Glossary

Backup Bucket

All StorageFabric configuration data is encrypted with the Master Encryption Key and stored in the Configuration Bucket in the cloud.

For increased availability, in the event of failures at the backend storage provider, a Backup Bucket can also be configured for StorageFabric configuration data. If the Configuration Bucket becomes inaccessible, StorageFabric components automatically access the configuration data from the Backup Bucket.


Backend Bucket

A Backend Bucket is a regular S3 bucket, hosted with either an on-prem or a cloud storage provider. Clients’ data is stored in Backend Buckets. However, since StorageFabric virtualizes your entire storage namespace, StorageFabric clients are not exposed to provider-side buckets directly. Clients instead use Virtual Bucket Names. Each Virtual Bucket is backed by a Backend Bucket.


Configuration Bucket

The Configuration Bucket is a specially designated bucket to store StorageFabric configuration data. All StorageFabric configuration data is encrypted with the Master Encryption Key and stored in the Configuration Bucket in the cloud. Therefore, storage providers cannot access the data.

Storing configuration data with providers makes StorageFabric components stateless, making deployment options extremely flexible. Components can be added and removed easily without affecting overall availability.

StorageFabric does not require complex on-prem data management using relational databases, or other heavyweight storage solutions. All you need to manage is the Master Encryption Key. Entire deployments can be bootstrapped and restored using the Master Encryption Key.


Configuration Sync Time

The time between a configuration change made on a StorageFabric Configuration Manager and the propagation of that change to the Gateways. For details, see the full product documentation.


Master Encryption Key

All StorageFabric configuration data is encrypted with the Master Encryption Key.

Internally, StorageFabric uses hierarchical keying wherein lower layer keys are encrypted using higher layer keys. The Master Encryption Key is the root key in the hierarchy.

The Master Encryption Key must be kept safe. Losing the Master Encryption Key is equivalent to losing your data. The Master Encryption Key is never communicated to the outside by StorageFabric components.


StorageFabric Configuration Manager

The StorageFabric Configuration Manager is a set of tools, REST APIs, and a web interface used to configure StorageFabric Gateways. Configuration data includes information about cloud providers, buckets, encryption keys, access control, and client and cloud access keys.

The Configuration Manager facilitates setup and management of information that enables StorageFabric Gateway services. For example, the Configuration Manager is used to set up encryption keys that are then used by StorageFabric Gateways for transparent encryption and decryption of applications’ data.


StorageFabric Gateway

The StorageFabric Gateway is the single-point-of-access to cloud storage services, such as Amazon S3, Google Cloud Storage, etc. The Gateway exposes a standard object storage interface to client applications.

Gateway functionality includes, but is not limited to, the following:

  • Transparent data encryption and decryption.

  • Client authentication.

  • Access control enforcement.

  • Transparent caching.

  • Data compression.

  • Data deduplication.

  • Logging and audit trails.

  • Data governance enforcement.


StorageFabric LogViewer

The StorageFabric LogViewer is a web-based graphical interface to access StorageFabric Gateway statistics and logs.


StorageFabric Scheduler

StorageFabric Scheduler is a StorageFabric component that manages internal housekeeping tasks for StorageFabric components. The scheduler runs on the StorageFabric Configuration Manager and on Gateways.


Virtual Bucket

StorageFabric virtualizes your entire storage namespace across all your storage providers. No matter what the actual bucket names are with storage providers, StorageFabric clients see a virtual namespace. Clients upload and download data to and from Virtual Buckets. A Virtual Bucket is identified by its Virtual Bucket Name.


Empty Virtual Bucket

A Virtual Bucket is considered empty if there is no user data in the bucket. The bucket may contain objects in the Special Dir.


Virtual File System

StorageFabric supports Virtual File Systems (VFS) using the NFS and SMB protocols.

See the full product documentation.


Data View

A Data View is a collection of Virtual Buckets. To learn more about views, refer to the full product documentation.


View Encryption Key

An encryption key that encrypts configuration data for a Data View. StorageFabric Gateways have access to the View Encryption Keys only. Each Gateway is set up using the View Encryption Key of the Data View that the Gateway is part of.


Virtual Bucket Name

Name of a Virtual Bucket. This name can be different from the actual bucket name with a cloud provider, hence it is referred to as a Virtual Bucket Name. StorageFabric clients use the Virtual Bucket Name in API requests to a StorageFabric Gateway.

Note

In StorageFabric, there is a single global bucket namespace. Each Virtual Bucket has a globally unique virtual name.


StorageFabric Gateway Domain

The base domain where clients can send requests to the StorageFabric Gateway. The StorageFabric Gateway supports both Virtual Host Style Addressing URLs and Path Style Addressing URLs. For example, if the StorageFabric Gateway Domain is s3.abccorp.com, the bucket name is amazon-data-bucket and the file to access in the bucket is file.txt then clients can send requests to the following URLs:

amazon-data-bucket.s3.abccorp.com/file.txt
s3.abccorp.com/amazon-data-bucket/file.txt

A StorageFabric Gateway Domain is necessary for:

  • Remote clients to access the StorageFabric Gateway.

  • SSL connection between clients and the StorageFabric Gateway.


License

A StorageFabric license governs the use of StorageFabric. A valid license is required to use StorageFabric. In the absence of a valid license, StorageFabric may operate with limitations.

To learn more, refer to the full product documentation.


Licenses Directory

Directory on a StorageFabric Configuration Manager from which Licenses are automatically loaded.

The default license directory path is /etc/storagefabric/licenses/.


StorageFabric License Server

StorageFabric License Server is a StorageFabric component that keeps track of the other components in StorageFabric deployments. This includes snapshot information and historical trends about the deployed Gateways and Configuration Managers.

The license server is not in the data or configuration path and does not impact StorageFabric functionality or performance. Depending on your StorageFabric licenses, it may be required to run a License server in your enterprise. Contact the Virtalica team for details.


Access Key ID

Authentication to most cloud providers is done using an Access Key ID and a Secret Access Key. An Access Key ID acts like a username, uniquely identifying the requester.


Secret Access Key

Authentication to most cloud providers is done using an Access Key ID and a Secret Access Key. A Secret Access Key acts like a password corresponding to an Access Key ID.


Session Token

An additional piece of information used by cloud providers for client authentication, in addition to the Access Key ID and Secret Access Key. Typically used when the credentials are temporary, with a brief expiration time. For more details, see the full product documentation.


Client

A client is any entity that sends requests to the StorageFabric Gateway. Clients are authenticated by the StorageFabric Gateway using Client Access Keys.


User

In StorageFabric, user specifically refers to an entity performing configuration management via the StorageFabric Configuration Manager web or command line interfaces.

When using the web interface, users authenticate using their username and password or via single sign-on.

When using the configuration manager REST API, users authenticate using their Client Access Keys.


Group

In StorageFabric, a group is a collection of users. Users in a group can perform configuration management based on the roles attached to the group.


Provider Access Keys

The StorageFabric Gateway authenticates to cloud providers using an Access Key ID and a Secret Access Key. An access key ID and secret key combination is referred to as a Provider Access Key.


Client Access Keys

A Client authenticates to the StorageFabric Gateway using an Access Key ID and a Secret Access Key. A client access key ID and secret key combination is referred to as a Client Access Key.


Restoration Command

By default, StorageFabric components are stateless. In the event that a component fails or the component setup or initialization information is lost, all that is needed to set up an identical component are credentials to access the Configuration Bucket and the Master Encryption Key. To make recovery convenient, a command is displayed by the full product documentation at completion. Using only this command and the Master Encryption Key, a new identical component can be set up at a later time, such as for recovery.


Bucket Encryption Key

The encryption key used to encrypt each File Encryption Key for all files in a Virtual Bucket. Each Virtual Bucket can have multiple encryption keys.


File Encryption Key

The encryption key used to encrypt file data.
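The hierarchical keying described under Master Encryption Key, View Encryption Key, Bucket Encryption Key and File Encryption Key, as an added Go example that is not StorageFabric's own code: each layer's key is wrapped under the key of the layer above it, only wrapped keys and ciphertext are ever stored, and the chain can be recovered from the Master Encryption Key alone and not at all without it. AES-256-GCM as the wrapping cipher and all function names are assumptions; the glossary does not state which algorithm StorageFabric uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Layers below the Master Encryption Key, root first, as named in the glossary.
var Layers = []string{"View Encryption Key", "Bucket Encryption Key", "File Encryption Key"}

// must panics on err: a wrong key size is a programming error in this demo, not runtime input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal wraps data under key with AES-256-GCM (this example's assumption) as nonce||ciphertext||tag.
func seal(key, data []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: fresh nonce for every wrap
	return g.Seal(nonce, nonce, data, nil)
}

// open reverses seal (blob must hold at least a nonce); a wrong key fails GCM authentication.
func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Build draws a fresh key per layer, wraps it under the key above (master at the top), then encrypts plaintext.
func Build(master, plaintext []byte) [][]byte {
	blobs, parent := [][]byte{}, master
	for range Layers {
		child := make([]byte, 32)
		rand.Read(child)
		blobs, parent = append(blobs, seal(parent, child)), child
	}
	return append(blobs, seal(parent, plaintext)) // only these blobs are stored, never master
}

// Recover unwraps from the master key down, then decrypts; the wrong master key fails at layer one.
func Recover(master []byte, blobs [][]byte) ([]byte, error) {
	key, err := master, error(nil)
	for i, name := range Layers {
		if key, err = open(key, blobs[i]); err != nil {
			return nil, errors.New("cannot unwrap " + name + ": wrong parent key")
		}
	}
	return open(key, blobs[len(Layers)])
}
```

Calling Build with a master key and then Recover with the same key returns the plaintext; Recover with any other master key fails at the View Encryption Key before a lower layer is reached.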


Multipart Mode

There are three provider settings for multipart mode as described next:

Disabled: Multipart is not supported by provider.

Emulated: Multipart is not supported by provider. However, StorageFabric can emulate multipart uploads and downloads. Google is one such provider.

Native: Multipart is natively supported by provider. Amazon S3 and DreamObjects are two providers with native multipart support.


POST Object Mode

There are three provider settings for POST Object mode as described next:

Emulated: POST is not supported by provider. However, StorageFabric can emulate POST uploads. StorageGRID is one such provider.

Native: POST is natively supported by provider. Amazon S3 and Google are two providers with native POST support.


Tail Range Mode

Indicates whether a storage provider supports HTTP Range requests of the form "last X bytes".


Encoding Type

Indicates whether a storage provider supports the encoding-type=url argument.


List V2

Indicates whether a storage provider supports Version 2 listing.


V4 Unsigned Payload

Indicates that the provider supports unsigned payloads with Version 4 signatures.


Signature V2

Indicates that requests are signed using the Version 2 signature.


Signed URL

Signed URLs can be used to share objects between clients using simple URL exchanges. A signed URL cannot be used to access an object that the signer does not have access to.


Role-Based Access Control

Role-based access control (RBAC) is an approach to managing Permissions for subjects (users and Client Access Keys). In RBAC, permissions are grouped under roles. Roles are then assigned to subjects.


Roles

A named collection of Permissions.


Permissions

A permission specifies whether a particular operation is allowed or denied.


Context

A context is a JSON document that specifies a set of resources. Under Role-Based Access Control, contexts are used to specify the resources for which permissions are to be granted.


Financial Archival Mode

Financial Archival Mode enforces different encryption and data integrity checks for Virtual Buckets. The Financial archival mode is designed to be compatible with Sheltered Harbor.


Sheltered Harbor

Sheltered Harbor is a standard developed by the financial industry to protect consumer data in the event that a financial institution becomes inoperable.

Under Sheltered Harbor, consumers’ account data is archived and stored in a standard format and can be recovered in the event of outage.

Archived data is regularly monitored to ensure compliance with the specifications.

For more information, visit shelteredharbor.org.


Assertion

An assertion is a signed document generated by an Identity Provider that contains one or more claims.


Claim

A claim contains information about users and groups. Claims are contained within Assertions.


Identity Provider

In StorageFabric, an identity provider refers to a system that creates, stores, and manages identities within an enterprise. For example, ADFS, Okta, etc. The identity provider manages user credentials, and issues signed assertions containing one or more claims.


Service Provider

A service provider relies on signed assertions from an identity provider to log users in and enforce access control. In StorageFabric the service provider is the StorageFabric Configuration Manager.


SAML

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging assertions (and claims) between an Identity Provider and a Service Provider. In StorageFabric, assertions generated by an identity provider must be in SAML format.


Relying Party Trust

In ADFS, a relying party is a trusted entity that will be receiving and processing assertions. In StorageFabric, the relying party is the StorageFabric Configuration Manager. The trust established between the relying party and an Identity Provider is referred to as relying party trust.


Active Directory

Microsoft Active Directory is a set of components that manage information about network resources such as users, systems, services, etc. For more information, see the msdn Active Directory documentation.


Active Directory Federation Services

Microsoft Active Directory Federation Services (ADFS) is a service that allows secure sharing of identity information within networks, for example, single sign-on. For more information, see the msdn ADFS documentation.


AWS KMS ID

AWS key ID. See AWS docs for more information.

In StorageFabric, the full ARN should not be used, but only the UUID. For example, if the key ARN is arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab, then use only 1234abcd-12ab-34cd-56ef-1234567890ab as the AWS KMS ID.


Passthrough (Plaintext) Mode

If passthrough mode is enabled on a Virtual Bucket, StorageFabric Gateways will not encrypt data stored in the Virtual Bucket.

This mode is useful for adding Virtual Buckets that were already in use prior to the StorageFabric deployment. Moreover, data stored in passthrough Virtual Buckets can directly be downloaded from the storage provider without using StorageFabric.

Note

Passthrough mode is recommended only for Virtual Buckets storing non-sensitive data.


StorageFabric File Browser

The StorageFabric File Browser is a StorageFabric component that provides a browser-based interface for users to access their data.


DNS Inline

In Inline DNS resolution mode, Gateways resolve DNS (for providers) when a client request is received. Gateways then cache the DNS entry for the duration of the server response TTL (time-to-live).


DNS Background

In Background DNS resolution mode, Gateways continue to resolve the DNS (for providers) in the background, at a frequency dictated by the TTL. If no client requests are received for 60 seconds, background resolution is stopped until a new client request arrives for that provider.

Background mode offers better performance than DNS Inline when the cloud provider uses a low TTL, such as Amazon, whose TTL is less than 5 seconds. Because Gateways keep resolving DNS in the background, subsequent client requests do not have to wait for DNS resolution after the TTL would have expired.


Path Style Addressing

Path-style (or V1) includes the bucket name in the path of the URL. For example, s3://s3.storageprovider.com/<bucketname>/key.


Virtual Host Style Addressing

Virtual-hosted style (or V2) uses the bucket name as part of the domain name. For example, s3://<bucketname>.s3.storageprovider.com/key.
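Both addressing styles, applied to the example given under StorageFabric Gateway Domain (domain s3.abccorp.com, bucket amazon-data-bucket, object file.txt), as an added Go example that is not part of the glossary or the product's code: a resolver that recovers the Virtual Bucket Name and key from either URL form and rejects hosts outside the gateway domain. The type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Address is the Virtual Bucket Name and object key recovered from a client request URL.
type Address struct {
	Bucket, Key, Style string // Style is "virtual-host" or "path"
}

// Resolve recovers the Virtual Bucket Name and key from a request sent to a Gateway whose
// StorageFabric Gateway Domain is gatewayDomain, accepting both addressing styles:
//   virtual-host: <bucket>.<gatewayDomain>/<key>
//   path:         <gatewayDomain>/<bucket>/<key>
func Resolve(gatewayDomain, rawURL string) (Address, error) {
	if !strings.Contains(rawURL, "://") {
		rawURL = "https://" + rawURL // the glossary's examples omit the scheme
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return Address{}, err
	}
	host, domain := strings.ToLower(u.Hostname()), strings.ToLower(gatewayDomain)
	path := strings.TrimPrefix(u.Path, "/")
	switch {
	case host == domain:
		// Path style: the first path segment is the bucket, the remainder is the key.
		bucket, key, _ := strings.Cut(path, "/")
		if bucket == "" {
			return Address{}, errors.New("path-style URL has no bucket segment")
		}
		return Address{bucket, key, "path"}, nil
	case strings.HasSuffix(host, "."+domain):
		// Virtual-host style: everything in front of the gateway domain is the bucket.
		return Address{strings.TrimSuffix(host, "."+domain), path, "virtual-host"}, nil
	default:
		// A host outside the gateway domain is not ours; refuse to guess a bucket from it.
		return Address{}, fmt.Errorf("host %q is not under gateway domain %q", host, domain)
	}
}

func main() {
	for _, raw := range []string{
		"amazon-data-bucket.s3.abccorp.com/file.txt",
		"s3.abccorp.com/amazon-data-bucket/file.txt",
	} {
		a, err := Resolve("s3.abccorp.com", raw)
		fmt.Printf("%-45s -> bucket=%q key=%q style=%s err=%v\n", raw, a.Bucket, a.Key, a.Style, err)
	}
}
```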


Null Bucket

The null bucket is a special Virtual Bucket similar to /dev/null. The null bucket can be used to test the network conditions between clients and Gateways, without consuming storage with a backend provider.

The null bucket is accessible at the endpoint /null-bucket on Gateways.

Note that the null bucket cannot be accessed using synchronous client credentials.

This feature is available in Release 3.4.0+.


SANScaler

SANScaler is a high-performance solution delivering low-latency, redundant enterprise SAN and NAS on-premise with near-zero physical storage footprint. For more details, visit https://sanscaler.io/.


Advanced Data Placement

Data Placement is a StorageFabric service that provides transparent and automated data replication, migration, and caching across Virtual Buckets.

This feature is available in Release 3.5.0+.

For details, refer to the full product documentation.


Special Dir

Within each Virtual Bucket, StorageFabric maintains state for its internal operations. This enables StorageFabric to provide key features such as Advanced Data Placement, monitoring, stats, the full product documentation, and more. This internal state is also referred to as the Special Dir. Location of this internal state within a bucket is specified by the Reserved Key.


Reserved Key

StorageFabric stores additional data in a reserved path within Virtual Buckets. This key starts with the reserved prefix zu3KR6gafn4y1LjwwOrQNyV14rkFBhHd3JmpwfMjmz. This data is used for StorageFabric’s internal operation, support for emulated multipart mode, stats, and monitoring. This data is not visible to clients.