File and Object Storage

IBM Spectrum Scale™ Authentication for File Access - Overview

By Archive User posted Wed July 12, 2017 02:09 PM

  
There will be a series of articles under this topic with this one being the Overview or Introduction to Authentication. I will soon speak about each authentication types, examples, commands and common issues we may see.

So lets start with basics:

What is Authentication:


The objective of authentication is to verify the claimed identity of users and components. This means, we must confirm that we are indeed whom we claim to be. This is usually done by having the user enter a valid user name and credential before access is granted. The password is confidential to the user and hence with a successful authentication, we can confirm the claimed identity of the user.

What is UNIX Authentication?
In a UNIX system or a UNIX based appliance, the user uses their user name and a credential (such as password, private SSH key) to log on to system.
The workstation looks up the user’s UID in local files or an external directory service such as LDAP and then verifies the received credential.
After a user is successfully logged on to a UNIX server, they are trusted on this server and also by all other servers that trust this server.

What is Windows Authentication?
A user logs on using their user name to log on to its Windows workstation.
The workstation looks up the user's SID in the local Windows registry or on the Windows domain controller and then verifies the received credential.
After a user is successfully logged on to a Windows server, that user is trusted on this server.

Identification:


The objective of identification is to identify users and infrastructure components which is the basis of Authorization. So, every user or group is associated with a unique identifier. A User is representated by a unique UID while Group is represented by a unique Group ID. Other ways include keys and finger prints (such as a public ssh key) and digital certificates (such as a certificate of the web server).

We just saw that with successful Authentication, a user is able to log into the system. However, we still need to check if he/she has the Authorization to the data he/she is trying to access? For this, the ACLs or Access Control List is checked and accordingly user is given access to data.

ACL or Acess Control List, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. ACLs are stored with each user and group being represented by their unique UIDs and GIDs.

User Names and User Id (UIDs)
Now in a UNIX system or UNIX based appliances User IDs are used to indentify a User on the system. Each user is associated with a User id. This ID is usually a 32Bit integer value.
When a user logs on to a UNIX system, the operating systems looks up their UID and then uses this UID for further representation of the user.

Group names and Group IDs (GIDs)
UNIX systems use groups to maintain sets of users which have the same permissions to access certain system resources.
Similar to User names and UIDs, a UNIX system also maintains group names and group identifiers (GIDs).
A UNIX user might be a member of one or more groups, where one group is the primary or default group.

Both User names and Group names along with respective User IDs and Group IDs are stored in local /etc/passwd or /etc/group file. Or they can be stored on an external directory server such as Microsoft Active Directory - Services for Unix (SFU), Lightweight Director Access Protocol (LDAP) or Network Information Service (NIS)

SID
Windows and SMB client systems reference all operating system entities as resources. For example, users, groups, computers, and so on.
Each resource is represented by a security identifier (SID). This is a 128 bit Integer value.

Resource names and SIDs are stored locally in the Windows registry or in an external directory service such as Active Directory or LDAP.

ID Mapping



Like discussed earlier, ACLs for a file/folder is stored for each user/group with their UID/GID.
In Unix, these are 32 bit integer value.
When an NFS client tries to access data, NFS clients on UNIX appliance will also have similar UID/GID. The respective UID and GIDs are checked and accordingly access is given or denied.

For Windows system, each user or group is represented by SID which is 128 bit integer value. So, when data written from a CIFS share is required to be accessible from an NFS share, the UIDs and GIDs should match else NFS clients will not be able to access data.

For example, user John on Windows having an SID like: S-1-5-21-3922795712-4076380459-2191511802-1304 writes to a CIFS share. When the same user, John, tries to access from NFS share, he is denied access. John on Unix has UID 130412 for example.

Both these IDs do not match. Infact, there cannot be a 1:1 mapping of an SID and UID. Hence, a need for ID Mapping arises.

In short, to support data access from UNIX system to Microsoft Windows clients (SMB protocol) and to allow interoperability, that is, to share data among UNIX and Windows clients (SMB and NFS protocols), the system must map Windows SID to a UNIX UID/GID. This process is referred to as ID mapping and the map is referred to as ID map.

The ID mapping can be done either internally in the system or in an external authentication server.

Directory services

Directory services allows to store and maintain User and Group information centrally on an external server.
These servers can be:

Microsoft Active Directory (AD) - Active Directory (AD) is a Microsoft created technology introduced from Windows 2000 onwards. It provides the following key network services:
- Directory Service
- Kerberos based authentication
- DNS naming

Services for UNIX (SFU) - Services for UNIX (SFU) is a Microsoft Windows component that provides interoperability between Microsoft Windows and UNIX environments.

Lightweight Directory Access Protocol (LDAP) - Lightweight Directory Access Protocol (LDAP) is a directory service access protocol over a TCP/IP network. LDAP is a lightweight alternative to traditional Directory Access Protocol (DAP), therefore it is called LDAP. An LDAP directory is usually structured hierarchically, as a tree of nodes. Each node represents an “entry” within the LDAP database. A single LDAP entry can consist of multiple attribute-value pairs, and is uniquely identified by a distinguished name.

Network Information Service (NIS) - Network Information Service is a directory service protocol for centrally storing configuration data of a computer network. NIS protocols and commands were originally defined by Sun Microsystems, but the service is now widely implemented. Originally called Yellow Pages or YP, some of the binary names still start with “yp”. The NIS information is stored in NIS maps, typically providing the following information:
- Password-related data similar to data stored in /etc/passwd
- Group related data similar to data stored in /etc/group
- Network configuration such as netgroups

Authentication in IBM Spectrum Scale™



To enable read and write access to directories and files for the users on the IBM Spectrum Scale™ system, you must configure user authentication on the system.
Only one user authentication method, and only one instance of that method, can be supported.
The following authentication services can be configured with the IBM Spectrum Scale™ system for file protocol access:
- Microsoft Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Network Information Service (NIS) for NFS client access
- User defined



The following steps are involved in the user authentication for file access:
1. User tries to connect to the IBM Spectrum Scale™ system by using their credentials.
2. The IBM Spectrum Scale™ system contacts the authentication server to validate the user.
3. The IBM Spectrum Scale™ system contacts the ID map server that provides UIDs and GIDs of the user and user group to verify the identity of the user.
4. If the user credentials are valid, the user gains access to the system.

ID Mapping in IBM Spectrum Scale™



IBM Spectrum Scale™ stores all user data on GPFS file systems, which use UIDs and GIDs for access control.
IBM Spectrum Scale™ uses Linux default access control mechanism by comparing the received UID and GID with the UIDs and GIDs stored in GPFS.
For CIFS access, IBM Spectrum Scale™ needs to map SIDs to UIDs and GIDs to enforce access control. The UIDs and GIDs used by the NFS clients must match the UIDs and UIDs stored inside GPFS.

The following methods are used to map Windows SID to UNIX UID and GID:
Internal ID mapping method
Automatic ID mapping is generated when AD-based authentication is used. At this time, AD server is used only for authentication. The ID Maps are stored in the IBM Spectrum Scale™z System.

Automatic ID mapping method uses a reserved ID range to allocate ID based on the following logic.
A user or group in AD is identified by SID, which includes a component that is called RID. Whenever a user or group from an AD domain accesses IBM Spectrum Scale™, a range is allocated per AD domain. UID or GID is then allocated depending upon this range and the RID of the user/group.
For Example: S-1-5-21-3922795712-4076380459-2191511802-1304. Here:
S – String is SID
1 – Revision Level
5 – Identifier Authority Value
21-3922795712-4076380459-2191511802 – Domain or Local Computer Identifier
1304 – Relative ID (RID)

More information on how the Auto ID Map is generated can be found here: https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html

In Short, The idmap_autorid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs that is more deterministic than idmap_tdb and easier to configure than idmap_rid. The mappings of which domain is mapped to which range is stored in autorid.tdb

The Unix ID for a RID is calculated with this formula:
ID = IDMAP UID LOW VALUE + DOMAINRANGENUMBER * RANGESIZE + RID

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID - IDMAP UID LOW VALUE - DOMAINRANGENUMBER * RANGESIZE

Here, we pass the IDMAP UID LOW VALUE, RANGESIZE to the command when we configure AD using command, "# mmuserauth service create". RID is taken from the last part of SID of the incoming user.

DOMAINRANGENUMBER is number of slice allocated to each domain.

So, at the very first access of a user from a domain, an AUTO IDMap is generated. At this time a DOMAINRANGENUMBER is assigned to the domain in a sequential manner. So, the first domain gets value 0, second domain that tries to access will get 1 and so on.

With all the values in place, the UID or GID is then generated using the above formula.

External ID mapping methods
In this case, the UID or GID of a user or group is created and stored in an external server.
The external server administrator is responsible for creating or populating the UID/GID for the user/group in their respective servers.
The IBM Spectrum Scale™ system supports the following servers for external ID mapping:
- LDAP server, where the UID or GID is stored in a dedicated field in the user or group object on the LDAP server.
- AD server with RFC2307 schema extension defined. The UID or GID of a user or group that is defined in AD server is stored in a dedicated field of the user or group object.

Authentication and ID Mapping Schemes supported by IBM Spectrum Scale™ System



Configuring Authentication with Plain AD


Configuring Authentication with NIS


Configuring Authentication with LDAP


Note:
  • The ID mapping option that is given in this table is only applicable for file access.

  • Ignore the ID mapping details if you are looking for the supported configurations for object access.

  • In User-defined mode, customer is free to choose the authentication and ID mapping methods for file and object and manage on their own. That is, the authentication needs to be configured by the administrator outside of the IBM Spectrum Scale™ commands  and ensure that it is common and consistent across the cluster.

  • NFS V3 with SMB protocol access on the same export (multiprotocol access) is not supported.



  • We will see more on each of these Authentication types, steps to configure and verify in the next articles to come.


    #NFSProtocol
    #cognitivecomputing
    #ibmstorage
    #IBMSpectrumScale
    #IBMSpectrumScale
    #SMBProtocol
    #HeterogeneousSystem
    #Softwaredefinedinfrastructure
    #Softwaredefinedstorage
    #Authentication
    #MultiprotcolAccess
    #softwaredefinedstorage
    0 comments
    10 views

    Permalink