This blog post is the first in a series covering basic multiprotocol concepts in OneFS. The goal is to offer a simple and clear explanation of how OneFS handles multiprotocol data access. The first blog posts in this series will cover high-level concepts. Subsequent blog posts will dive a little deeper and provide examples.
If you find multiprotocol data access in the Isilon OneFS operating system confusing, you’re not alone. Every network-attached storage (NAS) platform approaches multiprotocol data access differently, and there is no formal industry standard for how to implement multiprotocol access in the file systems. How a vendor handles the integration of permission and security models to enable access to the same file through different protocols varies among the vendors themselves.
So what does multiprotocol mean in OneFS? Essentially, it means ensuring the consistency of secured data access, regardless of protocol. Different users, operating systems, and implementations can write and read the same files on the cluster.
Setting the stage: single protocol vs. multiprotocol
To highlight the benefits of multiprotocol data access, let’s focus, first, on the differences between single protocol access and multiprotocol access.
Single data access protocols are self-contained. Windows users access Windows file servers through the Server Message Block (SMB) or Common Internet File System (CIFS) protocol. UNIX users access file servers through the Network File System (NFS) protocol. When a user connects to a cluster to read and write files, the protocol evaluates the files’ security against a set of permissions to determine whether access will be allowed. Each protocol has its own permission model for users and files, which prevents a UNIX user from accessing a Windows file server, and vice versa. Each protocol is a closed system.
Multiprotocol access puts the NAS platform in the middle, creating a system where different users can connect to the same file server (or cluster) through different protocols. The multiprotocol NAS platform handles and stores the permissions for each protocol and user.
In OneFS, multiprotocol means that users who connect through NFS, SMB, and other protocols can access the same file and directories. If necessary, you can create a file or a directory that can be accessed only by a Windows or UNIX client. But unlike other file systems or NAS systems—which might maintain protocol permissions separately or rely on user mapping—Isilon OneFS uses a single unified permission model. This is the key to understanding multiprotocol access in OneFS.
The unified permission model is implemented by creating a common access token. The access token is generated when a user connects to the cluster. In OneFS, your identity (or multiple identities from different directory services) is encapsulated into a single token that represents you to OneFS. The access token contains your user identifier (UID), user security identifier (SID), Windows group memberships (group SIDs), group identifiers (GIDs) from LDAP group memberships, and more. All of those identities are rolled into one and contained in the token. This token is then presented directly against the file permissions stored on the OneFS file system.
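To make the contrast between the closed single-protocol model (described above under "Setting the stage") and the unified access token concrete, here is a small simulation written for this post; it is not OneFS code and does not reproduce how OneFS stores or merges permissions on disk (that is covered in later posts). The token, file, identities, SIDs and the rule that POSIX rights and ACL rights are simply combined are all constructed assumptions of the model. The point it shows is that when each protocol consults only its own identity type, the same user can get different answers over NFS and SMB, whereas presenting every identity in one token gives one answer regardless of protocol.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class AccessToken:
    """Constructed model of a unified access token: one user, many identities."""
    uid: int
    gids: frozenset          # UNIX group ids, e.g. from LDAP group memberships
    user_sid: str
    group_sids: frozenset    # Windows group memberships

    def identities(self):
        """Every identity the token can present, independent of the protocol used to connect."""
        ids = {("uid", self.uid), ("sid", self.user_sid)}
        ids |= {("gid", g) for g in self.gids}
        ids |= {("sid", s) for s in self.group_sids}
        return ids


@dataclass
class FilePerms:
    """Constructed on-disk permissions: POSIX owner/group/mode bits plus an ACL."""
    owner_uid: int
    owner_gid: int
    mode: int                                  # e.g. 0o640
    acl: dict = field(default_factory=dict)    # {("sid", "S-1-5-..."): {"read", "write"}}


def posix_rights(perms, uid, gids):
    """Rights granted by mode bits to a UNIX identity (owner, group, or other)."""
    if uid == perms.owner_uid:
        bits = (perms.mode >> 6) & 0o7
    elif perms.owner_gid in gids:
        bits = (perms.mode >> 3) & 0o7
    else:
        bits = perms.mode & 0o7
    rights = set()
    if bits & 0o4:
        rights.add(READ)
    if bits & 0o2:
        rights.add(WRITE)
    return rights


def acl_rights(perms, identities):
    """Rights granted by ACL entries whose identity appears in the given identity set."""
    rights = set()
    for ident, granted in perms.acl.items():
        if ident in identities:
            rights |= granted
    return rights


def single_protocol_check(protocol, token, perms, wanted):
    """Closed-system model: each protocol sees only its own identity type and permission store."""
    if protocol == "nfs":
        return wanted in posix_rights(perms, token.uid, token.gids)
    if protocol == "smb":
        sids = {i for i in token.identities() if i[0] == "sid"}
        return wanted in acl_rights(perms, sids)
    raise ValueError(f"unknown protocol {protocol!r}")


def unified_check(token, perms, wanted):
    """Unified model: the whole token is presented against everything stored on the file.
    Combining POSIX and ACL rights by union is this model's simplification, not OneFS's rule."""
    rights = posix_rights(perms, token.uid, token.gids)
    rights |= acl_rights(perms, token.identities())
    return wanted in rights


# Constructed sample data (all ids and SIDs are made up for this illustration).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ENGINEERING_GID = 500
ENGINEERING_SID = DOMAIN + "-1107"

# File owned by alice (uid 1001) and the engineering group, mode 640,
# with an ACL entry granting the engineering Windows group read and write.
FILE = FilePerms(owner_uid=1001, owner_gid=ENGINEERING_GID, mode=0o640,
                 acl={("sid", ENGINEERING_SID): {READ, WRITE}})

# bob is in engineering via both his UNIX GID and his Windows group SID.
BOB = AccessToken(uid=1002, gids=frozenset({ENGINEERING_GID}),
                  user_sid=DOMAIN + "-1108", group_sids=frozenset({ENGINEERING_SID}))
# carol is in no relevant group under either identity system.
CAROL = AccessToken(uid=1003, gids=frozenset(), user_sid=DOMAIN + "-1109", group_sids=frozenset())


def compare(token, perms, wanted):
    """Return the verdict each model gives for one requested right."""
    return {
        "nfs_only": single_protocol_check("nfs", token, perms, wanted),
        "smb_only": single_protocol_check("smb", token, perms, wanted),
        "unified": unified_check(token, perms, wanted),
    }


if __name__ == "__main__":
    for name, tok in (("bob", BOB), ("carol", CAROL)):
        for right in (READ, WRITE):
            print(name, right, compare(tok, FILE, right))
```

In the sample, bob's NFS-only check denies write (mode 640 gives the group read only) while his SMB-only check allows it (the ACL grants the group SID write), so the same user sees two different outcomes depending on how he connects. The unified check returns the same answer for bob on every protocol because all of his identities travel in one token; carol, who holds none of the granted identities, is denied under every model.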
Here are some highlights:
- Every NAS platform implements multiprotocol differently. No industry standard exists.
- Multiprotocol in OneFS refers to consistent file access regardless of protocol.
- The key to how multiprotocol works in OneFS is the unified permission model.
- An access token in OneFS contains all identities associated with a single user.
- The access token is presented against file permissions stored in OneFS to define file access.
The next blog post in this series will expand on the multiprotocol concepts covered here and will address common questions about generating access tokens, on-disk identities, user mapping, and directory services. Additional posts will address how OneFS stores file and share permissions, POSIX permissions, access control list (ACL) policies, and how to check permissions. The following common multiprotocol commands will also be covered in more detail:
- ls -le / ls -led
- ls -len / ls -lend
- isi auth mapping token
Tell us what you think of this article. Was this level of information useful? Do you have questions that you would like us to cover in future blog posts? Let us know by leaving a comment.