With NFSv4.1, Qumulo customers will be able to delegate fine-grained permissions control to end-users, improving the experience for scalability, interoperability, security, and ease of management.
In 2021, data security and privacy are chief concerns, especially in financial information services (FIS), life sciences, and higher education. Storage administrators at these enterprises have become increasingly concerned about:
- Knowing exactly who is accessing their data storage system
- Controlling what data they are allowed to access and modify
What is the Network File System (NFS) Protocol?
The NFS protocol was invented in the 1980s to solve the problem of providing a local file system experience to users of file data that was actually stored remotely across the network. The protocol provides a specification for remote procedure calls (RPCs) that mimic the same internal file system APIs used in file-based applications, such as read data, write data, lookup directory, and set permissions. Operating systems like Unix, Solaris, BSD, and Linux-based distributions such as Ubuntu, Red Hat, CentOS, Fedora, and Debian all ship with a built-in NFS client, allowing these systems to connect and present a mount point to users and applications without the need to install custom drivers or vendor-specific software.
What is NFSv4.1?
Qumulo historically has only provided support for version 3 of the NFS protocol. While we currently provide strong authentication and access control via SMB to Windows and Mac users, NFSv3 lacks strong authentication mechanisms for Linux/POSIX users and offers no ability to directly use fine-grained permissions via Windows-like ACLs (access control lists).
The story changes with NFSv4.1. This version of the NFS protocol supports strong cryptographic authentication mechanisms via Kerberos, as well as defense from man-in-the-middle attacks and encryption over the wire. NFSv4.1 also provides a method to view and modify Windows-like ACLs for fine-grained permissions control on files and directories. This means that IT managers can delegate data access control to a project owner/end user so the project owner can give specific individuals access. The data is only accessible to collaborators who are added to the ACL by the project owner/end user.
By contrast, the traditional way to do this via POSIX permissions on NFSv3 is more complex. In order to add a new user, the IT manager must identify everyone in a group who wants to share data. They then must create and manage the group in their directory service (e.g., LDAP). This creates a bottleneck for collaboration. It also creates a management nightmare as the number of different permutations of users that need to collaborate grows over time. NFSv4.1 solves this problem for IT, the project owner, and end users.
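The delegation model described above, as an added sketch that is not Qumulo's code: it evaluates an NFSv4-style ACL in order, following the general algorithm in RFC 8881 section 6.2.1, and lets only a holder of WRITE_ACL add a collaborator. The principals, the sample ACL and the `grant` helper are constructed for illustration.

```python
from dataclasses import dataclass

# Access-mask bits from the NFSv4 ACL model (RFC 8881, section 6.2.1.3).
READ_DATA, WRITE_DATA = 0x00000001, 0x00000002
READ_ACL, WRITE_ACL = 0x00020000, 0x00040000

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = ALLOW ACE, False = DENY ACE
    who: str      # principal, or the special OWNER@ / EVERYONE@
    mask: int     # access bits this ACE covers

def matches(ace, user, owner):
    return (ace.who == "EVERYONE@" or ace.who == user
            or (ace.who == "OWNER@" and user == owner))

def check_access(acl, user, owner, requested):
    """Walk ACEs in order; succeed only once every requested bit is allowed."""
    remaining = requested
    for ace in acl:
        if not matches(ace, user, owner):
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif remaining & ace.mask:
            return False          # a DENY hit a bit not yet allowed
        if remaining == 0:
            return True
    return False                  # bits never allowed: treated as denied here

def grant(acl, actor, owner, who, mask):
    """Return a new ACL with an ALLOW ACE for `who`, if `actor` holds WRITE_ACL."""
    if not check_access(acl, actor, owner, WRITE_ACL):
        raise PermissionError(f"{actor} may not modify this ACL")
    return [Ace(True, who, mask)] + acl

# Constructed sample: a project directory only its owner can reach.
OWNER = "pat@example.com"
PROJECT_ACL = [Ace(True, "OWNER@", READ_DATA | WRITE_DATA | READ_ACL | WRITE_ACL)]

if __name__ == "__main__":
    shared = grant(PROJECT_ACL, OWNER, OWNER, "alice@example.com", READ_DATA | WRITE_DATA)
    for user in ("alice@example.com", "bob@example.com"):
        print(user, check_access(shared, user, OWNER, READ_DATA | WRITE_DATA))
```

Order matters in this model: a DENY ACE placed ahead of the new ALLOW ACE would still block the collaborator.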
How to help solve the secure file data access and collaboration problem for customers
To help customers simplify and secure data collaboration amongst large and diverse groups of users, Qumulo has built a whole new NFSv4.1 protocol stack to support workloads and customers that need stronger security than what is currently provided by NFSv3. Qumulo supports Network File System protocol version 4.1 in the latest version of Qumulo® Core. Support for NFSv4.1 is included in Qumulo Core version 4.3.0 at no additional cost.
“The key advantage Qumulo brings in our support of this new version of NFS – like all of our file access protocols – is that it is built into the Qumulo Core, our software, which means it is optimized for performance, reliability, and security from the ground up, scales linearly as customers expand their systems, and runs uniformly no matter where customers deploy Qumulo,” said Ben Gitenstein, Vice President of Product at Qumulo.
Managing permissions across protocols in a single namespace can be challenging, especially when a change to one protocol is not automatically replicated to others. Qumulo offers cross-protocol permissions (XPP) support to automatically manage complex permissions across protocols. NFSv4.1 supports XPP out-of-box, eliminating the complexity of managing multiple security contexts across NFSv4.1 in addition to SMB, NFSv3, and our other supported protocols. This allows customers to bring workgroups together so that any user can work on any file from any platform without maintaining file permissions.
“Our customers need to serve all of their file workloads from one namespace and with one simple management experience,” explains Gitenstein. “Increasingly, those organizations have adopted NFSv4.1 in order to take advantage of its more robust security, better performance over dispersed networks like the cloud, and simpler management. That’s why we brought NFSv4.1 to Qumulo Core.”
To learn more about XPP, including “what is an access control list?” read: Managing Multi-Protocol File Data Access Workflows with Cross-Protocol Permissions by Jacqueline Kong, a software engineer and member of technical staff at Qumulo.
Collaborate with seamless file access to your data across Linux, Windows, and Mac applications
Qumulo cloud customers can immediately take advantage of NFSv4.1 on any of their workloads in AWS, Google Cloud, or Microsoft Azure. NFSv4.1 is ideal for cloud environments with additional complexities of networking security groups, load balancers, and higher latency. NFSv4.1 uses only one network port, as opposed to 3-5 for NFSv3, simplifying cloud network configuration. The protocol also batches more work together in a single request, which helps with data transfer throughput on high-latency links.
Qumulo’s superior scalability means Qumulo Core 4.3 and later with support for NFSv4.1 enables the creation of the largest multi-protocol file namespace possible for active storage compared with any competing platform or any cloud service provider (CSP) offering.
“Qumulo’s simple and straightforward system architecture makes it very well suited for us,” said Clint Miller, Chief Technology Officer of Igniter Media. “We have a small team, so ease of use is important and saves valuable time. We much prefer to keep our operations smooth and simple.”
Compared with NFSv3, the NFSv4.1 protocol provides a more secure door for interacting with and accessing data. To make it even more secure and performant, we built the protocol from scratch, in the Rust programming language, as a feature of our distributed, scale-out NAS. We had to do this primarily because NFSv4.1 is a stateful protocol, and taking an off-the-shelf implementation and trying to glue it to our system would result in wonkiness whenever we failed over a node, or tried to implement locking across a shared-nothing distributed system.
Rust, as compared to C, also provides some memory safety guarantees by forcing our programmers to be careful about how memory is shared and accessed across different parts of the system. It results in Qumulo’s engineers being able to rapidly deliver code with high confidence in correctness and memory safety, meaning your data is safer on a Qumulo system versus others.
Also, by implementing NFSv4 inside of Qumulo Core at the code level, we avoid messy abstractions which add significant processing overhead, kernel context switching, and data copying. These inefficiencies are unavoidable when you just plop a third-party protocol implementation in front of a storage system, and near impossible to optimize.
Finally, the advantage of Qumulo having its own implementation versus that of a third party means we are not susceptible to serious security issues in open source or other implementations that require a fire drill to fix. This provides peace of mind when major CVEs are disclosed.
It’s Your Data. Access It However You Want.
Our customers don’t need to worry about whether an application is in the cloud, on premises, or a legacy application: users can access the Qumulo file system through any number of doors to get the data they need for collaboration, including SMB, HTTP, REST, NFSv3 and now NFSv4.1.
NFSv4.1 comes standard with a Qumulo software subscription, and incremental software releases are available to customers every two weeks. Qumulo’s continuous innovation/continuous delivery (CI/CD) release cycle ensures customers don’t have to wait for new features. The NFSv4.1 protocol will support all features available on Qumulo’s NFSv3 implementation, plus ACLs and Kerberos network protocol authentication.