VAST Cluster supports NFSv4.1 (RFC 5661, now RFC 8881), a version of the Network File System (NFS) file sharing protocol that storage clients use to access files and directories.
The VAST Cluster NFSv4.1 implementation includes compound Remote Procedure Calls (RPCs), which bundle several operations into a single request to cut round trips and improve application performance. Compared with NFSv3, NFSv4 also strengthens security: clients can be authenticated with RPCSEC_GSS (for example Kerberos), and the whole protocol runs over TCP on a single well-known port (2049), so the separate portmapper, mount and lock services no longer have to be exposed and firewall rules are simpler. In addition, byte-range locking is part of the protocol itself, and NFSv4.1 adds increased parallel I/O.
The NFSv4.1 implementation also includes:
NFSv4.1 can be enabled on a cluster concurrently with NFSv3. For information about enabling NFSv4.1 access, see Enabling NFSv4.1 Access.
VAST Cluster offers NFSv4 ID mapping as a service that NFSv4.1 clients can enable. ID mapping is the bidirectional translation between numeric User IDs and Group IDs and the user and group names, strings of the form name@domain, that NFSv4 carries in its owner and owner_group attributes.
VAST Cluster supports NFSv4 ID mapping with Active Directory (AD) only, not with other LDAP-based authentication providers. When ID mapping is enabled on the NFSv4.1 client, RPCs carry user login names and group login names (name@domain) instead of UIDs and GIDs.
When an NFSv4.1 request with ID mapping enabled arrives from a client, the domain part of each name@domain string is validated against the domain name specified in the Active Directory provider's configuration. If the domain matches, the authorization check continues. The domain the client sends must therefore match the provider's domain exactly; on Linux clients it comes from the Domain setting in /etc/idmapd.conf (or, if unset, the client's DNS domain), and a mismatch there is the usual reason for names failing to map.
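The following is an added illustration, not VAST code, of what a server-side mapper does with the name@domain strings just described: the domain is checked against the configured AD domain first, and only then is the name looked up. The configured domain, the user and group tables and the fallback to a "nobody" ID are all constructed assumptions for the example.

```python
# Added illustration (not VAST code) of the server side of NFSv4 ID mapping:
# the "name@domain" strings carried in owner/owner_group attributes are
# accepted only when the domain matches the configured AD domain, then
# resolved to numeric IDs. Directory contents below are constructed.
from dataclasses import dataclass

CONFIGURED_DOMAIN = "corp.example.com"   # assumed AD provider domain
USERS = {"alice": 10001, "bob": 10002}   # constructed sample directory
GROUPS = {"engineering": 20001, "users": 20000}
NOBODY_UID = NOBODY_GID = 65534          # assumed fallback for unmappable names


@dataclass
class MapResult:
    numeric_id: int
    ok: bool
    reason: str


def map_principal(principal: str, table: dict, nobody: int) -> MapResult:
    """Translate one NFSv4 principal string to a numeric ID."""
    # A purely numeric string is what clients send with ID mapping disabled.
    if principal.isdigit():
        return MapResult(int(principal), True, "numeric id passed through")
    if "@" not in principal:
        return MapResult(nobody, False, "missing @domain")
    name, _, domain = principal.rpartition("@")
    # Domain check comes first: a name from another realm is never looked up.
    if domain.lower() != CONFIGURED_DOMAIN.lower():
        return MapResult(nobody, False, f"domain {domain!r} is not the configured AD domain")
    if name not in table:
        return MapResult(nobody, False, f"{name!r} not found in directory")
    return MapResult(table[name], True, "mapped")


def map_user(principal: str) -> MapResult:
    return map_principal(principal, USERS, NOBODY_UID)


def map_group(principal: str) -> MapResult:
    return map_principal(principal, GROUPS, NOBODY_GID)


def unmap_user(uid: int) -> str:
    """Reverse direction: numeric UID back to name@domain for replies."""
    for name, n in USERS.items():
        if n == uid:
            return f"{name}@{CONFIGURED_DOMAIN}"
    return str(uid)   # no name known: fall back to the numeric form


if __name__ == "__main__":
    for p in ("alice@corp.example.com", "alice@evil.example.net",
              "mallory@corp.example.com", "0"):
        print(p, "->", map_user(p))
```

The point to notice is the order of the checks: a principal from a foreign domain is rejected before any directory lookup, so a client that spoofs a valid user name under the wrong domain never reaches the authorization step with a real UID.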
NFSv4.1 introduces Sessions, a major new feature that makes the exchange between client and server "stateful" at the RPC level: the server knows which of its replies each client has received.
Sessions address network outages and dropped TCP connections, after which RPC requests and replies may have to be retried over a newly established connection. Sessions provide "exactly-once" semantics, so a request whose reply was lost is not executed a second time when the client retries it.
Without sessions (NFSv3 and NFSv4.0), the NFS server keeps a Duplicate Request Cache (DRC) that saves the replies of executed requests. If a retransmitted request is found in the DRC, the server resends the cached reply without executing the request again. Because the client never acknowledges replies, the server cannot tell which cached replies are still needed, so the protocol puts no bound on the size of the DRC and the cache is only a best-effort heuristic.
Sessions bound the memory used for the DRC by giving each client a fixed number of slots in a slot table. Each slot holds at most one outstanding request and its cached reply, and every request carries its slot ID and a per-slot sequence ID. The client reuses a slot only after receiving the reply to the previous request in that slot, so a new sequence ID in a slot tells the server that the earlier reply arrived and can be discarded; this is what makes the client "stateful" from the server's point of view. If no slot is free, the client must wait for one before sending another request.
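The slot-table mechanism described above, as an added example that is not VAST code or part of the original page: a minimal server-side session that executes a request only when its sequence ID advances the slot by exactly one, replays the cached reply on an exact repeat, and rejects anything else. The error-code values are the NFSv4.1 ones; sequence-ID wraparound and slot-count renegotiation are deliberately left out.

```python
# Added illustration (not VAST code) of an NFSv4.1 session slot table on the
# server. Each request carries (slot id, sequence id). The server executes a
# request only when its sequence id is exactly one more than the last one
# accepted in that slot, replays the cached reply when the same sequence id
# is resent, and rejects everything else. Error codes are the NFSv4.1 values;
# sequence-id wraparound and slot-count renegotiation are left out.
from dataclasses import dataclass, field
from typing import Any, Callable

NFS4_OK = 0
NFS4ERR_BADSLOT = 10053
NFS4ERR_SEQ_MISORDERED = 10063


@dataclass
class Slot:
    seqid: int = 0       # last sequence id accepted; a fresh slot expects 1
    reply: Any = None    # cached reply for that sequence id


@dataclass
class Session:
    slot_count: int
    slots: list = field(default_factory=list)
    executed: int = 0    # how many requests actually ran (for the demo)

    def __post_init__(self):
        self.slots = [Slot() for _ in range(self.slot_count)]

    def sequence(self, slot_id: int, seqid: int, op: Callable[[], Any]):
        """Process one SEQUENCE-led compound; returns (status, reply)."""
        if not 0 <= slot_id < self.slot_count:
            return NFS4ERR_BADSLOT, None
        slot = self.slots[slot_id]
        if seqid == slot.seqid + 1:
            # New request. The client reusing this slot proves it received
            # the previous reply, so the old cached reply can be dropped.
            slot.reply = op()
            slot.seqid = seqid
            self.executed += 1
            return NFS4_OK, slot.reply
        if seqid == slot.seqid and slot.seqid > 0:
            # Retransmission of a request already answered: replay, do not re-run.
            return NFS4_OK, slot.reply
        # Anything else (skipped or stale sequence id) is a protocol error.
        return NFS4ERR_SEQ_MISORDERED, None


def demo_lost_reply():
    """A CREATE whose reply was lost is retried and must not run twice."""
    session = Session(slot_count=2)
    created = []

    def create_file():
        created.append(f"fh-{len(created) + 1}")
        return created[-1]

    _, first = session.sequence(0, 1, create_file)    # reply lost on the wire
    _, retry = session.sequence(0, 1, create_file)    # client retries after reconnect
    return first, retry, len(created), session.executed


if __name__ == "__main__":
    print(demo_lost_reply())   # ('fh-1', 'fh-1', 1, 1)
```

Because the cache is one entry per slot and the slot count is fixed at session creation, the server's memory for replay state is bounded by design rather than by a size guess, which is the property the pre-sessions DRC lacks.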
VAST Cluster supports the NFSv4 Access Control List (ACL) permissions system to restrict access to a file or directory by user or by group. NFSv4 ACLs are defined by the NFSv4 specifications themselves (RFC 7530 for v4.0, RFC 8881 for v4.1).
The ACL attribute of a file system object is an array of Access Control Entries (ACEs). The server evaluates the ACEs in order to decide whether to grant an access request. NFSv4 access permissions are considerably finer-grained than the read, write and execute bits of POSIX mode permissions.
ACE options include the following:
The ACE type "A" denotes "Allow": it grants the user or group the listed permissions on this file system object. (The type "D" denotes "Deny".) Any action that is not explicitly allowed by some ACE is denied by default.
The ACE flag "d" is an inheritance flag: new subdirectories created under this directory automatically receive the same ACE. (The flag "f" does the same for new files.)
The ACE principal can be a named user, a special principal such as OWNER@, GROUP@ or EVERYONE@, or a group.
The ACE permissions are denoted by combinations of fourteen letters (in nfs4_setfacl notation: r w a x d D t T n N c C o y, covering read/write/append data, execute, delete, delete child, read/write attributes, read/write named attributes, read/write ACL, write owner and synchronize). The aliases "R", "W" and "X" can be used in place of the appropriate letter combinations.
ACL attributes can be set, modified and viewed, for example with the nfs4_setfacl and nfs4_getfacl commands on a Linux client.
In this example, the ACE principal is given an inheritance flag and a list of permissions.
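As an added example, not code from the original page or from VAST, here is a parser for ACEs written in the nfs4_setfacl "type:flags:principal:permissions" form together with the ordered allow/deny evaluation that NFSv4 specifies. The alias expansions for R, W and X follow nfs4_setfacl(1) as far as the author knows them and are an assumption of this example, as are the sample ACL and principals.

```python
# Added illustration (not VAST code): parse nfs4_setfacl-style ACEs and
# evaluate access the NFSv4 way. ACEs are walked in order; an Allow grants
# the requested bits it mentions that are still undecided, a Deny refuses
# them, and any requested bit never granted is denied. Alias expansions and
# the sample ACL below are assumptions of this example.
from dataclasses import dataclass

PERM_LETTERS = "rwaxdDtTnNcCoy"   # the fourteen NFSv4 access bits
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}   # assumed, per nfs4_setfacl(1)


@dataclass(frozen=True)
class ACE:
    kind: str          # 'A' allow or 'D' deny (audit/alarm types not handled)
    flags: str         # 'd'/'f' inherit to dirs/files, 'g' principal is a group
    principal: str     # 'alice@corp.example.com', 'OWNER@', 'GROUP@', 'EVERYONE@'
    perms: frozenset   # expanded permission letters


def expand_perms(text: str) -> frozenset:
    out = set()
    for ch in text:
        if ch in ALIASES:
            out.update(ALIASES[ch])
        elif ch in PERM_LETTERS:
            out.add(ch)
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return frozenset(out)


def parse_ace(text: str) -> ACE:
    kind, flags, principal, perms = text.split(":")
    if kind not in ("A", "D"):
        raise ValueError(f"unsupported ACE type {kind!r}")
    return ACE(kind, flags, principal, expand_perms(perms))


@dataclass(frozen=True)
class Requester:
    name: str
    groups: frozenset


def ace_matches(ace: ACE, who: Requester, owner: str, owning_group: str) -> bool:
    p = ace.principal
    if p == "EVERYONE@":
        return True
    if p == "OWNER@":
        return who.name == owner
    if p == "GROUP@":
        return owning_group in who.groups
    if "g" in ace.flags:
        return p in who.groups
    return p == who.name


def check_access(acl, who, owner, owning_group, wanted: str) -> bool:
    """True only if every requested bit is allowed before any ACE denies it."""
    need = expand_perms(wanted)
    allowed, denied = set(), set()
    for ace in acl:
        if not ace_matches(ace, who, owner, owning_group):
            continue
        undecided = ace.perms - allowed - denied
        (allowed if ace.kind == "A" else denied).update(undecided)
        if need <= allowed | denied:
            break                      # every requested bit has been decided
    return need <= allowed             # anything never granted is denied


def inherited_aces(acl, new_is_dir: bool):
    """ACEs a newly created child receives: 'd' for subdirectories, 'f' for files."""
    flag = "d" if new_is_dir else "f"
    return [a for a in acl if flag in a.flags]


def sample_acl():
    # Constructed sample: alice gets full inherited rights, the engineering
    # group read, and everyone else read but an explicit deny on write.
    return [parse_ace(s) for s in (
        "A:fd:alice@corp.example.com:RWX",
        "A:g:engineering@corp.example.com:R",
        "D::EVERYONE@:w",
        "A::EVERYONE@:R",
    )]


if __name__ == "__main__":
    acl = sample_acl()
    eve = Requester("eve@corp.example.com", frozenset())
    print(check_access(acl, eve, "alice@corp.example.com", "users@corp.example.com", "r"))
    print(check_access(acl, eve, "alice@corp.example.com", "users@corp.example.com", "w"))
```

Two details matter in practice: ACE order is significant (a Deny placed before an Allow wins for the bits it names), and the R/W/X aliases silently include attribute and ACL bits, so an ACL written with aliases grants more than "read the file".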