Authorization Providers in VAST Cluster


VAST Cluster supports multiple user authorization providers, including external providers and a local provider.

Tip

For more detailed information about how user access is authorized, see Overview of User Management and Authorization.

External Providers

The following external authorization providers can be used to authorize access to files and directories stored on VAST Cluster:

  • Active Directory (AD). Active Directory can store and provide the user and group attributes used by the NFS and SMB protocols. Active Directory is required for SMB access on VAST Cluster.

  • Lightweight Directory Access Protocol (LDAP). LDAP-based directory servers can store and provide the POSIX user and group attributes used by the NFS protocol. If LDAP is configured, you can also use LDAP netgroups in a view policy to restrict which NFS client hosts may access the view.

  • Network Information Service (NIS). An NIS database can provide the POSIX user and group attributes used by the NFS protocol. If NIS is configured, you can also use NIS netgroups in a view policy to restrict which NFS client hosts may access the view.
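The host restriction that LDAP and NIS netgroups provide works the same way in both directories: a netgroup is a named set of (host,user,domain) triples plus nested netgroup names, and a client host is admitted if its name matches a host field anywhere in that tree. The following is an added example, not VAST code: it parses constructed /etc/netgroup-style data (LDAP stores the same triples in nisNetgroupTriple and memberNisNetgroup attributes) and evaluates whether a client host falls into one of the netgroups a policy allows. The function names and the sample netgroups are assumptions made for the example; how a VAST view policy references a netgroup is not shown here.

```python
"""Added example (not VAST code): evaluate NIS/LDAP-style netgroups to decide
whether an NFS client host may reach an export.  Netgroup data is constructed
sample input in /etc/netgroup syntax; function names are this example's own.
"""
import re
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]
# one (host,user,domain) triple; each field may be empty (wildcard) or "-" (no match)
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text: str) -> Dict[str, Tuple[List[Triple], List[str]]]:
    """Parse 'name (host,user,domain) ... nested ...' lines into {name: (triples, nested)}."""
    groups: Dict[str, Tuple[List[Triple], List[str]]] = {}
    for raw in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        line = raw.split("#", 1)[0].strip()               # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        name, body = parts[0], (parts[1] if len(parts) > 1 else "")
        triples = [tuple(f.strip() for f in m) for m in TRIPLE_RE.findall(body)]
        nested = TRIPLE_RE.sub(" ", body).split()        # whatever is not a triple is a group name
        groups[name] = (triples, nested)
    return groups


def host_in_netgroup(groups, name: str, client: str, _seen=None) -> bool:
    """True if client matches the host field of any triple, following nested groups."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:   # cycle, or undefined group: no match
        return False
    _seen.add(name)
    triples, nested = groups[name]
    for host, _user, _domain in triples:
        if host == "":                          # empty field is a wildcard per netgroup(5)
            return True
        if host != "-" and host.lower() == client.lower():
            return True
    return any(host_in_netgroup(groups, n, client, _seen) for n in nested)


def client_allowed(groups, allowed_netgroups: List[str], client: str) -> bool:
    """Policy-style check: the client host must belong to at least one allowed netgroup."""
    return any(host_in_netgroup(groups, ng, client) for ng in allowed_netgroups)


# Constructed sample data (not from any real directory).
NETGROUP_DB = """\
# hosts that may mount the export, by role
hpc-nodes    (node01.lab.example,-,-) (node02.lab.example,-,-)
admins       (bastion.lab.example,root,-)
nfs-clients  hpc-nodes admins
everyone     (,-,-)
loop-a       loop-b
loop-b       loop-a
"""
GROUPS = parse_netgroups(NETGROUP_DB)

if __name__ == "__main__":
    for host in ("node02.lab.example", "bastion.lab.example", "laptop.lab.example"):
        print(host, "->", client_allowed(GROUPS, ["nfs-clients"], host))
```

Two points worth carrying over to a real deployment: an empty host field admits every client, so audit netgroups for `(,...)` wildcards before using them as an access control; and an NFS server compares the netgroup host field against the name it resolves for the client's IP address (typically reverse DNS), so the restriction is only as trustworthy as that resolution.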

Local Provider

In addition to external providers, VAST Cluster features a local provider which enables you to create users manually. Use the local provider to:

  • Add users that are not defined on any external provider, including users that specifically need S3 access. (Users defined on an external provider can be granted S3 permissions without being added to the local provider.)

  • Add POSIX attributes for a user that is defined on Active Directory but has only SMB attributes there and is not defined on an additional configured external provider. In this case, use the same user name as on Active Directory so that the user database associates the local attributes with that user.

  • Add users when no external provider is configured. This is an option for NFS and S3 access only; SMB access requires Active Directory.

  • Add users to manually override incorrect or outdated POSIX attributes held by external providers.

Local user attributes override any conflicting POSIX attributes (such as group memberships) on external providers. For information about managing users on the local provider, see Local Provider.

Note

The local provider is available for the default tenant only.

Supported Combinations of Providers and Access Protocols

The following combinations are supported per tenant:

Configured Auth Provider(s)        Protocols Supported on the VAST Cluster
---------------------------------  ----------------------------------------------------
Local + Active Directory + LDAP    NFSv3, NFSv4.1, SMB, S3
Local + Active Directory + NIS     NFSv3, NFSv4.1, SMB, S3
Local + Active Directory           NFSv3, NFSv4.1, SMB, S3
Local + LDAP                       NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3
Local + NIS                        NFSv3, S3
Local only                         NFSv3, NFSv4.1 (without Kerberos or ID mapping), S3


If two external authorization providers are connected to one tenant at the same time, one of them is always designated the POSIX Primary provider. When user information retrieved from the two providers conflicts in an attribute value, the POSIX Primary provider's value takes precedence over the second provider's. Attributes defined on the local provider still override both, as described above.
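The two precedence rules stated on this page (local attributes override conflicting POSIX attributes on external providers; between two external providers, the POSIX Primary wins) determine which uid, gid and group memberships a user ends up with, and therefore which files they can reach over NFS. The following is an added example, not VAST code: a small resolver that merges per-provider user records in that precedence order and reports which provider supplied each attribute, covering the cases listed under Local Provider (an AD user with only SMB attributes gaining POSIX attributes from the local provider, and local records overriding stale group memberships). It assumes, beyond what the page states, that when the higher-precedence provider does not carry an attribute at all the next provider's value is used; the provider names, user records and function names are constructed for the example.

```python
"""Added example (not VAST code): model of attribute precedence across a
tenant's authorization providers.

Rules taken from the page:
  1. Local-provider attributes override conflicting POSIX attributes
     (uid, gid, group memberships) held by external providers.
  2. With two external providers, the POSIX Primary provider wins conflicts.
Assumption (not stated on the page): if the higher-precedence provider lacks
an attribute entirely, the next provider's value is used.
All provider contents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POSIX_FIELDS = ("uid", "gid", "groups")


@dataclass(frozen=True)
class UserRecord:
    """One provider's view of a user; attributes the provider lacks stay None."""
    name: str
    uid: Optional[int] = None
    gid: Optional[int] = None
    groups: Optional[Tuple[int, ...]] = None   # supplementary POSIX groups
    sid: Optional[str] = None                  # SMB identity (Active Directory only)


class Provider:
    """A configured provider with a small in-memory user database."""

    def __init__(self, name: str, users: List[UserRecord]):
        self.name = name
        self._db = {u.name: u for u in users}

    def lookup(self, name: str) -> Optional[UserRecord]:
        return self._db.get(name)


def precedence_order(local: Optional[Provider], externals: List[Provider],
                     posix_primary: Optional[Provider] = None) -> List[Provider]:
    """Local first, then the POSIX Primary, then the remaining external provider."""
    if len(externals) > 2:
        raise ValueError("a tenant connects at most two external providers")
    if len(externals) == 2:
        if posix_primary not in externals:
            raise ValueError("with two external providers one must be the POSIX Primary")
        order = [posix_primary] + [p for p in externals if p is not posix_primary]
    else:
        order = list(externals)
    return ([local] if local is not None else []) + order


def resolve_user(name: str, local: Optional[Provider], externals: List[Provider],
                 posix_primary: Optional[Provider] = None):
    """Merge one user's attributes.  Returns (UserRecord, {field: provider name}),
    or (None, {}) if no provider knows the user."""
    hits = [(p, p.lookup(name)) for p in precedence_order(local, externals, posix_primary)]
    hits = [(p, rec) for p, rec in hits if rec is not None]
    if not hits:
        return None, {}
    merged: Dict[str, object] = {"name": name}
    source: Dict[str, str] = {}
    for field in POSIX_FIELDS:
        # the first provider in precedence order that carries the attribute wins
        for prov, rec in hits:
            value = getattr(rec, field)
            if value is not None:
                merged[field] = value
                source[field] = prov.name
                break
    # SID is an SMB attribute, not a POSIX one: local records never override it
    for prov, rec in hits:
        if prov is not local and rec.sid is not None:
            merged["sid"] = rec.sid
            source["sid"] = prov.name
            break
    return UserRecord(**merged), source


# Constructed sample databases for one tenant running AD + LDAP + Local.
AD = Provider("AD", [
    UserRecord("alice", sid="S-1-5-21-1-2-3-1001"),                   # SMB attributes only
    UserRecord("bob", uid=2001, gid=2001, groups=(3000,), sid="S-1-5-21-1-2-3-1002"),
])
LDAP = Provider("LDAP", [
    UserRecord("bob", uid=2001, gid=9999, groups=(3000, 3001)),        # conflicts with AD
    UserRecord("carol", uid=2002, gid=2002, groups=(3001,)),            # stale group list
])
LOCAL = Provider("Local", [
    UserRecord("alice", uid=1001, gid=1001, groups=(3000,)),            # POSIX attrs for the AD user
    UserRecord("carol", groups=(3005,)),                                # override groups only
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        rec, src = resolve_user(user, LOCAL, [AD, LDAP], posix_primary=AD)
        print(user, rec, src)
```

The provenance map is the useful part for troubleshooting: when a user reports unexpected NFS permissions, it tells you whether the offending gid or group list came from the local provider, the POSIX Primary or the secondary provider, which is the first thing to establish before editing any directory.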