Managing user-defined authentication
In the user-defined mode of authentication, the user is free to select the authentication and ID-mapping methods of their choice. It is the responsibility of the administrator of the client system to manage the authentication and ID mapping for file (NFS and SMB) and object access to the IBM Storage Scale system.
The IBM Storage Scale system administrators are not allowed use any of the GPFS commands to manage authentication. It is important for the end user to be aware of the limitations, if any, of the authentication and ID-mapping scheme that will be implemented after you configured the user-defined mode of authentication.
The user-defined mode is appropriate in the following circumstances:
- The client already has protocol deployments either on GPFS installations or on different systems and is planning to move to using the protocol stack on the IBM Storage Scale system. The client wants to replicate the current authentication and ID-mapping configuration. In this case, the client system administrator must be familiar with the required configuration settings that will be applied to the system.
- If the end user wants an authentication method that is not supported by the IBM Storage Scale system.
Note: If the end user wants to configure the authentication methods that are supported by the
IBM
Storage Scale system, it is highly recommended to
configure the authentication and ID-mapping methods by using the mmuserauth
command instead of opting for the user-defined method of authentication.
The IBM
Storage Scale system administrator needs to
specify that the user-defined mode of authentication is used by using the --type
userdefined option in the mmuserauth service create command as shown
in the following
example:
mmuserauth service create --type userdefined --data-access-method file
File Authentication configuration completed successfully.Submit the mmuserauth service list command to see the current authentication
configuration as shown in the following example:
mmuserauth service list
FILE access configuration : USERDEFINED
PARAMETERS VALUES
-------------------------------------------------
OBJECT access not configured
PARAMETERS VALUES
-------------------------------------------------Typically, user-defined authentication is used when existing GPFS customers are already using GPFS with NFS and do
not want to alter the authentication that is already configured on these systems. You can configure
user-defined authentication for both object and file access or for object or file
alone.
Note: Authorization depends upon authentication and ID mapping that is configured with the
system. That is, the ACL control on exports, files, and directories depend on the authentication
method that is configured.
File authentication configuration
Ensure the following while you are using the user-defined mode of authentication for file access:
- Ensure that the authentication server and ID-mapping server are always reachable from all the protocol nodes. For example, if NIS is configured as the ID-mapping server, you can use the 'ypwhich' command to ensure that NIS is configured and reachable from all the protocol nodes. Similarly, if LDAP is configured as authentication and ID-mapping server, you can bind to the LDAP server from all protocol nodes to monitor if the LDAP server is reachable from all protocol nodes.
- Ensure that the implemented authentication and ID-mapping configuration is always consistent across all the protocol nodes. This requires that the authentication server and ID-mapping server are manually maintained and monitored by the administrator. The administrator must also ensure that the configuration files are not overwritten due to node restart and other similar events.
- Ensure that the implemented authentication and ID mapping-related daemons and processes across the protocol nodes are always up and running.
- The users or groups, accessing the IBM
Storage Scale
system over NFS and SMB protocols must resolve to a unique UID and GID respectively on all protocol
nodes. Especially, it must be resolved in implementations where different servers are used for
authentication and ID mapping. The name that is registered in ID-mapping server for user and group
must be checked for resolution.For example,
# id fileuser uid=1234(fileuser) gid=5678(filegroup) groups=5678(filegroup)Note: However, in some use cases where only NFSV3 based access to the IBM Storage Scale system is used. In such cases, the user and group IDs are obtained from the NFS client and the ID-mapping setting is not configured on the protocol nodes. - If the IBM Storage Scale system is configured for multiprotocol support (that is, the same data is accessed through both NFS and SMB protocols), ensure that the IDs of users and groups are consistent across the NFS clients and SMB clients and that they resolve uniquely on the protocol nodes.
- Ensure that UID and GID across users and groups that are accessing the system are not conflicting. This conflict check must be strictly enforced, especially in multiprotocol-based access deployments.
- Ensure that the Kerberos configuration files, placed on all protocol nodes, are in synchronization with each other. Ensure that the clients and the IBM Storage Scale system are part of the same Kerberos realm or trusted realm.
- While you are deploying two or more IBM Storage Scale clusters, ensure that the ID mapping is consistent in cases where you want to use IBM Storage Scale features like AFM, AFM-DR, and asynchronous replication of data.
The following table provides an overview of the authentication requirements for each file access
protocol. Refer this table when you plan to use user-defined mode as the authentication method.
| File access protocol | Requirements |
|---|---|
| NFSV3 | In scenarios where user name and group name are expected to be used to native
GPFS commands (for example, setting data
ownership, listing user or group quota), the IBM
Storage Scale system must be able to resolve the UID and GID
to user name and group name and vice versa, consistently across all the protocol
nodes. Note: However, for some use cases where only the NFSv3 based access to the
IBM
Storage Scale system is used. In such cases, the user
and group IDs are coming from the NFS client and ID-mapping setting is not
configured on the protocol nodes.
|
| Kerberos NFSV3 |
Ensure that the user name and group name that are used to access data consistently resolve to same UID and GID across all protocol nodes and NFS clients. Ensure that the time is synchronized on the NFS server, NFS clients, and Kerberos
server.
Note: User names and group names are case-sensitive.
|
| NFSV4 | Ensure that the user name and group name that are used to access data
consistently resolve to same UID and GID across all protocol nodes and NFS clients. Domain name
must be specified in the /etc/idmapd.conf file and it must be the same on both
the NFS server and NFS clients.
Note: User names and group names are
case-sensitive.
|
| Kerberos NFSv4 | Ensure that the user name and group name that are used to access data
consistently resolve to same UID and GID across all protocol nodes and NFS clients. Ensure that the time is synchronized on the NFS server, NFS clients, and Kerberos server. Domain name and local-realms must be specified in the /etc/idmapd.conf file and it must be the same on both the NFS server and NFS clients. The value of "local-realms” takes the value of Kerberos realm with which the IBM Storage Scale system protocol nodes are configured. |
| SMB | Ensure that the user name and group name that are used to access data
consistently resolve to same UID and GID across all protocol nodes and NFS clients. While you integrate with non-windows server, ensure that the samba attributes are populated on the directory server for every user and group that are planning to access the IBM Storage Scale system. Special care must be taken to match the samba domain SIDs. For Kerberized SMB access, ensure that time is synchronized the SMB server, SMB client, and Kerberos server. |