Hello ctodorov,

Is your Isilon cluster brand new deployed with version 9.2 or upgraded from a 8.x or 9.x?

Reason I ask is because I'm facing the exact same API authentication error with brand new 9.2 clusters. I tested the same in 2 clusters that had been upgraded to 9.2 from previous versions, and there API authentication works fine... 

I haven't found a cause yet, but it would be nice to see if you have the same pattern.

Hello fdimatteo,
My cluster is brand new deployed with version 9.2.0. So it confirms your pattern. The same K8s cluster works perfectly fine with CSI ver1.6 and another Isilon with OneFS 8.1.2. Unfortunately it is Isilon-SD and could not be upgraded to newer versions of OneFS (product goes discontinued).
I was thinking that the issue might be the fact I want to use different AZ with zRBAC for CSI instead of system AZ. But now with your question that you have same issue only with new deployed 9.2.x clusters, while it works fine with clusters upgraded from 8.x to 9.x the issue could be else.

I plan to upgrade to 9.2.1 to see if the issue would persist and will post here once it is done.

Thank you so much for that information! It helps a lot!

Do you know if we could expect next version of CSI to be released this week or not? We are little bit on a rush here to verify this setup before deploying it into production. I don't want to enable basic authentication if it is matter of days.

That's awesome news! We downloaded CSI 2.0.0 and start testing it. Will update here once we have some results. Thank you so much for your prompt responses and support!

It is GA for a couple of hours: https://github.com/dell/csi-powerscale 

The doc site is on its way but if you are familiar with existing install process it shouldn't be a pb for you.

Hi again, I confirm that after upgrading to CSI 2.0.0, session based authentication worked and CSI driver was able to authenticate to Isilon on 9.2.0. Thank you again!

I want to use the opportunity to ask how CSI should be configured to use for authentication AD account? When we upgraded to CSI 2.0 we configured it to use (as per above configuration) "isicsi" and got reply "unknown user or password".
I realised that "isicsi" is a user from AD domain and I should put domain prefix to the user in CSI. So tried to put "DEV\\isicsi" (put 2 \\ to escape DEV\isicsi) in helm values.yaml to indicate the domain. But it returned unknown escape character.

At that moment I created local user iscsi on Isilon in the AZ, added it to the CSI role and removed from role AD account. Then tried with CSI and it worked instantly.

So my question is what should be the syntax to use AD account for CSI to authenticate successfully in Isilon API? DOMAIN\\user didn't work, never tried DOMAIN@user though.

We have very strong security requirements and that's the reason to configure CSI to use its own dedicated AZ on Isilon and also need to use AD provided service account to authenticate in Isilon.

Hi Ctodorov,

The AD user works well in my env. I'm running CSI 1.6 though, but the CSI behavior on this point should be same as 2.0. I noticed you were using double slash "\\" in your configuration. Probably you have to change it to "\", i.e. "DOMAIN\user". 

Hi Sean_Zan,

thank you for your reply. I had no enough time to test it with slashes but it instantly worked with DOMAIN@user

So now my instance authenticates using AD domain provided service account towards separate dedicated access zone for CSI on Isilon. I am using custom role created there and assigned domain service account to that role as per CSI documentation. 

The only thing I still miss is that in custom roles it is not possible to give privileges about quota and snapshot. But I am still on 9.2.0. I have to upgrade to 9.2.1 since someone mentioned there it will be also possible to assign these privileges to a custom role.

Hi ctodorov

Roles in non-system zone, cannot have privileges of quota and snapshot. Whether or not the user is an AD user or local user doesn't matter.

Can you check if the user you are using for CSI is in system zone?