OneFS generates a token for each user upon initial connection to the cluster. In the Unified Permission Model, a token can be thought of as an identification system like a passport, confirming a user’s identity while a visa for each country grants specific access levels.
The token is generated based on the information provided by authentication providers. If an authentication provider is not configured, OneFS locally generates a value, which is referred to as a “fake” value throughout this paper.
The PowerScale OneFS Unified Permission Model has a core requirement: every entity, whether a user or a group, has both a UNIX component and a SID component. A token is therefore composed of two parts, a UID with its associated GIDs and a SID (both introduced in Legacy single-protocol environments). As in a single-protocol environment, in the PowerScale AIMA model OneFS reaches out to those same providers, if configured, to collect the UID and the SID. Under the Unified Permission Model, however, those UID and SID values are combined into a single token.
Figure 10. PowerScale OneFS token
If authentication providers are not configured or are unavailable, a fake UID/GID value is assigned, which by default is between 1 and 2 million. The default range is configurable, in case those values conflict with IDs already in use in an existing environment.
During token generation, User Mapping occurs, which connects identities between LDAP and Active Directory to a single user. Mapping identities ensures that a user’s token contains real values for both the UID and SID, as OneFS is aware that it is the same user.
Once a token is generated, the OnDisk ID of a user or group is selected. The OnDisk ID, described further in On-Disk Identity, is used when you create a file, set permissions, or change ownership of a file.
Authentication providers configured in OneFS assist with token generation by responding with values for the UID (with its associated GIDs) and the SID. Which of these values are real and which are fake depends on the identifiers the authentication provider supports, as summarized in the following table:
| Authentication provider | UID/GIDs | SID | Ranking |
|---|---|---|---|
| Local Provider | Fake | Fake | Poor |
| File Provider | Fake | Fake | Poor |
| Active Directory | Fake | Real | Good |
| LDAP | Real | Fake | Good |
| Active Directory mapping to LDAP | Real | Real | Best |
| Active Directory with RFC 2307* | Real | Real | Best |
*For more information about RFC 2307, see Appendix A: Configuring Active Directory, LDAP, RFC 2307, and Kerberized NFS.
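The following is an added, simplified model of the token assembly and user-mapping behaviour described above, to make the table concrete; it is example code written for this page, not OneFS code. The fake-ID range bounds (1,000,000 to 2,000,000) and the fake-SID form (`S-1-22-1-<uid>`) are assumptions, as are the sample provider results.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed defaults for this model: the paper states fake IDs fall between
# 1 and 2 million by default and that the range is configurable.
FAKE_ID_MIN, FAKE_ID_MAX = 1_000_000, 2_000_000
FAKE_SID_PREFIX = "S-1-22-1-"   # assumed placeholder form for a generated SID

@dataclass
class ProviderResult:
    """What one authentication provider returned for a user (None = not supplied)."""
    uid: Optional[int] = None
    gids: list = field(default_factory=list)
    sid: Optional[str] = None

@dataclass
class Token:
    uid: int
    gids: list
    sid: str
    uid_is_fake: bool
    sid_is_fake: bool

    def ranking(self) -> str:
        """Ranking as in the provider table: both real = Best, one real = Good, none = Poor."""
        real_parts = int(not self.uid_is_fake) + int(not self.sid_is_fake)
        return {2: "Best", 1: "Good", 0: "Poor"}[real_parts]

class FakeIdAllocator:
    """Hands out cluster-local IDs from the configured fake range, one per identity."""
    def __init__(self, lo: int = FAKE_ID_MIN, hi: int = FAKE_ID_MAX):
        self.lo, self.hi, self.next = lo, hi, lo

    def allocate(self) -> int:
        if self.next > self.hi:
            raise RuntimeError("fake ID range exhausted; reconfigure the range")
        value, self.next = self.next, self.next + 1
        return value

def build_token(results: list, alloc: FakeIdAllocator) -> Token:
    """Merge all provider results for one user (user mapping) into a single token.

    Real values win when any provider supplied them; anything still missing is
    filled with a generated ("fake") value, which is only meaningful on this cluster."""
    uid = next((r.uid for r in results if r.uid is not None), None)
    sid = next((r.sid for r in results if r.sid is not None), None)
    gids = sorted({g for r in results for g in r.gids})
    uid_is_fake, sid_is_fake = uid is None, sid is None
    if uid_is_fake:
        uid = alloc.allocate()
    if not gids:                       # no provider supplied groups: fake primary GID
        gids = [alloc.allocate()]
    if sid_is_fake:
        sid = FAKE_SID_PREFIX + str(uid)
    return Token(uid, gids, sid, uid_is_fake, sid_is_fake)
```

A token whose ranking is not "Best" carries at least one cluster-local identifier, so ownership written to disk with it will not match the user's real identity if a provider is added or mapping is changed later.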