
Namespace access protocol configuration


Users and applications have access to the content stored in namespaces through these industry-standard protocols: REST, S3 compatible API, HSwift, WebDAV, CIFS, NFS, and SMTP. By default, when a namespace is created, the REST API is enabled. The other protocols are initially disabled. For any namespace access to occur, at least one protocol must be enabled.

Tip: For enhanced security, keep unused namespace access protocols disabled.

When you enable a namespace access protocol, you also need to configure it. Each protocol, with the exception of the REST, S3 compatible, HSwift, and WebDAV protocols, has its own set of configuration options. REST, the S3 compatible API, HSwift, and WebDAV share a set of these options. Some configuration options are common to multiple protocols; others are protocol specific.

Note: If your system administrator has configured new namespaces to be optimized for cloud protocols only, you cannot configure new namespaces to use CIFS, NFS, WebDAV, or SMTP without first disabling cloud optimization for the namespace. If you have already begun ingesting data in the namespace, you cannot disable cloud optimization. For more information about disabling the feature, see Changing the protocol optimization for a namespace.

To enable and configure the protocols for a namespace, you use the Protocols panel for that namespace in the Tenant Management Console. This panel has separate tabs for each protocol except REST, the S3 compatible API, HSwift, and WebDAV, which share a tab.

Roles: To view the Protocols panel, you need the monitor or administrator role. To enable, disable, and configure namespace access protocols, you need the administrator role.

To display the Protocols panel for a namespace:

1. In the top-level menu of the Tenant Management Console, click on Namespaces.

2. In the list of namespaces, click on the name of the namespace you want to configure.

3. In the row of tabs below the namespace name, click on Protocols.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Changing the protocol optimization for a namespace


A namespace can be optimized for all namespace access protocols or for cloud protocols only. Optimization for all protocols is required if clients will be using the WebDAV, CIFS, NFS, or SMTP protocol to access the namespace.

Optimization only for cloud protocols increases the ingest rate for the namespace but also configures the namespace to ingest objects exclusively through the cloud protocols (REST, the S3 compatible API, and HSwift). This setting is recommended if clients will be using only cloud protocols to access the namespace.

Only cloud-optimized namespaces can allow erasure coding. Also, only cloud-optimized namespaces support multipart uploads with the S3 compatible API.

You can change the protocol optimization setting for a namespace from optimized only for cloud protocols to optimized for all protocols only if both of these are true:

The namespace does not contain any objects.

The namespace does not allow erasure coding.

You can change the protocol optimization setting from optimized for all protocols to optimized only for cloud protocols only if the namespace doesn't have any noncloud protocols enabled.

A system administrator can change a tenant from not being able to choose whether namespaces allow erasure coding to being able to do this. After this change occurs, when you enable cloud optimization for a preexisting namespace that was not cloud optimized and that did not allow erasure coding, the namespace is automatically configured to allow erasure coding.

Note: You cannot make protocol optimization changes while an HCP system upgrade is in progress.

Roles: To view the protocol optimization setting for a namespace, you need the monitor or administrator role. To change the protocol optimization setting for a namespace, you need the administrator role.

To change the protocol optimization setting for a namespace:

1. In the Tenant Management Console, click on the Namespaces section on the top-level navigation menu.

2. On the Namespace page, click on the Namespace you want to optimize.

3. In the namespace, click on the Settings tab.

4. In the namespace left-hand navigation bar, click on Optimization.

5. In the Optimization panel, select Optimized for all protocols or Optimized for cloud protocols only.

6. Click on Update Settings.

If you selected Optimized for cloud protocols only, a confirming message appears.

In the field in the message window, type YES (this is case sensitive) to confirm that you understand the consequences of your action. Then click on Update Settings.

For more information on protocol optimization, see Protocol optimization.

IP addresses for namespace access


For each namespace access protocol, you have the option of allowing access only from specific IP addresses. For all but NFS, you can also deny access to the namespace from specific IP addresses.

Tip: For enhanced security, restrict access to namespaces to as few IP addresses as possible.

The Tenant Management Console panels for the namespace access protocols each contain an Allow list and, except for the NFS panel, a Deny list. Each list has an associated field in which you type entries for it.

Adding and removing entries in Allow and Deny lists


To add an entry to an Allow or Deny list:

1. In the field above the list, type the entry you want. For a description of valid entries, see Allow and Deny list handling.

2. Click on Add.

To remove entries from the Allow or Deny list:

To remove a single entry, click on the delete control for that entry.

To remove all entries, click on Delete All.

Changes you make to either list of IP addresses take effect immediately.

Valid Allow and Deny list entries


Each entry in an Allow or Deny list can be one of:

An IP address

A comma-separated list of IP addresses

A range of IP addresses specified as ip-address/subnet-mask (for example, 192.168.100.197/255.255.255.0) or in CIDR format (for example, 192.168.100.0/24)

The CIDR entry that matches all IP addresses is 0.0.0.0/0.

Allow and Deny list handling


IP addresses can be included in neither, one, or both of the Allow and Deny lists for REST, the S3 compatible API, WebDAV, CIFS, and SMTP. They can be included or not included in the Allow list for the NFS protocol. The way HCP handles allowed and denied IP addresses differs depending on the protocol.

Allow and Deny list handling for REST, the S3 compatible API, and WebDAV

For HTTP and WebDAV, you can choose how HCP handles Allow and Deny list entries by selecting or deselecting Allow request when same IP is used in both lists in the HTTP(S) panel. The table below describes the effects of selecting or deselecting this option. Either action takes effect immediately.

Allow Requests When Same IP Is Used in Both Lists

| List entries | Selected | Not selected |
|---|---|---|
| Allow list: empty; Deny list: empty | All IP addresses can access the namespace through REST, the S3 compatible API, and WebDAV. | No IP addresses can access the namespace through REST, the S3 compatible API, or WebDAV. |
| Allow list: at least one entry; Deny list: empty | All IP addresses can access the namespace through REST, the S3 compatible API, and WebDAV. | Only IP addresses in the Allow list can access the namespace through REST and WebDAV. |
| Allow list: empty; Deny list: at least one entry | All IP addresses not in the Deny list can access the namespace through REST, the S3 compatible API, and WebDAV. IP addresses in the Deny list cannot. | No IP addresses can access the namespace through REST, the S3 compatible API, or WebDAV. |
| Allow list: at least one entry; Deny list: at least one entry | IP addresses appearing in both or neither of the lists can access the namespace through REST, the S3 compatible API, and WebDAV. | Only IP addresses appearing in the Allow list and not in the Deny list can access the namespace through REST, the S3 compatible API, or WebDAV. |

Allow and Deny list handling for CIFS

For CIFS, HCP handles Allow and Deny list entries as described in the table below.

| List entries | Effect |
|---|---|
| Allow list: empty; Deny list: empty | All IP addresses can access the namespace through the CIFS protocol. |
| Allow list: at least one entry; Deny list: empty | Only IP addresses in the Allow list can access the namespace through the CIFS protocol. |
| Allow list: empty; Deny list: at least one entry | All IP addresses that are not in the Deny list can access the namespace through the CIFS protocol. IP addresses in the Deny list cannot. |
| Allow list: at least one entry; Deny list: at least one entry | IP addresses appearing in the Allow list and the Deny list cannot access the namespace through the CIFS protocol. |

Allow list handling for NFS

For NFS, if the Allow list in the NFS panel includes one or more IP addresses, those addresses have access to the namespace through NFS and all others don’t. If the list is empty, all IP addresses can access the namespace through NFS.

Allow and Deny list handling for SMTP

For SMTP, HCP handles Allow and Deny list entries as described in the table below.

| List entries | Effect |
|---|---|
| Allow list: empty; Deny list: empty | All IP addresses can access the namespace through the SMTP protocol. |
| Allow list: at least one entry; Deny list: empty | Only IP addresses in the Allow list can access the namespace through the SMTP protocol. |
| Allow list: empty; Deny list: at least one entry | No IP addresses can access the namespace through the SMTP protocol. |
| Allow list: at least one entry; Deny list: at least one entry | Only IP addresses appearing in the Allow list and not in the Deny list can access the namespace through the SMTP protocol. |
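
The rules in the tables above, combined with the entry formats from Valid Allow and Deny list entries, can be modeled to check what a given pair of lists permits on each protocol before the lists are applied. This Python model is an added example, not HCP code; the function names and sample addresses are assumptions, and CIFS is left out because its last table row describes only addresses that appear in both lists.

```python
import ipaddress

def parse_entries(entries):
    """Expand entries (IP, comma-separated IPs, ip/mask, CIDR) into networks."""
    nets = []
    for entry in entries:
        for part in entry.split(","):
            # strict=False accepts host bits, e.g. 192.168.100.197/255.255.255.0
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    return nets

def matches(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def http_access(ip, allow, deny, allow_when_in_both):
    """REST, S3 compatible API and WebDAV (shared HTTP(S) panel)."""
    in_a = matches(ip, parse_entries(allow))
    in_d = matches(ip, parse_entries(deny))
    if allow_when_in_both:
        # "Selected" column: an Allow list alone restricts nothing. The table
        # does not spell out an address that is only in the Allow list when
        # both lists are populated; permitting it is an assumption that is
        # consistent with the other rows.
        return in_a or not in_d
    # "Not selected" column: an empty Allow list blocks every address.
    return in_a and not in_d

def smtp_access(ip, allow, deny):
    a, d = parse_entries(allow), parse_entries(deny)
    if not a:
        return not d  # both empty: open; Deny list only: nobody gets in
    return matches(ip, a) and not matches(ip, d)

def nfs_access(ip, allow):
    a = parse_entries(allow)  # NFS has no Deny list
    return not a or matches(ip, a)

def audit(ip, allow, deny, allow_when_in_both):
    """Effective access for one source address under the same lists."""
    return {"http": http_access(ip, allow, deny, allow_when_in_both),
            "smtp": smtp_access(ip, allow, deny),
            "nfs": nfs_access(ip, allow)}

# Constructed sample configuration; the addresses are illustrative only.
ALLOW = ["192.168.100.197/255.255.255.0"]
DENY = ["192.168.100.50, 192.168.100.51"]

if __name__ == "__main__":
    for probe in ("192.168.100.7", "192.168.100.50", "10.0.0.9"):
        for selected in (True, False):
            print(probe, selected, audit(probe, ALLOW, DENY, selected))
```

With only an Allow list configured and the option selected, `audit` reports the out-of-range address 10.0.0.9 as permitted over HTTP but blocked over SMTP and NFS, which is the case most worth checking when the goal is to restrict a namespace to a few addresses.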

User authentication options


The REST, S3 compatible, HSwift, and CIFS protocols have the option to either require user authentication or support both authenticated and unauthenticated (anonymous) access. If a protocol requires authentication, users must present valid credentials in order to use the protocol. If a protocol supports both types of access, users can present credentials but are not required to.

With the REST, S3 compatible, HSwift, or CIFS protocol configured to support both authenticated and anonymous access:

If a user presents credentials, HCP tries to authenticate the user. If the credentials are valid, HCP continues processing the request. If the credentials are invalid, HCP rejects the request.

With REST and CIFS, if a user does not present credentials, HCP continues processing the request.

With the S3 compatible API, if a user presents the clear-text username all_users, HCP continues processing the request. If the user does not present either credentials or all_users, HCP rejects the request.

For more information on authentication, see User authentication.
