Zone-specific authentication providers

This section describes how authentication providers behave with zRBAC.

Authentication providers are global objects in a OneFS cluster. However, as part of the zRBAC feature, an authentication provider is implicitly associated with the access zone from which it was created, and has certain behaviors that are based on that association.

  • All access zones can view and use an authentication provider that is created from the System zone. However, only a request from the System access zone can modify or delete it.
  • An authentication provider that is created from (or on behalf of) a non-System access zone can only be viewed, modified, or deleted by that access zone and the System zone.
  • A local authentication provider is implicitly created whenever an access zone is created, and is associated with that access zone.
  • A local authentication provider for a non-System access zone cannot be used by any other access zone. If you want to share a local authentication provider among access zones, use the System zone's local provider.
  • The name of an authentication provider is still global, so authentication provider names must be unique across the cluster. For example, you cannot create two LDAP providers named ldap5 in different access zones.
  • The Kerberos provider can only be created from the System access zone.
  • Creating two distinct Active Directory (AD) providers for the same AD domain may require the AD multi-instancing feature. To assign a unique name to the AD provider, use the --instance option.
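The rules above, encoded as a small reference model so that the expected view/modify/use outcome for a given zone and provider can be checked before changing a cluster. This is an added example, not OneFS code; the provider kind labels and the "Local <zone>" naming of the implicit local provider are assumptions made for the example.

```python
from dataclasses import dataclass

SYSTEM = "System"  # the System access zone


@dataclass(frozen=True)
class Provider:
    name: str        # globally unique, regardless of owning zone
    kind: str        # assumed labels: "local", "ldap", "ads", "krb5"
    owner_zone: str  # access zone the provider was created from


class ProviderRegistry:
    """Models zRBAC visibility and management rules for auth providers."""

    def __init__(self):
        self.providers = {}

    def create_zone(self, zone):
        # Every new access zone gets an implicit local provider owned by it.
        # The "Local <zone>" name is an assumption of this model.
        return self.create(zone, f"Local {zone}", "local")

    def create(self, requesting_zone, name, kind):
        if name in self.providers:
            raise ValueError(f"provider name {name!r} already in use (names are global)")
        if kind == "krb5" and requesting_zone != SYSTEM:
            raise PermissionError("Kerberos providers can only be created from System")
        provider = Provider(name, kind, requesting_zone)
        self.providers[name] = provider
        return provider

    def can_view(self, requesting_zone, name):
        p = self.providers[name]
        if p.owner_zone == SYSTEM:
            return True  # System-created providers are visible to every zone
        return requesting_zone in (SYSTEM, p.owner_zone)

    def can_modify(self, requesting_zone, name):
        # Covers modify and delete: System-owned providers only from System;
        # zone-owned providers from the owning zone or System.
        p = self.providers[name]
        if p.owner_zone == SYSTEM:
            return requesting_zone == SYSTEM
        return requesting_zone in (SYSTEM, p.owner_zone)

    def can_use(self, requesting_zone, name):
        # A non-System zone's local provider is never shared with another zone.
        p = self.providers[name]
        if p.kind == "local" and p.owner_zone != SYSTEM:
            return requesting_zone == p.owner_zone
        return self.can_view(requesting_zone, name)
```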