To operate and set up the VSP One SDS Block storage cluster, you must register with VSP One SDS Block as a user.
For example, in REST APIs, you must specify your user ID and password ("<user-ID>:<password>"), encoded in Base64, in the Authorization header of the request.
In the case of the CLI, specify the user ID in the --user option and enter your password interactively.
Creating users and user groups
A user's operation privilege is determined by the roles set for the user group to which the user belongs. For example, only a user who belongs to a user group having the VpsSecurity role can create users. Ask a system administrator to create initial user groups and users that have the VpsSecurity role.
Be careful not to lose the passwords of valid users having the VpsSecurity role. If the passwords of all valid users having the VpsSecurity role are lost, ask a system administrator to change the passwords.
Initially, the only operation a newly created user can perform is to change the password. After changing the password, the user can perform any operations allowed for the given role. Ask a system administrator about password policies.
A user can be registered for more than one user group.
You can create new user groups.
Roles and available operations
The following table lists the roles and available operations. Create users according to the system operation guidelines.
| Role | Available operations |
|---|---|
| VpsSecurity | Managing users, obtaining session information |
| VpsStorage | Deleting compute node information, registering or deleting compute node initiator information, registering or deleting compute node paths, allocating volumes to compute node paths or releasing connections between volumes and compute node paths, obtaining compute port information; creating, deleting, expanding, or editing settings of volumes; obtaining, deleting, or restoring snapshots; obtaining information about volume capacity or volume performance; obtaining VPS usage status |
| VpsMonitor | Obtaining compute port information; obtaining information about volume capacity or volume performance; obtaining VPS usage status |
- No role-based execution restriction is applied to the following operations:
  - Verifying, creating, and deleting your own session
  - Obtaining a message to be displayed in the warning banner during CLI Basic authentication
  - Obtaining versions of APIs
  - Obtaining information about an individual job
  - Obtaining your own user information
  - Changing your own password
- A user who has the VpsSecurity, VpsStorage, or VpsMonitor role can perform the following operations:
  - Obtaining volume information
  - Obtaining S-VOL and P-VOL information
  - Obtaining compute node information
  - Obtaining compute node initiator information
  - Obtaining compute node path information
  - Obtaining volumes and compute node connection information
- A user who has the VpsStorage or VpsMonitor role can perform the following operation:
  - Obtaining compute port information
Basic authentication and session authentication
To perform a storage cluster operation through a REST API, for example, send an authentication request to VSP One SDS Block with credentials specified in the Authorization header of the request.
VSP One SDS Block supports two authentication methods: basic authentication and session authentication.
In basic authentication, a user ID and a password are used as credentials, and authentication is performed for each request.
In session authentication, a token is used as credentials, and authentication can be omitted for a period of time. Therefore, session authentication is useful in application-based automatic operations. A token is obtained by running a REST API or CLI for generating a session. For how to generate a token, see Generating a session. The storage system deletes sessions in some cases. For details, see Overview of session management. Specifically, for automatic operation by an application, note that you must generate a session again once the session is deleted.
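The following sketch is an added example, not code from the product documentation. It builds the Basic credential described above and wraps session authentication so that a deleted session is regenerated once and the request retried; the `Session <token>` header form, the `AuthError` signal, and the in-memory `FakeCluster` are assumptions standing in for the real REST API.

```python
import base64

class AuthError(Exception):
    """Assumed signal that the cluster rejected the credentials or token."""

def basic_header(user_id, password):
    # Base64 of "<user-ID>:<password>": an encoding, not encryption.
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

class SessionClient:
    """Sends the password only when generating a session; requests carry the token."""
    def __init__(self, user_id, password, create_session, send):
        self._basic = basic_header(user_id, password)
        self._create_session = create_session  # callable(auth_header) -> token
        self._send = send                      # callable(auth_header, operation) -> result
        self._token, self.logins = None, 0

    def _login(self):
        # A failure here propagates: retrying a bad password would count toward lockout.
        self._token = self._create_session(self._basic)
        self.logins += 1

    def call(self, operation):
        if self._token is None:
            self._login()
        try:
            return self._send("Session " + self._token, operation)  # assumed header form
        except AuthError:  # session deleted by the storage system: regenerate once
            self._login()
            return self._send("Session " + self._token, operation)

class FakeCluster:
    """Constructed in-memory stand-in for the cluster, so the example runs offline."""
    def __init__(self, user_id, password):
        self._expected = basic_header(user_id, password)
        self.valid_tokens, self.issued = set(), 0

    def create_session(self, auth_header):
        if auth_header != self._expected:
            raise AuthError("bad credentials")
        self.issued += 1
        self.valid_tokens.add(f"constructed-token-{self.issued}")
        return f"constructed-token-{self.issued}"

    def send(self, auth_header, operation):
        if auth_header.split(" ", 1)[-1] not in self.valid_tokens:
            raise AuthError("session deleted or unknown")
        return "ok:" + operation
```

In a real client, `create_session` and `send` would be the functions that issue the HTTP requests; the wrapper itself does not change.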
User authentication settings and system requirements
The settings that are applied to user authentication are called user authentication settings. User authentication settings contain password complexity, password expiration time, lockout, and session parameters. System administrators set those values and VPS administrators can obtain them. See Editing user authentication settings.
Using an external authentication server
When linkage with an external authentication server is configured by the system administrator, authentication can be performed by using the user information registered in the external authentication server.