InfiniBox user management

The InfiniBox management interface is exposed as a comprehensive REST API, GUI and CLI. To prevent unauthorized access to the system's configuration and monitoring capabilities, access to the API requires successful authentication: the caller must provide the username and password of a user with a valid role in InfiniBox.

InfiniBox supports multiple types of user repositories, which can be used for user authentication and access-rights resolution. Several user repositories can be used concurrently, with a configurable order in which credentials are resolved across them.

Administrative user repository types

  • Local users - User repository defined and managed within the InfiniBox system itself
  • Active Directory (AD) - Microsoft Active Directory of a specific domain (representing multiple AD servers)
  • OpenLDAP - Open LDAP repository stored on an OpenLDAP server

Limits

  • Max number of local users in the system: 50
  • Max number of external user repositories: 10
  • Max number of servers within an OpenLDAP repository: 3

Role-Based Access Control

InfiniBox role-based access control (RBAC) assigns authenticated users to predefined roles. The access rights of each role are pre-configured, so that the actions a user can take are predictable. InfiniBox supports 4 role types. Each user must have exactly one assigned role.

Available user roles

Read-only

A read-only user can only make queries for information. This role is sufficient for carrying out monitoring tasks, viewing the system health, events, capacity utilization, etc. Users with this role cannot make any changes to the system. 

Admin

The admin (system administrator) role has permission for all InfiniBox software functionality, including network administration, provisioning pools and entities, and creating other users. For creating other users, see below.

Create users with this user role for Host products and Snap Rotator.

Pool admin

The pool admin has admin rights for specific pools. Within the pool (or pools), the pool admin can provision datasets, map them to hosts, and take snapshots. The pool admin cannot create new pools nor change the definitions of existing pools.

The pool admin has read-only permissions outside their pool.

Technician

The technician role is typically assigned to INFINIDAT technicians who take care of InfiniBox hardware on the customer premises. The technician role has permissions similar to the read-only user, with additional access to hardware-related API, CLI, and GUI commands.

The status of the InfiniBox system's physical components is visible to all user roles (admin, pool admin, read-only). However, only the technician has access to the commands required for hardware maintenance (for example, deactivating a faulty drive and activating the replacement drive).

  • The Technician account cannot be changed by the Admin user.
  • The Technician account can be disabled by the Admin user.

InfiniBox functionality for user roles

InfiniBox functionality                                                   | Admin | Pool Admin | Read Only | Technician
--------------------------------------------------------------------------|-------|------------|-----------|-----------
Pool administration                                                       | Yes   | No         | No        | No
Provisioning volumes, filesystems, consistency groups and their snapshots | Yes   | Yes        | No        | No
Exporting a filesystem                                                    | Yes   | Yes        | No        | No
Assigning pools and volumes to a QoS policy                               | Yes   | No         | No        | No
Host and cluster management                                               | Yes   | Yes        | No        | No
Event rules administration                                                | Yes   | No         | No        | No
Provisioning a replica                                                    | Yes   | Yes        | No        | No
Network management                                                        | Yes   | No         | No        | No
Hardware operations                                                       | No    | No         | No        | Yes
User management                                                           | Yes   | No         | No        | No

User repositories

Local users

InfiniBox provides a set of out-of-the-box local users. In addition to these, you can define more local users. Every local user must have one of the available user roles.

Setting user names and passwords

User names and passwords are case-sensitive.

User names have to conform to the following guidelines:

  • Maximum of 65 Latin characters, numbers, spaces, and the following symbols: "^&'@()[]$=!-#{}%.+~_" (excluding quotation marks).
  • Leading and trailing whitespace characters are stripped.

Passwords have to conform to the following guidelines:

  • Any combination of 1 to 50 ASCII characters (no restriction on lowercase/uppercase/digits/special characters)
  • Leading and trailing whitespace characters are not stripped.
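The two rule sets above differ in a way that is easy to get wrong in tooling that pre-validates accounts before calling the API: usernames are stripped, passwords are not. The validators below are an added example (not InfiniBox code) that encode the guidelines as stated; they assume "Latin characters" means the ASCII letters.

```python
import string

# Symbols permitted in usernames, exactly as listed in the guidelines (quotation marks excluded).
USERNAME_SYMBOLS = "^&'@()[]$=!-#{}%.+~_"
USERNAME_MAX_LEN = 65
PASSWORD_MAX_LEN = 50

# Assumption: "Latin characters" is taken to mean ASCII letters a-z and A-Z.
_ALLOWED_USERNAME_CHARS = set(string.ascii_letters + string.digits + " " + USERNAME_SYMBOLS)


def normalize_username(name: str) -> str:
    """Usernames are stored with leading and trailing whitespace stripped (case is preserved)."""
    return name.strip()


def validate_username(name: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate username, applying the stripping rule first."""
    name = normalize_username(name)
    if not name:
        return False, "username is empty after stripping whitespace"
    if len(name) > USERNAME_MAX_LEN:
        return False, f"username longer than {USERNAME_MAX_LEN} characters"
    bad = sorted({ch for ch in name if ch not in _ALLOWED_USERNAME_CHARS})
    if bad:
        return False, "disallowed characters: " + "".join(bad)
    return True, "ok"


def validate_password(pw: str) -> tuple[bool, str]:
    """Passwords are NOT stripped: surrounding whitespace is part of the value and its length."""
    if not 1 <= len(pw) <= PASSWORD_MAX_LEN:
        return False, f"password must be 1 to {PASSWORD_MAX_LEN} characters"
    if not pw.isascii():
        return False, "password contains non-ASCII characters"
    return True, "ok"
```

Because passwords keep their whitespace, a password copied with a trailing space from a password manager is a different credential from the same string without it.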

Role management in external user repositories

Unlike the local user repository, where a role is assigned to each user, role assignment in external repositories is done at the group level: a group from the AD or OpenLDAP repository is assigned one of the access roles, and users belonging to that group are granted the group's role.

Defining an Active Directory domain as user repository

Defining an Active Directory domain as a user repository in InfiniBox requires the following information:

  • AD Domain name
  • Repository Name
  • Bind username and password
  • Whether to use LDAPS
  • Users (optional) - to limit InfiniBox access to only some of the repository users, specify these users according to these attributes:
    • User Class, Username Attribute, Users Base DN
  • Groups (optional) - to limit InfiniBox access to only some of the repository user groups, specify these groups according to these attributes:
    • Group Class, Group Name Attribute, memberof Attribute, Group Base DN

InfiniBox dynamically discovers all AD domain controllers by issuing a DNS query for the provided AD domain, and then uses the fastest-responding domain controller for its AD queries.

Defining an OpenLDAP server as user repository

Defining an OpenLDAP server as a user repository in InfiniBox requires the following information:

  • Repository Name
  • OpenLDAP server(s) IP address/hostname
  • Use SSL - select whether to use LDAPS
  • Port
  • Bind username and password
  • Users (optional) - to limit InfiniBox access to only some of the repository users, specify these users according to these attributes:
    • User Class, Username Attribute, Users Base DN
  • Groups (optional) - to limit InfiniBox access to only some of the repository user groups, specify these groups according to these attributes:
    • Group Class, Group Name Attribute, memberof Attribute, Group Base DN

For resiliency, it is highly recommended to define multiple OpenLDAP servers serving the same user repository, so that if one OpenLDAP server becomes unavailable, InfiniBox can transparently fail over to the others.

Authentication methods

InfiniBox authenticates local users by comparing the username and password provided at login with the credentials stored on the InfiniBox system.

An LDAP / Active Directory user does not authenticate directly to InfiniBox. The user authenticates against LDAP / Active Directory, and an LDAP / Active Directory group is defined as an InfiniBox user group. User management is done in the user repository.

For a broader discussion, see: InfiniBox Security Guide.

User authentication and role resolution process

When the user logs into InfiniBox and types the username and password, the username is resolved in the following order:

  1. InfiniBox checks whether the username belongs to a local user. If it does, InfiniBox checks whether the password matches, and if so the login succeeds.
  2. If the username does not belong to a local user, InfiniBox looks for it in the AD and LDAP repositories that are configured to work with InfiniBox.
    1. If the username belongs to any of the AD or LDAP repositories and is a member of a user group that is allowed to log into InfiniBox, the login succeeds.
    2. The user is assigned the role that the matching user group is mapped to.
    3. If the username appears in more than one repository, it is resolved according to the repository that ranks first in the order-of-resolution list. The order of resolution is configurable.
  3. The login fails in the following cases:
    1. The username does not belong to any local user, nor to any AD or LDAP repository.
    2. The username belongs to an AD or LDAP repository that is configured to work with InfiniBox, but is not a member of a group that is allowed to work with InfiniBox.
    3. The username is listed as a local user, or belongs to the right group, but the provided password is incorrect.
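The resolution order above is what makes the configurable repository ranking security-relevant: the same username present in two repositories gets whichever role the first-ranked repository's group mapping yields. The model below is an added example (not InfiniBox code) that walks through steps 1 to 3 over constructed sample data; it assumes that once a repository knows the username, it is authoritative for that login even when the password then fails, and it stands in for the real AD/LDAP bind with an in-memory password check.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _digest(salt: str, password: str) -> str:
    """Salted digest used only so this model never stores a local password in clear text."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class ExternalRepo:
    """Stand-in for one AD/OpenLDAP repository: the users it knows and its group-to-role mapping."""
    name: str
    users: dict        # username -> (password, {group names}); replaces the real bind check
    group_roles: dict  # group name -> InfiniBox role, e.g. "pool_admin" or "read_only"

    def bind(self, username: str, password: str) -> bool:
        return hmac.compare_digest(self.users[username][0], password)


def resolve_login(username, password, local_users, repos_in_order):
    """Return (status, role, repository) following the page's resolution order."""
    # Step 1: a local user is checked first and never falls through to external repositories.
    if username in local_users:
        salt, digest, role = local_users[username]
        if hmac.compare_digest(_digest(salt, password), digest):
            return "ok", role, "local"
        return "bad_password", None, "local"                 # failure case 3.3
    # Step 2: external repositories in the configured order of resolution. The first
    # repository that knows the username decides the outcome (step 2.3).
    for repo in repos_in_order:
        if username not in repo.users:
            continue
        groups = repo.users[username][1]
        roles = [repo.group_roles[g] for g in groups if g in repo.group_roles]
        if not roles:
            return "no_allowed_group", None, repo.name       # failure case 3.2
        if not repo.bind(username, password):
            return "bad_password", None, repo.name           # failure case 3.3
        return "ok", roles[0], repo.name                     # steps 2.1 and 2.2
    return "unknown_user", None, None                        # failure case 3.1


# Constructed sample data (not real credentials): one local admin and two external repositories
# in which "alice" exists twice with different groups.
LOCAL_USERS = {"admin": ("s1", _digest("s1", "local-pw"), "admin")}
CORP_AD = ExternalRepo("corp-ad", {"alice": ("ad-pw", {"storage-ops"}), "carol": ("ad-pw", {"hr"})},
                       {"storage-ops": "pool_admin"})
LAB_LDAP = ExternalRepo("lab-ldap", {"alice": ("ldap-pw", {"monitoring"}), "dave": ("ldap-pw", {"monitoring"})},
                        {"monitoring": "read_only"})
REPOS_IN_ORDER = [CORP_AD, LAB_LDAP]
```

Reordering REPOS_IN_ORDER to [LAB_LDAP, CORP_AD] changes alice from pool_admin to read_only, which is why changes to the order of resolution deserve the same review as role assignments.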

Authentication and Role resolution diagram
