What is unified access?
Unified file and object access allows use cases where you can access data using object as well as file interfaces. For example, if a user ingests a file from the SMB interface, then users with valid access rights can access that file from the object interface. Conversely, if a user ingests an object from the object interface, then users with valid access rights can access it from the file interface.
Why this post?
- Configuration of Spectrum Scale for unified access
- Demo of unified access.
Details of the cluster which I'll be using for the demo:
[root@vwnode4 ~]# mmlscluster

GPFS cluster information
========================
  GPFS cluster name:         vwnode.gpfscluster
  GPFS cluster id:           XXXX548474453088585
  GPFS UID domain:           vwnode.gpfscluster
  Remote shell command:      /usr/bin/ssh
  Remote file copy command:  /usr/bin/scp
  Repository type:           CCR

 Node  Daemon node name  IP address     Admin node name  Designation
--------------------------------------------------------------------
   1   vwnode0           XX.XX.100.110  vwnode0          quorum-perfmon
   2   vwnode1           XX.XX.100.111  vwnode1          quorum-perfmon
   3   vwnode2           XX.XX.100.112  vwnode2          quorum-perfmon
   4   vwnode3           XX.XX.100.113  vwnode3          manager-perfmon
   5   vwnode4           XX.XX.100.114  vwnode4          manager-perfmon
User authentication details
[root@vwnode4 ~]# mmuserauth service list
FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_SERVER_TLS        false
ENABLE_KERBEROS          false
USER_NAME                cn=manager,dc=example,dc=com
SERVERS                  XX.XX.46.17
NETBIOS_NAME             st001
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          none
KERBEROS_REALM           none

OBJECT access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        false
ENABLE_KS_SSL            false
USER_NAME                cn=manager,dc=example,dc=com
SERVERS                  XX.XX.46.17
BASE_DN                  dc=example,dc=com
USER_DN                  ou=people,dc=example,dc=com
USER_OBJECTCLASS         posixAccount
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
USER_MAIL_ATTRIB         mail
USER_FILTER              none
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            ldapuser3
Configuration of Unified Access
Step 1: Enable the file-access object capability from any protocol node
[root@vwnode4 ~]# mmobj config change --ccrfile spectrum-scale-object.conf --section capabilities --property file-access-enabled --value true
To validate that unified access is enabled, check the status of the ibmobjectizer service.
If unified access is enabled, ibmobjectizer must be running on exactly one node.
[root@vwnode4 ~]# mmces service list -v --all | grep ibmobjectizer
vwnode3: OBJ:ibmobjectizer is running
Step 2: For this demo, I am using unified_mode for authentication.
In unified_mode, users from object and file are expected to be common and to come from the same directory service (note that I have LDAP user authentication configured for both object and file).
Check this for more information.
[root@vwnode4 ~]# mmobj config change --ccrfile object-server-sof.conf --section DEFAULT --property id_mgmt --value unified_mode
Step 3: Create a policy for unified access.
The following command creates a policy named 'swiftOnFile' with unified access enabled.
[root@vwnode4 ~]# mmobj policy create swiftOnFile --enable-file-access
[I] Getting latest configuration from ccr
[I] Creating fileset /dev/cesSharedRoot:obj_swiftOnFile
[I] Creating new unique index and building the object rings
[I] Updating the configuration
[I] Uploading the changed configuration
Let's check our freshly created policy for unified access.
[root@vwnode4 ~]# mmobj policy list

Index        Name          Default  Deprecated  Fileset            Functions
-------------------------------------------------------------------------------------
0            SwiftDefault  yes                  my_object_fileset
56921512210  swiftOnFile                        obj_swiftOnFile    file-and-object-access
You can make this policy default, though it is optional.
[root@vwnode4 ~]# mmobj policy change swiftOnFile --default
Demo of Unified Access
Now let's create a container and add a file in it.
I am going to use Swift Explorer for this.
If you are new to Swift Explorer please check my previous post to configure Swift Explorer -
Accessing Spectrum Scale Object Store using Swift Explorer
Create a container :
Upload a file :
Let's check where this file is uploaded on the server.
[root@vwnode4 ~]# ls -l /ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/unified_access
total 0
-rwxr-xr-x. 1 ldapuser3 ldapuser3 11 Dec 21 09:37 file1.txt
Explanation for path:
/ibm/cesSharedRoot -- Mount point for the GPFS file system
obj_swiftOnFile -- The policy create CLI creates a directory depending upon your policy name
s56921512210z1device1 -- 's' followed by the policy index, followed by the fixed suffix 'z1device1'
AUTH_2de13f0dae4747b484ed06bc31b29835 -- Unique ID for a tenant, with the fixed prefix 'AUTH_'
unified_access -- Name of the container
Let's export this container with NFS and check this file from the file interface.
[root@vwnode4 ~]# mmnfs export add /ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/unified_access/ -c "*(Access_Type=RW,SecType=sys,Squash=NoIdSquash,Protocols=3:4)"
[root@vwnode4 ~]# mmnfs export list

Path                                                                                                                 Delegations  Clients
----------------------------------------------------------------------------------------------------------------------------------
/ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/unified_access        none         *
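An added example, not part of the original post and not IBM tooling: the export above uses the client list '*' with SecType=sys and NoIdSquash, so the path layout explained earlier can be used to audit which object containers are reachable from any NFS client. It assumes the three-column 'mmnfs export list' layout shown in this post; the function names and every sample line except the post's own export are constructed.

```shell
#!/bin/sh
# Added example: find unified-access containers exported over NFS to every client.

# Split <mount>/<fileset>/s<index>z1device1/AUTH_<id>/<container>[/...] and print
# "fileset index account container"; print nothing if the layout does not match.
parse_unified_path() {
    printf '%s\n' "$1" | awk -F/ '{
        for (i = 3; i < NF; i++) {
            if ($i ~ /^s[0-9]+z1device1$/ && $(i+1) ~ /^AUTH_./) {
                idx = $i; sub(/^s/, "", idx); sub(/z1device1$/, "", idx)
                # "-" marks an export of the whole account directory
                cont = (i + 2 <= NF && $(i+2) != "") ? $(i+2) : "-"
                print $(i-1), idx, $(i+1), cont
                exit
            }
        }
    }'
}

# Read `mmnfs export list` output on stdin and report every unified-access path
# whose client list is "*" (any host that can reach the export).
audit_exports() {
    while read -r path _delegations clients; do
        case $path in /*) ;; *) continue ;; esac   # skip header and rule lines
        [ "$clients" = "*" ] || continue           # restricted client list: fine
        info=$(parse_unified_path "$path")
        if [ -n "$info" ]; then echo "OPEN-TO-ALL $info"; fi
    done
    return 0
}

# Constructed sample: the first export is the one from this post, the other
# two rows are made up (192.0.2.10 is a documentation address).
sample_export_list() {
    cat <<'EOF'
Path Delegations Clients
------------------------
/ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/unified_access none *
/ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/reports none 192.0.2.10
/ibm/cesSharedRoot/projects none *
EOF
}

sample_export_list | audit_exports
```

On a protocol node the same check would be fed by piping the real 'mmnfs export list' output into audit_exports; an export that lists several clients per path needs the parsing extended.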
Let's mount it on some other machine:
[root@localhost ~]# mount -t nfs -o vers=3 viknode:/ibm/cesSharedRoot/obj_swiftOnFile/s56921512210z1device1/AUTH_2de13f0dae4747b484ed06bc31b29835/unified_access /mnt/
Let's check our 'file1.txt'
[root@localhost ~]# ls -ln /mnt/
total 0
-rwxr-xr-x. 1 1002 1002 29 Dec 22 11:41 file1.txt
[root@localhost ~]# id ldapuser3
uid=1002(ldapuser3) gid=1002(ldapuser3) groups=1002(ldapuser3)
Now try to ingest a file from NFS and try to get it from the object interface
[root@localhost ~]# su ldapuser3
bash-4.2$ echo "NFS Create File" > /mnt/nfs_file.txt
bash-4.2$ ls /mnt/
file1.txt  nfs_file.txt
Let's check this new file from object interface.
You can get more information about unified access here.