Overview
Attribute-Based Access Control (ABAC) lets you authorize user access based on attributes set for users in an authentication and authorization provider.
With VAST Data implementation of Attribute-Based Access Control (ABAC), users are assigned ABAC attributes (in Active Directory), and files are assigned ABAC tags (per view on a VAST cluster). A user is granted access to an ABAC-tagged file when one of the user's ABAC attributes matches an ABAC tag of the file. The type of access - read-only or read/write - is determined based on the value set for the user's ABAC attribute in Active Directory.
In case of a conflict between ABAC access resolution and the access granted by the file's ACL, the most restrictive setting applies. For example, if an ACL allows access for a user but the user does not have the required ABAC attributes, access is denied. Similarly, if ABAC grants access to the user while the ACL does not allow user access, the access is denied.
VAST Cluster supports ABAC for NFSv4.1 with Kerberos authentication and SMB with Kerberos or NTLM authentication. For NFSv3 and S3, ABAC is not supported. As of VAST Cluster 5.1, ABAC is supported for views controlled with the SMB and Mixed Last Wins security flavors.
Any files and directories within an ABAC-tagged view inherit the ABAC tags from the view. If a view is created under an ABAC-tagged view, the child view inherits the ABAC tags from the parent view.
The following rules and limitations apply to ABAC-tagged views:
Once assigned, you cannot edit or remove the ABAC tags of a view. Assigning new ABAC tags to an existing view or directory (storage path) is not allowed.
After a child view inherits ABAC tags from the parent view, you cannot update or remove the ABAC tags on the child view.
If you create a view for a directory that already exists, ABAC tags from the existing directory are assigned to the newly created view. In this case, there can be a delay between the view creation time and the time when the view's ABAC tags can be displayed.
If a user does not have any ABAC permissions, the user still can mount a NFSv4.1 export or map a SMB share to a local drive, but the user is not allowed to perform any operations on the files or directories.
The following features and capabilities cannot be used together with ABAC-tagged views:
When using NFSv4.1, it is not allowed to create hardlinks in views that have ABAC tags.
A directory under which an ABAC-tagged view exists, cannot be moved to the Trash folder.
Bulk permission updates are not available for ABAC-tagged views.
Lifecycle rules cannot be set for files or directories with ABAC tags.
To configure ABAC:
Defining Values for ABAC Attributes
VAST Cluster expects that ABAC attributes that are assigned to users in Active Directory, have either of the following values specified:
A value that grants read-only access.
When this value is specified in the user's ABAC attribute entry in the authorization provider, this user is allowed to perform operations that require read-only access (such as NFSv4.1 READDIR) on objects that have an ABAC tag matching the user's ABAC attribute.
A value that grants read/write access.
This value must be set in the user's ABAC attribute entry to allow for read/write access.
To define a set of values for ABAC attributes in VAST Cluster:
In VAST Web UI, use the ABAC read only and ABAC read-write fields in the Active Directory settings (User Management -> Active Directory -> choose to create or edit an Active Directory configuration -> go to the Attribute mapping tab).
In VAST CLI, run an
activedirectory createoractivedirectory modifycommand with the--abac-read-only-value-nameand/or--abac-read-write-value-nameoptions specified.
By default, a value of ro is used to grant read-only access, and a value of rw is used to grant read/write access.
To view current settings in VAST CLI, run an activedirectory list or activedirectory show command and find the Read-Only-Value and Read-Write-Value in the command output.
Tip
For a complete list of operations that require a read-only or read/write ABAC attribute value, see Protocol Operations and ABAC Attribute Values.
Configuring Users with ABAC Attributes in Active Directory
You assign ABAC attributes and their values to users in Active Directory, outside VAST Cluster.
The following rules and limitations apply:
VAST Cluster supports only Active Directory as a provider which contains ABAC attributes. NIS or LDAP providers cannot be used with VAST implementation of ABAC.
ABAC users may reside in multiple domains. Storing ABAC attributes in the Active Directory Global Catalog is not required.
An ABAC provider can include up to 2048 users with ABAC attributes and up to 128 ABAC attribute names defined.
Each ABAC attribute name can be up to 50 characters.
Working with Multiple ABAC Attributes
If a view has more than one ABAC tag assigned and a user is missing one of the matching ABAC attributes, permissions are resolved in the most restrictive way.
Consider the following example:
A view named MyAssets has two ABAC tags, engineering and marketing. Users are configured as follows:
Marta has two matching ABAC attributes that grant read/write access to both engineering and sales information:
engineering=rwandmarketing=rw.Jim is configured to have read/write access to engineering resources and read-only access to marketing information:
engineering=rwandmarketing=ro.Karen is assigned
engineering=rwandmarketing=ab, where the latter grants unknown access typeabto marketing information.Sofia has no matching ABAC attributes assigned.
As a result of this configuration:
Marta can view and modify resources on the MyAssets view.
Jim can view the resources but cannot modify them.
Karen and Sofia cannot view or modify the resources.
Attaching the ABAC Provider to a Tenant
In VAST Cluster, attach the Active Directory provider that includes users with ABAC attributes to a VAST cluster tenant as follows:
In VAST Web UI, go to Element Store -> Tenants and choose to create or modify a tenant. In the Create Tenant or Update Tenant dialog that opens, go to the Providers tab and select the ABAC provider in the Active Directory dropdown.
In VAST CLI, run the
tenant createortenant modifycommand with the ABAC provider specified on the--ad-provider-idoption.
If a tenant has multiple authentication and authorization providers, only one of them can be the ABAC provider.
The same ABAC provider can be used for multiple tenants.
Creating an ABAC-Tagged View
In VAST Cluster, create a view and assign ABAC tags to the view.
Note
ABAC tags can be assigned by VMS users with a role that grants Edit permissions for the Security and Logical realms.
An ABAC-tagged view cannot have NFSv3, S3 Bucket, S3 Endpoint or Database listed among its access protocols.
If NFSv4.1 is enabled on the view:
Kerberos authentication is required.
Root squashing needs to be disabled.
Up to 20 ABAC tags can be defined per view. ABAC tags are case-sensitive and can include up to 50 alphanumeric characters, hyphens (-), colons (:), plus signs (+), and underscores (_).
To assign ABAC tags when creating a view:
In VAST Web UI, go to Element Store -> Views and click the Create View button. In the Create View dialog that opens, go to the Attribute-Based Access Control (ABAC) tab and enter a comma-separated list of ABAC tags in the Attribute field.
Tip
For a complete view creation procedure, see Creating Views.
In VAST CLI, run the
view createcommand with the--abac-tagsoption specified.
Note
When creating an ABAC-tagged view, VAST Cluster always creates a new directory for the newly created view even if the corresponding option has not been specified.
Protocol Operations and ABAC Attribute Values
The following table shows which access protocol operations require that a user has an ABAC attribute value that grants read/write or read-only access to an ABAC-tagged view.
ABAC Attribute Value | NFSv4.1 | SMB |
|---|---|---|
A value for read/write access ( |
|
|
A value for read-only access ( |
|
|