NAS Technology Is Ready For Prime Time.
To offer integrated Unix/NT data sharing, the NAS appliance must be able to distinguish and transparently support the different locking requirements of its clients. For example, Unix clients running NFSv2 and NFSv3 lock files through the separate Network Lock Manager (NLM) protocol, and those byte-range locks are only advisory: they constrain other clients that ask for a lock, not a client that simply reads or writes. Windows clients running SMB/CIFS expect mandatory file and byte-range locks, which the server must enforce against every reader and writer regardless of protocol, plus opportunistic locks (oplocks) that let a client cache file data and that the server revokes when another client opens the file. Only NAS appliances whose file system understands both sets of semantics, integrated with the file-sharing protocol support, can guarantee that (1) a file can be accessed simultaneously by both NFS and CIFS clients, and (2) each client gets the semantics it expects.
Security Subsystem Support
Because any NAS device is a network-attached, multiuser system, security features are a crucial component. Security is even more critical--and technically challenging--for NAS appliances offering transparent Unix/NT storage and data sharing. These devices must unify both environments' security semantics by managing the distinctions between each environment's identifiers, access rights, and security descriptors.
* Identifiers. Both NT and Unix systems have the concept of users and groups, represented internally by numeric identifiers. In Unix systems, user IDs (uids) and group IDs (gids) come from separate namespaces, so uid 1000 and gid 1000 are unrelated principals, and a uid is only meaningful within the passwd or NIS domain that assigned it. In NT, each user and group has a security ID (SID). A SID consists of a revision number, a 48-bit top-level authority (the "Identifier Authority", for example NT Authority), and up to fifteen 32-bit sub-authorities; the last sub-authority is the Relative Identifier (RID), which names the account within its issuer, while the preceding ones can be thought of as the issuing organization, department, branch, and so on. In a network, each NT domain (a logical grouping of machines sharing the same security database) has its own SID, and the user and group SIDs issued by that domain consist of the domain SID followed by one RID.
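The SID structure just described, as an added worked example (not code from the article): a parser that decomposes the string and binary forms, extracts the RID, and checks whether an account SID was issued by a given domain. The domain and account SIDs used in `demo()` are constructed; the layout itself (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) is the documented one.

```python
"""SID parsing and decomposition (constructed example)."""
import re
import struct

MAX_SUB_AUTHORITIES = 15           # SID_MAX_SUB_AUTHORITIES in the Windows SDK
_SID_RE = re.compile(r"^S-(\d+)-(0x[0-9A-Fa-f]{1,12}|\d+)((?:-\d+)*)$")


class Sid:
    def __init__(self, revision, authority, sub_authorities):
        if revision != 1:
            raise ValueError("only SID revision 1 is defined")
        if not 0 <= authority < (1 << 48):
            raise ValueError("identifier authority is a 48-bit value")
        if len(sub_authorities) > MAX_SUB_AUTHORITIES:
            raise ValueError("too many sub-authorities")
        if any(not 0 <= s < (1 << 32) for s in sub_authorities):
            raise ValueError("sub-authorities are 32-bit values")
        self.revision = revision
        self.authority = authority
        self.sub_authorities = list(sub_authorities)

    @classmethod
    def from_string(cls, text):
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        auth = m.group(2)
        # Authorities that do not fit in 32 bits are written as 0x-prefixed hex.
        authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
        subs = [int(s) for s in m.group(3).split("-")[1:]]
        return cls(int(m.group(1)), authority, subs)

    def __str__(self):
        auth = (str(self.authority) if self.authority < (1 << 32)
                else f"0x{self.authority:012X}")
        return "-".join(["S", str(self.revision), auth]
                        + [str(s) for s in self.sub_authorities])

    def __eq__(self, other):
        return isinstance(other, Sid) and str(self) == str(other)

    def __hash__(self):
        return hash(str(self))

    def to_bytes(self):
        """Binary SID: revision, sub-authority count, 6-byte big-endian
        identifier authority, then each sub-authority as little-endian uint32."""
        return (struct.pack("<BB", self.revision, len(self.sub_authorities))
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.sub_authorities))

    @classmethod
    def from_bytes(cls, raw):
        revision, count = struct.unpack_from("<BB", raw, 0)
        authority = int.from_bytes(raw[2:8], "big")
        subs = list(struct.unpack_from(f"<{count}I", raw, 8))
        return cls(revision, authority, subs)

    @property
    def rid(self):
        """The relative identifier is the *last* sub-authority only."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def prefix(self):
        """Everything but the RID: for an account SID, the issuing domain's SID."""
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])

    def issued_by(self, domain):
        """True if this SID is exactly domain's SID plus one RID."""
        return bool(self.sub_authorities) and self.prefix == domain


def demo():
    domain = Sid.from_string("S-1-5-21-3623811015-3361044348-30300820")      # constructed
    alice = Sid.from_string("S-1-5-21-3623811015-3361044348-30300820-1013")  # constructed
    other = Sid.from_string("S-1-5-21-111-222-333-1013")   # same RID, a different domain
    return {
        "alice_rid": alice.rid,
        "alice_domain": str(alice.prefix),
        "alice_in_domain": alice.issued_by(domain),
        "same_rid_other_domain": other.issued_by(domain),
        "roundtrip": str(Sid.from_bytes(alice.to_bytes())),
        "domain_authority": domain.authority,
    }
```

The `same_rid_other_domain` case is the one a dual-protocol appliance has to get right: a RID on its own is no more a global identity than a Unix uid is, so any mapping between uids and SIDs must be keyed on the full SID, not on the trailing number.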
* Access Rights and Security Descriptors. Unix systems provide only three basic access rights: read, write, and execute/search. Three sets of these rights are maintained for each object: rights for the individual owner of the object, rights for the group owner of the object, and rights for anyone else. The set that applies is chosen by identity rather than by union: the owner is judged by the owner bits alone, even if the group or other bits would grant more. NT provides a much finer level of control. Each securable object in the NT system has an associated data structure containing all of its security information, known as the security descriptor. The security descriptor holds the SID of the object's owner, the SID of its primary group, and two access control lists, each a sequence of access control entries (ACEs) that pair a user or group SID with a set of access rights. The first list, the discretionary ACL (DACL), specifies who can and cannot access the object; access-denied entries are placed ahead of access-allowed entries so that an explicit denial is found before any grant. The second list, the system ACL (SACL), specifies which users' accesses should be audited (i.e., when to log an event). In NT, access rights are divided into three general categories: standard access rights, which apply to every object type; object-specific access rights; and generic access rights, which the system maps onto the other two.
Here, again, to effectively support the security subsystems of both NT and Unix, NAS devices must implement a file system able to support two forms of access control: NT-style, based on access control lists (ACLs); and Unix-style, based on read-write-execute permissions for individual owner, group owner, and all others. For multi-user applications with NT and Unix clients, the NAS appliance should allow a file system object to support both NT-style Security Descriptors and Unix-style permissions.
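The two access checks described above, as an added example (not the article's or any vendor's code), together with the projection of an NT descriptor onto Unix mode bits. The SIDs, uids, ACLs and the uid-to-SID identity mapping are constructed, and R/W/X are a reduced right set standing in for the much wider Windows access mask. The point it makes is the one behind the recommendation to keep both representations: deriving mode bits from a DACL is lossy, so a file system that evaluates the derived bits for Unix clients can grant what the DACL denies.

```python
"""NT DACL/SACL and Unix mode-bit checks side by side (constructed example)."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1             # reduced right set; real Windows masks are wider
EVERYONE = "S-1-1-0"          # well-known SID present in every token


@dataclass
class Ace:
    kind: str                 # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class AuditAce:
    sid: str
    mask: int
    on_success: bool = True
    on_failure: bool = True


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list                # None: no DACL, everything allowed; []: nobody allowed
    sacl: list = field(default_factory=list)


def nt_access_check(sd, token_sids, desired):
    """Walk the DACL in order.  ACEs for SIDs not in the token are skipped; a
    deny ACE refuses the request if it covers any desired bit not already
    granted; the request succeeds once every desired bit has been granted."""
    if sd.dacl is None:
        return True
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return False


def audit_events(sd, token_sids, desired, granted):
    """SACL walk: the audit ACEs that fire for this attempt (what gets logged)."""
    return [a for a in sd.sacl
            if a.sid in token_sids and a.mask & desired
            and ((a.on_success and granted) or (a.on_failure and not granted))]


def unix_access_check(mode, file_uid, file_gid, uid, gids, desired):
    """Owner, then group, then other: the first class that matches decides."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & desired == desired


def mode_from_descriptor(sd):
    """Project a DACL onto rwxrwxrwx by asking what the owner SID, the group
    SID and Everyone would each be granted.  Lossy: a deny aimed at one member
    of the group, or rights for any other SID, cannot be expressed."""
    mode = 0
    for shift, principal in ((6, sd.owner), (3, sd.group), (0, EVERYONE)):
        bits = sum(r for r in (R, W, X)
                   if nt_access_check(sd, {principal, EVERYONE}, r))
        mode |= bits << shift
    return mode


def demo():
    alice, bob, staff = ("S-1-5-21-100-200-300-1001",      # constructed SIDs
                         "S-1-5-21-100-200-300-1002",
                         "S-1-5-21-100-200-300-2001")
    sd = SecurityDescriptor(owner=alice, group=staff, dacl=[
        Ace("deny", bob, W),              # canonical order: explicit denies first
        Ace("allow", alice, R | W | X),
        Ace("allow", staff, R | W),
        Ace("allow", EVERYONE, R),
    ], sacl=[AuditAce(EVERYONE, W, on_success=False)])    # log every failed write
    bob_token = {bob, staff, EVERYONE}
    mode = mode_from_descriptor(sd)
    # Constructed identity mapping: alice is uid 1001, bob is uid 1002, staff is gid 2001.
    bob_by_acl = nt_access_check(sd, bob_token, W)
    bob_by_mode = unix_access_check(mode, 1001, 2001, 1002, {2001}, W)
    return {
        "derived_mode": oct(mode),
        "bob_write_by_acl": bob_by_acl,
        "bob_write_by_mode_bits": bob_by_mode,
        "failed_write_audits": len(audit_events(sd, bob_token, W, bob_by_acl)),
        "alice_write_audits": len(audit_events(sd, {alice, EVERYONE}, W, True)),
    }
```

Bob is a member of the group owner, so the derived mode 0764 lets him write through NFS while the DACL's deny ACE refuses the same write through CIFS. A dual-model file system therefore has to evaluate the descriptor natively for every client of an object that carries one, mapping the Unix client's uid and gids to SIDs first, and fall back to mode bits only for objects that have no descriptor.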
File-Sharing Protocol And File System Semantic Integration
Storing Unix and NT data on a single NAS device is a valuable capability delivered by NAS appliances supporting SMB/CIFS protocols for NT and NFS for Unix. This capability allows IT organizations to attach NAS devices onto the network for additional storage of either Windows/NT or Unix data. However, limiting NAS functionality to only file sharing protocol support will compromise the level of data sharing and the administrative simplicity of the device because that device will not be able to distinguish and support important file system-level, data sharing features. For true NAS data sharing by Unix and NT clients, the NAS appliance must additionally resolve the integration of the file system semantics.
Storage-Centric NAS Operating System
The four important file-system-level integration requirements for NAS data sharing discussed in this article--filenames, attributes, locking, and security--are resolved via operating system capabilities (Unix and Windows/NT), rather than by the file sharing protocols (CIFS/SMB and NFS). Similar to the inability of Beta-formatted video systems to support VHS, NAS devices based on a specific operating system such as Linux face serious technical challenges when attempting to support the operating system features of another such system.
Storage appliances based on a NAS-specific, storage-centric operating system have been designed to address the NAS requirement to support multiple file-sharing protocols and multiple operating system semantics. These devices can transparently share data among multiple file systems, exercise the sophistication to distinguish data at the file system level, and present users with the appropriate interface. They implement a multi-user access and security model that allows simultaneous data sharing by Unix and Microsoft clients without compromising the security of either. They also provide NAS solutions that lower TCO by supporting a diverse set of servers, applications, and clients with minimal administration.
Tim Williams is the president and CEO and Sue Smith is the corporate director of marketing at CrosStor Software, Inc. (South Plainfield, NJ).
Title Annotation: Technology Information
Publication: Computer Technology Review
Date: Sep 1, 1999