VAST Cluster supports multiple user authorization providers, including external providers and a local provider.
Tip
For more detailed information about how user access is authorized, see Understanding User Management and Authorization.
The following external authorization providers can be used to authorize access to files and directories stored on VAST Cluster:
- Active Directory (AD). AD may store and provide user and group attributes used by NFS and SMB protocols. AD is required to enable SMB access on VAST Cluster.
- Lightweight Directory Access Protocol (LDAP). LDAP-based directory servers may store and provide POSIX user and group attributes, as used by the NFS protocol. If LDAP is configured, you can also use LDAP netgroups to restrict NFS client hosts' access in the view policy.
- Network Information Service (NIS). A NIS database can be used as a provider of POSIX user and group attributes, as used by the NFS protocol. If NIS is configured, you can also use NIS netgroups to restrict NFS client hosts' access in the view policy.
In addition to external providers, VAST Cluster features a local provider which enables you to create users manually. Use the local provider to:
- Add users who are not defined on external providers, including users who specifically need S3 access. (Users who are defined on external providers can be assigned S3 permissions without being added to the local provider.)
- Add POSIX attributes for a user who is defined on Active Directory but only has SMB attributes there and is not defined in an additional configured external provider. In this case, use the same user name as is used on Active Directory so that the user database associates these attributes with the same user.
- Add users when you do not have an external provider configured. This is an option for NFS and S3 access.
- Add users to manually override incorrect or outdated POSIX attributes on external providers.
Local user attributes override any conflicting POSIX attributes (such as group memberships) on external providers. For information about managing users on the local provider, see Managing Local Users.
Note
The local provider is available for the default tenant only.
The following combinations are supported per tenant:
| Configured Auth Provider(s) | Protocols Supported on the VAST Cluster |
|---|---|
| Local + AD + LDAP | NFSv3, NFSv4.1, SMB, S3 |
| Local + AD + NIS | NFSv3, NFSv4.1, SMB, S3 |
| Local + AD | NFSv3, NFSv4.1, SMB, S3 |
| Local + LDAP | NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3 |
| Local + NIS | NFSv3, S3 |
| Local only | NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3 |
Note
While AD and LDAP providers can be configured on a cluster, no more than one AD provider per cluster is supported for SMB attributes. This provider can be shared by multiple tenants.
If two external authorization providers are connected to one tenant at the same time, one of the two providers is always set as the POSIX Primary provider. The POSIX Primary provider takes precedence over the second provider in case of any conflicts between attribute values when user information is retrieved from the providers.