Administration Guides

Active Directory Managed Quotas Overview



    To simplify quota administration, this feature allows Active Directory groups to be used to detect quotas that should be automatically applied to users or directories based on group membership, or to apply group quotas on a share.

    Overview diagram

    This capability allows quota templates to be created in Eyeglass based on Gold, Silver and Bronze labels or a custom label name, and to define hard, soft or advisory quotas. No direct connection to AD is required; all user group AD membership is retrieved using the PowerScale APIs.

    Quota Types 

    1. User Quotas
    2. Group Quotas
    3. Quota Enforcement type: Soft, Hard, Advisory
    4. Directory quotas are included in reporting but cannot be managed by the AD group feature.

    Active Directory Groups used to target where to apply quotas or How to apply Quotas 

    Eyeglass quota templates can be configured to automatically detect and apply quotas. The templates are created with the Eyeglass CLI. The running jobs icon will show the detection job and the apply quota job running on their schedules. The schedule is managed by the CLI commands (see the CLI guide here). Once configured, Eyeglass runs a special quota job that detects AD group membership, reviews the quotas applied to clusters, and adds or updates user quotas to match AD group membership based on the template definitions.

    NOTE: Deleting quotas is disabled and requires a manual delete, so that an accidental AD group change cannot cause quotas to be deleted. Options exist to handle quota deletion; see the CLI guide for options that handle different scenarios. The default settings do not delete quotas.

    NOTE: If a user has had a quota increased by being a member of a template AD group and is then added to a template AD group that would lower the quota, Eyeglass will not lower the quota. This ensures that the user does not end up with blocked writes from a reduced quota. It also allows a higher quota to be set manually on the cluster without risk of Eyeglass changing the quota to a lower value.

    The admin guide covers all the IGLS CLI commands used to configure the features. This guide covers configuration, planning and some example CLI commands.

    AD Group Modes on Templates

    A template has an AD group mode that determines how the AD group will be viewed when evaluating when to create a quota for a user.

    1. Quota Template User mode Enabled - an AD group's user membership is used to create a PowerScale user quota on all shares that have the AD group assigned to share permissions.
    2. Quota Template Group mode Enabled - a PowerScale group quota will be applied on shares that have the AD group assigned to share permissions.

    AD Group membership and quota creation Schedules

    Once enabled (see IGLS commands in the CLI guide), the AD group membership task will evaluate all AD groups defined in quota templates to determine which users should have a new quota created or an existing quota updated. The default schedule is every 12 hours. This can be changed.

    The quota updates are done on a different schedule, which is determined by how quota inventory is configured.

    1. Default quota inventory collection occurs during normal configuration replication jobs that run every 5 minutes by default. This means that quotas will be created based on the last execution of the AD group membership task approximately 5 minutes after the AD group task completes. Recommendation: for < 1000 quotas use the default configuration.
    2. If the quota inventory schedule has been configured for large quota collection, this task runs collection once per day by default. This means the quota creation step for AD managed quotas will follow the quota collection schedule as well. Recommendation: For faster quota creation after AD group membership changes, align the quota inventory (default once per day) and the AD group task (default 12 hours) to new values. If no change to the defaults is made, quota updates will occur once per day.

    AD Groups for Security Versus Quota assignment Best Practice.

    AD groups used for securing access to shares can be used in quota templates.  This is when all users that have access to the share should have a quota applied.  NOTE: if some users that have access to the share based on an AD security group require a different quota value, this can be accomplished with a second quota template in Eyeglass.  

    Note:  the highest quota value will be applied for any given user if a conflict exists between the quota templates when more than one AD group tier template matches a given user.

    Recommendation:  Use AD security groups already present on shares when possible to simplify management of quotas

    The AD group used for security and the AD group used for quotas can be different if only a subset of the users requires a quota. This is possible by creating a new quota template AD group and assigning it to the share. Its share permission should be equal to that of the security group, and best practice is to place the AD group at the end of the share permission list so it is evaluated last.

    Recommendation: Create a second AD group for quota-only detection and auto creation when a share requires only a subset of users to have a quota applied. You can also use the security group as the default quota setting and then create a second AD group with a higher quota limit for those users that require more than the default.
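
    The evaluation rules stated in the notes above (the highest matching template wins, an existing quota is never lowered, and nothing is deleted by default) can be modelled in a few lines. This is an added illustration, not Eyeglass code; the function, the group, share and user names, and the GB limits are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    ad_group: str   # AD group named in the quota template
    tier: str       # label such as Gold, Silver, Bronze
    limit_gb: int   # quota value (GB is an assumed unit)

def plan_user_quotas(templates, membership, share_perms, existing):
    """Model of user-mode evaluation; returns {(share, user): (action, limit)}.

    membership:  {ad_group: set of users}
    share_perms: {share: set of AD groups on its permission list}
    existing:    {(share, user): limit currently set on the cluster}
    """
    wanted = {}
    for t in templates:
        for share, groups in share_perms.items():
            if t.ad_group not in groups:
                continue  # template group not on this share: no quota here
            for user in membership.get(t.ad_group, ()):
                key = (share, user)
                # More than one tier matches: the highest value wins.
                wanted[key] = max(wanted.get(key, 0), t.limit_gb)
    plan = {}
    for key, limit in wanted.items():
        current = existing.get(key)
        if current is None:
            plan[key] = ("create", limit)
        elif limit > current:
            plan[key] = ("raise", limit)
        else:
            plan[key] = ("keep", current)  # an existing quota is never lowered
    for key, current in existing.items():
        # No template matches any more: default settings do not delete.
        plan.setdefault(key, ("keep-no-delete", current))
    return plan

# Constructed sample data (hypothetical groups, shares, users and limits).
TEMPLATES = [Template("quota-bronze", "Bronze", 50),
             Template("quota-gold", "Gold", 500)]
MEMBERSHIP = {"quota-bronze": {"alice", "bob", "carol"}, "quota-gold": {"bob"}}
SHARE_PERMS = {"home": {"quota-bronze", "quota-gold"}, "projects": {"quota-bronze"}}
EXISTING = {("home", "alice"): 200, ("home", "dave"): 100}

if __name__ == "__main__":
    plan = plan_user_quotas(TEMPLATES, MEMBERSHIP, SHARE_PERMS, EXISTING)
    for (share, user), (action, limit) in sorted(plan.items()):
        print(f"{share:9} {user:6} {action:15} {limit} GB")
```

    The `keep` and `keep-no-delete` rows are the ones to review after AD group changes, because the value on the cluster then differs from what the templates alone would produce.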

    Use Cases:

    User Home Directory Automatic Quota Assignment - User Quota Mode

    1. Create a template and enable the AD group User mode to apply a User quota to the members of the Active Directory Group named in the template.  
    2. Assign the AD group to the share permissions list of one or more shares (you will need to apply everyone full control or read\write share level permissions, or at a minimum the same security access as the users' security AD group applied to the share). Best Practice: Move the share permission to the bottom of the share permission list so it is evaluated last.
    3. Supports shares with %U variable expansion feature on PowerScale or normal share names.
    4. Eyeglass will retrieve the user group membership on a scheduled interval (see the IGLS command for changing this default schedule, 'igls admin schedule') and will create or update user quotas on all shares that have the Active Directory group from the template created in step 1 applied to share permissions.

    Migrating from Linked Quotas to AD managed quotas

    PowerScale user quotas offer an everyone feature that auto-creates a user quota for all AD users in a domain under a path and links this user quota to a parent quota, allowing simple edits that set all linked quotas to a new value.

    The problem is all users get the same quota assigned and unlinking the quota is the only way to override a quota for a specific user or group of users.

    AD managed Eyeglass quotas allow AD groups to offer different quotas to users on the same path, across multiple paths, and even across clusters.

    These steps allow migrating from a parent quota with links to child user quotas to Superna Eyeglass AD managed quotas.

    1. Create a template in Eyeglass to define a quota definition
    2. Create more than one template and assign different AD users to each group.
    3. Apply the AD groups to the share permissions list of the share where you want the user quotas applied.
    4. Optional: apply the AD group to other shares on the same cluster or different clusters managed by Eyeglass.
    5. Eyeglass will now verify the AD groups and start to apply quotas. If a user quota already exists that is linked to a parent quota that was already in use, Eyeglass will unlink the quota and apply the quota definition defined in Eyeglass.
    6. This provides a seamless transition to AD managed quotas and can be staged with only a subset of the users by creating an AD group with a limited number of users.
    7. Both AD managed and parent linked quotas on the same path can co-exist.

    Group Share Automatic Quota Assignment - Group Quota

    1. Create a template and enable the AD group Group mode. This will locate all the shares with the AD group specified in the template and apply a group quota using the same AD group.
    2. The user to group task does not require users in the group, and the quota apply task can apply the group quota on the next scheduled update. This can be controlled using the igls admin schedule command.
    3. NOTE: If using a single group share with ACLs on subfolders to secure the group space, create a <share name>$ share to hide the share and set access to read only or Deny. This share will not be used by users to connect to the group space. The AD template group applied to this share is a marker for Eyeglass to apply the group quota.

    How to Configure Group Quota Templates

    1. All CLI commands required to create, modify and delete templates, and to change the schedules of the two tasks required for this feature, are located here.

    How to Monitor Cluster Storage Monitor AD managed Quota Evaluation Results 

    1. Log in to Eyeglass over ssh
    2. tail -f /opt/superna/sca/logs/csm.log
    3. This log will show the evaluation of AD groups and missing quotas, and whether quota updates are skipped.
    © Superna Inc