General access and security questions

BenH

Please forgive me as a new user to the forum and one who has virtually no experience with XSAN and only beginner experience as a storage administrator.

I actually work with a software development company and we have a customer who is using the XSAN product and is having some issues with our software. At this point, my team has not yet been in direct contact with the customer, but I am trying to understand what I can about how XSAN functions.

This site has been great in helping me to understand the current state of the marketplace and some interesting technical information - though I am far from competent on anything at this point.

I will probably have some ongoing questions, but right now I have three questions that I hope someone here can help me with. Please respond to even one if that's all you can!

1) Can someone more fully explain the "Golden Triangle"? I see numerous references, but no comprehensive explanation.

2) My second question revolves around the following Apple KB article, "Xsan 2: ACEs on Xsan volumes may appear as hexadecimal code".

The article states:

If a Mac is unable to resolve Access Control List (ACL) entries on an Xsan volume, the user or group name in the Access Control Entry (ACE) is replaced by a transient Globally Unique Identifier (GUID). When viewing the ACL in Xsan Admin, Server Admin, or the command line "ls" utility, the expected user or group will be replaced with a hexadecimal code similar to the text in this example:

drwxrwx---+ 3 root wheel 2048 Oct 15 00:09 /Volumes/MyXsanVolume
0: FFFFEEEE-DDDD-CCCC-BBBB-AAAA82000000 allow list,search,readattr,readextattr,readsecurity
1: group:ETS-W2K3\xsan_admins allow list,search,readattr,readextattr,readsecurity

The transient GUID is a placeholder that does not represent any user or group, so the affected ACEs will not be enforced.

If I am reading this article correctly, it would seem to indicate that if a client Mac system can't resolve the user specified in an ACE in the ACL, then the specified ACE will not be processed?

What would this mean if I set up an ACL something like:
GroupA - Deny
GroupB - Full Control

If GroupA cannot be resolved, would it default to giving members of this group access?

In other words, is it possible to have a "fail open" scenario where a user in an unresolvable group will be provided access where the ACL either specifically or indirectly denies them?

3) Can someone point me to some definitive resources on how XSAN functions for me to learn more about this? I'm not interested in the hardware setup as much as information on how ACLs work and how the identity mapping is done, especially in regard to how UIDs, SIDs (and possibly GUIDs?) are used when working with OD and AD.
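As an added illustration of the fail-open concern raised in question 2 (example code written for this page, not from the post, from Apple, or from Xsan itself): the script below models the behaviour the quoted KB text describes, namely that an ACE whose principal cannot be resolved is rendered as a transient GUID and is not enforced. It parses `ls -le` style ACE lines like the two in the KB excerpt, skips placeholder entries, and evaluates a request. The evaluation order (ACEs checked in sequence, first matching entry for the requested permission decides, POSIX mode bits as fallback when nothing matches) is an assumed simplification of the real semantics, and the `EXAMPLE\GroupA` / `EXAMPLE\GroupB` ACL, the user names and the group memberships are constructed sample data. The `audit_unresolved` helper is the check an administrator would want: it flags placeholder ACEs on a client so that a skipped deny is noticed rather than silently dropped.

```python
"""Toy evaluator for the situation described in the quoted Apple KB text: an ACE
whose user or group cannot be resolved is rendered as a transient GUID and is
not enforced. Added example, not Apple's code or the forum's own material.

Assumptions not stated on the page (a simplification of macOS semantics):
ACEs are checked in order, the first ACE that names the requested permission
and matches the caller decides, and if no ACE matches the POSIX mode bits decide.
"""
import re
from dataclasses import dataclass

# Prefix of the placeholder GUID shown in the KB example quoted in the post.
TRANSIENT_PREFIX = "FFFFEEEE-DDDD-CCCC-BBBB-AAAA"

ACE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Ace:
    index: int
    principal: str        # "user:NAME", "group:DOMAIN\NAME", or a bare GUID
    effect: str           # "allow" or "deny"
    perms: frozenset      # e.g. {"list", "search", "readattr"}


def parse_ace(line):
    """Parse one 'ls -le' style ACE line such as those in the KB excerpt."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not an ACE line: {line!r}")
    idx, principal, effect, perms = m.groups()
    return Ace(int(idx), principal, effect, frozenset(perms.split(",")))


def is_unresolved(ace):
    """True when the principal is the transient placeholder, not a real identity."""
    return ace.principal.upper().startswith(TRANSIENT_PREFIX)


def ace_matches(ace, user, groups):
    """Does this ACE name the calling user or one of the caller's groups?"""
    if ace.principal.startswith("user:"):
        return ace.principal[len("user:"):] == user
    if ace.principal.startswith("group:"):
        return ace.principal[len("group:"):] in groups
    return False


def evaluate(acl_lines, user, groups, perm, posix_allows):
    """Decide one permission request. Returns (allowed, reason)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if is_unresolved(ace):
            continue                      # placeholder ACE is skipped, per the KB text
        if perm in ace.perms and ace_matches(ace, user, groups):
            return ace.effect == "allow", f"ACE {ace.index} {ace.effect}"
    return posix_allows, "posix fallback"


def audit_unresolved(acl_lines):
    """Return indices of placeholder ACEs; a skipped deny is the dangerous case."""
    return [a.index for a in map(parse_ace, acl_lines) if is_unresolved(a)]


# Constructed sample: the ACL as the administrator wrote it (deny before allow)...
INTENDED = [
    r"0: group:EXAMPLE\GroupA deny list,search,readattr",
    r"1: group:EXAMPLE\GroupB allow list,search,readattr",
]
# ...and the same ACL as rendered on a client that cannot resolve GroupA.
RENDERED_ON_CLIENT = [
    "0: FFFFEEEE-DDDD-CCCC-BBBB-AAAA82000000 deny list,search,readattr",
    r"1: group:EXAMPLE\GroupB allow list,search,readattr",
]
ALICE_GROUPS = {r"EXAMPLE\GroupA", r"EXAMPLE\GroupB"}   # constructed: in both groups
BOB_GROUPS = {r"EXAMPLE\GroupA"}                         # constructed: only in GroupA

if __name__ == "__main__":
    # Intended policy: alice is denied by ACE 0.
    print(evaluate(INTENDED, "alice", ALICE_GROUPS, "list", False))
    # Same policy on a client that cannot resolve GroupA: the deny is skipped
    # and alice is allowed by ACE 1.
    print(evaluate(RENDERED_ON_CLIENT, "alice", ALICE_GROUPS, "list", False))
    # bob matches no enforced ACE, so the POSIX mode bits decide.
    print(evaluate(RENDERED_ON_CLIENT, "bob", BOB_GROUPS, "list", True))
    print(audit_unresolved(RENDERED_ON_CLIENT))
```

Two things the run makes concrete: whether a dropped deny becomes a grant depends on what follows it (a later allow ACE, or permissive POSIX mode bits), and the placeholder prefix in the `ls` output is detectable, so an audit of client-side ACL rendering is a practical control for the exact scenario the question describes.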