August 24th, 2017 16:00

Authentication Source and Quotas

Help me understand why I'm seeing this. I assume I'm doing something wrong because this doesn't make sense. Up until now, I've only had AD and NIS as authentication sources (but I'm still not using AD, so basically just using NIS), and when I added quotas to users' home folders, the owner matched up to what NIS sees. I have an access zone for NIS and this content. To date, everything seems normal... quotas are assigned to correct owners based on what NIS has.

I just added an OpenLDAP authentication source which will eventually have about 50 or so users specific to our high-performance computing cluster. This must remain separate, so I also created another access zone specific to OpenLDAP and this content. However, my System access zone can see both NIS and OpenLDAP now. When I went to create user quotas specific to these users, there obviously is a UidNumber conflict between NIS and OpenLDAP because it's reporting the "linked user" of those home folders as being from the NIS source. When I purposely created a user in OpenLDAP with a UidNumber of 50,000, it reported the correct OpenLDAP user.

Can anyone explain what I'm doing wrong and how I should be doing this? I'm keeping the authentication sources separated by access zones for the content, but what's up with the quotas? Obviously I could just pick high UidNumbers for my OpenLDAP users, but what would happen if I had two sources (say two distinct LDAP servers) with thousands of established users with overlapping UidNumbers and needed quotas for the users from each source?

Thanks for the help.

August 25th, 2017 07:00

Are quotas listed correctly when you use an explicit "--zone ..." specification with "isi quota ..."?

August 25th, 2017 08:00

Peter, I created these via the WebGUI. I see from your suggestion that there is a switch on the CLI that seems to suggest assigning a quota to a zone (and it doesn't appear to be an option in the WebGUI... I'm running OneFS 8.0.0.4, btw). Right now, when I list with the --zone switch specifying my zone, every quota on the system is still listed, but you are right, the linked user persona changes. I suppose it knows this simply from the location of the files based on the access zone definition?

I tried wiping out my HPC quotas and specifically creating them with the --zone switch.  I think I expected that when I listed them with the --zone azHPC switch, it would just show me the quotas for HPC but it still showed everything, only with the correct personas for that access zone (of course, the other non-zone directories no longer show the correct personas).

My question now is, what's the point of creating quotas with the --zone switch? Should I go back and fix my other quotas to include that switch, or does it matter? It seems listing the quotas with the --zone switch shows you all quotas but the personas from the perspective of the zone you specified. I can't figure out why that would be useful. It seems a better use of that switch would be to show just the quotas from that particular zone. Thanks for the help.

August 30th, 2017 09:00

Ryan, you're right, the --zone switch would be better used for strict filtering rather than just UID mapping.

And the Access zone is never derived from the path alone.

To make things worse, the "isi quota report" feature, which creates XML files, is zone-unaware and runs in the System zone.

I can't see an effect of the --zone switch when creating a default-user setting, but obviously it is needed to get specific usernames right when creating or modifying individual quotas.

Best practice seems to be to always specify the correct zone for a given path, although logically it may appear redundant.

On the better side, it is hard to see how any conflict can arise from a user's perspective when using the same UID for different usernames in different access zones, other than:

- confusion with user quotas queried or reported in the System zone or a "wrong" zone
- seemingly combining quota accounts for distinct users when user quotas are defined on a directory higher up the tree, enclosing multiple Access zone roots.

Let me know if I am missing something here.

Consider working with your account team to request an enhancement of Access zone handling.

-- Peter
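
An added example, not part of the original thread and not Isilon tooling: a check for the situation discussed above, where one UID number belongs to different usernames in two authentication sources, so a zone-unaware view attributes a quota to the wrong persona. It assumes the NIS map is available in passwd format (for example from `ypcat passwd`) and the OpenLDAP users as an LDIF export without folded or base64 lines; all names and UID numbers in the sample data are constructed.

```python
from collections import defaultdict

# Constructed sample: NIS passwd map (hypothetical users).
NIS_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
"""

# Constructed sample: OpenLDAP posixAccount entries (hypothetical users).
LDAP_LDIF = """\
dn: uid=hpcuser1,ou=People,dc=example,dc=org
uid: hpcuser1
uidNumber: 1002

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
uidNumber: 1003

dn: uid=hpcuser2,ou=People,dc=example,dc=org
uid: hpcuser2
uidNumber: 50000
"""

def parse_passwd(text):
    """Return {uid_number: {usernames}} from passwd(5)-style lines."""
    out = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            out[int(fields[2])].add(fields[0])
    return out

def parse_ldif(text):
    """Return {uid_number: {usernames}} from blank-line-separated LDIF entries."""
    out = defaultdict(set)
    for entry in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if "uid" in attrs and attrs.get("uidNumber", "").isdigit():
            out[int(attrs["uidNumber"])].add(attrs["uid"])
    return out

def uid_collisions(a, b):
    """UID numbers present in both sources that resolve to different usernames."""
    return {u: (sorted(a[u]), sorted(b[u]))
            for u in sorted(a.keys() & b.keys()) if a[u] != b[u]}
```

A UID that maps to the same username in both sources (carol here) is not reported, since the persona shown is the same whichever source resolves it.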

August 31st, 2017 11:00

Peter, thanks... appreciate the confirmation.  Yes, I'll see about an enhancement request.  So far, I've been able to keep my directory layout very clean with no cross-over between zones so functionally the quotas should be valid.  But yes, it's a bit weird to look at the WebGUI report and see other personas.  Thanks again.
