Base directory guidelines

A base directory defines the file system tree that is exposed by an access zone. The access zone cannot grant access to any files outside of the base directory. Assign a base directory to each access zone.

Base directories restrict path options for several features such as SMB shares, NFS exports, the HDFS root directory, and the local provider home directory template.

Data isolation is required within an access zone. It is recommended that you create a unique base directory path that is not identical to or does not overlap another base directory, except for the System access zone. For example, do not specify /ifs/data/hr as the base directory for both the zone2 and zone3 access zones. Or if /ifs/data/hr is assigned to zone2, do not assign /ifs/data/hr/personnel to zone3.

OneFS supports overlapping data between access zones for cases where your workflows require shared data. However, the added complexity to the access zone configuration might lead to future issues with client access. For the best results from overlapping data between access zones, it is recommended that the access zones also share the same authentication providers. Shared providers ensures that users will have consistent identity information when accessing the same data through different access zones.

If you cannot configure the same authentication providers for access zones with shared data, ensure the following:

  • Select Active Directory as the authentication provider in each access zone. This causes files to store globally unique SIDs as the on-disk identity, eliminating the chance of users from different zones gaining access to each other's data.
  • Avoid selecting local, LDAP, and NIS as the authentication providers in the access zones. These authentication providers use UIDs and GIDs, which are not guaranteed to be globally unique. This results in a high probability that users from different zones will be able to access each other's data.
  • Set the on-disk identity to native, or preferably, to SID. When user mappings exist between Active Directory and UNIX users or if the Services for Unix option is enabled for the Active Directory provider, OneFS stores SIDs as the on-disk identity instead of UIDs.