Isilon - Configuring Identity Management and Authorization
Role-based access control
Terms:
RBAC: Role-based access control
ZRBAC: zone-aware RBAC
Commands for viewing roles and privileges
// list the roles
isilon01-1# isi auth roles list
Name
---------------
AuditAdmin
BackupAdmin
BasicUserRole
SecurityAdmin
StatisticsAdmin
SystemAdmin
VMwareAdmin
---------------
Total: 7
isilon01-1#

// view the privileges of one role
isilon01-1# isi auth roles view SystemAdmin
       Name: SystemAdmin
Description: Administer all aspects of cluster configuration that are not specifically handled by the SecurityAdmin role.
    Members: admin
Privileges
         ID: ISI_PRIV_LOGIN_CONSOLE
 Permission: r
         ID: ISI_PRIV_LOGIN_PAPI
 Permission: r
……

// list all privileges
isilon01-1# isi auth privileges --verbose
         ID: ISI_PRIV_LOGIN_CONSOLE
Description: Log in from the console
       Name: Console
   Category: Login
 Permission: r
--------------------------------------------------------------------------------
         ID: ISI_PRIV_LOGIN_PAPI
Description: Log in to Platform API and WebUI
       Name: Platform API
   Category: Login
 Permission: r
……
Privileges
List all privileges
isilon01-1# isi auth privileges
ID  Description
------------------------------------------------------------------------------------------------
ISI_PRIV_LOGIN_CONSOLE  Log in from the console  // local (serial) console login; SSH login is ISI_PRIV_LOGIN_SSH below
ISI_PRIV_LOGIN_PAPI  Log in to Platform API and WebUI  // PAPI and WebUI login; PAPI is also served over HTTPS
ISI_PRIV_LOGIN_SSH  Log in from ssh  // the SSH login privilege
ISI_PRIV_SYS_SHUTDOWN  Shutdown the system
ISI_PRIV_SYS_SUPPORT  Run system diagnostic tools
ISI_PRIV_SYS_TIME  Change the system time
ISI_PRIV_SYS_UPGRADE  Upgrade the system
ISI_PRIV_AUTH  Configure identities, roles and authentication providers  // lets a non-System-zone administrator create and modify the authentication providers of their own zone
ISI_PRIV_AUTH_GROUPS  User groups from authentication provider
ISI_PRIV_AUTH_PROVIDERS  Configure Auth providers
ISI_PRIV_AUTH_RULES  User mapping rules.
ISI_PRIV_AUTH_SETTINGS_ACLS  Configure ACL policy settings
ISI_PRIV_AUTH_SETTINGS_GLOBAL  Configure global authentication settings
ISI_PRIV_AUTH_USERS  Users from authentication providers
ISI_PRIV_AUTH_ZONES  Configure access zones
ISI_PRIV_RESTRICTED_AUTH  Configure identities with the same or lesser privilege
ISI_PRIV_RESTRICTED_AUTH_GROUPS  Configure identities with the same or lesser privilege
ISI_PRIV_RESTRICTED_AUTH_USERS  Configure identities with the same or lesser privilege
ISI_PRIV_ROLE  Create new roles and assign privileges
ISI_PRIV_ANTIVIRUS  Configure antivirus scanning
ISI_PRIV_AUDIT  Configure audit capabilities
ISI_PRIV_CERTIFICATE  Configure cluster TLS certificates
ISI_PRIV_CLOUDPOOLS  Configure and manage Cloudpool accounts, access and settings
ISI_PRIV_CLOUDPOOLS_ACCOUNTS  Cloud storage account information and settings.
ISI_PRIV_CLOUDPOOLS_CERTIFICATES  Cloud storage account certificates
ISI_PRIV_CLOUDPOOLS_POOLS  Cloudpools based on cloud accounts
ISI_PRIV_CLOUDPOOLS_PROXIES  Proxies for cloud storage access
ISI_PRIV_CLOUDPOOLS_SETTINGS  Cloud storage settings
ISI_PRIV_CLUSTER  Configure cluster identity and general settings
ISI_PRIV_CLUSTER_MODE  Set cluster mode
ISI_PRIV_CONFIGURATION  Configuration export/import
ISI_PRIV_DATAMOVER  Configure DataMover
ISI_PRIV_DEVICES  Add and remove nodes and drives
ISI_PRIV_EVENT  View and modify system events
ISI_PRIV_FILE_FILTER  Configure File Filtering based on file types
ISI_PRIV_FILE_FILTER_SETTINGS  File Filtering service and filter settings
ISI_PRIV_FTP  Configure FTP server
ISI_PRIV_GET_SET  View and set per-file OneFS metadata
ISI_PRIV_HARDENING  Harden cluster security profile
ISI_PRIV_HDFS  Setup HDFS Filesystem, service, users and settings
ISI_PRIV_HDFS_FSIMAGE_JOB_SETTINGS  HDFS FSImage job settings
ISI_PRIV_HDFS_FSIMAGE_SETTINGS  HDFS FSImage service settings
ISI_PRIV_HDFS_INOTIFY_SETTINGS  HDFS Inotify service settings
ISI_PRIV_HDFS_PROXYUSERS  Proxy users and members
ISI_PRIV_HDFS_RACKS  HDFS virtual rack settings
ISI_PRIV_HDFS_RANGERPLUGIN_SETTINGS  Settings for the HDFS ranger plugin
ISI_PRIV_HDFS_SETTINGS  HDFS Service, protocol and ambari server settings
ISI_PRIV_HTTP  Configure HTTP server
ISI_PRIV_IPMI  Configure remote IPMI management settings
ISI_PRIV_JOB_ENGINE  Schedule cluster wide jobs
ISI_PRIV_KEY_MANAGER  Configure key management settings
ISI_PRIV_LICENSE  Activate OneFS software licenses
ISI_PRIV_MONITORING  Register applications monitoring the cluster
ISI_PRIV_NDMP  Configure NDMP server
ISI_PRIV_NETWORK  Configure network interfaces
ISI_PRIV_NFS  Setup NFS Service, exports and configure settings
ISI_PRIV_NFS_ALIASES  Aliases for export directory names
ISI_PRIV_NFS_EXPORTS  NFS Exports and permissions
ISI_PRIV_NFS_SETTINGS  NFS export and other settings
ISI_PRIV_NFS_SETTINGS_EXPORT  NFS export and user mapping settings
ISI_PRIV_NFS_SETTINGS_GLOBAL  NFS global and service settings
ISI_PRIV_NFS_SETTINGS_ZONE  NFS zone related settings
ISI_PRIV_NTP  Configure NTP
ISI_PRIV_PAPI_CONFIG  Configure the Platform API and WebUI
ISI_PRIV_PERFORMANCE  Configure performance resource accounting
ISI_PRIV_QUOTA  Monitor and enforce administrator defined storage limits
ISI_PRIV_QUOTA_QUOTAMANAGEMENT  Quota to manage, track and limit storage of a identify or directory
ISI_PRIV_QUOTA_QUOTAMANAGEMENT_EFFICIENCYRATIO  Ratio of logical space to physical space used
ISI_PRIV_QUOTA_QUOTAMANAGEMENT_REDUCTIONRATIO  Ratio of logical space to physical space post data reduction
ISI_PRIV_QUOTA_QUOTAMANAGEMENT_THRESHOLDSON  Threshold size type to enforce the limits on
ISI_PRIV_QUOTA_QUOTAMANAGEMENT_USAGE_FSPHYSICAL  Filesystem physical usage size
ISI_PRIV_QUOTA_REPORTS  Quota and usage reports
ISI_PRIV_QUOTA_SETTINGS  Quota reporting and notification settings
ISI_PRIV_QUOTA_SETTINGS_MAPPINGS  Quota email mapping settings
ISI_PRIV_QUOTA_SETTINGS_NOTIFICATIONS  Quota notification rule and schedule settings
ISI_PRIV_QUOTA_SETTINGS_REPORTS  Scheduled and manual reporting settings
ISI_PRIV_QUOTA_SUMMARY  Quota based counts and statistics
ISI_PRIV_REMOTE_SUPPORT  Configure remote support
ISI_PRIV_S3  Setup S3 Buckets and configure settings
ISI_PRIV_S3_BUCKETS  S3 buckets and ACL
ISI_PRIV_S3_MYKEYS  S3 key management
ISI_PRIV_S3_SETTINGS  S3 global and zone settings
ISI_PRIV_S3_SETTINGS_GLOBAL  S3 global and service settings
ISI_PRIV_S3_SETTINGS_ZONE  S3 zone related settings
ISI_PRIV_SMARTPOOLS  Organize pools and enforce policies based on pools.
ISI_PRIV_SMARTPOOLS_FILEPOOL_DEFAULT_POLICY  Default filepool policy
ISI_PRIV_SMARTPOOLS_FILEPOOL_POLICIES  To define filepools based on files and actions.
ISI_PRIV_SMARTPOOLS_FILEPOOL_TEMPLATES  preconfigured templates for typical work flows
ISI_PRIV_SMARTPOOLS_STATUS  Status of storage pools
ISI_PRIV_SMARTPOOLS_STORAGEPOOL  Configure and view storage pools
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_NODEPOOLS  Pool of storage from group of nodes
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_NODETYPES  Cluster node type
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_POOLDETAILS  Storage pools details and usage
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_POOLDETAILS_USAGE  Usage details of storage pool
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_SETTINGS  Storage and action settings for Smartpools
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_TIERS  Storage tiering
ISI_PRIV_SMARTPOOLS_STORAGEPOOL_UNPROVISIONED  Unprovisioned drives and lnn
ISI_PRIV_SMB  Setup SMB Service, shares and configure settings
ISI_PRIV_SMB_SESSIONS  Active SMB sessions
ISI_PRIV_SMB_SETTINGS  View and manage SMB settings
ISI_PRIV_SMB_SETTINGS_GLOBAL  SMB global and service settings
ISI_PRIV_SMB_SETTINGS_SHARE  SMB filter and share Settings
ISI_PRIV_SMB_SHARES  SMB shares and permissions
ISI_PRIV_SNAPSHOT  Manage Snapshots, aliases, schedules and settings
ISI_PRIV_SNAPSHOT_ALIAS  Aliasing for snapshots
ISI_PRIV_SNAPSHOT_LOCKS  Locking of snapshots from deletion
ISI_PRIV_SNAPSHOT_PENDING  Upcoming snapshot based on schedules
ISI_PRIV_SNAPSHOT_RESTORE  Restoring directory to a particular snapshot
ISI_PRIV_SNAPSHOT_SCHEDULES  Scheduling for periodic snapshots
ISI_PRIV_SNAPSHOT_SETTING  Service and access settings
ISI_PRIV_SNAPSHOT_SNAPSHOTMANAGEMENT  Manual snapshots and locks
ISI_PRIV_SNAPSHOT_SUMMARY  Snapshot summary and usage details
ISI_PRIV_SNMP  Configure SNMP server
ISI_PRIV_STATISTICS  View file system performance statistics
ISI_PRIV_SWIFT  Configure Swift
ISI_PRIV_SYNCIQ  Configure and manage data replication using policies, jobs, certificates and settings
ISI_PRIV_SYNCIQ_CERTIFICATES_SERVER  Server certificates for secure replication
ISI_PRIV_SYNCIQ_CERTIFICATES_TARGET  Target cluster certificates
ISI_PRIV_SYNCIQ_JOBS  Ongoing data replication jobs
ISI_PRIV_SYNCIQ_POLICIES  Policies and scheduling for data replication between clusters.
ISI_PRIV_SYNCIQ_POLICY_SOURCENETWORK  Network of replication source cluster
ISI_PRIV_SYNCIQ_REPORTS  SyncIQ policy and job reports
ISI_PRIV_SYNCIQ_RULES  SyncIQ Performance rule limits and schedules
ISI_PRIV_SYNCIQ_SETTINGS  SyncIQ service, policy and report settings
ISI_PRIV_SYNCIQ_SETTINGS_DEFAULT_POLICY_SETTINGS  SyncIQ default policy settings
ISI_PRIV_SYNCIQ_SETTINGS_DEFAULT_POLICY_SETTINGS_RESTRICT_TARGET_NETWORK  SyncIQ default policy restrict target network settings
ISI_PRIV_SYNCIQ_SETTINGS_GLOBAL_SETTINGS  SyncIQ global settings
ISI_PRIV_SYNCIQ_SETTINGS_GLOBAL_SETTINGS_CLUSTER_CERTIFICATE_ID  SyncIQ cluster certificate for global settings
ISI_PRIV_SYNCIQ_SETTINGS_GLOBAL_SETTINGS_ENCRYPTION_REQUIRED  SyncIQ encryption for global settings
ISI_PRIV_SYNCIQ_SETTINGS_GLOBAL_SETTINGS_PREFERRED_RPO_ALERT  SyncIQ preferred RPO alert for global settings
ISI_PRIV_SYNCIQ_SETTINGS_GLOBAL_SETTINGS_RPO_ALERTS  SyncIQ RPO alert for global settings
ISI_PRIV_SYNCIQ_SETTINGS_REPORT_SETTINGS  SyncIQ report settings
ISI_PRIV_SYNCIQ_SETTINGS_REPORT_SETTINGS_REPORT_MAX_AGE  SyncIQ report max age settings
ISI_PRIV_SYNCIQ_SETTINGS_REPORT_SETTINGS_REPORT_MAX_COUNT  SyncIQ report max count settings
ISI_PRIV_SYNCIQ_SETTINGS_SERVICE  SyncIQ service settings
ISI_PRIV_SYNCIQ_TARGET_POLICIES  SyncIQ target policies for the cluster
ISI_PRIV_SYNCIQ_TARGET_REPORTS  SyncIQ target reports and details
ISI_PRIV_VCENTER  Configure VMware vCenter
ISI_PRIV_WORM  Configure WORM directories
ISI_PRIV_IFS_BACKUP  Backup files from /ifs
ISI_PRIV_IFS_RESTORE  Restore files to /ifs
ISI_PRIV_IFS_WORM_DELETE  Perform privileged delete on WORM committed files
ISI_PRIV_ESRS_DOWNLOAD  Schedule file downloads through ESRS
ISI_PRIV_NS_TRAVERSE  Traverse and view directory metadata
ISI_PRIV_NS_IFS_ACCESS  Access /ifs via RESTful Access to Namespace service
------------------------------------------------------------------------------------------------
Total: 145
isilon01-1#
1. If an access zone was created by a System zone administrator, only System zone administrators can modify or delete it; a local (non-System) zone administrator can only view it and add access zones.
2. If an access zone was created by a non-System zone administrator, both the System zone administrator and that non-System zone administrator can view, modify and delete it.
3. It is the ISI_PRIV_AUTH privilege, granted in a zone-aware role, that enables this per-zone administration.
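The role and privilege listings above are what an administrator reviews when checking for least privilege: a role holding ISI_PRIV_AUTH or ISI_PRIV_ROLE with write permission lets its members change who administers the cluster, and a login privilege gives them a shell. The following is an added example, not OneFS code: it parses the text layout of `isi auth roles view <role>` shown above (a Name/Description/Members header followed by ID/Permission pairs) and flags such roles. SAMPLE_ROLES_VIEW is constructed for the example by concatenating the output of two `isi auth roles view` runs; the HelpdeskRole role, its members, and the comma-separated Members layout are assumptions.

```python
"""Audit OneFS role definitions for privilege-escalation paths.

Added example, not OneFS code. Parses `isi auth roles view` text output and
reports which roles (and therefore which members) can reconfigure
authentication or roles, or log in to a shell.
"""

# Privileges whose write permission lets the holder change who administers the
# cluster. Both IDs appear in the privilege list above; treating them as
# "escalation" privileges is this example's policy, not something OneFS defines.
ESCALATION_PRIVS = {"ISI_PRIV_AUTH", "ISI_PRIV_ROLE"}
SHELL_PRIVS = {"ISI_PRIV_LOGIN_SSH", "ISI_PRIV_LOGIN_CONSOLE"}

# Constructed sample: two `isi auth roles view` outputs concatenated.
# HelpdeskRole and the comma-separated Members line are assumptions.
SAMPLE_ROLES_VIEW = """\
       Name: SystemAdmin
Description: Administer all aspects of cluster configuration that are not specifically handled by the SecurityAdmin role.
    Members: admin
Privileges
         ID: ISI_PRIV_LOGIN_CONSOLE
 Permission: r
         ID: ISI_PRIV_LOGIN_PAPI
 Permission: r
         ID: ISI_PRIV_LOGIN_SSH
 Permission: r
         ID: ISI_PRIV_SMB
 Permission: w

       Name: HelpdeskRole
Description: Constructed custom role for this example.
    Members: alice, bob
Privileges
         ID: ISI_PRIV_LOGIN_PAPI
 Permission: r
         ID: ISI_PRIV_AUTH
 Permission: w
"""


def parse_roles_view(text):
    """Return {role_name: {"members": [...], "privileges": {ID: permission}}}."""
    roles, current, pending_id = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Privileges":      # blank separator / section header
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":                          # a new role block starts
            current = {"members": [], "privileges": {}}
            roles[value] = current
        elif current is None:
            continue
        elif key == "Members":
            current["members"] = [m.strip() for m in value.split(",") if m.strip()]
        elif key == "ID":                          # ID line is followed by its Permission line
            pending_id = value
        elif key == "Permission" and pending_id:
            current["privileges"][pending_id] = value
            pending_id = None
    return roles


def audit_roles(roles):
    """One finding per role: escalation privileges held with write permission,
    whether the role grants shell access, and the members affected."""
    findings = []
    for name in sorted(roles):
        privs = roles[name]["privileges"]
        findings.append({
            "role": name,
            "members": list(roles[name]["members"]),
            "escalation_privs": sorted(p for p in privs
                                       if p in ESCALATION_PRIVS and privs[p] == "w"),
            "shell_access": any(p in privs for p in SHELL_PRIVS),
        })
    return findings


def holders_of(roles, privilege):
    """Every member of every role that carries the given privilege."""
    return {m for r in roles.values() if privilege in r["privileges"]
            for m in r["members"]}


if __name__ == "__main__":
    parsed = parse_roles_view(SAMPLE_ROLES_VIEW)
    for f in audit_roles(parsed):
        if f["escalation_privs"] or f["shell_access"]:
            print(f"{f['role']}: members={f['members']} "
                  f"escalation={f['escalation_privs']} shell={f['shell_access']}")
```

On a live cluster, collect the role names with `isi auth roles list`, run `isi auth roles view` for each, and feed the concatenated output to `parse_roles_view`; on a release with zone-aware roles, repeat the collection for each access zone, since a non-System zone can carry its own roles.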
User Identity Mapping
A cluster connection passes through four layers of interaction. The third is identity assignment. This layer is simple and is driven entirely by the result of the authentication layer.
Identity Management
1. When the cluster receives an authentication request, lsassd searches the configured authentication sources for a match for the incoming identity.
If authentication succeeds, OneFS generates an access token. This internal token is the OneFS identity; OneFS uses it to decide whether the user or group is allowed or denied access to files and directories.
2. OneFS uses the authentication providers to verify the user's identity first; only then is the user authorized to access cluster resources.
3. The lsassd daemon sits between the access protocols (SMB, NFS, FTP, and so on) and the authentication providers (AD, NIS, and so on); it queries the identity stores on behalf of the protocols and supplies the identity used for file-access decisions.
Primary Identities
OneFS supports three primary identity types: UID, GID and SID.
UIDs and GIDs from the Local, NIS and LDAP providers range from 1 to 65K.
1. UID, the user identifier, uniquely identifies a user.
UNIX-based systems use UIDs for identity management.
2. SID, the security identifier, uniquely identifies a user or group; it begins with a domain identifier and ends with a 32-bit Relative Identifier (RID).
The SID is the primary identifier for users and groups in Active Directory.
Most SIDs have the form S-1-5-21-<A>-<B>-<C>-<RID>, where <A>-<B>-<C> identifies the domain or system and <RID> identifies the object within that domain.
3. GID, the group identifier, is what UNIX uses to represent a group.
Secondary Identities
Secondary identifiers are names, such as usernames.
1: Windows provides a single, case-insensitive namespace for all objects, qualified by a prefix that names the Active Directory domain (dees in the example below). Note that the UNIX user and group namespaces are case-sensitive: Sera and sera can be different objects.
2: Kerberos and NFSv4 define principals, which require every name to have a format resembling an e-mail address. For example, given the username sera and the domain dees.lab, both dees\sera and sera@dees.lab are valid names in Active Directory. Whenever a name is supplied as an identifier, OneFS looks up the corresponding primary identifier (UID, GID or SID).
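To make the two identity kinds concrete, here is an added example (not OneFS code) that parses a SID into the domain identifier and 32-bit RID described above, rejecting out-of-range fields, and compares the DOMAIN\user and user@domain name forms with Windows (case-insensitive) and UNIX (case-sensitive) rules. The DOMAIN_ALIASES table that maps the NetBIOS name dees to dees.lab is an assumption for the example, taken from the names used in the text; the well-known RIDs are Microsoft-defined values.

```python
"""Parse OneFS primary (SID) and secondary (name) identities.

Added example, not OneFS code. parse_sid() splits S-1-5-21-<A>-<B>-<C>-<RID>
into domain and RID with range checks; the principal helpers show how the
Windows and UNIX namespaces differ in case handling.
"""

# RIDs Microsoft reserves inside every domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

# Assumed for the example: NetBIOS domain name -> DNS domain name.
DOMAIN_ALIASES = {"dees": "dees.lab"}


def parse_sid(sid):
    """Return authority, domain SID (None unless S-1-5-21-...), RID and well-known name."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric field in SID: {sid!r}") from None
    if not 0 <= authority <= 0xFFFFFFFFFFFF:   # identifier authority is 48 bits
        raise ValueError("identifier authority out of range")
    if len(subs) > 15:                          # SID format allows at most 15 sub-authorities
        raise ValueError("too many sub-authorities")
    for s in subs:
        if not 0 <= s <= 0xFFFFFFFF:            # sub-authorities and the RID are 32-bit
            raise ValueError(f"sub-authority {s} exceeds 32 bits")
    # A domain object has authority 5, first sub-authority 21, then A, B, C and the RID.
    is_domain = authority == 5 and len(subs) == 5 and subs[0] == 21
    rid = subs[-1]
    return {
        "authority": authority,
        "domain": "-".join(parts[:-1]) if is_domain else None,
        "rid": rid,
        "is_domain_object": is_domain,
        "well_known": WELL_KNOWN_RIDS.get(rid) if is_domain else None,
    }


def parse_principal(name, default_domain=None):
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = default_domain, name
    return domain, user


def _canonical_domain(domain):
    """Lower-case the domain and resolve a NetBIOS alias to its DNS name."""
    if domain is None:
        return None
    d = domain.lower()
    return DOMAIN_ALIASES.get(d, d)


def same_windows_principal(a, b):
    """Windows namespace: case-insensitive; dees\\sera and sera@dees.lab are one object."""
    da, ua = parse_principal(a)
    db, ub = parse_principal(b)
    return _canonical_domain(da) == _canonical_domain(db) and ua.lower() == ub.lower()


def same_unix_name(a, b):
    """UNIX namespace: exact, case-sensitive match (Sera and sera differ)."""
    return a == b
```

The RID range check matters in practice: SIDs arrive from untrusted inputs (mapping rules, imported ACLs), and a sub-authority that does not fit in 32 bits cannot be a real object.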
Authorization
Windows mainly uses ACLs.
UNIX mainly uses POSIX mode bits.
isilon01-1# ls -l
total 38
drwxr-x---  2 admin  admin           74 Aug  6 20:33 admin
drwxr-xr-x  4 root   wheel           31 Aug  6 20:12 ftp
drwx------  2 test   Isilon Users   206 Aug  7 14:58 test
isilon01-1#
The mode string has ten characters. The first is the file type: regular file (-), directory (d) or symbolic link (l).
The remaining nine are read in groups of three: user/owner permissions, group permissions, and others/everyone permissions.
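As an added example (not OneFS code), the following decodes the mode strings from the listing above and applies the POSIX rule that exactly one class (owner, group or other) is consulted for a given caller. It also handles a wrinkle the listing itself shows: the group "Isilon Users" contains a space, so splitting an `ls -l` line on whitespace assigns the wrong fields. SAMPLE_LS is the listing from above; the users and group memberships passed to unix_access are assumptions for the example.

```python
"""Decode UNIX mode bits from `ls -l` output and evaluate POSIX access.

Added example, not OneFS code. parse_ls_line() copes with group names that
contain spaces; unix_access() picks the owner, group or other class the way
the kernel does and checks only that class.
"""
import re

# mode  links  owner  group(may contain spaces)  size  month  day  time-or-year  name
_LS_RE = re.compile(
    r"^([-dlbcps][-rwxsStT]{9})\s+(\d+)\s+(\S+)\s+(.+?)\s+(\d+)\s+"
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}|\d{4})\s+(.+)$"
)

# The listing shown above (the "total" line is skipped by parse_ls).
SAMPLE_LS = """\
total 38
drwxr-x---  2 admin  admin           74 Aug  6 20:33 admin
drwxr-xr-x  4 root   wheel           31 Aug  6 20:12 ftp
drwx------  2 test   Isilon Users   206 Aug  7 14:58 test
"""

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}


def parse_mode(mode):
    """'drwxr-x---' -> file type, per-class rwx sets and the four-digit octal mode."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    classes, perm_bits, special = {}, 0, 0
    for i, cls in enumerate(("owner", "group", "other")):
        r, w, x = mode[1 + 3 * i: 4 + 3 * i]
        rights = set()
        if r == "r":
            rights.add("r")
        if w == "w":
            rights.add("w")
        if x in "xst":                 # s/t mean execute plus a special bit
            rights.add("x")
        if x in "sStT":                # setuid=4, setgid=2, sticky=1
            special |= 4 >> i
        classes[cls] = rights
        perm_bits = (perm_bits << 3) | (("r" in rights) << 2) | (("w" in rights) << 1) | ("x" in rights)
    return {"type": FILE_TYPES.get(mode[0], "other"), "classes": classes,
            "octal": f"{special}{perm_bits:03o}"}


def parse_ls_line(line):
    """One `ls -l` line -> dict; the lazy group match absorbs embedded spaces."""
    m = _LS_RE.match(line.rstrip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    mode, links, owner, group, size, _mon, _day, _when, name = m.groups()
    return {"name": name, "owner": owner, "group": group, "size": int(size),
            "links": int(links), "mode": mode, **parse_mode(mode)}


def parse_ls(text):
    """Whole listing -> {name: entry}, skipping the 'total' line."""
    return {e["name"]: e for e in (parse_ls_line(l) for l in text.splitlines()
                                   if l.strip() and not l.startswith("total"))}


def unix_access(entry, user, user_groups, wanted):
    """POSIX class selection: owner if the user owns it, else group if any of
    the user's groups matches, else other. Only that one class is checked,
    so an owner whose owner-class bits are empty is denied even if the group
    class would allow it."""
    if user == entry["owner"]:
        cls = "owner"
    elif entry["group"] in user_groups:
        cls = "group"
    else:
        cls = "other"
    return set(wanted) <= entry["classes"][cls]


if __name__ == "__main__":
    for name, e in parse_ls(SAMPLE_LS).items():
        print(f"{name:6} {e['octal']} owner={e['owner']} group={e['group']!r}")
```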
POSIX in the WebUI
Windows ACLs
On a Windows host: Properties > Security tab > Advanced > Edit window
In a Windows environment, ACLs define file and directory access permissions.
When working with Windows, note the important rules that govern Windows permission behaviour.
First, if a user has no permission assigned in the ACL, that user has no access to the file or folder.
Second, permissions can be assigned explicitly to a file or folder, and they can be inherited from the parent folder.
By default, a newly created file or folder inherits the permissions of its parent folder. If a file or folder is moved, it keeps its original permissions. On a Windows client, a checkbox in the Permissions dialog that cannot be changed indicates an inherited permission. Permissions can also be assigned explicitly, and explicit permissions override inherited ones. The last rule to remember is that deny permissions take precedence over allow permissions; however, an explicit allow overrides an inherited deny.
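The four rules above are consistent with each other because Windows evaluates an ACL in a fixed order: explicit deny, explicit allow, inherited deny, inherited allow, stopping as soon as the request is decided. The following is an added example (not OneFS or Windows code) that models exactly that: an explicit allow is reached before an inherited deny and so wins, an explicit deny is reached first and so wins over any allow, and a trustee with no matching ACE gets nothing. The folder ACLs and the trustees sera, Staff and guest are constructed for the example.

```python
"""Model Windows ACL evaluation order.

Added example, not OneFS or Windows code: ACEs are sorted into canonical
order and walked until the requested rights are either all granted or one
of them hits a deny.
"""
from dataclasses import dataclass, replace

READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group identity (a SID on a real system)
    kind: str             # "allow" or "deny"
    rights: int           # bitmask of READ / WRITE / EXECUTE
    inherited: bool = False


def canonical_order(aces):
    """Windows canonical ACE order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda a: rank[(a.inherited, a.kind)])


def inherit(parent_aces):
    """What a newly created child receives from its parent: the same ACEs,
    marked inherited (the greyed-out checkboxes on a Windows client)."""
    return [replace(a, inherited=True) for a in parent_aces]


def access_check(aces, token, requested):
    """token: identities in the caller's access token (the user plus groups).
    True only if every requested right is granted before a matching deny
    covers a right that is still ungranted."""
    granted = 0
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & requested & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return False          # no ACE grants the right: no access at all


# Constructed scenario: the parent folder denies Staff write access and allows
# Staff read; the child inherits both and additionally grants sera full control.
PARENT_ACL = [Ace("Staff", "deny", WRITE), Ace("Staff", "allow", READ)]
CHILD_ACL = inherit(PARENT_ACL) + [Ace("sera", "allow", FULL)]
SERA = {"sera", "Staff"}


def demo():
    """Each entry exercises one of the rules listed in the text."""
    return {
        # explicit allow on the child beats the inherited deny
        "sera_write_child": access_check(CHILD_ACL, SERA, WRITE),
        # on the parent the deny is explicit, so it wins over an explicit allow
        "sera_write_parent": access_check(PARENT_ACL + [Ace("sera", "allow", FULL)], SERA, WRITE),
        # a deny on WRITE does not touch a READ request
        "sera_read_parent": access_check(PARENT_ACL, SERA, READ),
        # no ACE names guest: no access
        "guest_read_child": access_check(CHILD_ACL, {"guest"}, READ),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The `& ~granted` in the deny branch is what makes "explicit allow overrides inherited deny" fall out of the ordering rather than needing a special case: by the time the inherited deny is reached, the explicit allow has already removed that right from the set still being decided.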
Setting ACLs on OneFS:
A Windows client understands only ACLs; it does not process UNIX permissions. When a Windows client views the permissions of a file that carries only UNIX mode bits, OneFS must translate those mode bits into an ACL (OneFS calls the result a synthetic ACL).