
InfiniBox user management

The InfiniBox management interface consists of a REST API, a GUI, and a CLI. To prevent unauthorized access to the system's configuration and monitoring capabilities, access to these interfaces is restricted to users who have a valid role in InfiniBox and who successfully authenticate with a username and password.

InfiniBox supports multiple types of user repositories that can be used for user authentication and access rights resolution. InfiniBox supports using multiple user repositories concurrently with the ability to define credential resolution across the repositories.

Administrative user repository types

  • Local users - User repository defined and managed within the InfiniBox system itself
  • Active Directory (AD) - Microsoft Active Directory of a specific domain (representing multiple AD servers)
  • OpenLDAP - Open LDAP repository stored on an OpenLDAP server

Limits

  • Maximum number of local users in the system: 50
  • Maximum number of external user repositories: 10
  • Maximum number of servers within an OpenLDAP repository: 3

Role-Based Access Control 

InfiniBox role-based access control (RBAC) assigns authenticated users to predefined roles. The access rights of each role are pre-configured, so that user actions are predictable. InfiniBox supports five role types. Each user must have exactly one assigned role.

Available user roles

READ_ONLY

A read-only user can only make queries for information. This role is sufficient for carrying out monitoring tasks, and viewing the system health, events, capacity utilization, etc. Users with this role cannot make any changes to the system. 

InfiniDoors can optionally have an installed Touchscreen. The Touchscreen displays system performance information and capacity gauges.

The Touchscreen is installed with a predefined local user with the following attributes:

  • Role: READ_ONLY
  • Username: tablet
  • Password: auto-generated, non-trivial and unique for each InfiniBox system

The tablet user can be disabled (or deleted), similar to any other local user.

For more information, see InfiniDoor Touchscreen.

TECHNICIAN

The technician role is typically assigned to Infinidat technicians who take care of InfiniBox hardware on the customer premises. The technician role has permissions similar to the read-only user, with additional access to the hardware-related API, CLI, and GUI commands.

The status of the InfiniBox system's physical components is visible to all user roles (admin, pool admin, read-only). However, only the technician has access to the commands that are required for hardware maintenance, for example deactivating a faulty drive and activating the replacement drive.

  • The technician account cannot be changed by the Admin user, including the account password
  • The technician account can be disabled by the Admin user
  • Administrators govern access to the technician account by enabling/disabling it, and by controlling the support console

POOL_ADMIN

The pool admin has admin rights for specific pools. Within the pool (or pools), the pool admin can provision datasets, map them to hosts, and take snapshots. The pool admin cannot create new pools nor change the definitions of existing pools.

Pool admins have read-only permissions outside their pools.

ADMIN

The admin (system administrator) role has permissions for all InfiniBox software functionality, including network administration, provisioning pools and entities, and creating other users. For creating other users, see below.

Create a user with this user role for Host products and Snap Rotator.

INFINIDAT

The Infinidat role is specifically for Infinidat level 3 support engineers. This account is used solely for the purpose of supporting customers. The Infinidat user has the combined permissions of the Admin and Technician users, with additional access to internal commands.  

  • The Infinidat account, including the account password, cannot be changed by the Admin user.
  • The Infinidat account can be disabled by the Admin user.
  • Admins govern access to the Infinidat account by enabling/disabling it, and by controlling the support console.

Predefined users

The following predefined user accounts can be changed by the Admin user:

  • infinidat - this user is assigned the Infinidat role
  • technician - this user is assigned the Technician role
  • tablet - this user is assigned the Read-Only role

These accounts can be enabled/disabled by the Admin user. The tablet user account can be deleted if it is not needed.

The passwords for the infinidat and technician predefined accounts are not owned and cannot be changed by the customer.

InfiniBox functionality for user roles

(✓ = permitted, Χ = not permitted)

InfiniBox functionality                                                      Admin   Pool Admin   Read Only   Technician
Pool administration                                                          ✓       Χ            Χ           Χ
Provisioning volumes, filesystems, consistency groups, and their snapshots   ✓       ✓            Χ           Χ
Exporting a filesystem                                                       ✓       ✓            Χ           Χ
Assigning pools and volumes to a QoS policy                                  ✓       Χ            Χ           Χ
Host and cluster management                                                  ✓       ✓            Χ           Χ
Event rules administration                                                   ✓       Χ            Χ           Χ
Provisioning a replica                                                       ✓       ✓            Χ           Χ
Network management                                                           ✓       Χ            Χ           Χ
Hardware operations                                                          Χ       Χ            Χ           ✓
User management                                                              ✓       Χ            Χ           Χ

User repositories

Local users

InfiniBox provides you with a set of out-of-the-box local users. On top of these out-of-the-box users, you can define more local users. Each local user must have one of the available user roles.

Setting user names and passwords

User names and passwords are case-sensitive.

User names must conform to the following guidelines:

  • A combination of 1 to 65 Latin characters, numbers, spaces, and the following symbols: "^&'@()[]$=!-#{}%.+~_" (excluding quotation marks)
  • Leading and trailing whitespace characters are stripped

Passwords must conform to the following guidelines:

  • A combination of 1 to 50 ASCII characters, with no restriction on lowercase/uppercase/digits/special characters
  • Leading and trailing whitespace characters are not stripped
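The following validator is an added example that encodes the two sets of guidelines above as code; it is not InfiniBox's own implementation. It assumes that "Latin characters" means the ASCII letters A-Z and a-z, and it applies the asymmetry the guidelines describe: a user name is stripped of leading and trailing whitespace before it is checked, whereas a password is taken exactly as typed.

```python
import string

# Symbols permitted in a user name in addition to letters, digits and spaces,
# as listed in the guidelines (the quotation marks around the list are not part of the set).
USERNAME_SYMBOLS = "^&'@()[]$=!-#{}%.+~_"
# Assumption of this example: "Latin characters" means the ASCII letters A-Z and a-z.
USERNAME_ALPHABET = frozenset(string.ascii_letters + string.digits + " " + USERNAME_SYMBOLS)
USERNAME_MAX_LEN = 65
PASSWORD_MAX_LEN = 50


def validate_username(name: str) -> str:
    """Return the user name in the form it would be stored, or raise ValueError.

    Leading and trailing whitespace is stripped BEFORE the length and character checks.
    """
    candidate = name.strip()
    if not 1 <= len(candidate) <= USERNAME_MAX_LEN:
        raise ValueError(
            f"user name must be 1 to {USERNAME_MAX_LEN} characters after stripping, "
            f"got {len(candidate)}"
        )
    bad = sorted({c for c in candidate if c not in USERNAME_ALPHABET})
    if bad:
        raise ValueError("user name contains disallowed characters: " + "".join(bad))
    return candidate


def validate_password(password: str) -> str:
    """Return the password unchanged, or raise ValueError.

    Whitespace is NOT stripped: '  pw' and 'pw' are two different passwords.
    """
    if not 1 <= len(password) <= PASSWORD_MAX_LEN:
        raise ValueError(
            f"password must be 1 to {PASSWORD_MAX_LEN} characters, got {len(password)}"
        )
    if any(ord(c) > 127 for c in password):
        raise ValueError("password must contain only ASCII characters")
    return password


def is_valid_username(name: str) -> bool:
    try:
        validate_username(name)
        return True
    except ValueError:
        return False


def is_valid_password(password: str) -> bool:
    try:
        validate_password(password)
        return True
    except ValueError:
        return False


def credentials_match(stored_name: str, stored_password: str,
                      given_name: str, given_password: str) -> bool:
    """Case-sensitive comparison, after normalizing the given user name the same way
    the stored one was normalized. A real system compares against a password hash,
    not a clear-text password; the clear-text form here only keeps the example short."""
    if not (is_valid_username(given_name) and is_valid_password(given_password)):
        return False
    return validate_username(given_name) == stored_name and given_password == stored_password


if __name__ == "__main__":
    for sample in ["  alice.ops  ", 'bob"smith', "a" * 66, "ops-team [east] #2"]:
        print(repr(sample), "->", "valid" if is_valid_username(sample) else "rejected")
```

Note that the whitespace rule means a user who types a trailing space after the user name still logs in, while a trailing space after the password makes the password wrong.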

Role management in external user repositories

Unlike the local user repository, external repository role assignment is done at the group level. This means that each group from AD or the OpenLDAP repository can be assigned one of the access roles. All users belonging to a group are granted the role of the group.

Defining an Active Directory domain as user repository

You can define an Active Directory domain repository as a user repository in InfiniBox. For detailed instructions, see Defining an Active Directory for InfiniBox Management.

The following information is required:

  • AD Domain name
  • Repository Name
  • Whether to use LDAPS
  • Bind username and password
  • Groups (optional) - to allow members of specific repository user groups to access InfiniBox, provide the following attributes of these groups:

InfiniBox dynamically discovers all AD domain controllers by issuing a DNS query to the provided AD domain. InfiniBox then tries to use the fastest responding domain controller for its AD queries.

Defining OpenLDAP server as user repository 

You can define an LDAP server as a user repository in InfiniBox. For detailed instructions, see Defining an OpenLDAP server for InfiniBox Management.

The following information is required:

  • Repository Name
  • OpenLDAP Server(s) IP/hostname
  • Whether to use LDAPS
  • Port
  • Bind username and password
  • Groups (optional) - to allow members of specific repository user groups to access InfiniBox, provide the following attributes of these groups:

For resiliency, it is highly recommended to define multiple OpenLDAP servers that manage the same user repository. If one of the OpenLDAP servers becomes unavailable, InfiniBox can transparently failover to use a different one.

Authentication methods

InfiniBox authenticates local users by comparing the username and password that the user provides during the InfiniBox login to the credentials that are stored on the InfiniBox.

An LDAP / Active Directory user does not authenticate directly to InfiniBox. The user authenticates to LDAP / Active Directory, and the LDAP / Active Directory group is defined in InfiniBox as a user group. User management is done in the user repository.

For a broader discussion, see: InfiniBox Security Guide.

User authentication and role resolution process

When a user logs into InfiniBox and provides their username and password, the user credentials are resolved in the following order:

  1. InfiniBox checks whether the username belongs to a local user. If it does, InfiniBox checks whether the password matches. If it does, the login succeeds.
  2. If the username does not belong to a local user, InfiniBox looks for it in the AD and LDAP user repositories defined in InfiniBox. If the username belongs to an AD or LDAP repository, and the user is a member of a group that is allowed to log into InfiniBox, the login succeeds.
    1. The role assigned to the user is the role that the user's repository group is mapped to.
    2. If the username appears in more than one repository, it is resolved according to the repository that ranks first in the order of resolution list. The order of resolution is configurable.

The login fails in the following cases:

  • The username does not belong to any local user, nor to any AD or LDAP repository defined in InfiniBox.
  • The username belongs to an AD or LDAP repository that is defined in InfiniBox, but the user is not a member of a group that is allowed to work with InfiniBox.
  • The username is listed as a local user, or it belongs to the correct group, but the provided password is incorrect.
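The resolution order and the failure cases above, written out as an added example that is not InfiniBox's own code. The local user table, the two external repositories and their group-to-role mappings are constructed sample data; the directory lookups stand in for the bind and group query against AD or OpenLDAP. One detail the page does not settle is a user who is a member of several allowed groups; this example assumes the first group in the repository's configured list wins, and says so in a comment.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    name: str
    password: str          # constructed sample; a real system stores only a password hash
    role: str
    enabled: bool = True   # predefined accounts such as technician can be disabled by the Admin


@dataclass
class ExternalRepository:
    """Simplified model of one AD domain or OpenLDAP repository defined in InfiniBox."""
    name: str
    directory: dict        # username -> (password, [group, ...]); stands in for bind + group lookup
    group_roles: dict      # repository group -> InfiniBox role; only these groups may log in


@dataclass
class LoginResult:
    success: bool
    role: Optional[str] = None
    source: Optional[str] = None
    reason: str = ""


def resolve_login(username, password, local_users, repositories):
    """Resolve credentials in the documented order: local users first, then the
    external repositories in their configured order of resolution."""
    local = local_users.get(username)
    if local is not None:
        # A local username never falls through to the repositories, even on a wrong password.
        if local.enabled and local.password == password:
            return LoginResult(True, local.role, "local")
        return LoginResult(False, source="local", reason="wrong password or account disabled")

    for repo in repositories:
        entry = repo.directory.get(username)
        if entry is None:
            continue   # unknown in this repository, try the next one in the order of resolution
        stored_password, groups = entry
        # The first repository that knows the username decides the outcome.
        allowed = [g for g in repo.group_roles if g in groups]   # in configured group order
        if not allowed:
            return LoginResult(False, source=repo.name, reason="not a member of an allowed group")
        if stored_password != password:
            return LoginResult(False, source=repo.name, reason="wrong password")
        # Assumption of this example: several allowed groups -> role of the first configured group.
        return LoginResult(True, repo.group_roles[allowed[0]], repo.name)

    return LoginResult(False, reason="username not found in any local or external repository")


def sample_config():
    """Constructed sample data, not taken from any real system."""
    local_users = {
        "admin": LocalUser("admin", "local-admin-pw", "ADMIN"),
        "tablet": LocalUser("tablet", "generated-tablet-pw", "READ_ONLY"),
        "technician": LocalUser("technician", "vendor-owned-pw", "TECHNICIAN", enabled=False),
    }
    corp_ad = ExternalRepository(
        name="corp-ad",
        directory={
            "alice": ("alice-ad-pw", ["infinibox-admins", "domain-users"]),
            "carol": ("carol-ad-pw", ["hr", "domain-users"]),
        },
        group_roles={"infinibox-admins": "ADMIN", "infinibox-readers": "READ_ONLY"},
    )
    lab_ldap = ExternalRepository(
        name="lab-ldap",
        directory={
            "alice": ("alice-ldap-pw", ["viewers"]),
            "dave": ("dave-ldap-pw", ["storage-ops"]),
            "tablet": ("ldap-tablet-pw", ["viewers"]),
        },
        group_roles={"storage-ops": "POOL_ADMIN", "viewers": "READ_ONLY"},
    )
    return local_users, [corp_ad, lab_ldap]   # list order = order of resolution


if __name__ == "__main__":
    users, repos = sample_config()
    for u, p in [("admin", "local-admin-pw"), ("alice", "alice-ad-pw"), ("carol", "carol-ad-pw"),
                 ("tablet", "ldap-tablet-pw"), ("technician", "vendor-owned-pw"), ("nobody", "x")]:
        print(u, resolve_login(u, p, users, repos))
```

Two consequences of the order are worth seeing in the output: a local user name shadows an identically named directory account (the LDAP "tablet" entry is never consulted), and when "alice" exists in both repositories her role comes from whichever repository ranks first, so reordering the repositories changes her effective permissions.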

Authentication and Role resolution diagram


Last edited: 2022-01-31 10:52:26 UTC
