3PAR HP SA TRAINING:

VIRTUAL DOMAINS

© Copyright 2010 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice. HP Confidential
COURSE OBJECTIVES
– At the end of this presentation you should be able to:
• Understand the concepts of Virtual Domains
• Understand User’s Privileges for Domains
• Create a Domain
• Create a Domain Object
• Manage Domain Objects
• Remove a Domain
• Learn to Demo Virtual Domains in a Lab Exercise

2 HP Confidential | October 2010


WHAT ARE 3PAR VIRTUAL DOMAINS?
Multi-Tenancy with Traditional Storage
• Admin A, Admin B, Admin C
• App A / Dept A / Customer A
• App B / Dept B / Customer B
• App C / Dept C / Customer C
• Separate, Physically-Secured Storage

Multi-Tenancy with 3PAR Domains
• Admin A, Admin B, Admin C
• App A / Dept A / Customer A
• App B / Dept B / Customer B
• App C / Dept C / Customer C
• Domain A, Domain B, Domain C
• Shared, Logically-Secured Storage



WHEN DO YOU SELL VIRTUAL DOMAINS?
Centralized Storage Admin with Traditional Storage
Diagram layers: End Users (Dept, Customer); Provisioned Storage; Centralized Storage Administration; Physical Storage; Consolidated Storage

Self-Service Storage Admin with 3PAR Virtual Domains
Diagram layers: End Users (Dept, Customer); Virtual Domains; Provisioned Storage; Centralized Storage Administration; Physical Storage; Consolidated Storage



HOW DO YOU SELL VIRTUAL DOMAINS?
Traditional Physical Separation vs. 3PAR Virtual Domains

1. Security Implementation
• Traditional Physical Separation: Secure, Physical segregation with separate physical ports, cache, and disk capacity, either within a monolithic array or with multiple modular arrays
• 3PAR Virtual Domains: Secure, Logical segregation with shared physical ports, cache, and disk capacity

2. Resource Utilization
• Traditional Physical Separation: Low utilization from the upfront, manual dedication of physical resources
• 3PAR Virtual Domains: High utilization using a policy-based approach that requires no upfront physical dedication of resources

3. Storage Service Levels
• Traditional Physical Separation: Low, unpredictable levels of storage service levels with resources confined to physical partitions
• 3PAR Virtual Domains: High, predictable levels of storage service levels with the even distribution of workloads across all system resources



HOW DO YOU SELL VIRTUAL DOMAINS?
Secure, Segregated Storage with Multiple Modular Arrays
• 3 Arrays (2 incremental)
• $80K ($40K per array x 2) incremental HW cost
• $70K ($35K per array x 2) incremental SW cost
• $4K ($2K per array x 2) incremental floor space lease cost
• Total Cost = $154K

1 Array
• $0 incremental HW cost
• $18K incremental SW cost
• $0 incremental floor space lease cost
• Total Cost = $18K


* Assumptions: 1 array per secured storage. $75K cost per dual-controller array (hw, base sw, no capacity). Virtual Domains SW for 30TB.

Savings Example of 3 Secured, Storage Domains


VIRTUAL DOMAINS OVERVIEW
– Requires a 3PAR license
– Allows fine-grained access control on an InServ
– Up to 1024 domains or spaces within an InServ
– Each User may have privileges over one or more domains (up to 32 domains
or all domains)
– Each domain can be dedicated to a specific application
– System provides different privileges to different users for Domain Objects with
no limit on max # Users per Domain



3PAR DOMAIN CONCEPTS
– Domain Types
– User Classes
– User Privileges
– The Default and Current Domains
– Domain Object and Domain Association Rules



DOMAIN TYPES
– Domain Type “No”
• Contains objects that do not belong to any specified domain
• Example: an existing InServ that previously did not use Domains belongs to the “No”
domain

– Domain Type “All”
• Users belonging to the Super user class have privileges over the entire system.
• Users belonging to the Edit user class in the “all” domain can create and edit CPGs,
hosts, Remote Copy groups, and assign CPGs and hosts to “Specified” domains

– Domain Type “Specified”
• Created by the domain administrator
• Contains objects specific to the domain
• Example: a Domain A user (“edit” or “browse”) can access objects in Domain A but not
any objects in Domain B



3PAR DOMAIN TYPES & PRIVILEGES
– Super User(s)
• Domains, Users, Provisioning Policies
– Edit User(s) (set to “All” Domain)
• Provisioning Policies

Diagram labels: “All” Domain; “No” Domain (unassigned elements); “Engineering” Domain Set; Domain “A” (Dev); Domain “B” (Test); CPG(s); Host(s); User(s) & respective user level(s); VLUNs; VVs & TPVVs; VCs & FCs & RCs; Chunklets & LDs



3PAR DOMAIN USER CLASSES
– Users in the “all” domain, depending on user privilege, can access all objects
within the domain.
– The privilege (for the special “all” keyword) may be:
• super: allows access to all system functions
• service: allows access to limited functions for service
• edit
• browse

– For a specified domain the privilege may be:
• edit
• browse

– Remember, “all” is used in the “createuser” and “setuser” CLI commands to
denote special privileges over the entire system



3PAR DOMAIN USER PRIVILEGES (1 OF 2)



3PAR DOMAIN USER PRIVILEGES (2 OF 2)
– An InServ user can view and work on objects in all assigned domains that they
have privileges over
– User can specify which domain for each operation
– A default domain can be assigned to a user if that is the predominant domain
that the user will be working with
– The InServ Administrator (super) can set a default domain for a user (CLI)
– When the user logs in, the current domain is set to the default domain
– The user can use the CLI “setclienv currentdomain” to override the current
domain
• The domain is implicitly defined for all operations by that user!



THE DEFAULT AND CURRENT DOMAINS
– Existing InServ users can be modified in the following ways:
• Administrative actions:
− Users can be added to domains
− Users can be removed from domains
− Users can be set to work in a default domain
• User initiated actions:
− Users can be set to work in a current domain
− This can be different than their default domain

– To change domains, GUI (IMC) users simply select a new domain from a
menu of available domains



DOMAIN OBJECTS
– Basic Domain Objects:
• CPGs
• Hosts
• Remote Copy Groups

– Derived Domain Objects:
• Virtual Volumes (VV)
• VV sets
• VLUNs
• Hosts (including Paths)
• Host sets

– Objects are domain specific; for example, VVs cannot be exported to a host outside of
their assigned domain



OBJECT AND DOMAIN ASSOCIATION RULES
– Objects can belong to only one domain or to a domain set
– Objects derived from a CPG inherit the domain of that CPG
– VVs can only be exported to hosts belonging to the VV’s domain
– A VLUN inherits the domain of the VV and host from which the VLUN was
exported
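
The association rules above, written out as a small Python model. This is an added example, not InForm OS code and not part of the original slides; the class names, the can_modify and export_vv helpers and the sample object names are hypothetical, and treating “browse” as read-only is an assumption of the sketch.

```python
# Added illustration: a toy model of the domain rules above, not InForm OS code.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class CPG:
    name: str
    domain: Optional[str]          # None stands for the "No" domain

@dataclass(frozen=True)
class Host:
    name: str
    domain: Optional[str]

@dataclass(frozen=True)
class VV:
    name: str
    cpg: CPG

    @property
    def domain(self) -> Optional[str]:
        # Rule: objects derived from a CPG inherit the domain of that CPG.
        return self.cpg.domain

@dataclass(frozen=True)
class VLUN:
    vv: str
    host: str
    domain: Optional[str]          # inherited from the VV and host

def can_modify(privs: Dict[str, str], domain: Optional[str]) -> bool:
    # "super" over "all" covers the entire system; otherwise the user needs
    # "edit" in the object's own domain. "browse" is treated as read-only
    # (assumption of this sketch).
    if privs.get("all") == "super":
        return True
    return domain is not None and privs.get(domain) == "edit"

def export_vv(privs: Dict[str, str], vv: VV, host: Host) -> VLUN:
    # Rule: a VV can only be exported to hosts in the VV's domain.
    if vv.domain != host.domain:
        raise PermissionError(f"{vv.name} and {host.name} are in different domains")
    if not can_modify(privs, vv.domain):
        raise PermissionError(f"no edit privilege over domain {vv.domain!r}")
    return VLUN(vv.name, host.name, vv.domain)

# Constructed sample objects (names are hypothetical).
cpg_a = CPG("cpg_dev", "DomainA")
vv_a = VV("vv_dev_01", cpg_a)
host_a, host_b = Host("devhost", "DomainA"), Host("testhost", "DomainB")
```

Note that the cross-domain check runs before the privilege check, so even a “super” user cannot export vv_a to host_b in this model without first moving one of the objects.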



CREATE A VIRTUAL DOMAIN
– Via GUI:
– Actions → Security → Domains → Create domain



CREATE A DOMAIN OBJECT

You can specify a Domain when working with hosts, CPGs, and VVs



MANAGING DOMAIN OBJECTS (1 OF 2)
– When you have “super” user permissions…
• You can:
− Move domain objects from one domain to another
− Remove domain associations entirely



MANAGING DOMAIN OBJECTS (2 OF 2)
– A “super” or “edit” user for the “all” domain has privileges for:
• CPGs
• Hosts

– A domain “edit” user can only create VVs in their domain:
• To a CPG created by the “super” user

– A domain “edit” user will export VLUNs to a host:
• That is assigned by a “super” user to a specific domain



REMOVING A DOMAIN
– Before you remove a Domain, you must first remove All Objects from the
Domain
– All the users with explicit privileges over the Domain must first have their
privileges revoked



DEMONSTRATION OF VIRTUAL DOMAINS IN THE LAB

Lab Time − You are Ready!



USING INFORM VIRTUAL DOMAINS – LAB
1. At the end of this lab using InForm Domains you will have:
• Created domain users
• Created a domain
• Created CPGs for domains
• Created VVs as a domain user
• Viewed Domain Summary and Capacity info in the Security menu
• Moved domain objects

2. Log into an InServ with 2.3.1 InForm OS as a “super” user (IMC 4.1).

3. Create a Domain.



USING INFORM VIRTUAL DOMAINS - LAB
4. Create an “edit” level domain user for the domain created in step 2.

5. Create two CPGs for the domain. One CPG should be R5 & R1 or FC and
NL for variation. Your “growth warning” or “growth limits” should be
whatever “contract” you have with your domain user.

6. Associate a host to the domain created in step 2 and logout.

7. Log back in as the domain user created in step 4. Create a VV from the R5
CPG. Then create a VV from the R1 CPG.

8. Look at the Domain membership of these different Objects not only from the
Security -> Domains menu (Summary and Capacity views) but also view
those Objects in the Hosts and Provisioning menus.



USING INFORM VIRTUAL DOMAINS – LAB
9. Refresh your GUI & look at the VVs created in step 7. What do you have to
do to get domains displayed in your output?
10. Log in as a super user.
11. Create a new domain. Call it whatever you want.
12. For the domain user created in step 4, give them edit privileges to this
domain.
13. Move all objects from the domain created in step 4 to the new domain.
14. Create another user in the new domain and give them “browse” privileges.



USING INFORM VIRTUAL DOMAINS – LAB
15. View the users who now have domain membership.

16. What hosts are now in the new domain? What VVs are in the new domain?

17. Log in as the user created in step 14 and view your InServ world.

18. Can this user see the other domain?

19. What can the “browse” user see vs. the “edit” user?

20. What do these domain users see that’s different than the “super” user?



THANK YOU



VISUAL EXAMPLE OF SECURED, STORAGE DOMAINS
Instruments all aspects of the system...
• Logical:
– Application
– Volume(s)
– VLUNs
– Logical Disks
• Physical:
– Storage Pool
– Controller nodes
– Cache memory
– Drives
– Ports

Integration
Interoperates with SNMP-based operations centers and SMI-S clients

Performance
- MB/s, IOPS
- Path Loads
- Service times
- Cache Hits
- Histograms

Capacity
- Free space
- Consumed space
- Raw capacity
- Usable capacity
- CPG capacity

Diagram labels: Department 1; Department 2; Department 3



LDAP LOGIN: AUTHENTICATION AND AUTHORIZATION
Diagram: Management Workstation, 3PAR InServ and LDAP Server, connected by arrows numbered 1 to 6 for the steps below.

Step 1 : User initiates login to 3PAR InServ via 3PAR CLI/GUI or SSH

Step 2 : InServ searches local user entries first. Upon mismatch, configured LDAP Server is checked

Step 3 : LDAP Server authenticates user.

Step 4 : InServ requests User’s Group information

Step 5 : LDAP Server provides LDAP Group information for user

Step 6 : InServ authorizes user for privilege level based on User’s group-to-role mapping.
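
The six steps above as a small Python model of the decision order: local entries first, then LDAP authentication, then authorization by group. This is an added example, not InForm OS code and not part of the original slides; all user, group and function names are hypothetical. It assumes that “mismatch” means no local entry with that user name exists, and that the first mapped group wins.

```python
# Added illustration of the six-step login flow; not InForm OS code.
import hashlib
import hmac

def digest(password):
    # Stand-in for a real salted password hash, to keep the sketch short.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample data; every name below is hypothetical.
LOCAL_USERS = {"localadmin": (digest("local-pw"), ("all", "super")),
               "carol": (digest("carol-local"), ("DomainA", "browse"))}
LDAP_USERS = {"alice": (digest("alice-pw"), ["storage-dev"]),
              "bob": (digest("bob-pw"), ["finance"]),
              "carol": (digest("carol-ldap"), ["storage-admins"])}
# Group-to-role mapping as (group, (domain, privilege)); first match wins
# (assumption of this sketch).
GROUP_TO_ROLE = [("storage-admins", ("all", "super")),
                 ("storage-dev", ("DomainA", "edit"))]

def login(username, password):
    """Return (source, (domain, privilege)) on success, None on denial."""
    supplied = digest(password)
    # Step 2: local user entries are searched first. Assumption: a local
    # entry with this name is final, so LDAP is never asked for that user.
    if username in LOCAL_USERS:
        stored, role = LOCAL_USERS[username]
        return ("local", role) if hmac.compare_digest(stored, supplied) else None
    # Step 3: no local entry, so the LDAP server authenticates the user.
    entry = LDAP_USERS.get(username)
    if entry is None or not hmac.compare_digest(entry[0], supplied):
        return None
    # Steps 4-5: request and receive the user's group information.
    groups = entry[1]
    # Step 6: authorize through the group-to-role mapping.
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return ("ldap", role)
    return None  # authenticated, but no mapped group: no privilege level
```

Two cases are worth checking when reviewing such a setup: a directory user who authenticates but belongs to no mapped group ends up with no privilege level, and, under the assumption above, a local account shadows a directory account of the same name.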