Professional Documents
Culture Documents
CompanyABC
Prepared by:
21/08/2012
This document contains intellectual property rights and copyright which are proprietary to Hitachi Data Systems. It is made a vailable only under
the specific terms of the license granted at the time of purchase. It is strictly forbidden to remove the copyright notice, or copy, distribute or
disclose the contents to third parties, in whole or in part, except under written license terms granted by Hitachi Data Systems.
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Modification History
Document Authorisation by Author
Name/Title Signature Date
Document Location
Machine File Name:
CAVEAT
This document was developed as a result of real customer experiences and information received from interactions with the HDS BA engineers.
This document is provided ‘AS-IS’ without warranty. All solution herein should be fully tested and proven in a test environment before
deployment into mission critical production environments. It is assumed that the following is correct for 8.x releases, however subsequent HNAS
code releases may modify functionality and thus invalidate or enhance some solutions.
Document History
PLEASE NOTE: Before using this document, contact author to ensure accuracy and forward details of any engagement that utilise this
document. A copy of the VISIO diagrams used in this document can also be supplied by the Author. For HDS internal use only.
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
2
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Table of Contents
1 Introduction ............................................................................................................... 5
1.1 Background ....................................................................................................................................................................... 5
1.2 Topology ............................................................................................................................................................................ 5
1.3 Intended Audience .......................................................................................................................................................... 5
1.4 Related Documents ......................................................................................................................................................... 6
1.5 Customer’s Prime Contact .............................................................................................................................................. 6
1.6 Objectives .......................................................................................................................................................................... 6
1.7 Scope .................................................................................................................................................................................. 6
1.8 Assumptions, Exclusions, Constraints and Dependencies ...................................................................................... 6
2 Permission Principles................................................................................................. 7
2.1 FS-DACL-MODE ................................................................................................................................................................ 7
2.2 POSIX Primary Groups .................................................................................................................................................... 8
2.3 User Masks ........................................................................................................................................................................ 9
2.4 Creator Owner Permissions ......................................................................................................................................... 10
List of Figures
Figure 1: FS DACL Mode default behaviour........................................................................................................................................... 7
Arthur Wasiak
List of Tables
No table of figures entries found.
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
4
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
1 Introduction
The purpose of this document is to provide a solution for hosting the multi protocol application
environments on the HNAS NAS infrastructure.
1.1 Background
CompanyABC has commissioned Hitachi Data Systems to design and deploy a solution that will primarily
serve as a file serving environment.
As the existing infrastructure is on Netapp Filers, some consideration is required during migration of data.
Of particular note is that different mapping structures are employed by HNAS and Netapp Filers. These
include:
In light of these migration considerations and challenges, this document has been commissioned to
examine and resolve any issues arising from migrating and provisioning application to the HNAS.
1.2 Topology
Although the number of application architectures is potentially infinite, from a multi protocol perspective
they can loosely be categorised into 3 broad categories. These are introduced below.
» Application to Application (A2A): Two or more applications, residing on separate servers,
utilise a common shared storage area to pass requests, responses and statuses. A2A tend to
have specific service accounts.
» Application to User (A2U): One or more applications generate an output that is then
consumed by end users. A notable characteristic is that the end users are typically organised
into read only consumption groups.
» User to User (U2U): Two disparate groups require a common access area, where files are
stored in a common repository.
These three categories/topologies will be enumerated and detail in following sections
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
5
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
1.6 Objectives
» Create a standard process for storage configuration and implementation of multi-protocol
application environments (MP)
» Provide guidance on the type of information required to process a migration/provisioning
request for a MP environment
1.7 Scope
The scope, for the purposes of this document is:
» Three broad categorisations of MP application topologies, A2A/A2U/U2U
» Although this is document will provide a framework and generalised steps & commands, a
qualified HNAS administrator will be required to interpret the business requirements and
implement said requirements on HNAS infrastructure.
1.8.2 Exclusions
Excluded from the scope are:
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
6
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
2 Permission Principles
2.1 FS-DACL-MODE
Discretionary Access Control List (DACL) is an access control list that is controlled by the owner of an
object and that specifies the access particular users or groups can have to the object. Put simply, DACLs
are permissions that you can define on a file or folder, granting or denying access (be is read/write/modify
etc).
The default mode of the HNAS is to discard DACLs when a UNIX client creates a file or folder. This is
controlled by the command fs-dacl-mode.
DACL DACL
Allow Group Domain User Full Control - inheritable Allow Group Domain User Full Control - inheritable
(1) Define DACL Allow Group Domain Admins Full Control - inheritable (1) Define DACL Allow Group Domain Admins Full Control - inheritable
This default behaviour poses issues in multiprotocol environments where rich Windows ACLs need to be
inherited by child object, regardless if the object is created by a UNIX user or Windows user.
When a UNIX user creates a file/folder, despite the inheritance flag being set, to allow Domain Admins
access to child object, the HNAS will discard these permissions and replace them with ‘Current Owner’
‘Current Group’ UNIX style permissions. This is for legacy reasons, even though such issues can now be
avoided by utilising the correct FS-DACL-Mode.
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
7
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
DACL DACL
Allow Group Domain User Full Control - inheritable Allow Group Domain User Full Control - inheritable
(1) Define DACL Allow Group Domain Admins Full Control - inheritable (1) Define DACL Allow Group Domain Admins Full Control - inheritable
Whilst the permissions will now carry across, note that the HNAS still performs an interpretation of the
permissions. This interpretation can cause some issues, as seen in the section Creator Owner Permissions,
but the basic effect is now that the ACLs are inherited and the ‘current owner/group’ UNIX notation is
added to the DACL, rather than substituted.
The last part of the FS-DACL-mode command refers to ‘masking-deny-aces’. This parameter was
introduced to fix the issue when UNIX client modifications lead to mid-ACL deny statements. Windows
Explorer expects that any deny entries are placed at the end of an ACL. Setting masking-deny-aces
disabled ensure the result ACLs are windows explorer friendly.
There are additional modes, and there may be use cases for them but they are outside the scope of this
document. The above recommendation should be sufficient to get multiprotocol inheritance to work as
expected.
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
8
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Application A Application B
Service Account Service Account
Application A Application B
Windows Unix
Read UID\GID
Create File
SID: <creator owner>
< group A> full control
< group B> full control
< group C> full control
…
UID: No mapping for user – set root
GID: WHICH GROUP?? – set root
(can be only one)
WITHOUT SET PRIMARY
(POSIX) Shared Folder
Application B
Application A
Service Account
Service Account
Application A Application B
Windows Unix
1
http://en.wikipedia.org/wiki/Umask
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
9
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
If, however, the mask were set to 0022 the resultant mode would be -rw-r--r--, thereby granting the group
with only read access.
Similarly, the umask for directory and file creation can be defined on the HNAS via:
» umask-directory-set
» umask-directory-show
» umask-file-set
» umask-file-show
In the context of the MP setting being utilised, this will have little impact, but in case future FS-DACL-
MODEs change, set the umask to 0000 on the HNAS EVS:
umask-directory-set 0000
umask-file-set 0000
As the GID has mapped across, the correct “rwx” is observed. There is no equivalent usermapping, so the
default of “---“ is applied.
Problems arise when a UNIX user then modifies the file. Because the ACL needs to be reassessed, and the
user permissions are defined as “---“ or ‘no access’, an implicit DenyACE is inserted, forbidding the user
from accessing their own file. Clearly, this is not ideal.
ACE:
Type : AccessDeniedACEType
Flags : 0x0
Size : 24
Mask : 0x3f = FileReadData/FileListDirectory | FileWriteData/FileAddFile | …
SID : BUILTIN\Current Owner (S-1-5-32-21061)
To avoid such misinterpretation in a simplified user administration model, we introduce explicit owner
access permission such as:
» cacls-add dacl ace 1 type allow fullcontrol who "Creator Owner" flags fd <folder>
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
10
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
11
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Application B
Application A
Service Account
Service Account
Application A Application B
Windows UNIX
rwx rwx
Shared Folder
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
12
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Secondary Other
GROUP
AD GRPs
AD Administrative
Users
PRIMARY Mapping
GROUP AD GRP
Application Service
Account
Mapping AD GRP =
Mapping UNIX GRP
Secondary Mapping
GROUP UNIX GRP
Application Service
Account
Secondary
GROUP
Secondary Application
GROUP UNIX GRP
Unix Administrative Users
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
13
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
14
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
Application A
Service Account
Application A
Unix Data Consumers
Windows
rwx ro
Shared Folder
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
15
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
User Group(s)
Mapping
AD GRP
Mapping AD GRP =
Mapping UNIX GRP
Secondary
GROUP UNIX GRP
Application Service
Account
Secondary
GROUP
Secondary Application
GROUP UNIX GRP
Unix Administrative Users
Arthur Wasiak
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
17
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
rwx rwx
Shared Folder
Arthur Wasiak
Secondary Other
GROUP
AD GRPs
User Group(s)
Mapping
AD GRP
Mapping AD GRP =
Mapping UNIX GRP
Mapping
UNIX GRP
Secondary
GROUP
Secondary Other
GROUP UNIX GRPs
User Group(s)
Alternatively, we can examine what the scenario is attempting to achieve. The classic scenario is a
common software repository, where application and build data is stored for reuse across numerous
servers, operating systems and applications.
Given a common software repository, one approach would be to utilise a content management solution,
which allows groups to upload via an application interface such as a web form uploader. The application
can run under the service account, mirroring the A2U topology. Once uploaded, the data is then available
to be mounted or connected to by external servers and can be presented in a read-only mode. This is
demonstrated in the following figure, Common Software Repository.
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
19
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
rw rx rx
CIFS NFS
Uploader rwx
Service Account
Shared Folder
File Store Facility
“Uploader App”
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
20
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
9. If you need to reset the folder permissions to begin from the start, enter the EVS & FS then try:
a. >cacls-del dacl vivolRoot
10. Before proceeding, enter the group level mapping.
a. CORP\ADApplicationGroup = unixappgrp [GID:55555]
11. Create primary group override
a. E.g. primary-group-set "CORP\ADAppUser" "CORP\ADApplicationGroup"
12. Apply the owner and group unix permissions
a. chmod 770 vivolRoot
b. chgrp unixappgrp vivolRoot
c. chmod g+rws vivolRoot
13. Load the required CREATOR OWNER dacl
a. cacls-add dacl ace 1 type allow fullcontrol who "Creator Owner" flags fd vivolRoot
14. Now load additional permissions, such as full control for domain admins and the AD mapping
group
a. cacls-add dacl ace 1 type allow fullcontrol group "CORP\Domain Admins" flags fd
vivolRoot
cacls-add dacl ace 1 type allow fullcontrol group "CORP\ADApplicationGroup" flags fd
vivolRoot
15. Check the permissions
a. security-decode-file vivolRoot
16. Migrate the existing data across via standard CIFS or NFS migration methodologies
a. Note: If rich AD permissions are in use, use the CIFS migration tools
b. To ensure of sub-directories have the correct group set post migration, you can use the
following commands from the UNIX client:
i. chgrp -Rv unixappgrp /mnt/nfs/vivolRootMount/
ii. chmod -R 770 * <- note that this will also define the owner as current user
Please note: As this scenario utilises the primary group override [Step 11 above], such a setting would
need to be defined for each user in this environment, e.g.
» primary-group-set "CORP\john.smith" "CORP\ADApplicationGroup"
» primary-group-set "CORP\peter.griffin" "CORP\ADApplicationGroup"
» primary-group-set "CORP\jane.jones" "CORP\ADApplicationGroup"
» primary-group-set "CORP\lisa.simpson" "CORP\ADApplicationGroup"
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
21
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
22
21/08/2012 0.2
Multiprotocol Application Deployment Guide: CompanyABC
Arthur Wasiak
© Hitachi Data Systems 2012 Hitachi Data Systems and CompanyABC Confidential
23
21/08/2012 0.2