does not start with 0; the only exception is 0.0.0.0/0. If you add 0.0.0.0/0, any IP address within this VPC is authorized to access the file system. Do not enter an IP address or IP address range whose first octet is from 224 to 255 (for example, 224.0.0.1 or 255.255.255.255), because class D and class E addresses are not supported. Addresses starting with 127 are also not supported. If you enter an invalid IP address or IP address range, the authorization may fail to be added, or the added authorization may not take effect.
    • Do not enter multiple IP addresses (separated using commas) in a line. For example, do not enter 10.0.1.32,10.5.5.10.
    • If you enter an IP address range, enter it in the format of IP address/mask. For example, enter 192.168.1.0/24. Do not enter 192.168.1.0-255 or 192.168.1.0-192.168.1.255. The number of bits in a subnet mask must be an integer ranging from 0 to 31, and mask value 0 is valid only in 0.0.0.0/0.

    Priority

    The value must be an integer ranging from 0 to 100. 0 has the highest priority, and 100 the lowest. In the same VPC, the permission of the matching IP address or IP address range with the highest priority (the smallest value) is used. If matching IP addresses or IP address ranges have the same priority, the permission of the most recently added or modified one is used. For example, if the client IP address is 10.1.1.32 and both 10.1.1.32 (read/write) with priority 100 and 10.1.1.0/24 (read-only) with priority 50 match, the permission of 10.1.1.0/24 (read-only) is used because its priority value (50) is smaller, which means it has the higher priority. If no other rule takes precedence, all IP addresses in 10.1.1.0/24, including 10.1.1.32, have the read-only permission.

    Read-Write Permission

    You can select Read-write or Read-only. The default value is Read-write.

    User Permission

    Whether to retain the user identifier (UID) and group identifier (GID) of the shared directory. There are two options:

    • all_squash: The UIDs and GIDs of shared files are mapped to user nobody, which is suitable for public directories.
    • no_all_squash (default value): The UIDs and GIDs of shared files are retained.

    You do not need to configure this parameter if you add an authorized address for a CIFS file system.

    User Root Permission

    Whether to allow the client to access as root. There are two options:

    • root_squash: Clients cannot access as root. When a client accesses as root, the user is mapped to user nobody.
    • no_root_squash (default value): Clients are allowed to access as root, and root has full control over and access to the root directories.

    You do not need to configure this parameter if you add an authorized address for a CIFS file system.

  4. Click OK. The added VPC is displayed in the list.
  5. Click the icon to the left of the VPC name to expand it and view the IP addresses or IP address ranges added to this VPC. You can add, edit, or delete IP addresses or IP address ranges. In the Operation column of the target VPC, click Add. The Add Authorized Address/Segment dialog box is displayed. See Figure 2. Table 1 describes the parameters to be configured.

    Figure 2 Adding an authorized address or segment
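The address rules for Authorized Address/Segment and the priority example from Table 1 can be checked before they are typed into the console. The following Python is an added illustration, not SFS console or API code: it applies the rules stated in Table 1 to a rule list constructed inline. The names AclRule, validate_address, resolve_permission and audit_rules, and the seq field used to record insertion or modification order, are assumptions of this example.

```python
"""Check SFS Capacity-Oriented authorized addresses against the rules in Table 1.

Added example, not SFS console or API code. The rule representation and the
helper names are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclRule:
    address: str      # IPv4 address or IP/mask as typed in the console
    priority: int     # 0 (highest) .. 100 (lowest)
    permission: str   # "rw" (Read-write) or "ro" (Read-only)
    seq: int          # assumed: larger value = more recently added or modified


def validate_address(entry: str) -> Optional[str]:
    """Return an error message if entry violates Table 1's rules, else None."""
    if "," in entry:
        return "one address or range per line; commas are not allowed"
    if "-" in entry:
        return "ranges must use IP/mask notation, not a-b or a.b.c.d-e.f.g.h"
    if entry == "0.0.0.0/0":
        return None  # the only entry allowed to start with 0 or to use mask /0
    if "/" in entry:
        ip_part, mask_part = entry.split("/", 1)
        if not mask_part.isdigit():
            return "mask must be an integer"
        if not 1 <= int(mask_part) <= 31:
            return "mask bits must be 0 to 31, and /0 is valid only in 0.0.0.0/0"
    else:
        ip_part = entry
    try:
        ipaddress.IPv4Address(ip_part)
    except ValueError:
        return "not a valid IPv4 address"
    first_octet = int(ip_part.split(".")[0])
    if first_octet == 0:
        return "addresses starting with 0 are not allowed (except 0.0.0.0/0)"
    if first_octet == 127:
        return "addresses starting with 127 are not supported"
    if 224 <= first_octet <= 255:
        return "class D and class E addresses (224-255) are not supported"
    return None


def resolve_permission(client_ip: str, rules: List[AclRule]) -> Optional[str]:
    """Pick the rule that applies to client_ip within one VPC.

    The smallest priority value wins; on a tie the most recently added or
    modified rule (largest seq) wins. Returns None when no rule matches.
    """
    client = ipaddress.IPv4Address(client_ip)
    # A bare address is treated as a /32 network; strict=False tolerates
    # host bits set in an IP/mask entry such as 192.168.1.5/24.
    matching = [r for r in rules
                if client in ipaddress.IPv4Network(r.address, strict=False)]
    if not matching:
        return None
    best = min(matching, key=lambda r: (r.priority, -r.seq))
    return best.permission


def audit_rules(rules: List[AclRule]) -> List[str]:
    """Report invalid entries and read-write rules that cover the whole VPC."""
    findings = []
    for r in rules:
        err = validate_address(r.address)
        if err:
            findings.append(f"{r.address}: {err}")
        elif r.address == "0.0.0.0/0" and r.permission == "rw":
            findings.append(f"{r.address}: read-write for every address in the VPC; consider narrowing")
    return findings


if __name__ == "__main__":
    # Constructed rule list reproducing the Table 1 priority example.
    rules = [
        AclRule("10.1.1.32", 100, "rw", seq=1),
        AclRule("10.1.1.0/24", 50, "ro", seq=2),
    ]
    print("10.1.1.32 ->", resolve_permission("10.1.1.32", rules))   # ro
    for finding in audit_rules(rules + [AclRule("224.0.0.1", 10, "rw", seq=3),
                                        AclRule("0.0.0.0/0", 100, "rw", seq=4)]):
        print("finding:", finding)
```

With the Table 1 example the resolver returns read-only for 10.1.1.32, because the /24 rule's priority value 50 beats 100. audit_rules flags entries the console would reject and, separately, any 0.0.0.0/0 rule that grants read-write, since that rule authorizes every address in the VPC.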

Procedure for General Purpose File System

  1. Log in to the SFS console.
  2. Go to the General Purpose File System list, locate the target file system, and click the file system name. On the displayed details page, go to the permissions management tab page.
  3. Click Add Multi-Tenant VPC to add VPCs of other accounts. See Figure 3.

    Figure 3 Add Multi-Tenant VPC

  4. Click OK. The added VPCs are displayed in the list.

Verification

After another user's VPC is configured for the file system, if the file system can be mounted to ECSs in the VPC and the ECSs can access the file system, the configuration is successful.