OneFS provides a single namespace while enabling multi-protocol access, such as NFS and SMB. Linux machines access the data using NFS; Windows computers access the data using SMB. OneFS has a default shared directory (ifs) that lets clients running Windows, UNIX, Linux, or macOS access the same directories and files. We recommend that you disable the ifs shared directory in a production environment and create dedicated NFS exports and SMB shares for your workload.
To support secure data access, OneFS does three main things:
- Connects to directory services, such as Active Directory, NIS, and LDAP, which are also known as identity management systems and authentication providers. A directory service provides a security database of user and group accounts along with their passwords and other account information.
- Authenticates users and groups. Authentication verifies a user's identity and triggers the creation of an access token that contains information about that identity.
- Controls access to directories and files. OneFS compares the information in an access token with the permissions associated with a directory or a file to allow or deny access to it.
All three of these functions take place in an access zone, a virtual security context that controls access based on the incoming IP address (groupnet) and provides a multi-tenant environment. In an access zone, OneFS connects to directory services, authenticates users, and controls access to resources. A cluster has a single default access zone, known as the System access zone. Until you add an access zone, NFS exports are in the default access zone.
Considerations for access zones:
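The three functions above (directory lookup, authentication producing a token, and comparing the token against a resource's permissions, all scoped to one access zone) can be modelled in a few lines. The following Python is an added illustration, not OneFS code or its real ACL evaluation: the zone names, accounts, passwords and the ACL are constructed sample data, and the deny-wins evaluation order is an assumption chosen to show why an explicit deny entry matters.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """What a zone hands back after a successful login (simplified model)."""
    zone: str
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Ace:
    """One access-control entry; the trustee is a user name or a group name."""
    trustee: str
    allow: bool
    rights: frozenset


class AccessZone:
    """A security context with its own account directory and authentication."""

    def __init__(self, name, accounts):
        self.name = name
        # user -> (password, set of groups); constructed sample data, not a real directory
        self.accounts = accounts

    def authenticate(self, user, password):
        """Return an access token on success, None on an unknown user or bad password."""
        record = self.accounts.get(user)
        if record is None:
            return None
        stored_password, groups = record
        if not hmac.compare_digest(stored_password, password):
            return None
        return AccessToken(zone=self.name, user=user, groups=frozenset(groups))


def check_access(token, resource_zone, acl, wanted):
    """Compare a token with a resource's ACL.

    A token is only valid inside the zone that issued it. Any matching deny
    entry that covers a wanted right refuses access; otherwise every wanted
    right must be granted by some matching allow entry.
    """
    if token is None or token.zone != resource_zone:
        return False
    trustees = {token.user} | token.groups
    granted = set()
    for ace in acl:
        if ace.trustee not in trustees:
            continue
        if not ace.allow and ace.rights & wanted:
            return False
        if ace.allow:
            granted |= ace.rights
    return wanted <= granted


# Constructed sample zones, accounts and ACL (hypothetical names and passwords).
ENG_ZONE = AccessZone("engineering", {
    "alice": ("alice-pw", {"engineers"}),
    "bob": ("bob-pw", {"contractors"}),
})
FINANCE_ZONE = AccessZone("finance", {"carol": ("carol-pw", {"finance"})})

BUILD_EXPORT_ACL = (
    Ace("engineers", True, frozenset({"read", "write"})),
    Ace("contractors", True, frozenset({"read"})),
    Ace("bob", False, frozenset({"write"})),
)


def demo():
    """Run the full flow for three logins and return the access decisions."""
    alice = ENG_ZONE.authenticate("alice", "alice-pw")
    bob = ENG_ZONE.authenticate("bob", "bob-pw")
    carol = FINANCE_ZONE.authenticate("carol", "carol-pw")
    return {
        "alice_write": check_access(alice, "engineering", BUILD_EXPORT_ACL, {"write"}),
        "bob_read": check_access(bob, "engineering", BUILD_EXPORT_ACL, {"read"}),
        "bob_write": check_access(bob, "engineering", BUILD_EXPORT_ACL, {"write"}),
        "carol_cross_zone": check_access(carol, "engineering", BUILD_EXPORT_ACL, {"read"}),
        "bad_password": ENG_ZONE.authenticate("alice", "wrong") is None,
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The cross-zone case is the point to notice: carol authenticates successfully in the finance zone, but her token is refused for a resource in the engineering zone because authentication and access control are scoped to the zone that issued the token.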
- Each access zone may include at most one MIT Kerberos provider.
- An access zone is limited to a single Active Directory provider; however, OneFS allows multiple LDAP, NIS, and file authentication providers in each access zone. Assign only one type of each provider per access zone to simplify administration.
- Creating a large number of local users and groups may affect system performance. Therefore, we recommend limiting the number of local users and groups per cluster to 25,000 each.
- Use the System access zone for cluster management, and create additional access zones for data access.
- Separate organizational tenants using access zones, with no more than 50 zones.
- Designate a separate directory path for each access zone when you create multiple access zones.
- If your NFS workflows require different DNS settings, you can specify dedicated DNS settings for each workflow using a groupnet.
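The considerations above are easy to check before a cluster is built out. The following Python is an added example, not a Dell or OneFS tool: it lints a planned set of access zones against the limits stated in this list (one MIT Kerberos and one Active Directory provider per zone, one provider of each other type recommended, no more than 50 zones, 25,000 local users and groups, distinct directory paths, and the System zone reserved for management). The plan format (a list of dicts with `name`, `path`, `providers` and `data_exports` keys) and the provider type names are assumptions made for this example.

```python
ZONE_LIMIT = 50
LOCAL_ACCOUNT_LIMIT = 25_000
SINGLETON_PROVIDERS = ("kerberos", "ads")  # at most one of each per zone
MULTI_PROVIDERS = ("ldap", "nis", "file")  # several allowed; one per type is simpler


def validate_zone_plan(zones, local_users=0, local_groups=0):
    """Return a list of findings for a planned access-zone layout (empty means clean).

    zones: list of dicts with keys name, path, providers (list of type names)
    and data_exports (count of NFS exports or SMB shares); assumed format.
    """
    findings = []
    if len(zones) > ZONE_LIMIT:
        findings.append(
            f"{len(zones)} access zones exceed the recommended maximum of {ZONE_LIMIT}")
    if local_users > LOCAL_ACCOUNT_LIMIT:
        findings.append(
            f"{local_users} local users exceed the recommended {LOCAL_ACCOUNT_LIMIT} per cluster")
    if local_groups > LOCAL_ACCOUNT_LIMIT:
        findings.append(
            f"{local_groups} local groups exceed the recommended {LOCAL_ACCOUNT_LIMIT} per cluster")

    paths = {}  # path -> zone that claimed it first
    for zone in zones:
        name = zone["name"]
        counts = {}
        for provider_type in zone.get("providers", []):
            counts[provider_type] = counts.get(provider_type, 0) + 1
        for ptype in SINGLETON_PROVIDERS:
            if counts.get(ptype, 0) > 1:
                findings.append(
                    f"{name}: {counts[ptype]} {ptype} providers; an access zone supports only one")
        for ptype in MULTI_PROVIDERS:
            if counts.get(ptype, 0) > 1:
                findings.append(
                    f"{name}: {counts[ptype]} {ptype} providers; keep one per type to simplify administration")
        path = zone["path"]
        if path in paths:
            findings.append(f"{name}: path {path} is already used by zone {paths[path]}")
        else:
            paths[path] = name
        if name == "System" and zone.get("data_exports", 0):
            findings.append(
                "System: carries data exports; reserve the System zone for cluster management")
    return findings


# Constructed sample plans (hypothetical zone names and paths).
GOOD_PLAN = [
    {"name": "System", "path": "/ifs", "providers": ["ads"], "data_exports": 0},
    {"name": "tenant-a", "path": "/ifs/tenant-a",
     "providers": ["ads", "ldap", "kerberos"], "data_exports": 4},
]

BAD_PLAN = [
    {"name": "System", "path": "/ifs", "providers": ["ads"], "data_exports": 3},
    {"name": "tenant-a", "path": "/ifs/tenant-a",
     "providers": ["ads", "ads", "kerberos", "kerberos", "ldap", "ldap"], "data_exports": 2},
    {"name": "tenant-b", "path": "/ifs/tenant-a", "providers": ["ads"], "data_exports": 1},
]


if __name__ == "__main__":
    print("good plan:", validate_zone_plan(GOOD_PLAN, local_users=100, local_groups=50))
    for finding in validate_zone_plan(BAD_PLAN, local_users=30_000):
        print("bad plan:", finding)
```

Running it against BAD_PLAN reports the oversized local-user count, the data exports in the System zone, the duplicate Active Directory, Kerberos and LDAP providers in tenant-a, and tenant-b reusing tenant-a's directory path.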