VAST Cluster supports multiple user authorization providers, including external providers and a local provider.
VAST Cluster supports the use of the following external authorization providers to authorize access to files and directories:
- Active Directory (AD). AD may store and provide user and group attributes used by both NFS and SMB protocols. AD is a requirement for enabling SMB access on VAST Cluster.
- LDAP. Lightweight Directory Access Protocol (LDAP)-based directory servers may store and provide POSIX user and group attributes, as used by the NFS client access protocol.
- Network Information Service (NIS). A NIS database can also be used as a provider of POSIX user and group attributes, as used by the NFS client access protocol. If NIS is configured, you can also use NIS netgroups to restrict NFS client IP access in the view policy.
In addition to external providers, VAST Cluster features a local provider which enables you to create users manually. The local provider is useful for the following purposes:
- Adding users who are not defined on external providers, including users who specifically need S3 access. (Users who are defined on external providers can be assigned S3 permissions without being added to the local provider.)
- Adding POSIX attributes for a user who is defined on Active Directory but only has SMB attributes there and is not defined in an additional configured external provider. In this case, use the same user name as is used on Active Directory so that the user database will associate these attributes to the same user.
- Adding users when you do not have an external provider configured. (This is an option for NFS and S3 access.)
- Adding users to manually override incorrect or outdated POSIX attributes on external providers.
Local user attributes override any conflicting POSIX attributes (such as group memberships) on external providers. For information about managing users on the local provider, see Managing Local Users.
Note
The local provider is available for the default tenant only.
VAST Cluster supports the use of multiple authorization providers. The following authorization provider combinations are supported per tenant and correspond to the following protocol support:
| Configured Auth Provider(s) | Protocols Supported on the VAST Cluster |
|---|---|
| Local + AD + LDAP | NFSv3, NFSv4.1, SMB, S3 |
| Local + AD + NIS | NFSv3, NFSv4.1, SMB, S3 |
| Local + AD | NFSv3, NFSv4.1, SMB, S3 |
| Local + LDAP | NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3 |
| Local + NIS | NFSv3, S3 |
| Local only | NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3 |
Note
While AD and LDAP providers can be configured on a cluster, no more than one Active Directory provider per cluster is supported for SMB attributes. This provider can be shared by multiple tenants.
If two external authorization providers are connected concurrently to one tenant, one of the two providers is always set as the POSIX Primary provider. When user information is retrieved from both providers and their attribute values conflict, the POSIX Primary provider takes precedence over the second provider.
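The precedence rules above (local entries over external providers, POSIX Primary over the second provider) can be modeled to audit which local overrides shadow directory values. This is an added example, not VAST code: the record layout, the source labels `local`, `posix_primary` and `secondary`, the per-attribute merge and the sample users are all assumptions constructed for illustration.

```python
# Added illustration: models the precedence rules described above.
# Assumptions (not from VAST): record layout, source labels, per-attribute merging.
PRECEDENCE = ("local", "posix_primary", "secondary")  # highest priority first
IDENTITY_ATTRS = {"uid", "gid", "groups"}  # attributes that decide file access

def _norm(value):
    # Group lists are compared as sets so ordering differences are not conflicts.
    return frozenset(value) if isinstance(value, (list, set, tuple)) else value

def resolve_user(records):
    """records: {source: {attr: value}} -> (effective attrs, list of conflicts)."""
    chosen, conflicts = {}, []
    for source in PRECEDENCE:
        for attr, value in records.get(source, {}).items():
            if attr not in chosen:
                chosen[attr] = (value, source)
            elif _norm(chosen[attr][0]) != _norm(value):
                kept, winner = chosen[attr]
                conflicts.append({"attr": attr, "winner": winner, "kept": kept,
                                  "loser": source, "shadowed": value})
    return {a: v for a, (v, _) in chosen.items()}, conflicts

def audit_overrides(users):
    """Return (user, conflict) pairs where a local entry shadows a directory
    value for an identity attribute; these deserve a periodic review."""
    findings = []
    for name, records in sorted(users.items()):
        _, conflicts = resolve_user(records)
        findings += [(name, c) for c in conflicts
                     if c["winner"] == "local" and c["attr"] in IDENTITY_ATTRS]
    return findings

# Constructed sample data (not exported from a real cluster).
SAMPLE_USERS = {
    "alice": {
        "posix_primary": {"uid": 1001, "gid": 100, "groups": [100, 200]},
        "secondary": {"uid": 2001, "gid": 100, "groups": [200, 100]},
    },
    "bob": {
        "local": {"groups": [100, 900]},
        "posix_primary": {"uid": 1002, "gid": 100, "groups": [100]},
    },
}

if __name__ == "__main__":
    for user, c in audit_overrides(SAMPLE_USERS):
        print(f"{user}: local {c['attr']}={c['kept']} shadows "
              f"{c['loser']} value {c['shadowed']}")
```

Local overrides are worth reviewing periodically because they keep winning after the directory entry is corrected or the user's group membership is revoked upstream.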
For more detailed information about how user access is authorized, see Understanding User Management and Authorization.