To operate and set up the VSP One SDS Block storage cluster, you must register with VSP One SDS Block as a user.
For example, in REST APIs, you must specify your user ID and password, Base64-encoded as "<user-ID>:<password>", in the Authorization header of the request.
In the case of the CLI, specify the user ID in the --user option and enter your password interactively.
(Bare metal)(Cloud) In the console interface, enter your user ID and password interactively.
Built-in user groups and built-in user
Six user groups (built-in user groups), such as SecurityAdministrators and ServiceAdministrators, are pre-registered in VSP One SDS Block. admin is registered as the built-in user.
| Item | Description |
|---|---|
| User ID | admin |
| User object ID | admin |
| Password | hsds-admin (you will be requested to change the password when you first log in to the system) |
| User group ID to which the user belongs | SystemAdministrators |
| Object ID of the user group to which the user belongs | SystemAdministrators |
The following figure illustrates the initial states of users and user groups. More than one role defining an operation privilege (Storage, Service, Security, etc.) is set for each user group.
A built-in user group cannot be deleted, and the roles set for it cannot be changed. A built-in user cannot be deleted either.
(Bare metal)(Cloud) Built-in users can use the console interface.
States after setup is completed
After setup is completed, a user required for system operation is created each for SecurityAdministrators and ServiceAdministrators groups. For the user ID, user object ID, and password of each created user, ask the administrator who created these users. Then, change the password as required.
Also, the admin user is disabled after setup is completed. You can enable it if required.
Creating users and user groups
A user's operation privilege is determined by the roles set for the user group to which the user belongs. For example, only a user who belongs to a user group having the Security role can create users.
Also, when the multi-tenancy function is used, it is possible to limit the targets that a user can operate by a scope that is set to the user group to which the user belongs. For details about a scope, see Configuring multi-tenancy (Virtual machine)(Bare metal) in this manual.
The only operation a newly created user can perform initially is changing the password. After changing the password, the user can perform any operation allowed for the given roles. Note that the password of a user created during setup has already been changed.
A user can be registered for more than one user group.
You can create new user groups.
Roles and available operations
The following table lists the roles and available operations. Create users according to the system operation guidelines.
When multi-tenancy configuration is used, roles for VPS administrators (VpsSecurity, VpsStorage, or VpsMonitor) are provided in addition to the roles shown in the table further on in this section. For details about multi-tenancy configuration, see Configuring multi-tenancy (Virtual machine)(Bare metal) in this manual.
Be careful not to lose the password of the valid user having the Security role. If the passwords of all valid users having the Security role are lost, account management and other operations required for system operation cannot be performed.
| Role | Available operations |
|---|---|
| Security | Audit log file creation and downloading, CHAP authentication, user management, acquisition of session information, event log setting, audit log setting, external authentication server linking, whitelist setting, server certificate importing, setting of a message to be displayed in the VSP One SDS Block Administrator login window and in CLI basic authentication, authentication setting for the compute port for the target operation, and encryption management |
| Storage | License management, volume management, snapshot management, compute node management, compute node initiator information and path information registration and deletion, volume and compute node connection and disconnection, compute port setting, storage pool capacity expansion, storage node capacity management, drive management, performance and capacity information acquisition, drive data relocation suspension and resumption, etc. |
| RemoteCopy | Remote copy management (remote path, group journal, and remote copy pair by Command Control Interface (CCI)) |
| Monitor | Performance and capacity information acquisition, storage node capacity management information acquisition, license information acquisition, etc. |
| Audit | Audit log file creation and downloading (to log in to the VSP One SDS Block Administrator, roles other than Audit are required) |
| Service | Storage node management (maintenance, addition, removal, etc.), storage cluster stop, storage software update, etc. |
| Resource | VPS creation, editing, and deletion. For users with the Resource role to use the VSP One SDS Block Administrator, it is recommended to also allocate the Monitor role; this allows reference within the range that is allowed for the Resource role. |
- No role-based execution restriction is applied to the following operations:
  - Verifying, creating, and deleting your own session
  - Obtaining a message to be displayed in the VSP One SDS Block Administrator login window and in the warning banner during CLI basic authentication
  - Obtaining versions of APIs
  - Obtaining information about individual jobs
  - Obtaining information about the storage cluster master (primary)
  - Network settings for the storage cluster
  - Obtaining your own user information
  - Changing your own password
- A user who has the Security, Storage, RemoteCopy, Monitor, Service, or Resource role can perform the following operations:
  - Obtaining storage pool information
  - Obtaining information about drives
  - Obtaining storage node network settings
  - Obtaining remote iSCSI port information
  - Obtaining remote path group information
- A user who has the Storage, RemoteCopy, Monitor, or Resource role can perform the following operation:
  - Obtaining license information
- A user who has the Security, Storage, RemoteCopy, Monitor, Service, Audit, or Resource role can perform the following operations:
  - Obtaining the health status
  - Obtaining information about protection domains
  - Obtaining information about storage clusters
  - Obtaining information about storage nodes
  - Obtaining information about fault domains
  - Obtaining information about control ports and internode ports
  - Obtaining time settings of storage clusters
- A user who has the Security, Storage, RemoteCopy, Monitor, Service, Resource, VpsSecurity, VpsStorage, or VpsMonitor role can perform the following operations:
  - Obtaining volume information
  - Obtaining S-VOL and P-VOL information
  - Obtaining compute node information
  - Obtaining compute node initiator information
  - Obtaining compute node path information
  - Obtaining volumes and compute node connection information
- A user who has the Security, Storage, Monitor, Service, Resource, VpsStorage, or VpsMonitor role can perform the following operation:
  - Obtaining compute port information
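The role lists above describe an "any one of these roles permits the operation" check, layered on three further rules from this section: a user's privileges are the union of the roles of the user groups the user belongs to (at most 8 groups), a newly created user may only change the password until that is done, and operations without a role restriction are open to any enabled user. The following added example (not code from the product; group-to-role assignments, operation names and the 32/8 limits are constructed from the page) implements such a check so an administrator can reason about an account before granting it:

```python
"""Role-based authorization check modelled on the role/operation lists above.

Constructed example. Operation names and the sample user groups are assumptions;
the role sets per operation are transcribed from the lists in this section.
"""
from dataclasses import dataclass, field

MAX_GROUPS_PER_USER = 8  # system requirement stated on the page

# Operations to which no role-based execution restriction applies.
UNRESTRICTED_OPERATIONS = frozenset({
    "get_own_session", "create_own_session", "delete_own_session",
    "get_login_message", "get_api_versions", "get_job",
    "get_cluster_master", "get_own_user", "change_own_password",
})

BASE_ROLES = frozenset({"Security", "Storage", "RemoteCopy", "Monitor", "Service", "Resource"})
VPS_ROLES = frozenset({"VpsSecurity", "VpsStorage", "VpsMonitor"})

# Operation -> roles, any ONE of which permits the operation.
REQUIRED_ROLES = {
    "get_storage_pools": BASE_ROLES,
    "get_drives": BASE_ROLES,
    "get_license": frozenset({"Storage", "RemoteCopy", "Monitor", "Resource"}),
    "get_health_status": BASE_ROLES | {"Audit"},
    "get_storage_nodes": BASE_ROLES | {"Audit"},
    "get_volumes": BASE_ROLES | VPS_ROLES,
    "get_compute_nodes": BASE_ROLES | VPS_ROLES,
    "get_compute_ports": (BASE_ROLES - {"RemoteCopy"}) | {"VpsStorage", "VpsMonitor"},
    "create_user": frozenset({"Security"}),            # "only a user ... having the Security role can create users"
    "download_audit_log": frozenset({"Security", "Audit"}),
}


@dataclass
class UserGroup:
    group_id: str
    roles: frozenset


@dataclass
class User:
    user_id: str
    group_ids: list = field(default_factory=list)
    is_enabled: bool = True
    password_reset_pending: bool = True   # a newly created user may only change the password


class Directory:
    """Holds user groups and answers 'may this user run this operation?'."""

    def __init__(self, groups):
        self.groups = {g.group_id: g for g in groups}

    def add_user_to_group(self, user: User, group_id: str) -> None:
        if group_id not in self.groups:
            raise KeyError(f"unknown user group {group_id!r}")
        if group_id in user.group_ids:
            return
        if len(user.group_ids) >= MAX_GROUPS_PER_USER:
            raise ValueError(f"a user can belong to at most {MAX_GROUPS_PER_USER} user groups")
        user.group_ids.append(group_id)

    def effective_roles(self, user: User) -> frozenset:
        # Privileges come from the roles of every group the user belongs to.
        return frozenset().union(*(self.groups[g].roles for g in user.group_ids))

    def is_permitted(self, user: User, operation: str) -> bool:
        if not user.is_enabled:
            return False
        if user.password_reset_pending:
            return operation == "change_own_password"
        if operation in UNRESTRICTED_OPERATIONS:
            return True
        required = REQUIRED_ROLES.get(operation)
        if required is None:          # unknown operation: deny by default
            return False
        return bool(self.effective_roles(user) & required)
```

Unknown operations are denied rather than allowed, so a typo in an operation name fails closed; and `password_reset_pending` is checked before anything else, matching the page's statement that the initial password change is the only operation a new user can perform.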
Basic authentication, session authentication, and ticket authentication
To perform a storage cluster operation through a REST API, for example, send a request to VSP One SDS Block with credentials specified in the Authorization header of the request.
VSP One SDS Block supports three authentication methods: basic authentication, session authentication, and ticket authentication.
In basic authentication, a user ID and a password are used as the credentials, and authentication is performed for each request.
In session authentication, a token is used as the credential, and authentication can be omitted for a period of time. This makes session authentication useful for application-based automatic operations. A token is obtained by running the REST API or CLI command that generates a session. For how to generate a token, see Generating a session.
Ticket authentication is an alternative method used when basic authentication and session authentication cannot be performed due to a storage node stoppage or a failure.
When performing ticket authentication, specify the ticket together with the user name and password that were used when the ticket was issued. See Authentication scheme in the VSP One SDS Block REST API Reference and Master command options in the VSP One SDS Block CLI Reference for how to specify the ticket, user name, and password.
See Managing authentication tickets for how to issue and discard authentication tickets.
If authentication with an authentication ticket is not possible, verify the following:
- Whether the user name and password are the same as those used when the authentication ticket was issued.
- Whether the authentication ticket has expired.
- Whether the user who issued the authentication ticket had the role required for each operation to be performed by using the authentication ticket.
- Whether the authentication ticket was issued by another storage cluster.
- Whether the authentication ticket was discarded after being issued.
If the authentication ticket has been discarded, issue an authentication ticket again. If an authentication ticket cannot be re-issued (due to storage cluster stoppage or other reason), contact customer support.
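The five checks above are exactly what a verifier of an authentication ticket has to perform, so running them in that order against a ticket record localises why ticket authentication failed. The following added example (not the product's own ticket format or code; the ticket fields, the salted hash and the discard list are assumptions) issues a constructed ticket and reports every check that fails:

```python
"""Diagnose why authentication with a ticket fails, following the checklist above.

Constructed example: the ticket record layout, the salted PBKDF2 digest and the
discard list are assumptions, not the product's ticket implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 20_000   # kept low for the example; use a much higher count in practice


@dataclass(frozen=True)
class AuthTicket:
    ticket_id: str
    cluster_id: str          # storage cluster that issued the ticket
    user_id: str             # user who issued it
    salt: bytes
    password_digest: bytes   # salted digest of the password given at issue time
    roles: frozenset         # roles the issuing user had at issue time
    expires_at: float        # epoch seconds


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def issue_ticket(cluster_id, user_id, password, roles, now, ttl_seconds) -> AuthTicket:
    """Bind the ticket to the cluster, the user, the password and the roles at issue time."""
    salt = secrets.token_bytes(16)
    return AuthTicket(secrets.token_hex(8), cluster_id, user_id, salt,
                      _digest(salt, password), frozenset(roles), now + ttl_seconds)


def diagnose_ticket(ticket, cluster_id, user_id, password, required_roles, now, discarded_ids) -> list:
    """Return short codes for every failing check, in the order the page lists them.

    An empty list means the ticket would be accepted for the operation.
    """
    problems = []
    # 1. Same user name and password as when the ticket was issued?
    if user_id != ticket.user_id or not hmac.compare_digest(
            _digest(ticket.salt, password), ticket.password_digest):
        problems.append("credentials")
    # 2. Expired?
    if now >= ticket.expires_at:
        problems.append("expired")
    # 3. Did the issuing user hold a role required for this operation?
    if not ticket.roles & frozenset(required_roles):
        problems.append("role")
    # 4. Issued by another storage cluster?
    if ticket.cluster_id != cluster_id:
        problems.append("cluster")
    # 5. Discarded after issue?
    if ticket.ticket_id in discarded_ids:
        problems.append("discarded")
    return problems
```

All five checks always run, rather than stopping at the first failure, so the caller sees the complete list (for example, a ticket that is both expired and discarded), which is what decides between re-issuing a ticket and contacting support.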
Upper limit of generated sessions and deleting them
The number of sessions that can be generated is limited. If this limit is exceeded, commands become unavailable. When the multi-tenancy function is not used, the upper limit of the number of sessions that can be generated is 64. When the multi-tenancy function is used, the upper limit of the number of sessions that can be generated is 64 for users that do not belong to a VPS, and 436 for users that belong to a VPS.
If this upper limit is already reached when requesting authentication, 503 Service Unavailable is returned.
A session is deleted manually by the user, or automatically when the token expires or the session times out. The session of a user is also deleted when the user is edited or deleted, the password is changed, the user is removed from a user group, or a group to which the user belongs is edited.
After a session is deleted, the user must create a new session before continuing.
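The two sections above (basic versus session authentication, and the session upper limit) describe a client-side lifecycle: build the Base64 "<user-ID>:<password>" credential, exchange it once for a token, reuse the token, delete the session when finished, and treat 503 as "session limit reached" rather than a bad credential. The following added example (not the product's client or API; the "Session" Authorization scheme, the in-memory FakeCluster stand-in and the token format are assumptions constructed so it runs offline) shows that lifecycle, including the rule that a password change deletes the user's sessions:

```python
"""Basic and session authentication lifecycle against an offline stand-in cluster.

Constructed example. basic_auth_header follows the page's "<user-ID>:<password>"
Base64 rule; the "Session <token>" scheme and FakeCluster are assumptions.
"""
import base64
from dataclasses import dataclass, field
from typing import Optional, Tuple

SESSION_LIMIT = 64   # upper limit of sessions when the multi-tenancy function is not used


def basic_auth_header(user_id: str, password: str) -> dict:
    """Authorization header for basic authentication: Base64 of "<user-ID>:<password>"."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Inverse of basic_auth_header; None if the value is not a well-formed Basic credential."""
    if not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
        user_id, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return user_id, password


def session_auth_header(token: str) -> dict:
    # The "Session" scheme name is an assumption, not taken from the product reference.
    return {"Authorization": f"Session {token}"}


@dataclass
class FakeCluster:
    """Constructed offline stand-in for the cluster's session endpoint."""
    users: dict                                    # user_id -> password (plain text only because this is a stub)
    limit: int = SESSION_LIMIT
    sessions: dict = field(default_factory=dict)   # token -> user_id
    issued: int = 0

    def create_session(self, headers: dict) -> Tuple[int, Optional[str]]:
        creds = decode_basic_auth(headers.get("Authorization", ""))
        if creds is None or self.users.get(creds[0]) != creds[1]:
            return 401, None
        if len(self.sessions) >= self.limit:
            return 503, None                       # "503 Service Unavailable" once the limit is reached
        self.issued += 1
        token = f"tok-{self.issued}"
        self.sessions[token] = creds[0]
        return 201, token

    def delete_session(self, headers: dict) -> int:
        token = headers.get("Authorization", "").removeprefix("Session ")
        return 204 if self.sessions.pop(token, None) else 401

    def change_password(self, user_id: str, new_password: str) -> None:
        # A password change deletes that user's sessions, as the page states.
        self.users[user_id] = new_password
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}


class SessionLimitReached(RuntimeError):
    """Raised on 503 so callers do not mistake the limit for a bad credential."""


class Session:
    """Context manager: authenticates once with basic auth, reuses the token, deletes it on exit."""

    def __init__(self, cluster: FakeCluster, user_id: str, password: str):
        self.cluster, self.user_id, self.password, self.token = cluster, user_id, password, None

    def __enter__(self):
        status, token = self.cluster.create_session(basic_auth_header(self.user_id, self.password))
        if status == 503:
            raise SessionLimitReached("session limit reached; delete unused sessions before retrying")
        if status != 201:
            raise PermissionError(f"authentication failed ({status})")
        self.token = token
        return self

    def headers(self) -> dict:
        return session_auth_header(self.token)

    def __exit__(self, *exc):
        self.cluster.delete_session(self.headers())   # free the slot for other users
        return False
```

Deleting the session on exit matters because the limit (64, or 64 plus 436 with multi-tenancy) is shared: an automation job that leaks sessions eventually makes every other client receive 503 until the tokens expire.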
User authentication settings and system requirements
The settings which are applied to user authentication are called user authentication settings. User authentication settings include password complexity, password expiration time, lockout, and session parameters. The setting values can be changed. See Editing user authentication settings.
The following table lists the system requirements.
| Item | Requirement | Remarks |
|---|---|---|
| Maximum number of users | 32 | Including the built-in user and the users on the external authentication server. |
| Maximum number of user groups | 32 | Including the built-in groups and the groups on the external authorization server. |
| Maximum number of user groups to which a user can belong | 8 | |
| Number of characters and character types available for a user ID | (Bare metal)(Cloud) The following restrictions apply to users who are permitted to use the console interface: | |
| Number of characters and character types available for a password | Number of characters: 1 to 256. Usable character types: numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), symbols (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { \| } ~) | The minimum password length can be set in the user authentication settings. The default setting is 8. |
| Number of characters and character types available for a user group ID | Number of characters: 1 to 64 (see note 2). Usable character types: numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), symbols (! # $ & % ' - . @ ^ _ ` { } ~) | |
Notes:
1. The maximum number of characters for a user name on the external authentication server that can be linked with VSP One SDS Block is 64.
2. The maximum number of characters for a user group name on the external authentication server that can be linked with VSP One SDS Block is 64.
About console interface users (Bare metal)(Cloud)
If you use a REST API or the CLI to perform the following operations on users who are allowed to use the console interface, the information is applied by internal processing that runs in one-minute cycles, and event log KARS20067-I is output. Therefore, it takes some time until all of the information is applied.
- Creating a user
- Editing the user information
- Deleting a user
- Changing your own password
- Adding a user to a user group
- Removing a user from a user group
- Editing the user group information
No event log is output when you perform the following operations on users who are authorized to use the console interface:
- You edited the information of a user, but the user is still disabled (isEnabled is "false").
- You edited the information of a user and enabled the user, but requiresInitialPasswordReset in the user authentication settings is true.
- You added or removed a user to or from a user group, but the user's roles did not change.
- You edited the information of a user group, but the roles of the users belonging to the user group did not change.
Using an external authentication server
When an external authentication server is linked, authentication can be performed by using the user information registered in the external authentication server. Only an OpenLDAP or Active Directory (AD) external authentication server can be linked.