Managing protocol user authentication

Setting up authentication servers to configure protocol user access
Before you start configuring authentication for protocol access, the system administrator needs to ensure that the authentication server is set up properly and the connection between the IBM Spectrum Scale system and authentication server is established properly.

Configuring authentication and ID mapping for file access
The system administrator can decide whether to configure authentication and ID mapping method either during the installation of the IBM Spectrum Scale system or after the installation. If the authentication configuration is not configured during installation, you can manually do it by using the mmuserauth service create command from any protocol node of the IBM Spectrum Scale system. This section covers the manual method of configuring authentication for file access.

Managing user-defined authentication
In the user-defined mode of authentication, the user is free to select the authentication and ID mapping methods of their choice. It is the responsibility of the administrator of the client system to manage the authentication and ID mapping for file (NFS and SMB) and object access to the IBM Spectrum Scale system.

Configuring authentication for object access
Configuring authentication for object access by using the command line utility

Deleting the authentication and the ID mapping configuration
Deleting the authentication and ID mapping configuration results in loss of access to data. Before you remove or edit ID mappings, determine how access to data is going to be maintained.

Listing the authentication configuration
Use the mmuserauth service list command to see the authentication method that is configured in the system.

Verifying the authentication services configured in the system
Use the mmuserauth service check command to check whether the authentication configuration is consistent across the cluster and the required services are enabled and running. This command validates and corrects the authentication configuration files and starts any associated services if needed.

Modifying the authentication method
If data already exists or is created with the existing authentication and ID mapping method, it is not recommended to change the authentication or the ID mapping modes. Changing the authentication method also might invalidate the existing ACLs that are applicable to files and directories. ACLs depend on the preexisting users and group IDs.

Authentication limitations
Consider the following authentication limitations when you configure and manage the IBM Spectrum Scale system: