isilon - Configuring the Foundation for Access
Directory setup
One of the directory structures recommended by Isilon:

Directory structure 2:

Recommended permission settings for each directory:

Authentication Provider Structure
The Access Control architecture consists of the following components:

1. External Protocols
SMB, NFS, S3, HTTP, FTP, HDFS and SWIFT. Clients access the PowerScale cluster through these external protocols.
2. lsassd daemon
lsassd is the OneFS authentication daemon; it connects to the external providers to look up users.
3. Access zone
The "xattire zone" and "gearitup zone" shown in the image are access zones.
By default an Isilon cluster is treated as a single physical machine, but the cluster can be partitioned into multiple virtual containers; these virtual containers are called access zones.
An access zone isolates data and controls who is allowed to access that zone.
4. External Providers

The "AD" and "LDAP" in the image are external providers. External providers hold the lists of user credentials used for authentication; once a user authenticates successfully, OneFS generates an access token that is then used for the user's access to files and folders.
5. Internal Providers

Internal providers live inside the cluster operating system and come in two kinds, local providers and file providers.
A local provider is created automatically for each access zone.
Local Providers: provide authentication and lookup for the user accounts that the administrator adds.
File Providers: supply user and group information from third-party sources.
Access zone best practices
A cluster supports at most 50 access zones.
| Best Practice | Detail |
| Create unique base directory. | Achieves data isolation. Base directories can overlap only if workflows share data. |
| System zone is for global admin access only. | Employ ZRBAC for zone administration. |
| Create zones to isolate data for different clients. | Do not isolate if workflow requires shared data. |
| Avoid overlapping UID/GID ranges for providers in same zone. | Potential for UID/GID conflicts if overlap in same zone. |
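The table above reads as a checklist, so here is an added example (written for this page, not code from Dell or OneFS) that applies it to a planned set of zones before anything is created on the cluster. It checks the zone count against the 50-zone limit, keeps the System zone in groupnet0, requires tenant base directories under /ifs, flags base directories that nest inside each other unless the pair is declared as a shared workflow, and flags UID/GID range overlap between providers in the same zone. The plan format (name, base_dir, groupnet, providers with uid_range/gid_range) and the tenant names are this example's own assumptions, not an OneFS API.

```python
from itertools import combinations
from pathlib import PurePosixPath

MAX_ZONES = 50                  # per-cluster access zone limit quoted on the page
SYSTEM_ZONE = "System"
SYSTEM_GROUPNET = "groupnet0"   # the page: leave the System zone in Groupnet0

# Constructed sample plan; tenant names come from the page's figure, the ID
# ranges are invented. Field names are this example's own convention, not an API.
ZONES = [
    {"name": "System", "base_dir": "/ifs", "groupnet": "groupnet0",
     "providers": [{"name": "lsa-local-provider:System",
                    "uid_range": (1000, 9999), "gid_range": (1000, 9999)}]},
    {"name": "xattire", "base_dir": "/ifs/xattire", "groupnet": "groupnet1",
     "providers": [{"name": "lsa-ldap-provider:xattire",
                    "uid_range": (10000, 19999), "gid_range": (10000, 19999)},
                   {"name": "lsa-local-provider:xattire",
                    "uid_range": (15000, 15999), "gid_range": (20000, 20999)}]},
    {"name": "gearitup", "base_dir": "/ifs/xattire/shared", "groupnet": "groupnet2",
     "providers": [{"name": "lsa-ldap-provider:gearitup",
                    "uid_range": (30000, 39999), "gid_range": (30000, 39999)}]},
]


def _nested(a: str, b: str) -> bool:
    """True when one base directory equals or lies inside the other."""
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def _overlap(r1, r2) -> bool:
    """Closed integer ranges (lo, hi) overlap."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def check_zone_plan(zones, shared=frozenset()):
    """Return a list of findings; an empty list means the plan passes.

    `shared` holds frozenset({zone_a, zone_b}) pairs whose workflows deliberately
    share data; only for those pairs are overlapping base directories allowed.
    """
    findings = []
    if len(zones) > MAX_ZONES:
        findings.append(f"{len(zones)} zones exceeds the limit of {MAX_ZONES}")

    by_name = {z["name"]: z for z in zones}
    system = by_name.get(SYSTEM_ZONE)
    if system is None:
        findings.append("System zone is missing from the plan")
    elif system["groupnet"] != SYSTEM_GROUPNET:
        findings.append(f"System zone must stay in {SYSTEM_GROUPNET}, found {system['groupnet']}")

    tenants = [z for z in zones if z["name"] != SYSTEM_ZONE]
    ifs = PurePosixPath("/ifs")
    for z in tenants:
        base = PurePosixPath(z["base_dir"])
        if base == ifs or ifs not in base.parents:
            findings.append(f"{z['name']}: base directory {z['base_dir']} must be a subdirectory of /ifs")

    # Data isolation: tenant base directories must not nest unless declared shared.
    for a, b in combinations(tenants, 2):
        if _nested(a["base_dir"], b["base_dir"]) and frozenset({a["name"], b["name"]}) not in shared:
            findings.append(f"{a['name']} and {b['name']}: base directories {a['base_dir']} and "
                            f"{b['base_dir']} overlap without a declared shared workflow")

    # UID/GID conflicts: providers inside one zone must not share ID ranges.
    for z in zones:
        for p, q in combinations(z["providers"], 2):
            for kind in ("uid_range", "gid_range"):
                if _overlap(p[kind], q[kind]):
                    findings.append(f"{z['name']}: {kind[:3].upper()} ranges of {p['name']} "
                                    f"and {q['name']} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_zone_plan(ZONES):
        print("FINDING:", finding)
```

Run against the sample plan it reports two findings: gearitup's base directory nests inside xattire's, and the two xattire providers share part of their UID range. Passing `shared={frozenset({"xattire", "gearitup"})}` silences the first, which is exactly the exception the table allows.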
Multi-tenant scenario
Network configuration:
By default, OneFS builds Groupnet0, Subnet0, and Pool0. Leave the System zone in Groupnet0.
A subnet is also called a SmartConnect zone and contains one or more pools. Pools enable more granular network configuration.

Each organization in the environment is called a tenant.
Network configuration procedure
1. Create the groupnet
2. Create the authentication providers
3. Create the access zone
4. Create the subnet
5. Create the pool

```
isilon01-1# isi network groupnets create <id> --dns-servers=<ip>
isilon01-1# isi auth ads create <name> <user> --groupnet=<groupnet name>
isilon01-1# isi zone zones create <name> <path> --auth-providers=<list of auth providers> --groupnet=<groupnet name>
isilon01-1# isi network subnets create <id> <addr-family> {ipv4 | ipv6} <prefix-len>
isilon01-1# isi network pools create <id> --access-zone=<zone name>
```
Viewing the configuration:

```
// view groupnets
isilon01-1# isi network groupnets list
ID        DNS Cache Enabled DNS Search DNS Servers   Subnets
---------------------------------------------------------------
groupnet0 1                 lab.com    192.168.110.2 subnet0
---------------------------------------------------------------
Total: 1
isilon01-1# isi network groupnets view groupnet0
                       ID: groupnet0
                     Name: groupnet0
              Description: Initial groupnet
        DNS Cache Enabled: True
              DNS Options: -
               DNS Search: lab.com
              DNS Servers: 192.168.110.2
   Server Side DNS Search: True
Allow Wildcard Subdomains: True
                  Subnets: subnet0

// view access zones
isilon01-1# isi zone list
Name   Path
------------
System /ifs
------------
Total: 1
isilon01-1# isi zone view System
                       Name: System
                       Path: /ifs
                   Groupnet: groupnet0
              Map Untrusted:
             Auth Providers: lsa-local-provider:System, lsa-file-provider:System
               NetBIOS Name:
         User Mapping Rules: -
       Home Directory Umask: 0077
         Skeleton Directory: /usr/share/skel
         Cache Entry Expiry: 4H
Negative Cache Entry Expiry: 1m
                    Zone ID: 1

// view subnets
isilon01-1# isi network subnets list
ID                Subnet           Gateway|Priority Pools SC Service Addrs
-----------------------------------------------------------------------------------------
groupnet0.subnet0 192.168.110.0/24 192.168.110.2|10 pool0 192.168.110.50-192.168.110.50
-----------------------------------------------------------------------------------------
Total: 1
isilon01-1# isi network subnets view groupnet0.subnet0
              ID: groupnet0.subnet0
            Name: subnet0
        Groupnet: groupnet0
           Pools: pool0
     Addr Family: ipv4
       Base Addr: 192.168.110.0
            CIDR: 192.168.110.0/24
     Description: Initial subnet
       DSR Addrs: -
         Gateway: 192.168.110.2
Gateway Priority: 10
             MTU: 1500
       Prefixlen: 24
         Netmask: 255.255.255.0
SC Service Addrs: 192.168.110.50-192.168.110.50   // SC = SmartConnect
 SC Service Name:
    VLAN Enabled: False
         VLAN ID: -

// view pools
isilon01-1# isi network pools list
ID                      SC Zone          IP Ranges                     Allocation Method
-----------------------------------------------------------------------------------------
groupnet0.subnet0.pool0 isilon01.lab.com 192.168.110.40-192.168.110.40 static
-----------------------------------------------------------------------------------------
Total: 1
isilon01-1# isi network pools view groupnet0.subnet0.pool0
                     ID: groupnet0.subnet0.pool0
               Groupnet: groupnet0
                 Subnet: subnet0
                   Name: pool0
                  Rules: rule0
            Access Zone: System
      Allocation Method: static
       Aggregation Mode: lacp
     SC Suspended Nodes: -
            Description: Initial ext-1 pool
                 Ifaces: 1:ext-1
              IP Ranges: 192.168.110.40-192.168.110.40
       Rebalance Policy: auto
SC Auto Unsuspend Delay: 0
      SC Connect Policy: round_robin   // client connection balancing policy; the alternatives are connection count, throughput and CPU usage
                SC Zone: isilon01.lab.com
    SC DNS Zone Aliases: -
     SC Failover Policy: round_robin   // IP failover policy; the alternatives are connection count, throughput and CPU usage
              SC Subnet: subnet0
                 SC TTL: 0
          Static Routes: -
  NFSv3 RDMA RRoCE only: No
```
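Reading these views by eye is fine for one pool, but a tenant rollout of the five-step procedure above produces a groupnet, subnet, pool and zone per tenant, and the pieces can drift apart. As an added example (written for this page, not code from Dell or OneFS), the script below parses the right-aligned "Key: value" layout that `isi network subnets view`, `isi network pools view` and `isi zone view` print, then checks that a pool's IP range and the subnet's SmartConnect service address sit inside the subnet's CIDR, that the pool's access zone exists and that the System zone is still in groupnet0. The rule that a pool's access zone must belong to the same groupnet as the pool is this example's own check. The sample input is the output captured on this page, trimmed to the fields the checks use and embedded so the script runs offline.

```python
import ipaddress
import re

# Sample input: the subnet, pool and System zone views shown on this page,
# embedded here (trimmed) so the checks run without a cluster.
SUBNET_VIEW = """\
              ID: groupnet0.subnet0
            Name: subnet0
        Groupnet: groupnet0
           Pools: pool0
     Addr Family: ipv4
       Base Addr: 192.168.110.0
            CIDR: 192.168.110.0/24
         Gateway: 192.168.110.2
Gateway Priority: 10
       Prefixlen: 24
SC Service Addrs: 192.168.110.50-192.168.110.50
 SC Service Name:
    VLAN Enabled: False
         VLAN ID: -
"""

POOL_VIEW = """\
                     ID: groupnet0.subnet0.pool0
               Groupnet: groupnet0
                 Subnet: subnet0
                   Name: pool0
            Access Zone: System
      Allocation Method: static
                 Ifaces: 1:ext-1
              IP Ranges: 192.168.110.40-192.168.110.40
      SC Connect Policy: round_robin
                SC Zone: isilon01.lab.com
     SC Failover Policy: round_robin
          Static Routes: -
"""

ZONE_VIEW = """\
                       Name: System
                       Path: /ifs
                   Groupnet: groupnet0
              Map Untrusted:
             Auth Providers: lsa-local-provider:System, lsa-file-provider:System
               NetBIOS Name:
         User Mapping Rules: -
                    Zone ID: 1
"""

# Key is everything up to the first colon, so values such as "1:ext-1" survive.
_LINE = re.compile(r"^\s*(?P<key>[^:]+?):\s?(?P<value>.*)$")


def parse_view(text: str) -> dict:
    """Parse the 'Key: value' layout of `isi ... view` into a dict.

    Empty values and '-' become None; comma-separated values become lists,
    which is the only nesting these views print."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if value in ("", "-"):
            out[key] = None
        elif ", " in value:
            out[key] = [v.strip() for v in value.split(",")]
        else:
            out[key] = value
    return out


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def range_in_network(spec: str, cidr: str) -> bool:
    """True when every address of 'lo-hi' (or a bare address) lies inside cidr."""
    lo, _, hi = spec.partition("-")
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    return first <= last and first in net and last in net


def check_pool(pool: dict, subnet: dict, zones: dict) -> list:
    """Consistency findings for one pool against its subnet and the known zones."""
    findings = []
    if pool["Subnet"] != subnet["Name"] or pool["Groupnet"] != subnet["Groupnet"]:
        findings.append(f"pool {pool['ID']} is not a member of subnet {subnet['ID']}")
    for rng in _as_list(pool["IP Ranges"]):
        if not range_in_network(rng, subnet["CIDR"]):
            findings.append(f"pool range {rng} lies outside subnet {subnet['CIDR']}")
    for rng in _as_list(subnet["SC Service Addrs"]):
        if not range_in_network(rng, subnet["CIDR"]):
            findings.append(f"SmartConnect service address {rng} lies outside subnet {subnet['CIDR']}")
    zone = zones.get(pool["Access Zone"])
    if zone is None:
        findings.append(f"access zone {pool['Access Zone']} does not exist")
    else:
        # Assumption of this example: a pool may only serve a zone in its own groupnet.
        if zone["Groupnet"] != pool["Groupnet"]:
            findings.append(f"zone {zone['Name']} is in {zone['Groupnet']} but pool is in {pool['Groupnet']}")
        if zone["Name"] == "System" and zone["Groupnet"] != "groupnet0":
            findings.append("System zone has been moved out of groupnet0")
    return findings


if __name__ == "__main__":
    subnet, pool = parse_view(SUBNET_VIEW), parse_view(POOL_VIEW)
    zones = {z["Name"]: z for z in [parse_view(ZONE_VIEW)]}
    print(check_pool(pool, subnet, zones) or "pool0 is consistent with subnet0 and the System zone")
```

On a live cluster the three strings would come from `isi network subnets view`, `isi network pools view` and `isi zone view` run over SSH; the parser is deliberately tolerant of the right-aligned keys, the blank values and the `-` placeholders so the same function handles all three views.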
