Symptoms

Introduction In OneFS 7.0 and later, there are two SmartLock operation modes available to the cluster, SmartLock compliance mode and SmartLock enterprise mode. SmartLock enterprise mode is the default SmartLock operation mode. SmartLock Compliance Mode protects data in compliance with the regulations defined by U.S. Securities and Exchange Commission (SEC) rule 17a-4.SmartLock Enterprise Mode creates Write-Once Read-Many (WORM) directories on the cluster. This WORM implementation does not meet the requirements of SEC rule 17a-4. SmartLock enterprise mode is used to protect files from accidental modification or deletion but not required by law to do so. This implementation is the same implementation that was available in versions of OneFS prior to 7.0.

Cause

Details The SmartLock operation mode (either compliance mode or enterprise mode) must be set during the initial cluster configuration process. If the cluster is not set to compliance mode, the cluster is automatically set to SmartLock enterprise mode. See Tips for configuring the SmartLock compliance mode below.Once a cluster is set to compliance mode, it cannot be changed to enterprise mode.All clusters that are upgraded from a OneFS version earlier than 7.0 are automatically set to enterprise mode and cannot be changed to compliance mode.In order to set the cluster to SmartLock compliance mode, a SmartLock license is required and must be applied during initial cluster setup.Once a cluster is set to SmartLock compliance mode, the root user account cannot be used to log in to the cluster. A compliance administrator account that is configured during initial cluster configuration must be used. If logged in through the compliance administrator account, administrative tasks can be performed using the sudo program. Many of the commands that require root privileges are still available to the compliance administrator but must be prefaced with sudo. To see the list of commands available to the compliance administrator, open an SSH connection and run the following command from the command prompt: more /usr/local/etc/sudoers Commands specific to the Isilon cluster are contained within ## BEGIN ISILON and ##END ISILON tags. For example: ## BEGIN ISILON # Add admin to sudoers list for SmartLock Compliance. User_Alias ADMINS = compadmin ## END ISILON If a SmartLock license is removed from a cluster that is running in SmartLock compliance mode, root access to the cluster is not restored.Once in SmartLock compliance mode, SmartLock compliance directories can be created with specific WORM retention periods. A file can be committed to a WORM state either manually or automatically by the cluster. A file that has been committed to a WORM state in a compliance directory cannot be modified or deleted before the specified retention period has expired. Committed files cannot be deleted, even by the compliance administrator account. The privileged delete feature is not available in SmartLock compliance mode.

Resolution

Tips for configuring SmartLock compliance mode There are a few extra steps that must be performed when configuring clusters and nodes for SmartLock compliance mode. (For more information, see the appropriate node Installation and Setup Guide.) Create a new cluster in SmartLock compliance mode. When the configuration Wizard appears, press 4 to reboot into SmartLock Compliance mode, as shown in this example: Select an option: [ 1] Create a new cluster [ 2] Join an existing cluster [ 3] Exit wizard and configure manually [ 4] Reboot into SmartLock Compliance modeWizard >>> 4** WARNING ***Root access to this node will be disabled! Are you sure you want to make this node a SmartLock Compliance node? (yes/no): [no] >>> yes Type Yes To confirm disabling root access. The node restarts and returns to the same set of steps.Press 1 to create a new cluster.Follow the prompts to configure the cluster. When prompted, enter your license key for the SmartLock license.Add a node to an existing SmartLock compliance cluster.When the configuration Wizard first appears, press 4 to reboot into SmartLock Compliance mode (see example above).Type Yes to confirm disabling root access (see example above). The node restarts and returns to the same set of steps.Press 2 to join an existing cluster.Follow the prompts to configure the node.

Support Cases