ECS 2.0 – Add users and assign roles

Introduction

This article describes the types of users supported by ECS and the roles to which they can be assigned.

It introduces the main concepts around ECS users and roles:
In addition, it shows you how you can set up an authentication provider and perform the mapping of domain users into a namespace:

Understanding users and roles in ECS

ECS defines different user types and roles to determine access to ECS management facilities and to the object store.

The main concepts relating to users and roles are described in the following topics:

Users in ECS

ECS requires two types of user: management users, who can perform administration of ECS, and object users, who access the object store to read and write objects and buckets using the supported data access protocols (S3, EMC Atmos, OpenStack Swift, and CAS).

Management users can access the ECS Portal. Object users cannot access the ECS Portal but can access the object store using clients that support the ECS data access protocols.

Management users and object users are stored in different tables and their credentials are different. Management users require a local username and password, or a link to a domain user account. Object users require a username and a secret key. Hence you can create a management user and an object user with the same name, but they are effectively different users as their credentials are different.

In addition, management and object user names can be unique across the ECS system or unique within a namespace. This is referred to as user scope and is described in User scope: global or namespace.

Details of the supported user types are provided in the following sections:

Management Users

Management users can perform the configuration and administration of the ECS system and of tenants configured in ECS.

Management users can be local users whose credentials are stored by ECS and are authenticated by ECS against the locally held credentials, or they can be domain users defined in Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and authenticated against users held in those systems. You can find out more about domain and local users in Domain and local users.

Management users are not replicated across geo-federated VDCs.

Object users

Object users are end-users of the ECS object store and access it through object clients using the ECS supported object protocols (S3, EMC Atmos, OpenStack Swift, and CAS).

Object users are defined by a username and a secret key that can be used to access the object store. Usernames can be local names or can be domain-style user names that include a "@" in their name.

A management user can create an object user account and can assign a secret key to the object user account when the account is created or at any time thereafter. When created by a management user, the object user's secret key is distributed by email or other means.

For domain users, a secret key can be obtained by the object user using the ECS self-service capability, using a client that talks to the ECS REST API (object users do not have access to the ECS Portal). You can read more about domain users in Domain and local users, and you can refer to Obtain secret key to access object storage for information on creating a secret key.

Object users are global resources, so an object user created at a VDC can be given privileges to read and write buckets, and objects, within the namespace to which they are assigned, from any VDC.

Root user

The root user is available at system initialization and is pre-assigned to the System Admin role.

The root user should only be used for initial access to the system. On initial access, the root user password should be changed at the Settings > Password page and one or more new System Admin accounts should be created.

From an audit perspective, it is important to know which user carried out changes to the system, so root should not be used, and each System Admin user should have their own account.

User roles

ECS defines roles to determine the operations that a user account can perform at the ECS Portal or when accessing ECS using the ECS Management REST API. Management users can be assigned to administration roles in ECS and can be either local users or domain users.

The following management roles are defined:

System Admin

The System Admin role can configure ECS and specify the storage used for the object store, how the store is replicated, how tenant access to the object store is configured, and which users have permissions on an assigned namespace.

The System Admin can also configure namespaces and perform namespace administration, or can assign a user who belongs to the namespace as the Namespace Admin.

The System Admin has access to the ECS Portal and system administration operations can also be performed from programmatic clients using the ECS Management REST API.

Because management users are not replicated across sites, a System Admin must be created at each VDC that requires one.

Namespace Admin

The Namespace Admin is a management user who can access the ECS Portal to configure users and buckets for their namespace. Namespace Admin operations can also be performed using the ECS Management REST API.

A Namespace Admin can only be the administrator of a single namespace.

Because authentication providers and namespaces are replicated across sites (they are ECS global resources), a domain user who is a Namespace Admin can log in at any site and perform namespace administration from that site.

Local management accounts are not replicated across sites, so a local user who is a Namespace Admin can only log in at the VDC at which the management user account was created. If you want the same username to exist at another VDC, the user must be created at the other VDC. As they are different accounts, changes to a same-named account at one VDC, such as a password change, will not be propagated to the account with the same name at the other VDC.

Domain and local users

ECS provides support for local and domain users.

Local users are user accounts whose credentials are stored by ECS. Both management users and object users can be defined locally to ECS. In the case of object users, the credentials are global resources and are available at all ECS VDCs.

Local users make it very simple to start using ECS; however, the use of AD/LDAP enables an existing user database to be leveraged and allows a large number of users to be given access to the object store without having to create accounts for them.

Domain users are users defined in an Active Directory (AD) or LDAP database, and ECS must talk to the AD or LDAP server to authenticate user login requests. ECS uses a construct called an authentication provider to supply the credentials it needs to talk to the AD/LDAP server and to specify the domains and groups that should be made available to ECS.

Domain users are defined in the form user@domain.com and ECS will attempt to authenticate user names in that form using the authentication providers that have been configured. User names without @ will be authenticated against the local user database.

Domain users assigned to management roles can be authenticated against their AD/LDAP credentials to allow them to access ECS and perform ECS administration operations. Administration operations can be performed from the ECS Portal or using the ECS Management API.

Domain users can also be assigned as object users. To save the administrative overhead of manually creating large numbers of object user accounts in ECS, a self-service capability is provided that allows ECS to authenticate domain users and automatically add them as object users and assign a secret key to them.

To make use of this, a domain user must be mapped into a namespace and ECS provides a mechanism for mapping domain users into a namespace based on their domain and group membership and on attributes associated with their account.

User scope: global or namespace

The scope of object users depends on the user scope that has been set. The setting affects all users, in all namespaces, across all federated VDCs.

The user scope can be either GLOBAL or NAMESPACE. In global scope, object user names are unique across all VDCs in the ECS system. In namespace scope, object user names are unique within a namespace, so the same object user account names can exist in different namespaces.

The default setting is GLOBAL. If you intend to use ECS in a multi-tenant configuration and you want to ensure that tenants are not prevented from using names that are in use in another namespace, you should change this default configuration to NAMESPACE.

Note: The user scope setting must be made before the first object user is created.

Setting the User Scope

The user scope can be set using the PUT /config/object/properties API and passing the user scope in the payload. An example of a payload that sets user_scope to NAMESPACE is shown below.

PUT /config/object/properties/

<property_update>
    <properties>
        <properties>
            <entry>
                <key>user_scope</key>
                <value>NAMESPACE</value>
            </entry>
        </properties>
    </properties>
</property_update>
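The following added example (my own code, not from the ECS documentation) builds the property_update payload above with an XML library so the doubly nested properties elements are always well-formed, validates the scope value before anything is sent, and shows the PUT request shape. It assumes, as not stated on this page, that a session token is obtained from GET /login with HTTP Basic credentials and returned in the X-SDS-AUTH-TOKEN header, and that GET /config/object/properties returns the same property_update shape for verification.

```python
"""Set the ECS object user scope via PUT /config/object/properties.

Added example, not ECS code. Assumptions (not on the page): GET /login with
HTTP Basic auth returns a session token in the X-SDS-AUTH-TOKEN header, and
GET /config/object/properties returns the same <property_update> shape.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

VALID_SCOPES = ("GLOBAL", "NAMESPACE")


def build_user_scope_payload(scope: str) -> bytes:
    """Build the <property_update> body that sets user_scope.

    ElementTree is used instead of string formatting so the two nested
    <properties> elements always get their matching closing tags, and the
    scope is rejected before the request is built if it is not a valid value.
    """
    if scope not in VALID_SCOPES:
        raise ValueError(f"user_scope must be one of {VALID_SCOPES}, got {scope!r}")
    root = ET.Element("property_update")
    outer = ET.SubElement(root, "properties")
    inner = ET.SubElement(outer, "properties")
    entry = ET.SubElement(inner, "entry")
    ET.SubElement(entry, "key").text = "user_scope"
    ET.SubElement(entry, "value").text = scope
    return ET.tostring(root, encoding="utf-8")


def parse_user_scope(body: bytes) -> Optional[str]:
    """Return the user_scope value from a <property_update> document, or None.

    Useful for checking the current setting (assumed GET response) before
    changing it, since the scope must be set before the first object user exists.
    """
    root = ET.fromstring(body)
    for entry in root.iter("entry"):
        if entry.findtext("key") == "user_scope":
            return entry.findtext("value")
    return None


def set_user_scope(base_url: str, user: str, password: str, scope: str) -> int:
    """Log in as a System Admin, PUT the payload, return the HTTP status.

    Not exercised offline; it documents the request shape for the API above.
    """
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"{base_url}/login", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(login) as resp:
        token = resp.headers["X-SDS-AUTH-TOKEN"]   # assumed header name
    req = urllib.request.Request(
        f"{base_url}/config/object/properties",
        data=build_user_scope_payload(scope),
        method="PUT",
        headers={"X-SDS-AUTH-TOKEN": token,
                 "Content-Type": "application/xml",
                 "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```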

Working with the users at the ECS Portal

The ECS Portal provides a Manage > Users page to enable local users to be created and assigned as object users for a namespace. It also enables system administrators to create local management users and assign them to administration roles and to assign domain users to administration roles.

The Manage > Users page provides two sub-pages:

The Management Page is only accessible if you are a System Admin (or root user) for ECS.

Object Users View

The Object Users view provides an Object Users table that lists the local users that have been created, the namespace to which the users have been assigned, and the actions that can be performed on the user.

If you are a System Admin you will see the object users for all namespaces. If you are a Namespace Admin, you will only see the users belonging to your namespace.

The Object Users view is shown below.

The Object Users table provides access to the following information and operations.
The Object Users pane additionally provides access to the following controls:

Management Users View

The Management Users view provides a Management Users table that lists the management users that have been created and the actions that can be performed on the user. This page is only visible to users with the System Admin role.

The Management Users view is shown below.

The Management Users table provides access to the following information and operations.
In addition, the Management Users view provides the following controls:

Add a new object user

You can create new local users and configure them to use the supported object access protocols. Once created, you can edit a user configuration by adding or removing access to an object protocol, or by creating a new secret key for the user.

Before you begin

  • If you are an ECS System Admin, you can assign users for any namespace.
  • If you are a Namespace Admin, you can assign users for the namespaces for which you are the administrator.
  • If you want your domain users to be enabled as object users you should refer to Add a domain user as an object user.
  • When assigning a password for a Swift user, the user will be added to the Swift Admin group.
    Note: Do not use the ECS Portal to perform this operation if you want users to be assigned to different Swift groups.

You can refer to Working with the users at the ECS Portal for information about the Manage > Users page.

Procedure

  1. At the ECS Portal, select Manage > Users.
    The Object Users Page is shown by default and displays the Object Users table which lists the local users that have been created and the namespace to which they are assigned.
  2. Select New Object User.
    The New Object User page is displayed.
  3. Enter a name for the user.
    This is a name for a local user that will be created.
    You can use domain-style names that include "@". For example, "some.name@emc.com". However, this is only a convenience to keep names unique and consistent with AD names; authentication is performed using the secret key assigned to the username, not through AD or LDAP.
  4. Select the namespace to which the local user will be assigned.
    Once you have selected the namespace, you can Save the user and return later to edit the user and assign a secret key to access an object protocol. Alternatively, you can select Add Passwords and specify passwords or secret keys to access the ECS object protocols.
  5. To set up secret keys for the user, select Add Passwords.
  6. For each of the object protocols that you want to use to access the ECS object store, enter or generate a key for use in accessing S3, Swift, or CAS, and save the key.
    Select Add Password to save the key.
  7. Specify a password for each of the object interfaces that you want the user to be able to access.
    For S3 and CAS you can generate the password.
  8. The secret keys and passwords are saved automatically and you can click the Close button to return to the Users page.

Add a domain user as an object user

You can configure domain users so that they can access ECS and generate secret keys for themselves and, by doing so, add themselves as object users.

Before you begin

Procedure

  1. Ensure an authentication provider that connects to the appropriate AD/LDAP system has been configured.
    Adding an authentication provider must be performed by a System Admin and is described in Add an authentication provider.
  2. Map domain users into the namespace as described in Map domain users into a namespace.
    This can be performed by the Namespace Admin.
  3. Allow users to create secret keys using the instructions in Obtain secret key to access object storage.

Create a local management user or assign a domain user to a management role

You can add a local management user and assign a local management user or a domain user to a management role from the ECS Portal. Management users are required to perform system-level administration (VDC administration) and namespace administration. Where a user is no longer needed to perform administration operations, you can remove the role assignment.

Before you begin

  • You must be a System Admin to create a local management user or assign a management role.
  • The ECS root user has the System Admin role by default and can perform the initial assignment of a user to the System Admin role.
  • If you want to assign a domain user to a management role, you must first ensure that an authentication provider has been added. See Add an authentication provider.
  • If you want to assign a Namespace Admin, you must create a management user using the operation defined here and perform the role assignment at the portal Namespace page (see Configure a namespace for a tenant). The user will not be able to log in until they have been assigned to the Namespace Admin role (or the System Admin role).

You can refer to Working with the users at the ECS Portal for information about the Manage > Users page.

Procedure

  1. At the ECS Portal, select Manage > Users.
    The Object Users Page is displayed by default and you need to change to the Management Users page.
  2. Select Management Users.
    The Management Users page is displayed, which shows any users that have currently been assigned and provides a New Management User button.
  3. Select New Management User.
    The New Management User page is displayed, which enables you to create a local user and assign the new user to the management role, or assign a domain user to the management role.
  4. Select Local User or AD/LDAP User.
    For a local user you will need to define a password; for a domain user, the user and password credentials that ECS will use to authenticate a user are held in AD/LDAP, so you don't need to define a password.
  5. Enter the name of the user.
    If you have selected AD/LDAP, the user must exist and have been made available by adding an authentication provider to ECS.
    If you select Local User, a new local management user will be created.
  6. If you want to assign the user to the System Admin role, select Yes at the System Administrator selector.
    If you are creating a management user who will be assigned to the Namespace Admin role for a namespace, you should leave this as No.
    If you select Yes, but at a later date you want to remove System Administrator privileges from the user, you can edit the user settings and change this to No.
  7. If you have not selected System Admin because you intend to assign the user to the Namespace Admin role, you must check the "In order to log in, non-System Admin users..." box.
    The "In order to log in, non-System Admin users..." box acknowledges that the user will not be able to log in until assigned to the Namespace Admin role.
  8. Select Save.

Create a namespace administrator

You can assign a local or domain user as a Namespace Admin.

Before you begin

  • You must be a System Admin to create a management user and assign a user to the Namespace Admin role.

You can refer to Working with the users at the ECS Portal for information about the Manage > Users page.

Procedure

  1. If you want to assign a local management user to the Namespace Admin role, you need to create a management user as described in Create a local management user or assign a domain user to a management role.
    If you want to assign a domain user to the Namespace Admin role, you do not need to explicitly assign the user to a management role.
  2. At the Manage > Namespace page.
    1. Select the Edit action for the namespace.
    2. Add the user to the Namespace Admin field. If there is more than one Namespace Admin, their usernames should be a comma-separated list.
      A user can only be assigned as the Namespace Admin for a single namespace.
    3. Save the namespace.
    You can read more about configuring a namespace in Configure a namespace for a tenant.

Working with the authentication providers at the ECS Portal

The ECS Portal provides a Manage > Authentication page to enable authentication providers to be added.

The Authentication Provider Page is only accessible if you are a System Admin (or root user) for ECS.

The Authentication Provider Page provides an Authentication Provider table that lists the authentication providers that have been created. An example is shown below.

The table provides access to the following information and operations.
The Authentication Provider Page additionally provides access to the following controls:

Add an authentication provider

User authentication for domain users is performed using one or more authentication providers added to ECS. An authentication provider is a construct that enables ECS to connect to an AD/LDAP server and identifies the domains and groups that the AD/LDAP server should make available to ECS.

Before you begin

  • To add an authentication provider you must be assigned to the System Admin role in ECS. The root user has the System Admin role.
  • You need access to the authentication provider information listed in Authentication provider settings. Note especially the requirements for the Manager DN user.

Procedure

  1. At the ECS Portal, select Manage > Authentication > New Authentication Providers.
  2. Enter values for the attributes. Refer to Authentication provider settings.
  3. Save.
  4. To verify the configuration, add a user from the authentication provider at Manage > Users > Management Users, then try to log in as the new user.

Authentication provider settings

You need to provide certain information when adding or editing an authentication provider.

Considerations when adding authentication providers

When you configure ECS to work with Active Directory, you must decide whether to manage several domains in a single authentication provider, or to add separate authentication providers for each domain.

The decision to add a single authentication provider, or multiple, depends on the number of domains in the environment, and the location on the tree from which the manager user is able to search. Authentication providers have a single search_base from which searches are conducted. They have a single manager account who must have read access at the search_base level and below.

Use a single authentication provider for multiple domains if you are managing an Active Directory forest and:
  • the manager account has privileges to search high enough in the tree to access all user entries.
  • the search will be conducted throughout the whole forest from a single search base, not just the domains listed in the provider.
Otherwise, configure an authentication provider for each domain.

Note that even if you are dealing with a forest and you have the correct privileges, you might not want to manage all the domains with a single authentication provider. You would still use one authentication provider per domain when you need granularity and tight control on each domain, especially to set the search base starting point for the search. Since there is only one search base per configuration, it needs to include everything that is scoped in the configuration in order for the search to work.

The search base needs to be high enough in the directory structure of the forest for the search to correctly find all the users in the targeted domains.

  • If the forest in the configuration contains ten domains but you target only three, do not use a single provider configuration, because the search will unnecessarily span the whole forest, and this may adversely affect performance. In this case, use three individual configurations.
  • If the forest in the configuration contains ten domains and you want to target ten domains, a global configuration is a good choice, because there is less overhead to set up.

Understanding the mapping of users into a namespace

Domain users can be added to ECS using authentication providers. To make users available as namespace users they need to be mapped into the namespace.

The authentication provider makes users belonging to specified domains and whitelisted groups available to ECS and they can be assigned to system roles.

To associate users with a namespace and make them eligible to be object users for the namespace, you must associate the domain to which the users belong with the namespace and, if necessary, apply finer grained filtering based on the groups that belong to the domain and the attributes that have been assigned to the domain users. A domain can be mapped to a single namespace or can provide users for multiple namespaces.

The ECS Portal and the ECS Management REST API provide the ability to specify mappings when a new namespace is registered and provide support for updating the mappings for all namespaces. Creating a namespace is an operation that requires System Admin privileges; modifying a tenant and performing user mappings operations can be performed by a Namespace Admin.

The user mappings assigned to different namespaces must not overlap, so if the Accounts namespace maps users from the same domain as the HR namespace, it must provide additional mappings to differentiate its users. In the example below, the Accounts namespace uses the corp.sean.com domain but maps users with specific attributes, in this case, those with their Department attribute set to Accounts in Active Directory.

User mappings for a tenant using AD attributes

The example below shows the use of multiple mapping criteria. All members of the corp.sean.com domain who belong to the Storage Admins group and have their Department attribute set to Accounts AND Company set to Acme, OR belong to the Storage Admins group and have their Department set to Finance, will be mapped into the namespace.

Using multiple mapping criteria

Map domain users into a namespace

The ECS Portal provides the ability to map users into a namespace based on the AD/LDAP domain, groups, and attributes associated with users.

Before you begin

  • An authentication provider must have been registered with ECS and must provide access to the domain from which you want to map users.
  • The administrator of the AD must have configured the groups or users in AD before mapping the users from the ECS Portal.
  • If you are using attribute mapping, each user must have the appropriate attribute value set in AD.

You should understand the concepts associated with user mapping, described in Understanding the mapping of users into a namespace.

Procedure

  1. At the ECS Portal, select Manage > Namespace.
  2. In the Namespaces table, click on the Edit action for the namespace to open it for editing.
  3. If a domain hasn't already been specified, click Add to add a mapping and enter the domain name in the Domain field.
  4. Specify any groups that you want to use to map users into the namespace.
    The group or groups that you specify must exist in AD.
  5. If you want to use attributes to map users into the namespace enter the name of the attribute and the value or values for the attribute. If you do not want to use attributes to map users into the namespace, click the delete button to remove the attribute fields from the current mapping.
    For users to be mapped into the domain, the attribute value set for the user must match the attribute value specified in ECS.
  6. Save the namespace settings.
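The following added example (my own code, not part of ECS) models the mapping semantics described in Understanding the mapping of users into a namespace and applied by the procedure above: within one mapping the domain, group and attribute criteria must all match, a user matching any mapping of a namespace is mapped into it, and mappings of different namespaces must not overlap. The Mapping and DomainUser names and the sample users and mappings are constructed; the mappings mirror the page's Accounts and Storage Admins examples.

```python
"""Evaluate domain user to namespace mappings as described for ECS.

Added example, not ECS code. Semantics modelled from the page: a namespace
holds one or more mappings; each names a domain and may restrict by AD groups
and by attribute values. All criteria of one mapping must hold (AND); a user
matching any mapping of a namespace is mapped into it (OR). Mappings of
different namespaces must not overlap. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Mapping:
    domain: str
    groups: Set[str] = field(default_factory=set)  # empty set: any group
    attributes: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> allowed values


@dataclass
class DomainUser:
    name: str  # user@domain form; names without "@" are local users in ECS
    groups: Set[str]
    attributes: Dict[str, str]

    @property
    def domain(self) -> str:
        # The part after the last "@" is the domain the mapping is matched on.
        if "@" not in self.name:
            raise ValueError(f"{self.name!r} is a local user name, not a domain user")
        return self.name.rsplit("@", 1)[1].lower()


def mapping_matches(m: Mapping, user: DomainUser) -> bool:
    """Every criterion of a single mapping must hold for the user (AND)."""
    if user.domain != m.domain.lower():
        return False
    if m.groups and not (m.groups & user.groups):
        return False
    for attr, allowed in m.attributes.items():
        if user.attributes.get(attr) not in allowed:
            return False
    return True


def namespaces_for(user: DomainUser, namespaces: Dict[str, List[Mapping]]) -> List[str]:
    """All namespaces with at least one mapping that matches the user (OR)."""
    return sorted(ns for ns, maps in namespaces.items()
                  if any(mapping_matches(m, user) for m in maps))


def resolve_namespace(user: DomainUser,
                      namespaces: Dict[str, List[Mapping]]) -> Optional[str]:
    """The single namespace for the user; None if unmapped, error on overlap."""
    hits = namespaces_for(user, namespaces)
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError(f"{user.name} maps into {hits}: "
                         "namespace mappings must not overlap")
    return hits[0]


# Constructed mappings: HR takes corp.sean.com users with Department=HR;
# Accounts takes Storage Admins with (Department=Accounts AND Company=Acme)
# OR Department=Finance, as in the page's multiple-criteria example.
NAMESPACES: Dict[str, List[Mapping]] = {
    "HR": [Mapping("corp.sean.com", attributes={"Department": {"HR"}})],
    "Accounts": [
        Mapping("corp.sean.com", groups={"Storage Admins"},
                attributes={"Department": {"Accounts"}, "Company": {"Acme"}}),
        Mapping("corp.sean.com", groups={"Storage Admins"},
                attributes={"Department": {"Finance"}}),
    ],
}
```

Adding a mapping for the whole corp.sean.com domain to a third namespace makes namespaces_for return two namespaces for an HR user, which is the overlap the page says must be avoided.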