Hi, this is Amol Choukekar, Principal Solutions
Architect with EMC Isilon Storage Division. In this video, we’ll discuss the basics
of multi-protocol file access with EMC Isilon’s OneFS file system.
EMC Isilon’s OneFS file system, by design, is a multi-protocol enabled file system, and
provides unified access to integrate and consolidate workflows that require multi-protocol file
access. Before discussing multi-protocol, let’s take
a look at the most common file protocols and the most common authentication providers supported
by Isilon’s OneFS. The most common file protocols are SMB or
CIFS, as it’s commonly known for Windows, NFS version 3 and version 4 for UNIX and Linux,
FTP and HTTP for file transfers, and HDFS for dig data.
The most common authentication providers supported by Isilon OneFS are Active Directory,or Active
Directory with RFC 2307, also called Services for UNIX for Windows users, LDAP, NIS and
NIS Plus for UNIX and Linus users. Now, multi-protocol is being able to seamlessly
provide unified access to the same set of data using any of these protocols and users
from any of these authentication providers. In today’s enterprise IT, there are primarily
two types of operating environments: a Microsoft Windows-type operating environment and a UNIX
or Linux-type operating environment. To properly configure multi-protocol file
access, it is important to understand how these operating environments handle data access
and security. In the Windows world, a user or group is identified
through what is called a security identifier, or SID.
In the UNIX and Linux world, a user and group is identified through what is called a UID
and GID. In the Windows world, a file or directory
is secured through what is called an access control list or ACL, which is simply a list
of access control entries. In the UNIX world, a file or directory is
secured through what is called POSIX mode bits, which define what the owner can do,
what the group can do, and what everyone else can do.
When configuring multi-protocol file access, it’s important to note that ACLs are much
more expressive that the POSIX mode bits. OneFS handles user and group identities through
what is called authentication, identity mapping, and authorization, also known as AIMA.
Let’s say a user comes in through a Windows client the first time and accesses file resources
stored on the Isilon OneFS file system. OneFS will perform a look up of that user
and try and find information such as a security identifier, his primary group, all the other
groups that he belongs to, and also try to find the real UID and GID if one of the external
authentication providers are configured and form what is called an access token.
It is that access token that authorizes that user to perform certain operations on files
and directories depending on the access control list.
If, as part of the look up process, OneFS is not able to secure a real UID and GID,
OneFS will generate a UID and GID for that user in the one million range and store it
in the identity mapping database. OneFS will also form a two-way mapping ID
from the security identifier and the UID and GID to identify the commonality between the
user in the different authentication providers. OneFS stores file identities on disk in one
of three modes: native, UNIX, or SID. In the UNIX on-disk permission mode, OneFS
will always store the UIDs and GIDs on disk. In the SID mode, OneFS will always store the
security identifier on disk, whereas in the default native mode, OneFS will store the
real UID and GID if one is found from the external authentication providers or will
store the SID if one is not found in the external authentication providers.
OneFS will do so in the default native mode because the generated UIDs and GIDs in the
one million range can be different in different clusters when data is replicated between two
different clusters. So it is recommended to use the native on-disk
permissions mode when configuring a multi-protocol environment and set up either a combination
of Active Directory or Active Directory with LDAP or NIS to identify the common user between
two different operating environments. OneFs provides a unified security model and
approximates ACLs into POSIX mode bits and vice-versa on the fly.
Let’s say a user called Mike comes in from a Windows client and creates a file called
“File 1”. Because he came in from Windows with a SID,
we’ll secure that file with real ACLs. Now, let’s say Mike goes in to a UNIX client
and accesses the same file through a UNIX client, UNIX only understand POSIX mode bits.
OneFS will approximate those ACLs into POSIX mode bits and Mike will be able to access
the same file that he wrote from the Windows client.
Now let’s take another example. Let’s say Mike comes in from a UNIX client
and creates a file called “File 2”, his file will be secured through what is called POSIX
mode bits. Now Mike comes in through Windows and tries
the access the file “File 2”. Windows does not understand POSIX mode bits,
so OneFS will approximate those POSIX mode bits into synthetic ACLs and Mike will be
able to access his file that he wrote from the UNIX client now from a Windows client
the same way. File and directory permissions can be traditionally
managed from a Windows or a UNIX client. File and directory permissions can now also
be managed directly on the Isilon OneFS platform. The Isilon OneFS CLI provides an extension
to the “ls” command that allows you to inspect not only the POSIX mode bits but the
real ACLs associated with the files and directories. One way to find out if a file has a real ACL
or not is to run the “ls –led” command on the OneFS CLI.
If the file or directory has a plus symbol associated with it, that file has a real Windows
ACL. Now, the same OneFS CLI provides the “chmod”
command that allows you to manipulate not only the POSIX mode bits, but also the real
ACLs associated with files and directories. The Isilon OneFS platform also provides fine-tuned
global ACL policies the determine file manipulation behavior.
To maintain security and reduce the overhead associated with managing different user names
and group names across authentication providers in different operating environments, it is
recommended to keep the user name and the group name the same.
However, there can be a few exceptions in legacy environments.
OneFS does provide a way to manage these discrepancies with user and group names by creating user
mapping rules. For example, there could be a user called
“MIKE” in Active Directory and his corresponding account could be called “MIKE_UNIX” in LDAP
or NIS. A user mapping rule can be created to treat
“MIKE” and “MIKE_UNIX” as the same user. Again, it is recommended to keep these user
name and group name discrepancies to a minimum and reduce the number of user mapping rules
created on the Isilon OneFS platform. As we saw in this video, the Isilon OneFS
file system provides all the features and functionality that are required to successfully
integrate and consolidate workflows that requires multi-protocol functionality.
If you have any future questions and would like to configure multi-protocol functionality
on an Isilon OneFS platform, please contact your account team.
Thanks for watching.