VAST Cluster supports the use of the following external authorization providers to authorize access to files and directories:
Active Directory (AD). AD may store and provide user and group attributes used by both NFS and SMB protocols. AD is a requirement for enabling SMB access on VAST Cluster.
LDAP. Lightweight Directory Access Protocol (LDAP)-based directory servers may store and provide POSIX user and group attributes, as used by the NFS client access protocol.
Network Information Service (NIS). A NIS database can also be used as a provider of POSIX user and group attributes, as used by the NFS client access protocol. If NIS is configured, you can also use NIS netgroups to restrict NFS client IP access in the view policy.
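The netgroup-based client restriction mentioned above depends on how NIS netgroup membership is resolved: a netgroup is a list of (host,user,domain) triples and/or names of other netgroups, so a client check has to walk nested groups. The following is an added example that models that resolution in Python; it is not VAST Cluster code, and the netgroup map text, host names and IP address in it are constructed sample data.

```python
"""Resolve NIS netgroup membership the way an NFS client-access check would.

Added illustration, not VAST Cluster code. It parses the NIS "netgroup" map
format (name, then (host,user,domain) triples and/or nested netgroup names)
and answers whether a client host is a member, following nested groups and
refusing to loop on cyclic definitions. All names below are constructed.
"""
import re
from typing import Dict, List, Tuple, Union

Triple = Tuple[str, str, str]
Member = Union[Triple, str]          # a triple, or the name of a nested netgroup

# Constructed sample of a NIS netgroup map (what "ypcat -k netgroup" would show).
NETGROUP_MAP_TEXT = """
# name        members: (host,user,domain) triples and/or nested netgroup names
hpc-nodes     (node01.lab.example,,) (node02.lab.example,,)
admin-hosts   (bastion.lab.example,,) (-,root,)
nfs-clients   hpc-nodes admin-hosts (10.0.5.17,,)
loop-a        loop-b
loop-b        loop-a
"""

TOKEN_RE = re.compile(r"\([^)]*\)|\S+")
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_map(text: str) -> Dict[str, List[Member]]:
    """Parse netgroup map lines into {netgroup name: [members]}."""
    groups: Dict[str, List[Member]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        members: List[Member] = []
        for token in TOKEN_RE.findall(rest):
            m = TRIPLE_RE.fullmatch(token)
            if m:
                members.append((m.group(1), m.group(2), m.group(3)))
            else:
                members.append(token)          # nested netgroup name
        groups[name] = members
    return groups


def host_in_netgroup(groups: Dict[str, List[Member]], netgroup: str,
                     host: str, _seen=None) -> bool:
    """True if `host` is listed in `netgroup`, directly or via nested netgroups."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen:                      # cyclic nesting (loop-a -> loop-b -> loop-a)
        return False
    _seen.add(netgroup)
    for member in groups.get(netgroup, []):    # unknown netgroup name -> no members
        if isinstance(member, tuple):
            member_host = member[0]
            if member_host == "-":             # NIS convention: "-" matches no host
                continue
            if member_host == "" or member_host == host:   # empty field matches any host
                return True
        elif host_in_netgroup(groups, member, host, _seen):
            return True
    return False


def client_allowed(groups: Dict[str, List[Member]],
                   allowed_netgroups: List[str], client: str) -> bool:
    """Model of a view-policy check: the client must belong to at least one listed netgroup."""
    return any(host_in_netgroup(groups, ng, client) for ng in allowed_netgroups)


if __name__ == "__main__":
    groups = parse_netgroup_map(NETGROUP_MAP_TEXT)
    for client in ("node02.lab.example", "10.0.5.17", "rogue.lab.example"):
        print(client, "->", client_allowed(groups, ["nfs-clients"], client))
```

Two practical caveats follow from this model. A netgroup entry written as a host name only matches a client if the cluster can map the client's IP back to that exact name, so reverse DNS for NFS clients must be correct and consistent. And a netgroup restriction is an IP-level access control, not authentication of the client: it narrows which machines may mount a view, while user identity within the mount still comes from the POSIX attributes supplied by the authorization providers described on this page.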
In addition, VAST Cluster features a local provider which enables you to create users manually. The local provider is useful for the following purposes:
Adding users who are not defined on external providers, including users who specifically need S3 access. (Users who are defined on external providers can be assigned S3 permissions without being added to the local provider.)
Adding POSIX attributes for a user who is defined on Active Directory but has only SMB attributes there and is not defined on any additional configured external provider. In this case, use the same user name as on Active Directory so that the user database associates these attributes with the same user.
Adding users when you do not have an external provider configured. (This is an option for NFS and S3 access.)
Adding users to manually override incorrect or outdated POSIX attributes on external providers.
Local user attributes override any conflicting POSIX attributes (such as group memberships) on external providers. For information about managing users on the local provider, see Managing Local Users.
Authorization providers can be used to authorize access requested via the following client access protocols:
NFS. To authorize NFS access, VAST Cluster supports Active Directory, LDAP, NIS and the local provider. The authorization provider supplies the NFS (POSIX) attributes of each user: the user's uid, the gid of the user's primary group, and the gid of each auxiliary group to which the user belongs. All supported external provider types (AD, LDAP and NIS), as well as the local provider, can store these NFS/POSIX attributes.
SMB. For SMB access, VAST Cluster requires Active Directory. Active Directory supplies the SMB (Windows) attributes of each user: the user SID, the primary group SID and the SIDs of the user's auxiliary groups.
Either NIS or a non-Active Directory LDAP server may be connected to a cluster in addition to a joined Active Directory.
The following combinations of authorization providers are supported, each with the protocol support shown:

Configured Auth Provider(s) | Protocols Supported on the VAST Cluster
---|---
Local + AD + LDAP | NFS, SMB, S3
Local + AD + NIS | NFS, SMB, S3
Local + AD | NFS, SMB, S3
Local + LDAP | NFS, S3
Local + NIS | NFS, S3
Local only | NFS, S3
If two external authorization providers are connected concurrently, one of them is always designated the POSIX Primary provider. When user information retrieved from the two providers contains conflicting attribute values, the values from the POSIX Primary provider take precedence over those from the second provider.
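The precedence rules on this page (local attributes override external ones, the POSIX Primary wins between two external providers, and a local entry with the same user name supplies POSIX attributes for an AD user who has only SMB attributes) combine into a single lookup order. The following is an added example that models that lookup in Python, covering both the local-provider cases listed earlier and the POSIX Primary rule; it is not VAST Cluster's implementation, and the user names, uids and gids in it are constructed sample data. The field-wise merge (an attribute missing on a higher-precedence provider falls through to the next one) is an assumption of the model, as is the rule that LDAP and NIS are not combined, which is taken from the rows of the table above.

```python
"""Model of how one user's NFS/POSIX attributes are resolved across providers.

Added illustration, not VAST Cluster code. Precedence, highest first:
local provider, then the POSIX Primary external provider, then the second
external provider. Field-wise fall-through for missing attributes is an
assumption of this model. All directory contents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class PosixAttrs:
    """NFS/POSIX attributes of one user; None means "not stored by this provider"."""
    uid: Optional[int] = None
    gid: Optional[int] = None              # primary group gid
    groups: Optional[List[int]] = None     # auxiliary group gids


Provider = Dict[str, PosixAttrs]           # user name -> attributes stored by one provider


def merge(higher: Optional[PosixAttrs], lower: Optional[PosixAttrs]) -> Optional[PosixAttrs]:
    """Any attribute set on `higher` wins; unset attributes fall through to `lower`."""
    if higher is None:
        return lower
    if lower is None:
        return higher
    return PosixAttrs(
        uid=higher.uid if higher.uid is not None else lower.uid,
        gid=higher.gid if higher.gid is not None else lower.gid,
        groups=higher.groups if higher.groups is not None else lower.groups,
    )


def resolve_posix(user: str, local: Provider, external: Dict[str, Provider],
                  posix_primary: Optional[str] = None) -> Optional[PosixAttrs]:
    """Resolve `user`'s POSIX attributes; returns None if no provider knows the user."""
    if len(external) > 1 and posix_primary not in external:
        raise ValueError("with two external providers, one must be the POSIX Primary")
    # POSIX Primary first, so its values win over the second external provider.
    ordered = sorted(external, key=lambda name: name != posix_primary)
    result: Optional[PosixAttrs] = None
    for name in ordered:
        result = merge(result, external[name].get(user))
    # Local provider attributes override anything the external providers returned.
    return merge(local.get(user), result)


def supported_protocols(external_types: Iterable[str]) -> Set[str]:
    """Protocols a cluster serves for a provider combination (rows of the table on this page)."""
    ext = set(external_types)
    unknown = ext - {"AD", "LDAP", "NIS"}
    if unknown:
        raise ValueError(f"unknown provider type(s): {sorted(unknown)}")
    if {"LDAP", "NIS"} <= ext:
        raise ValueError("LDAP and NIS together is not a listed combination")
    protocols = {"NFS", "S3"}              # the local provider alone already gives these
    if "AD" in ext:
        protocols.add("SMB")               # SMB requires a joined Active Directory
    return protocols


# Constructed sample directory contents (hypothetical user names and ids).
AD: Provider = {
    "alice": PosixAttrs(uid=5001, gid=5000, groups=[5000, 6001]),
    "bob": PosixAttrs(),                   # defined in AD with SMB attributes only
}
LDAP: Provider = {
    "alice": PosixAttrs(uid=7001, gid=7000, groups=[7000]),   # conflicts with AD
    "carol": PosixAttrs(uid=7002, gid=7000, groups=[7000]),
}
LOCAL: Provider = {
    "bob": PosixAttrs(uid=5002, gid=5000, groups=[5000]),     # same name as in AD
    "alice": PosixAttrs(groups=[5000, 6001, 9000]),           # overrides memberships only
}
EXTERNAL = {"AD": AD, "LDAP": LDAP}

if __name__ == "__main__":
    print("protocols:", sorted(supported_protocols(EXTERNAL)))
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", resolve_posix(user, LOCAL, EXTERNAL, posix_primary="AD"))
```

Running the block with AD as the POSIX Primary gives alice AD's uid and gid but the local provider's group list, bob the uid and gid that exist only on the local provider, and carol the LDAP values because no other provider defines her. Switching the POSIX Primary to LDAP changes alice's uid and gid to the LDAP values while the local group override still applies, which is the behaviour to check for when a user's effective group membership on the cluster does not match what a directory administrator expects.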
For more detailed information about how user access is authorized, see Understanding User Management and Authorization.