Role Based Access Control (Appliance Mode)

This chapter on configuring RBAC Users only applies to KumoScale in Appliance mode. It does not apply to Managed mode.

Configuring RBAC Users

You may want to allow other users to access the storage nodes. To do that, configure RBAC users either locally or via an LDAP server. The local configuration contains at least one (1) user, admin_cli. You may configure additional users as members of different authentication groups (roles); each authentication group grants a different set of privileges. This step may be executed at any time.

KumoScale software allows the administrator to create separate roles for users, each with a selected set of actions the role can invoke. A role is a collection of privileges limited to a defined operational/functional area of KumoScale software. A user can invoke a storage action only if their role is authorized for that action.

KumoScale software accepts one of two credentials for authenticating each REST API command:

  • A username and password created by the administrator (admin_cli). These may be stored and authenticated locally or via an LDAP server
    (see LDAP Server Authentication).
  • A JSON Web Token (JWT), which any user may generate for their own use (see Generating a Token).

When configuring local users, the administrator may create up to thirty-two (32) users, each associated with one of the non-admin roles described under RBAC User Roles (storage, storage_expert, network or monitor). Once a user has been created, its password may be changed with the appropriate CLI or REST API command. Only a user may change their own password; the administrator can change only the admin_cli password.

Username Requirements

  • Up to sixteen (16) alphanumeric characters.
  • Must be unique.

Local usernames are not case-sensitive.

Password Requirements

Password requirements are defined by the OS password policy. Password characters are not echoed on the screen. A user who enters a password that does not meet the requirements is prompted with corrective information.

RBAC User Roles

KumoScale defines the following user roles. Each role has different privileges:

Role Name        Role Description/Privileges

Admin            The administrator of the appliance.
                   • Can execute all operations.
                   • Can create and delete users.
                   • Only a single user can function in this role.

Storage          Authorized to do storage operations.
                   • Should be knowledgeable in orchestration (e.g., Kubernetes CSI driver, Ansible playbooks).

Storage_Expert   Authorized to do storage operations with access to the extended APIs, which include creating and managing volumes and snapshots.
                   • Should be knowledgeable in orchestration (e.g., Kubernetes CSI driver, Ansible playbooks).

Network          Authorized to do network operations.
                   • This should be a network administrator.

Monitor          Authorized only to observe information.
                   • Should be knowledgeable about telemetry/monitoring servers.

If the administrator (admin_cli) password is forgotten, it can only be reset by a KIOXIA support engineer. In this case, contact your local KIOXIA support representative for assistance.

Generating a Token

Any user may generate a token for their own use, which is then supplied with each REST command (or once per CLI session). The generate-token command takes an expiration parameter (in seconds for the REST API, in hours for the CLI):

  • Default (and minimum) value: one hour.
  • Maximum: 30 days.
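As an added example, not code from the KumoScale product or its documentation, the following Python helpers show the client-side checks that follow from the two sections above: applying the documented expiration bounds (default and minimum one hour, maximum 30 days, with the CLI taking hours and the REST API seconds), reading the exp claim of a JWT to decide when to request a fresh one, and the server-side verification a token is subject to. The HS256 mint/verify routines, the secret, the claim names (sub, role, iat, exp) and the timestamps are all constructed for the example; the appliance's own token issuer is not visible to a client and may use different claims or a different algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Documented bounds for the generate-token expiration parameter (REST: seconds).
ONE_HOUR = 3600                 # default and minimum
THIRTY_DAYS = 30 * 24 * 3600    # maximum


def validate_lifetime(seconds=None):
    """Return a lifetime in seconds that obeys the documented bounds.

    None means "not supplied" and yields the one-hour default. A value
    outside [1 hour, 30 days] is rejected rather than silently clamped, so
    a caller notices a bad request before it is sent to the appliance.
    """
    if seconds is None:
        return ONE_HOUR
    if not ONE_HOUR <= seconds <= THIRTY_DAYS:
        raise ValueError(
            f"expiration {seconds}s outside allowed range "
            f"[{ONE_HOUR}, {THIRTY_DAYS}] seconds")
    return seconds


def lifetime_is_allowed(seconds):
    """Boolean form of validate_lifetime for callers that prefer no exception."""
    try:
        validate_lifetime(seconds)
        return True
    except ValueError:
        return False


def cli_hours_to_rest_seconds(hours):
    """The CLI takes hours, the REST API takes seconds: convert, then validate."""
    return validate_lifetime(hours * 3600)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, role, lifetime, secret, now=None):
    """Constructed HS256 JWT for this example (hypothetical claim set)."""
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "role": role, "iat": iat,
              "exp": iat + validate_lifetime(lifetime)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_claims(token):
    """Decode the payload WITHOUT verifying it. This is enough for a client to
    read exp and schedule a refresh; it must never be used to trust a token."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def seconds_until_expiry(token, now=None):
    """How long the token stays usable; request a new one before this hits 0."""
    now = int(time.time()) if now is None else now
    return parse_claims(token)["exp"] - now


def verify_token(token, secret, now=None):
    """Server-side check: pinned algorithm, constant-time signature compare,
    then expiry. Refusing any alg other than HS256 blocks alg=none and
    algorithm-confusion tokens before the signature is even looked at."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}"
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    return json.loads(_b64url_decode(payload_b64))["exp"] > now


if __name__ == "__main__":
    secret = b"example-only-secret"          # constructed, never reuse
    tok = mint_token("ops_storage", "storage", 7200, secret, now=1_700_000_000)
    print("expires in", seconds_until_expiry(tok, now=1_700_000_000), "s")
    print("valid now:", verify_token(tok, secret, now=1_700_003_600))
    print("valid at exp:", verify_token(tok, secret, now=1_700_007_200))
```

A client should treat the token as an opaque credential and only read exp from it; verify_token is what the receiving side does, and the appliance does that for you. The point of the bounds check is that a request for a lifetime shorter than an hour or longer than 30 days is an error in the caller, not something to round.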

LDAP Server Authentication

LDAP authentication requires configuring access to an LDAP server.

  • The add/modify/remove LDAP commands configure access to the server. KumoScale software supports integration with a single LDAP server.
  • The administrator uses the certificate-upload command to upload the LDAP server's certificate file so that a secure connection can be established (LDAP over TLS or LDAPS).
  • The set-auth-mode command switches the authentication mode to LDAP.

In LDAP mode, usernames and passwords are defined on the LDAP server; LDAP authentication applies to the REST APIs only.
