Glossary
========

.. _glossary-backup-bucket:

|backup bucket|
---------------

All StorageFabric configuration data is encrypted with the |master encryption key| and stored in the :ref:`glossary-master-bucket` in the cloud. For increased availability, in the event of failures at the backend storage provider, a |backup bucket| can also be configured for StorageFabric configuration data. If the :ref:`glossary-master-bucket` becomes inaccessible, StorageFabric components automatically access the configuration data from the |backup bucket|.

*****

.. _glossary-cloud-bucket:

|cloud bucket|
--------------

A |cloud bucket| is a regular S3 bucket, hosted with either an **on-prem** or a **cloud** storage provider. Clients' data is stored in |cloud buckets|. However, since StorageFabric virtualizes your entire storage namespace, StorageFabric clients are not exposed to provider-side buckets directly. Clients instead use :ref:`Virtual Bucket Names`. Each :ref:`glossary-data-bucket` is backed by a |cloud bucket|.

*****

.. _glossary-master-bucket:

|master bucket|
---------------

The |master bucket| is a specially designated bucket that stores StorageFabric configuration data. All StorageFabric configuration data is encrypted with the |master encryption key| and stored in the |master bucket| in the cloud. Therefore, storage providers cannot access the data.

Storing configuration data with providers makes StorageFabric components stateless, which makes deployment options extremely flexible. Components can be added and removed easily without affecting overall availability. StorageFabric does not require complex on-prem data management using relational databases or other heavyweight storage solutions. All you need to manage is the :ref:`glossary-master-encryption-key`. Entire deployments can be bootstrapped and restored using the |master encryption key|.

*****

.. _glossary-sync-time:

Configuration Sync Time
-----------------------

The time between a configuration change made on a :ref:`glossary-configuration-manager` and the propagation of that change to the :ref:`Gateways`. For details, see :ref:`sync-times-table`.

*****

.. _glossary-master-encryption-key:

|master encryption key|
-----------------------

All StorageFabric configuration data is encrypted with the |master encryption key|. Internally, StorageFabric uses hierarchical keying, wherein lower-layer keys are encrypted using higher-layer keys. The |master encryption key| is the root key in the hierarchy.

The |master encryption key| must be kept safe. Losing the |master encryption key| is equivalent to losing your data. The |master encryption key| is never communicated to the outside by StorageFabric components.

*****

.. _glossary-configuration-manager:

StorageFabric Configuration Manager
-----------------------------------

The StorageFabric Configuration Manager is a set of tools, REST APIs, and a web interface used to configure StorageFabric |proxies|. Configuration data includes information about cloud providers, buckets, encryption keys, access control, and client and cloud access keys.

The Configuration Manager facilitates setup and management of the information that enables StorageFabric |proxy| services. For example, the Configuration Manager is used to set up encryption keys that are then used by StorageFabric |proxies| for transparent encryption and decryption of applications' data.

*****

.. _glossary-proxy:

StorageFabric |Proxy|
---------------------

The StorageFabric |Proxy| is the single point of access to cloud storage services, such as Amazon S3, Google Cloud Storage, etc. The |Proxy| exposes a standard object storage interface to client applications. |proxy| functionality includes, but is not limited to, the following:

* Transparent data encryption and decryption.
* Client authentication.
* Access control enforcement.
* Transparent caching.
* Data compression.
* Data deduplication.
* Logging and audit trails.
* Data governance enforcement.

*****

.. _glossary-logviewer:

StorageFabric LogViewer
-----------------------

The StorageFabric LogViewer is a web-based graphical interface to access :ref:`glossary-proxy` statistics and logs.

*****

.. _glossary-internal-scheduler:

StorageFabric Scheduler
-----------------------

The :ref:`glossary-internal-scheduler` is a StorageFabric component that manages internal housekeeping tasks for StorageFabric components. The scheduler runs on the :ref:`glossary-configuration-manager` and on :ref:`Gateways `.

*****

.. _glossary-data-bucket:

|data bucket|
-------------

StorageFabric virtualizes your entire storage namespace across all your storage providers. No matter what the actual bucket names are with storage providers, StorageFabric clients see a virtual namespace. Clients upload and download data to and from |data buckets|. A |data bucket| is identified by its :ref:`glossary-virtual-bucket-name`.

*****

.. _glossary-empty-data-bucket:

Empty |data bucket|
-------------------

A :ref:`Virtual Bucket ` is considered empty if there is no user data in the bucket. The bucket may still contain objects in the :ref:`glossary-special-dir`.

*****

.. _glossary-vfs:

Virtual File System
-------------------

StorageFabric supports Virtual File Systems (VFS) using the NFS and SMB protocols. See :doc:`/userguide/tutorials/setting-up-vfs`.

*****

.. _glossary-view:

Data View
---------

A Data View is a collection of :ref:`Virtual Buckets`. To learn more about views, refer to :doc:`How StorageFabric works`.

*****

.. _glossary-view-encryption-key:

View Encryption Key
-------------------

An encryption key that encrypts configuration data for a :ref:`glossary-view`. :ref:`StorageFabric Gateways` have access to the View Encryption Keys only. Each |proxy| is set up using the View Encryption Key of the :ref:`glossary-view` that the |proxy| is part of.

*****

.. _glossary-virtual-bucket-name:

Virtual Bucket Name
-------------------

The name of a :ref:`glossary-data-bucket`. This name can be different from the actual bucket name with a cloud provider; hence it is referred to as a Virtual Bucket Name. StorageFabric clients use the virtual bucket name in API requests to a :ref:`glossary-proxy`.

.. note::

   In StorageFabric, there is a single global bucket namespace. Each :ref:`glossary-data-bucket` has a globally unique virtual name.

*****

.. _glossary-top-level-domain:

|top level domain|
------------------

The base domain where clients can send requests to the StorageFabric |proxy|. The StorageFabric |proxy| supports both :ref:`glossary-addressing-style-virtual` URLs and :ref:`glossary-addressing-style-path` URLs. For example, if the |top level domain| is |value top level domain|, the bucket name is |value amazon data bucket| and the file to access in the bucket is |value example file name|, then clients can send requests to the following URLs:

.. parsed-literal::

   |value proxy base url amazon bucket|/|value example file name|
   |value top level domain|/|value amazon data bucket|/|value example file name|

A |top level domain| is necessary for:

* Remote clients to access the StorageFabric |proxy|.
* SSL connections between clients and the StorageFabric |proxy|.

*****

.. _glossary-license:

License
-------

A StorageFabric license governs the use of StorageFabric. A valid license is required to use StorageFabric. In the absence of a valid license, StorageFabric may operate with limitations. To learn more, refer to the document on :doc:`userguide/licenses`.

*****

.. _glossary-licenses-directory:

Licenses Directory
-------------------

The directory on a :ref:`glossary-configuration-manager` from which :ref:`Licenses ` are automatically loaded. The default license directory path is ``/etc/storagefabric/licenses/``.

*****
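The two URL forms listed under |top level domain| are the virtual-host and path styles that a gateway has to tell apart on every request. The following Go program is an added example, not StorageFabric code: it assumes a constructed top level domain ``sf.example.com`` and hypothetical ``Resolve``/``BuildURLs`` functions, and shows how a proxy can extract the virtual bucket name and object key from the ``Host`` header and request path for either style while refusing any host that is not under the configured domain.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Route is an incoming request mapped onto the virtual namespace.
type Route struct {
	Bucket string // virtual bucket name
	Key    string // object key inside the bucket ("" for bucket-level requests)
	Style  string // "virtual-host" or "path"
}

var errUnknownHost = errors.New("host is not under the configured top level domain")

// Resolve maps a request's Host header and URL path onto a Route for a
// gateway configured with topLevelDomain (e.g. "sf.example.com", constructed).
//
//	virtual-host style:  <bucket>.<topLevelDomain>/<key>
//	path style:          <topLevelDomain>/<bucket>/<key>
//
// Any host that is neither the domain itself nor a subdomain of it is
// refused, so a request that arrived under the wrong name is never routed.
func Resolve(topLevelDomain, host, path string) (Route, error) {
	// Drop an optional :port and normalise case; DNS names are case-insensitive.
	if i := strings.LastIndex(host, ":"); i != -1 {
		host = host[:i]
	}
	host = strings.ToLower(host)
	topLevelDomain = strings.ToLower(topLevelDomain)
	path = strings.TrimPrefix(path, "/")

	switch {
	case host == topLevelDomain:
		// Path style: the first path segment is the bucket, the rest is the key.
		bucket, key, _ := strings.Cut(path, "/")
		if bucket == "" {
			return Route{}, errors.New("path style request names no bucket")
		}
		return Route{Bucket: bucket, Key: key, Style: "path"}, nil
	case strings.HasSuffix(host, "."+topLevelDomain):
		// Virtual-host style: the label(s) before the domain form the bucket.
		// Dotted bucket names are legal in S3 but do not match a wildcard TLS
		// certificate for the domain, which matters for the SSL use case.
		bucket := strings.TrimSuffix(host, "."+topLevelDomain)
		return Route{Bucket: bucket, Key: path, Style: "virtual-host"}, nil
	default:
		return Route{}, errUnknownHost
	}
}

// BuildURLs renders the two client-facing URL forms for one object, mirroring
// the pair shown under the top level domain entry.
func BuildURLs(topLevelDomain, bucket, key string) (virtualHost, pathStyle string) {
	virtualHost = fmt.Sprintf("https://%s.%s/%s", bucket, topLevelDomain, key)
	pathStyle = fmt.Sprintf("https://%s/%s/%s", topLevelDomain, bucket, key)
	return virtualHost, pathStyle
}

func main() {
	const tld = "sf.example.com" // constructed top level domain
	for _, req := range [][2]string{
		{"photos.sf.example.com", "/2024/cat.jpg"},
		{"sf.example.com:443", "/photos/2024/cat.jpg"},
		{"sf.example.com.other.test", "/photos/2024/cat.jpg"},
	} {
		r, err := Resolve(tld, req[0], req[1])
		fmt.Printf("%-28s %-22s -> %+v err=%v\n", req[0], req[1], r, err)
	}
	v, p := BuildURLs(tld, "photos", "2024/cat.jpg")
	fmt.Println(v)
	fmt.Println(p)
}
```

The suffix check is the important part: a host such as ``sf.example.com.other.test`` contains the domain as a substring but is not under it, and must fall through to the error rather than being treated as a bucket.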
.. _glossary-license-server:

StorageFabric License Server
----------------------------

The StorageFabric License Server is a StorageFabric component that keeps track of the other components in StorageFabric deployments. This includes snapshot information and historical trends about the deployed :ref:`Gateways ` and :ref:`Configuration Managers `. The license server is not in the data or configuration path and does not impact StorageFabric functionality or performance.

Depending on your StorageFabric licenses, it may be required to run a License Server in your enterprise. Contact the Virtalica team for details.

*****

.. _glossary-access-key-id:

Access Key ID
-------------

Authentication to most cloud providers is done using an Access Key ID and a :ref:`glossary-secret-access-key`. An Access Key ID acts like a username, uniquely identifying the requester.

*****

.. _glossary-secret-access-key:

Secret Access Key
-----------------

Authentication to most cloud providers is done using an Access Key ID and a Secret Access Key. A Secret Access Key acts like a password corresponding to an :ref:`glossary-access-key-id`.

*****

.. _glossary-session-token:

Session Token
-------------

An additional piece of information used by cloud providers for client authentication, in addition to the :ref:`glossary-access-key-id` and :ref:`glossary-secret-access-key`. It is typically used when the credentials are temporary, with a brief expiration time. For more details, see :doc:`./userguide/client-credentials`.

*****

.. _glossary-client:

Client
------

A client is any entity that sends requests to the StorageFabric |proxy|. Clients are authenticated by the StorageFabric |proxy| using :ref:`glossary-client-access-keys`.

*****

.. _glossary-user:

User
----

In StorageFabric, *user* specifically refers to an entity performing configuration management via the :ref:`glossary-configuration-manager` web or command line interfaces. When using the web interface, users authenticate using their username and password or via single sign-on. When using the Configuration Manager REST API, users authenticate using their :ref:`glossary-client-access-keys`.

*****

.. _glossary-group:

Group
-----

In StorageFabric, a group is a collection of users. :ref:`Users ` in a group can perform configuration management based on the roles attached to the group.

*****

.. _glossary-cloud-access-keys:

Provider Access Keys
--------------------

The StorageFabric |proxy| authenticates to cloud providers using an :ref:`glossary-access-key-id` and a :ref:`glossary-secret-access-key`. An access key ID and secret key combination is referred to as a Provider Access Key.

*****

.. _glossary-client-access-keys:

Client Access Keys
------------------

A :ref:`glossary-client` authenticates to the StorageFabric |proxy| using an :ref:`glossary-access-key-id` and a :ref:`glossary-secret-access-key`. A client access key ID and secret key combination is referred to as a Client Access Key.

*****

.. _glossary-restoration-command:

Restoration Command
-------------------

By default, StorageFabric components are stateless. In the event that a component fails, or the component setup or initialization information is lost, all that is needed to set up an identical component are credentials to access the :ref:`glossary-master-bucket` and the :ref:`glossary-master-encryption-key`. To make recovery convenient, a command is displayed by the :doc:`./reference/tools/setup-tools` at completion. Using only this command and the :ref:`glossary-master-encryption-key`, a new identical component can be set up at a later time, such as for recovery.

*****

.. _glossary-bucket-encryption-key:

Bucket Encryption Key
---------------------

The encryption key used to encrypt each :ref:`glossary-file-encryption-key` for all files in a |data bucket|. Each |data bucket| can have multiple encryption keys.

*****
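The hierarchical keying described under |master encryption key|, View Encryption Key and Bucket Encryption Key (each lower layer wrapped by the one above, with the file key at the bottom) can be illustrated in working code. The Go program below is an added example, not StorageFabric's implementation: the wrap format (AES-256-GCM with the layer name bound as associated data), the 32-byte key size and the function names are assumptions. It shows that a gateway holding only a view key can reach the bucket and file keys beneath it, that a key from another view cannot, and that the master key alone is enough to recover the whole tree, which is why losing it is equivalent to losing the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedKey is a lower-layer key encrypted under the key one layer up. The
// layer label is bound as GCM associated data, so a blob cannot be passed off
// as belonging to a different layer than the one it was wrapped for.
type WrappedKey struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// mustRandom returns n random bytes; the 32-byte (AES-256) key size used
// below is an assumption of this example.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts child under parent with label as associated data.
func Wrap(parent, child []byte, label string) (WrappedKey, error) {
	g, err := aead(parent)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := mustRandom(g.NonceSize())
	return WrappedKey{Label: label, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, child, []byte(label))}, nil
}

// Unwrap recovers the child key; it fails on a wrong parent key, a modified
// ciphertext or a changed label, without saying which.
func Unwrap(parent []byte, w WrappedKey) ([]byte, error) {
	g, err := aead(parent)
	if err != nil {
		return nil, err
	}
	child, err := g.Open(nil, w.Nonce, w.Ciphertext, []byte(w.Label))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong parent key or tampered blob")
	}
	return child, nil
}

// Hierarchy is the wrapped chain master -> view -> bucket -> file. Only the
// master key exists unwrapped; every key below it is stored wrapped.
type Hierarchy struct {
	Master             []byte
	View, Bucket, File WrappedKey
}

// BuildHierarchy generates a fresh key per layer and wraps each under its parent.
func BuildHierarchy() (Hierarchy, error) {
	master, view, bucket, file := mustRandom(32), mustRandom(32), mustRandom(32), mustRandom(32)
	h := Hierarchy{Master: master}
	var err error
	if h.View, err = Wrap(master, view, "view"); err != nil {
		return h, err
	}
	if h.Bucket, err = Wrap(view, bucket, "bucket"); err != nil {
		return h, err
	}
	h.File, err = Wrap(bucket, file, "file")
	return h, err
}

// FileKeyFromView is the gateway path: with only a view key, walk down to the
// file key without ever touching the master key.
func FileKeyFromView(view []byte, h Hierarchy) ([]byte, error) {
	bucket, err := Unwrap(view, h.Bucket)
	if err != nil {
		return nil, err
	}
	return Unwrap(bucket, h.File)
}

// FileKeyFromMaster is the recovery path: the master key alone unwraps the tree.
func FileKeyFromMaster(h Hierarchy) ([]byte, error) {
	view, err := Unwrap(h.Master, h.View)
	if err != nil {
		return nil, err
	}
	return FileKeyFromView(view, h)
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fk, err := FileKeyFromMaster(h)
	fmt.Printf("file key via master key: %d bytes, err=%v\n", len(fk), err)
	_, err = FileKeyFromView(mustRandom(32), h) // a key from some other view
	fmt.Println("file key via a foreign view key:", err)
}
```

Binding the layer label as associated data is the detail worth copying: without it, a wrapped bucket key and a wrapped file key are indistinguishable blobs, and a stored blob moved to the wrong slot would still unwrap cleanly under the wrong parent's child.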
.. _glossary-file-encryption-key:

File Encryption Key
-------------------

The encryption key used to encrypt file data.

*****

.. _glossary-multipart-mode:

Multipart Mode
--------------

There are three provider settings for multipart mode, as described next:

``Disabled``: Multipart is not supported by the provider.

``Emulated``: Multipart is not supported by the provider. However, StorageFabric can emulate multipart uploads and downloads. Google is one such provider.

``Native``: Multipart is natively supported by the provider. Amazon S3 and DreamObjects are two providers with native multipart support.

*****

.. _glossary-post-object-mode:

POST Object Mode
----------------

There are three provider settings for POST Object mode, as described next:

``Emulated``: POST is not supported by the provider. However, StorageFabric can emulate POST uploads. StorageGRID is one such provider.

``Native``: POST is natively supported by the provider. Amazon S3 and Google are two providers with native POST support.

*****

.. _glossary-tail-range:

Tail Range Mode
---------------

Indicates whether a storage provider supports HTTP Range requests of the type *Last X bytes*.

*****

.. _glossary-encoding-type:

Encoding Type
-------------

Indicates whether a storage provider supports the ``encoding-type=url`` argument.

*****

.. _glossary-list-v2:

List V2
-------

Indicates whether a storage provider supports `Version 2 listing `_.

*****

.. _glossary-unsigned-payload-v4:

V4 Unsigned Payload
-------------------

Indicates that Unsigned Payload for V4 instances is supported by the provider.

*****

.. _glossary-signature-v2:

Signature V2
------------

Indicates that requests are signed using the `Version 2 signature `_.

*****

.. _glossary-signed-URL:

Signed URL
----------

`Signed URLs `_ can be used to share objects between clients using simple URL exchanges. A signed URL cannot be used to access an object that the signer does not have access to.

*****
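The Signature V2 and Signed URL entries above come together in the query-string form of the Version 2 signature, built from the Access Key ID and Secret Access Key pair defined earlier. The Go program below is an added example, not StorageFabric code. Its signer side (``PresignV2``) produces a shareable link; its verifier side (``VerifyV2``) is what a gateway does on receipt: look up the secret it holds for the presented access key ID, recompute the HMAC, compare in constant time, and refuse expired links. The returned access key ID is then subject to the signer's own access control, which is how a signed URL cannot reach an object the signer could not. The credentials and the top level domain are constructed placeholders, and the example assumes object keys that need no URI encoding.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Credential pairs an access key ID (the "username") with its secret (the "password").
type Credential struct{ AccessKeyID, Secret string }

// stringToSign is the Version 2 query-string form for a request with no
// Content-MD5, Content-Type or x-amz-* headers:
//
//	<method>\n\n\n<expires>\n/<bucket>/<key>
//
// The key is used verbatim, so this example assumes keys that need no URI encoding.
func stringToSign(method, bucket, key string, expires int64) string {
	return fmt.Sprintf("%s\n\n\n%d\n/%s/%s", method, expires, bucket, key)
}

// signV2 is Base64(HMAC-SHA1(secret, stringToSign)).
func signV2(secret, sts string) string {
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(sts))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// PresignV2 produces a shareable virtual-host style GET URL that expires at
// the given unix time.
func PresignV2(cred Credential, topLevelDomain, bucket, key string, expires int64) string {
	q := url.Values{}
	q.Set("AWSAccessKeyId", cred.AccessKeyID)
	q.Set("Expires", strconv.FormatInt(expires, 10))
	q.Set("Signature", signV2(cred.Secret, stringToSign("GET", bucket, key, expires)))
	return fmt.Sprintf("https://%s.%s/%s?%s", bucket, topLevelDomain, key, q.Encode())
}

// VerifyV2 is the gateway side. lookup returns the secret stored for an
// access key ID. On success it returns that ID so the caller can apply the
// signer's own access control afterwards: a signed URL never grants more
// than the signer could do.
func VerifyV2(lookup func(id string) (string, bool), topLevelDomain, rawURL string, now int64) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	suffix := "." + topLevelDomain
	if !strings.HasSuffix(u.Hostname(), suffix) {
		return "", errors.New("host is not under the top level domain")
	}
	bucket := strings.TrimSuffix(u.Hostname(), suffix)
	key := strings.TrimPrefix(u.Path, "/")
	q := u.Query()
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return "", errors.New("missing or malformed Expires")
	}
	if now > expires {
		return "", errors.New("signed URL has expired")
	}
	id := q.Get("AWSAccessKeyId")
	secret, ok := lookup(id)
	if !ok {
		return "", errors.New("unknown access key id")
	}
	want := signV2(secret, stringToSign("GET", bucket, key, expires))
	// Constant-time comparison: a wrong signature must not be distinguishable
	// from a nearly-right one by how long the check takes.
	if !hmac.Equal([]byte(want), []byte(q.Get("Signature"))) {
		return "", errors.New("signature mismatch")
	}
	return id, nil
}

func main() {
	// Constructed placeholder credentials and domain.
	cred := Credential{AccessKeyID: "AKIAEXAMPLE0000001", Secret: "example-secret-not-real"}
	lookup := func(id string) (string, bool) {
		if id == cred.AccessKeyID {
			return cred.Secret, true
		}
		return "", false
	}
	link := PresignV2(cred, "sf.example.com", "photos", "2024/cat.jpg", 1700000000)
	fmt.Println(link)
	id, err := VerifyV2(lookup, "sf.example.com", link, 1699999000)
	fmt.Println("before expiry:", id, err)
	_, err = VerifyV2(lookup, "sf.example.com", link, 1700000001)
	fmt.Println("after expiry:", err)
}
```

Because the object key is part of the string to sign, editing the path of a shared link (to point at a different object in the same bucket) invalidates the signature; only the expiry and the signer's own permissions bound what the link can do.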
.. _glossary-rbac:

Role-Based Access Control
-------------------------

Role-based access control (RBAC) is an approach to managing :ref:`glossary-permissions` for subjects (users and :ref:`glossary-client-access-keys`). In RBAC, permissions are grouped under roles. Roles are then assigned to subjects.

*****

.. _glossary-roles:

Roles
-----

A named collection of :ref:`glossary-permissions`.

*****

.. _glossary-permissions:

Permissions
-----------

A permission specifies whether a particular operation is allowed or denied.

*****

.. _glossary-context:

Context
-------

A context is a JSON document that specifies a set of resources. Under :ref:`glossary-rbac`, contexts are used to specify the resources for which permissions are to be granted.

*****

.. _glossary-financial-archival:

Financial Archival Mode
-----------------------

Financial Archival Mode enforces different encryption and data integrity checks for :ref:`Virtual Buckets`. Financial Archival Mode is designed to be compatible with :ref:`glossary-sheltered-harbor`.

*****

.. _glossary-sheltered-harbor:

Sheltered Harbor
----------------

Sheltered Harbor is a standard developed by the financial industry to protect consumer data in the event that a financial institution becomes inoperable. Under Sheltered Harbor, consumers' account data is archived and stored in a standard format and can be recovered in the event of an outage. Archived data is regularly monitored to ensure compliance with the specifications. For more information, visit `shelteredharbor.org `_.

*****

.. _glossary-assertion:

Assertion
---------

An assertion is a signed document, generated by an :ref:`glossary-identity-provider`, that contains one or more claims.

*****

.. _glossary-claim:

Claim
-----

A claim contains information about users and groups. Claims are contained within :ref:`Assertions `.

*****
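The RBAC, Roles, Permissions and Context entries above describe one evaluation model: permissions allow or deny an operation, roles group them, roles are assigned to subjects (users or client access key IDs), and a context is a JSON document naming the resources a grant covers. The Go program below is an added example, not StorageFabric's implementation; the JSON shape of the context (a list of virtual bucket names, with a trailing ``*`` as a prefix wildcard), the policy document layout and the ``Authorize`` function are assumptions made for the example. It applies default deny and lets an explicit deny override any allow, which is the behaviour a reviewer would want to see exercised before trusting such a policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Context names the resources a permission applies to. Its JSON shape here
// (a list of virtual bucket names, trailing "*" as a prefix wildcard) is an
// assumption for the example; the glossary only says it is a JSON document.
type Context struct {
	Buckets []string `json:"buckets"`
}

// Permission allows or denies one operation on the resources in its context.
type Permission struct {
	Operation string  `json:"operation"`
	Allow     bool    `json:"allow"`
	Context   Context `json:"context"`
}

// Role is a named collection of permissions.
type Role struct {
	Permissions []Permission `json:"permissions"`
}

// Policy holds the roles and the subject -> roles assignments. Subjects are
// user names or client access key IDs.
type Policy struct {
	Roles       map[string]Role     `json:"roles"`
	Assignments map[string][]string `json:"assignments"`
}

func (c Context) matches(bucket string) bool {
	for _, pattern := range c.Buckets {
		if strings.HasSuffix(pattern, "*") {
			if strings.HasPrefix(bucket, strings.TrimSuffix(pattern, "*")) {
				return true
			}
		} else if pattern == bucket {
			return true
		}
	}
	return false
}

// Authorize decides whether subject may perform op on bucket. The default
// is deny, and an explicit deny from any role overrides any allow.
func (p Policy) Authorize(subject, op, bucket string) bool {
	allowed := false
	for _, roleName := range p.Assignments[subject] {
		role, ok := p.Roles[roleName]
		if !ok {
			continue // an assignment to a role that does not exist grants nothing
		}
		for _, perm := range role.Permissions {
			if perm.Operation != op || !perm.Context.matches(bucket) {
				continue
			}
			if !perm.Allow {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// LoadPolicy parses a policy document.
func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// samplePolicy is a constructed policy: alice reads and writes report
// buckets except the archive, and a client access key may only read.
const samplePolicy = `{
  "roles": {
    "report-reader": {"permissions": [
      {"operation": "GetObject", "allow": true, "context": {"buckets": ["reports-*"]}}
    ]},
    "report-writer": {"permissions": [
      {"operation": "PutObject", "allow": true,  "context": {"buckets": ["reports-*"]}},
      {"operation": "PutObject", "allow": false, "context": {"buckets": ["reports-archive"]}}
    ]}
  },
  "assignments": {
    "alice": ["report-reader", "report-writer"],
    "AKIACLIENT000000001": ["report-reader"]
  }
}`

func main() {
	p, err := LoadPolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, c := range [][3]string{
		{"alice", "PutObject", "reports-2024"},
		{"alice", "PutObject", "reports-archive"},
		{"AKIACLIENT000000001", "PutObject", "reports-2024"},
		{"bob", "GetObject", "reports-2024"},
	} {
		fmt.Printf("%-22s %-10s %-16s -> %v\n", c[0], c[1], c[2], p.Authorize(c[0], c[1], c[2]))
	}
}
```

The assignment to a non-existent role is deliberately treated as granting nothing: a typo in a role name then fails closed instead of silently matching something else.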
.. _glossary-identity-provider:

Identity Provider
-----------------

In StorageFabric, an identity provider refers to a system that creates, stores, and manages identities within an enterprise, for example `ADFS `_ or `Okta `_. The identity provider manages user credentials and issues signed :ref:`assertions ` containing one or more claims.

*****

.. _glossary-service-provider:

Service Provider
----------------

A service provider relies on signed assertions from an identity provider to log users in and enforce access control. In StorageFabric, the service provider is the :ref:`glossary-configuration-manager`.

*****

.. _glossary-saml:

SAML
----

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging :ref:`assertions ` (and :ref:`claims `) between an :ref:`glossary-identity-provider` and a :ref:`glossary-service-provider`. In StorageFabric, assertions generated by an identity provider must be in SAML format.

*****

.. _glossary-relying-party-trust:

Relying Party Trust
-------------------

In ADFS, a relying party is a trusted entity that receives and processes :ref:`assertions `. In StorageFabric, the relying party is the :ref:`glossary-configuration-manager`. The trust established between the relying party and an :ref:`glossary-identity-provider` is referred to as a relying party trust.

*****

.. _glossary-active-directory:

Active Directory
----------------

Microsoft Active Directory is a set of components that manage information about network resources such as users, systems, services, etc. For more information, see the `msdn Active Directory documentation `_.

*****

.. _glossary-adfs:

Active Directory Federation Services
------------------------------------

Microsoft Active Directory Federation Services (ADFS) is a service that allows secure sharing of identity information within networks, for example for single sign-on. For more information, see the `msdn ADFS documentation `_.

*****

.. _glossary-aws-kms-id:

AWS KMS ID
----------

AWS key ID. See `AWS docs `_ for more information. In StorageFabric, the full **ARN** should not be used, but only the **UUID**. For example, if the key ARN is ``arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``, then use only ``1234abcd-12ab-34cd-56ef-1234567890ab`` as the AWS KMS ID.

*****

.. _glossary-passthrough-mode:

Passthrough (Plaintext) Mode
----------------------------

If passthrough mode is enabled on a :ref:`glossary-data-bucket`, StorageFabric |proxies| will not encrypt data stored in the |data bucket|. This mode is useful for adding |data buckets| that were already in use prior to the StorageFabric deployment. Moreover, data stored in passthrough |data buckets| can be downloaded directly from the storage provider without using StorageFabric.

.. note::

   Passthrough mode is recommended only for |data buckets| storing non-sensitive data.

*****

.. _glossary-browser:

StorageFabric File Browser
--------------------------

The :ref:`glossary-browser` is a StorageFabric component that provides a browser-based interface for users to access their data.

*****

.. _glossary-dns-inline:

DNS Inline
----------

In Inline DNS resolution mode, :ref:`Gateways ` resolve DNS (for providers) when a client request is received. |proxies| then cache the DNS entry for the duration of the server response TTL (time-to-live).

*****

.. _glossary-dns-background:

DNS Background
--------------

In Background DNS resolution mode, :ref:`Gateways ` continue to resolve DNS (for providers) in the background, at a frequency dictated by the TTL. If no client requests are received for 60 seconds, background resolution is stopped until a new client request arrives for that provider.

Background mode offers better performance than :ref:`glossary-dns-inline` when the cloud provider has a low TTL, such as Amazon, whose TTL is less than 5 seconds. Because :ref:`Gateways ` continue to resolve DNS in the background, subsequent client requests do not need to wait for DNS resolution after the TTL would have expired.

*****

.. _glossary-addressing-style-path:

Path Style Addressing
---------------------

Path-style (or V1) addressing includes the bucket name in the path of the URL. For example, ``s3://s3.storageprovider.com//key``.

*****

.. _glossary-addressing-style-virtual:

Virtual Host Style Addressing
-----------------------------

Virtual-hosted style (or V2) addressing uses the bucket name as part of the domain name. For example, ``s3://.s3.storageprovider.com/key``.

*****

.. _glossary-null-bucket:

Null Bucket
-----------

The null bucket is a special :ref:`glossary-data-bucket` similar to ``/dev/null``. The null bucket can be used to test the network conditions between clients and :ref:`Gateways `, without consuming storage with a backend provider. The null bucket is accessible at the endpoint ``/null-bucket`` on :ref:`Gateways `. Note that the null bucket cannot be accessed using synchronous client credentials. This feature is available in Release 3.4.0+.

*****

.. _glossary-sanscaler:

SANScaler
---------

SANScaler is a high-performance solution delivering low-latency, redundant enterprise SAN and NAS on-premise with near-zero physical storage footprint. For more details, visit ``_.

*****

.. _glossary-data-placement:

Advanced Data Placement
-----------------------

Data Placement is a StorageFabric service that provides transparent and automated data replication, migration, and caching across :ref:`Virtual Buckets `. This feature is available in Release 3.5.0+. For details, refer to :doc:`userguide/data-placement`.

*****

.. _glossary-special-dir:

Special Dir
-----------

Within each :ref:`glossary-data-bucket`, StorageFabric maintains state for its internal operations. This enables StorageFabric to provide key features such as :ref:`glossary-data-placement`, monitoring, stats, :doc:`../../userguide/tutorials/configuration-manager/synchronous-client-credentials`, and more. This internal state is also referred to as the :ref:`glossary-special-dir`. The location of this internal state within a bucket is specified by the :ref:`glossary-reserved-key`.

*****

.. _glossary-reserved-key:

Reserved Key
------------

StorageFabric stores additional data in a reserved path within :ref:`Virtual Buckets `. This key starts with the reserved prefix *zu3KR6gafn4y1LjwwOrQNyV14rkFBhHd3JmpwfMjmz*. This data is used for StorageFabric's internal operation, support for emulated multipart mode, stats, and monitoring. This data is not visible to clients.
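The Empty |data bucket|, Special Dir and Reserved Key entries together define a rule a gateway has to apply on every listing: objects under the reserved prefix are internal state, do not count as user data, and must never be shown to or written by clients. The Go program below is an added example, not StorageFabric code. The prefix value is the one quoted under Reserved Key; the sample listing, the paths beneath the prefix and the function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ReservedPrefix is the prefix under which StorageFabric keeps its internal
// state inside each virtual bucket (value quoted from the Reserved Key entry).
const ReservedPrefix = "zu3KR6gafn4y1LjwwOrQNyV14rkFBhHd3JmpwfMjmz"

// IsReserved reports whether a key lies in the special dir.
func IsReserved(key string) bool {
	return strings.HasPrefix(key, ReservedPrefix)
}

// Partition splits a raw provider listing into client-visible keys and
// internal state keys.
func Partition(keys []string) (visible, internal []string) {
	for _, k := range keys {
		if IsReserved(k) {
			internal = append(internal, k)
		} else {
			visible = append(visible, k)
		}
	}
	return visible, internal
}

// IsEmpty applies the glossary definition of an empty data bucket: no user
// data, regardless of what the special dir holds.
func IsEmpty(keys []string) bool {
	visible, _ := Partition(keys)
	return len(visible) == 0
}

// ClientList is what a gateway would return for a listing request: the
// internal state is filtered out before the client's own prefix is applied,
// so asking for the reserved prefix explicitly still returns nothing.
func ClientList(keys []string, prefix string) []string {
	visible, _ := Partition(keys)
	out := []string{}
	for _, k := range visible {
		if strings.HasPrefix(k, prefix) {
			out = append(out, k)
		}
	}
	return out
}

// ValidateClientKey rejects client reads or writes that target the special
// dir, so that clients can neither inspect nor overwrite internal state.
func ValidateClientKey(key string) error {
	if IsReserved(key) {
		return errors.New("key is inside the reserved prefix")
	}
	return nil
}

// sampleListing is a constructed provider listing of a bucket that holds
// internal state only; the paths under the prefix are made up.
var sampleListing = []string{
	ReservedPrefix + "/placement/manifest.json",
	ReservedPrefix + "/multipart/upload-01/part-0001",
	ReservedPrefix + "/stats/2024-05.json",
}

func main() {
	fmt.Println("internal-only bucket empty:", IsEmpty(sampleListing))
	withData := append([]string{"reports/q1.csv"}, sampleListing...)
	fmt.Println("bucket with one user object empty:", IsEmpty(withData))
	fmt.Println("client listing:", ClientList(withData, ""))
	fmt.Println("client asks for reserved prefix:", ClientList(withData, ReservedPrefix))
	fmt.Println("client write into special dir:", ValidateClientKey(ReservedPrefix+"/stats/x"))
}
```

Filtering before applying the client's prefix, rather than after, is the point: a client listing with the reserved prefix as its own prefix argument would otherwise enumerate the internal state that the glossary says is not visible to clients.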