How to segregate worker node access on a NAS used to store data for different regions?


Problem description

My organisation is running a POC of RServer (version 9.0). We have 5 physical servers: 1 header node and 4 worker nodes.

Each worker node has its own dedicated service account provisioned from our group AD. These accounts are used to run the RServe9.0.0.0 Windows service. We had to create dedicated service accounts for the workers so that each one could be given access to read/write from a separate NAS that we have set up for users to save their data as persistent files. Our group policy prohibits servers from being added to AD groups; security has to be at a more granular level.

The analysis that our users will be performing on the environment will involve them loading significantly large datasets from SAS and Teradata. To avoid users running and re-running large queries against these environments we made the decision that our users should save their data on the NAS in .XDF format.

User access to our environment is implemented using our group's own LDAP authentication, which we have configured in the appsettings.json file. In this file we have also configured our custom AD groups for the Admin, Contributor and Reader roles. All users that access our environment do so via the Contributor role.

Users access the environment via a remote connection from their local workstation using RGUI or RStudio. It is during the remote connection that the user's credentials are validated against our group AD and the roles that we have configured.

Being a large organisation, we have users that work in different regions. We also have group data protection policies that prohibit users from one region seeing the data that relates to other regions.

The challenge we have is this. As stated above, we would like our users to save their analysis data as persistent files (preferably .XDF) on the NAS. However, we are struggling to see how we can implement user access to dedicated regional folders when access to the NAS is implemented using the service accounts of the worker nodes. All workers obviously need access to all of the NAS.

Can anyone advise how we should be doing this, or maybe offer some alternative approaches for us to consider?

For example, is it possible to have multiple Contributor roles (e.g. Region-1, Region-2) and ring-fence specific worker nodes to execute only the compute of users assigned to certain roles? That way we could assign the service accounts of the workers to the relevant AD groups for the regional folders on the NAS.

Recommended answer


Hi, 

All worker nodes need access to all of the regional NAS because a request from the header node can be routed to any worker node.

One solution that I could think of is to have one node per region: a 1:1 mapping.

" 用户访问专用区域文件夹"

我们不是以上声明,而是提供用户访问区域专用R服务器节点的权限。就像让我们说来自华盛顿的用户访问端点http:// washingtonIP。我们还可以使用LDAP过滤器来限制仅来自华盛顿用户的登录。 

Instead of above statement, we provide user access to regional dedicated R server nodes. Like let's say user from Washington access the endpoint http://washingtonIP. We can also use the LDAP filter to restrict logins only from washington users. 
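The layout the answer proposes (one worker node per region, an LDAP filter on that node's login, and the regional NAS folder reachable only by that node's service account, which also answers the question's "how do we give each worker access to only its region" point) as an added PowerShell example. This is not code from the thread or from Microsoft R Server; the share path, folder names, service account names, AD group DNs and the `{0}` user-name placeholder in the LDAP filter are assumptions, and the placeholder in particular must be confirmed against the product's appsettings.json documentation before use.

```powershell
# Added example, not from the original thread or the RServer product.
# Hypothetical names: share \\nas01\rdata, one worker node per region running RServe
# under its own service account, and one AD user group per region for the login filter.
$ShareRoot = '\\nas01\rdata'
$Regions = @(
    @{ Name = 'Washington'; ServiceAccount = 'CORP\svc-rserve-was';
       UserGroupDn = 'CN=R-Users-Washington,OU=Groups,DC=corp,DC=example,DC=com' },
    @{ Name = 'London';     ServiceAccount = 'CORP\svc-rserve-lon';
       UserGroupDn = 'CN=R-Users-London,OU=Groups,DC=corp,DC=example,DC=com' }
)

function Set-RegionFolderAcl {
    # Grant exactly one worker's service account read/write on a regional folder.
    # The grant is a direct ACE on the account, not via an AD group, which matches the
    # asker's policy that servers may not be added to AD groups.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting from the share root and discard the inherited ACEs, so a broad
    # grant at the root (e.g. Authenticated Users) cannot leak into the regional folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    # R code on the regional worker runs as this account, so this Modify ACE is the only
    # path from that node to the persisted .XDF files. No other worker account is listed.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'Modify', $inherit, $none, 'Allow')))
    # Keep an operational owner; replace with your storage admin group as appropriate.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $none, 'Allow')))

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RegionIsolation {
    # Audit check: return every identity with an Allow ACE on the folder that is not on
    # the allow-list (for example another region's worker service account).
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

function New-RegionLdapFilter {
    # LDAP search filter for the regional node: only members of that region's AD group
    # can log in there. The matching rule OID 1.2.840.113556.1.4.1941
    # (LDAP_MATCHING_RULE_IN_CHAIN) makes Active Directory evaluate nested group
    # membership; a plain memberOf= clause matches direct members only.
    # '{0}' is assumed to be the token the server replaces with the login name.
    param([Parameter(Mandatory)] [string] $UserGroupDn)
    "(&(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=$UserGroupDn))"
}

foreach ($r in $Regions) {
    $folder = Join-Path $ShareRoot ('Region-' + $r.Name)
    Set-RegionFolderAcl -Path $folder -ServiceAccount $r.ServiceAccount

    $extra = Test-RegionIsolation -Path $folder -Allowed @($r.ServiceAccount, 'BUILTIN\Administrators')
    if ($extra) { Write-Warning "$folder is also reachable by: $($extra -join ', ')" }

    Write-Output ('{0} node LDAP SearchFilter: {1}' -f $r.Name, (New-RegionLdapFilter -UserGroupDn $r.UserGroupDn))
}
```

Two points follow from the question's own description. Because user code on a worker runs under the node's service account rather than the user's AD identity, every user admitted to a regional node can read whatever that account can read, so the regional folder should be the only share that account can open; the audit function above is there to catch an ACE that quietly widens that. And since the header node can route to any worker, the 1:1 mapping only holds if each region has its own endpoint, as the answer's http://washingtonIP example implies.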
