Accounts and Users Management¶
Managing Accounts¶
Object Storage Accounts are a collection of containers and are typically associated with a tenant. VPSA Object Storage Account Management allows you to view/configure account properties, permissions, and storage usage, and see lists of users associated with the account.
Creating account (zios_admin)¶
When the system is first built, a default account is created called zios_admin account. At that point only the VPSA Object Storage Admin has access to this account. In order to provision object storage to customers, the VPSA Object Storage Admin needs to create accounts.
To create additional accounts, first select the accounts entity in the Main Navigation Panel (left panel) under Account Management, and then click the Create button in the top toolbar above the account pane.
In the dialog that opens, give a name to the new account and click Add. The new account will be added.
Viewing Accounts Properties (VPSA Object Storage Admin and Account Admin)¶
The following properties and information can be viewed:
Properties - the following account properties are displayed in the account pane in the Account Management > Account view.
Note
Parameters marked with (*) in table below are only available to VPSA Object Storage Administrators.
Property
Description
ID
An internally assigned unique ID
Name
The name of the Account
Status (*)
Normal / Deleting / Deleted, awaiting cleanup
Enabled (*)
Yes/No
Public URL
The URL that identifies this account. To be used by the REST API
Containers
Number of containers in the selected Account
Objects
Number of objects stored in the selected Account
Used Capacity
Amount of written data in the Account
Capacity Updated at
Date when capacity was measured
Policies
Show statistics per each policy (e.g. 2-way protection) used by this account. Details include:
Containers: Number of containers this account keeps in this policy
Objects: Number of objects this account keeps in this policy
Used Capacity: Capacity consumed by this account keeps in this policy
Users - lists of users per account are displayed in the users pane in the Account Management > Users view.
Permissions - account permissions are displayed in the details pane, permission tab in the Account Management > Account view. For more information on account permissions, see Setting Account Permissions (Account Admin).
Quotas - quotas can be set on the storage capacity available to an account. For more information, see Account Quota Management (VPSA Object Storage Admin or Account Admin).
Capacity Metering - provide live metering of the capacity usage associated with the selected account as shown below.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 minutes, or 1 hour, 1 day, 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously-updating live metering info.
The following charts are displayed:
Chart
Description
Used Capacity
Total storage capacity consumed in the selected account
Containers
Total numbers of containers belonging to the selected account, by storage policy
Objects
Total numbers of objects belonging to the selected account, by storage policy
Frontend Metering - provide live metering of the IO workload at the Object Storage frontend associated with the selected account as shown below.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 second, 1 minute, 10 minutes, or 1 hour, 1 day, 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously-updating live metering info.
The following charts are displayed:
Chart
Description
Throughput (OP/s)
The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account.
Bandwidth (MB/s)
Total throughput (in MB) of read and write commands issued to proxy for the selected account.
Latency (ms)
Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected Account per selected interval.
Account Quota Management (VPSA Object Storage Admin or Account Admin)¶
If needed, a VPSA Object Storage Admin or Account Admin can set an account level/container level quota.
Note
Once enabled, It will take up to 10 minutes for the quota management to be activated.
Account Level Quota Management (VPSA Object Storage admin only)
Navigate to Account Management > Account.
Select the desired account and open the Quotas tab in the bottom Details tab.
To enable account level quotas, enter the desired account level quota capacity limitations and click Update.
Note that once enabled, the actual capacity usage will also be available in the same tab.
Container Level Quota Management
In the console view, select the desired container in the top pane, and open the Quotas tab in the bottom Details tab.
To enable container level quotas, enter the desired container level quota capacity limitations and click Update.
Note that once enabled, the actual capacity usage will also be available in the same tab.
Deleting account (VPSA Object Storage Admin)¶
To delete an account, navigate to Account Management > Account, select the account to be deleted, and click Delete in the top toolbar.
Note
Deleting an account is an irreversible operation, and requires double confirmation
Note
Once an account is deleted, all account user data is removed. However account billing information still exists in the system for usage report generation. Click Cleanup in top toolbar to completely remove it from the system.
Disabling an account (VPSA Object Storage Admin)¶
To disable an account, navigate to Account Management > Account, select the account to be deleted, and click Disable in the top toolbar.
Note
Disable/Enable button toggles as the account state changes.
Note
Once an account is disabled, the account is no longer available for read or write operations. However, VPSA Object Storage maintains the account definitions (users, access rights, etc.), as well as all the containers and objects.
Self Service Account Creation (Account Admin)¶
In addition to creation of a new account by the VPSA Object Storage Admin as described in Creating account (zios_admin), a user can be given permission to create his own account. In this case, a user will request creation of a new account via a provided URL. The VPSA Object Storage Admin will receive and must then approve the request. The account will then be created and the user who initiated the request will become the Account Admin.
The detailed procedure for account self-creation is as follows:
Use the GUI URL received from VPSA Object Storage Admin to access the following login screen.
Click Create new account and enter the following information:
Name for the new Account
Your username as the Account admin
Your email address
Select a password
Note
While account name and the username for a given user are unique across the VPSA Object Storage, the same email address can be used for multiple users. This is useful in cases the same entity needs visibility to more than a single account.
Click Create Account. This will create an Account creation request that will go to the VPSA Object Storage Admin for approval. Once approved, You will automatically become the Account Admin of your new account.
The user initiating the request will receive and automated email response confirming the request.
The VPSA Object Storage Admin will receive an email informing him about the pending request:
The VPSA Object Storage Admin should open the GUI, select Users in the Main Navigation Panel (Left Panel) under Account Management, select the pending Account request, and either Approve or Deny it.
Upon approval, the new account will be created, the account admin will be defined with the given credentials, and receive email notification with the following information:
VPSA Object Storage Account Management & Console URL
VPSA Object Storage API Endpoint URL
Account Name
User Name
Managing Users¶
Understanding User Roles¶
The VPSA Object Storage support the following roles:
VPSA Object Storage Admin - responsible for the administration of the VPSA Object Storage. This is the user that created the VPSA Object Storage in the Zadara Provisioning Portal.
VPSA Object Storage Admin - Read Only - dedicated read-only role for cross-accounts monitoring and reporting purposes. The Read-Only role is available for the zios_admin account only. A Read-Only user will have access to the VPSA Object Storage RestAPI, however he will not have data access. The user role is designated for monitoring and reporting purposes, such as:
Performance monitoring
Capacity monitoring
Usage reports & billing automation
Account Administrators - responsible for the administration of his account.
Account Member - can perform object storage operations according to the given permissions within the limits of that account.
User Information¶
Information about currently logged-in users is displayed by clicking the user name in upper right corner of GUI.
The following User’s properties are displayed:
Property |
Description |
---|---|
Account Information |
|
Username |
The login ID of the User |
User’s email address |
|
Account |
The account where the user belongs |
User ID |
An internally assigned unique ID |
Account ID |
An internally assigned unique ID |
Multi-Factor Auth. |
Indication if this user has Multi-Factor authentication activated |
Authentication |
|
S3 Access Key |
To be used by client using the S3 interface |
S3 Secret Key |
To be used by client using the S3 interface |
Region |
Region name |
API Token |
Token to be used for authentication by the REST API The token expires in 24 hours. Good practice is for every script to start with a new token. See API guide: http://zios-api.zadarastorage.com |
Connectivity - Front End Network |
|
API Endpoint |
The effective Front End private address for REST API for all IO requests |
V3 Auth Endpoint |
The effective Front End private address for REST API auth requests |
Account URL |
The Front End private network URL that identifies this user’s account. To be used by the REST API. |
Connectivity - Public Network |
|
Public IP |
Public IP of the VPSA Object Storage (see: Assigning Public IPs (VPSA Object Storage Admin)) |
Public API endpoint |
The public address for REST API for all IO requests |
Public V3 Auth Endpoint |
The public address for REST API auth requests |
Public Account URL |
The public network URL that identifies this user’s account. To be used by the REST API |
Note
The connected user can reset his Object Storage Access/Secret keys. The existing access and secret keys will be revoked.
Creating User (VPSA Object Storage Admin, Account Admin)¶
To create a new user in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users.
From top toolbar over Users pane, click Create.
In the Add User dialogue which opens, enter the following:
Username
Email
Role
Note
Everything an Account admin does, is within the context of that Account. So, when an Account admin creates users, there is no need to select an Account.
Note
Users with VPSA Object Storage Admin role can only be created in the zios_admin account.
Click Add User. The new user will receive email with the following information:
VPSA Object Storage Account Management & Console URL
VPSA Object Storage API Endpoint URL
Account Name
User Name
Assigned User Role
Temporary Password
Note
The new user should use the temporary password for the first login, and then change the password after logging on.
Viewing Users Properties (VPSA Object Storage Admin, Account Admin)¶
To view user properties in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users. User properties are displayed in the top pane of the console.
To view additional properties in the lower details pane, select a single user from the displayed list in the top pane.
The following user properties are displayed:
Property |
Description |
---|---|
Name |
The login ID of the User |
User’s email address |
|
ID |
An internally assigned unique ID |
Enabled |
User is active or not. Disabled user can’t login and can’t perform any operation |
Multi-Factor Auth. |
Indication if this user has Multi-Factor authentication activated |
Role |
VPSA Object Storage Admin, Account Admin, Member |
Account Name |
The account where the user belongs |
Account ID |
An internally assigned unique ID |
Notify on Events |
Specify is this user want to get email notifications for events |
Deleting users (VPSA Object Storage Admin, Account Admin)¶
To delete a user in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be deleted and click Delete from the top toolbar.
In the Confirm Deletion dialogue which opens, click Yes. Note the deletion process may take a few minutes.
Disabling/Enabling users (VPSA Object Storage Admin, Account Admin)¶
A disabled user cannot login to the GUI or perform any operation via the REST API. However the system remembers the user with all the properties and permissions. Once users are enabled, they can resume operations as before.
To disable a user in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be disabled and click Disable from the top toolbar.
In the Confirm Action dialogue which opens, click Yes. Note the process may take a few minutes.
Note
To enable a user who has been disabled, repeat the process above and select Enable from the toolbar instead of Disable.
Reset password (VPSA Object Storage Admin, Account Admin)¶
VPSA Object Storage Admins and Account Admins can reset Users’ passwords. When resetting a password, the User will receive an email with a temporary password that they will have to change at the next login.
To reset a user password in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose password is to be reset and click Reset Password from the top toolbar.
In the Confirm Password Reset dialogue which opens, click Yes.
The user will receive an email with a temporary password.
Note
Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.
Change Role (VPSA Object Storage Admin, Account Admin)¶
An Account Member can be changed to an Account Admin, and vice versa. Users under the system zios_admin account can be promoted to VPSA Object Storage Admin only by someone who currently has the VPSA Object Storage Admin role.
To change a user role in a VPSA Object Storage account:
Within the VPSA Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose role is to be disabled and click Change Role from the top toolbar.
In the Change Role dialogue which opens, enter the new user role and click Change Roles.
Multi-Factor Authentication¶
It is a common practice to protect access in case of compromised password. For this purpose, the VPSA Object Storage supports Multi-Factor Authentication (MFA) using the Authenticator mobile application. Each user can turn Multi-Factor Authentication on/off for . The VPSA Object Storage Admin can force Multi-Factor Authentication on all users.
To use the MFA, install Authenticator mobile app (e.g. Google Authenticator) from Google Play or Apple AppStore on your mobile device.
Important
In case the VPSA Object Storage administrator requires MFA to be set for all Object Storage account, it is required by all system users to enable MFA for their account in the next login, this setting cannot be disabled for a specific user.
Enabling Multi-Factor Authentication¶
In the VPSA Object Storage console, click on user name on top, right corner of screen. Current user property details will be displayed.
For Multi-Factor Authentication, click Activate or Deactivate. Close the properties dialog, and logout.
The next time you login, a confirmation screen will open with a QR code. Scan the code with your mobile device, and enter the token.
From now on, during every login, you will be asked to enter the MFA token from the Authenticator app on your mobile device.
Important
The mobile device that runs the Authenticator app is needed for login. In case the device was lost or replaced, the user must ask the VPSA admin to reset their MFA settings. VPSA admin must contact Zadara support to reset the MFA.
Enforcing Multi-Factor Authentication¶
VPSA administrator can force MFA for all users. In setting/Security click Edit on the Multi-Factor Authentication, select the checkbox and Save. This setting change does not have immediate effect. Next time each user will login, the MFA token from the mobile device Authenticator app be required.
Note
When MFA enforcement is removed, the users with MFA configured are still required to use the temporary code when logging in. However each user can change his settings in the user properties as described above.
Remote Authentication¶
An external identity provider (Openstack Keystone) can be used as the authentication engine for the Object Storage. This integration will expose Zadara’s Object Storage service directly to the Openstack dashboard (Horizon); the Object Storage will be available immediately to all Openstack registered users.
The following section will provide an overview of this capability along with the required steps to properly integrate Keystone (the OpenStack identity service) with Zadara VPSA Object Storage.
Openstack version: Train and later
Openstack Prerequisites¶
Creating Openstack Object-Store Service¶
$ openstack service create --name=vpsa-obs --description "Zadara Object Storage" object-store
The expected output is a confirmation the service was created, similar to the following:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Zadara Object Storage |
+-------------+----------------------------------+
| enabled | True |
+-------------+----------------------------------+
| id | 74b0f72dcf3f4c7eb50462122c1d40cc |
+-------------+----------------------------------+
| name | vpsa-obs |
+-------------+----------------------------------+
| type | object-store |
+-------------+----------------------------------+
Creating Object-Store Endpoints¶
The Object Store service endpoints should direct Openstack users to use the VPSA Object Storage, the URL in the following examples (https://vsa-0000004e-zadara-iop-01.zadara.com) should be replaced with the actual target VPSA Object Storage.
The service exposes three endpoints: internal, public & admin endpoints. All three should be configured in order to allow seamless integration.
Internal Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs internal "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"
Public Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs public "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"
Admin Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs admin "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/"
Confirm all 3 endpoints were created as expected.
Note
Openstack is not actively testing for endpoint connectivity, it is recommended to ensure the endpoint is accessible prior its configuration.
$ openstack endpoint list --service vpsa-obs -c 'Service Name' -c 'Service Type' -c URL
The expected result is the list of all three endpoints as configured in the previous steps, similar to the following:
+--------------+--------------+------------------------------------------------------------------------+
| Service Name | Service Type | URL |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/ |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+------------------------------------------------------------------------+
Horizon Dashboard¶
At this point, horizon should have an additional section “Object Storage”.
VPSA Object Storage Configuration¶
The VPSA Object Storage will require the Openstack endpoint URL. Ensure you have a valid endpoint prior proceeding to the next step.
Private domain names are supported, however, will require the VPSA Object Storage administrator to set a custom name server under Settings > Network.
The endpoint can be retrieved from Horizon or by using the openstack cli tool, as in the following example:
$ openstack endpoint list --service identity
+--------------+--------------+-------------------------------+
| Service Name | Service Type | URL |
+--------------+--------------+-------------------------------+
| keystone | identity | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+
| keystone | identity | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+
Important
It is expected that the Keystone Authentication endpoint will be accessible from the VPSA Object Storage Front End network, public/secondary VNI network endpoint or are not supported.
Enabling Remote Authentication¶
In the VPSA Object Storage management interface, navigate to the Account Management > Remote Authentication view.
The following information is required:
Authentication service endpoint URL - the Openstack Keystone identity URL as retrieved from Openstack.
Administrator username - the openstack administrator username.
Administrator password - the openstack administrator password.
Administrator project name - the openstack administrator project.
Upon submitting the form, the VPSA Object Storage user interface will reload in order to apply the changes.
Important
As of this point all user management will be subject to the Openstack Keystone service and will not be managed from the VPSA Object Storage GUI. Only the ZIOS_ADMIN account and the cloud_admin user (via Zadara Command Center) will have access to the VPSA Object Storage user interface. All existing local accounts will not be accessible.
Navigating to the Accounts view in the VPSA Object Storage user interface section will now list all Openstack Projects. This view is the administrative visibility to the account consumption and utilization.
In the accounts listing, the administrator will be able to review:
Account name as defined in keystone.
Status - the status of the account in the VPSA Object Storage. An account will be considered active if one of its users have used the Object Storage service from Openstack. This is useful when managing a large cluster with a large number of users/projects.
The account id (project ID) as defined in Openstack.
The container count for the selected account.
The overall object count (across all containers)
Used capacity for the selected account.
Note
The consumption usage may take a couple of minutes to reflect the actual usage.
Verify The Keystone User Access To The Object Storage Service¶
Openstack CLI¶
Source a valid user information.
Try to create a container using the openstack cli
$ openstack container create shlomi
Try to list the container recently created
$ openstack container list +--------+ | Name | +--------+ | shlomi | +--------+
S3 Credentials¶
Openstack will allow its users to interact with the cluster resources using aws s3 credentials.
These credentials can be used in order to configure S3 clients for Object Storage operations.
Create ec2 credentials
$ openstack ec2 credentials create
Use the provided credentials to access the Object Storage using an S3 client.
The S3 Object Storage client should be configured with the VPSA Object Storage endpoint along with the aws credentials that were created in Openstack.
Note
Clients that support AWS v4 Signatures will be required to set the Object Storage “Region”. The default region in the VPSA Object Storage is us-east-1 and can be modified to match the Openstack region field.
Horizon Dashboard¶
From the Horizon dashboard, all registered users will be able to execute Object Storage related operations such as:
Container creation
Container deletion
Object Upload/Download/Deletion
Limitations & Known Issues¶
Limitations¶
18597 - ZIOS_ADMIN account cannot add additional admin users once external authentication is enabled.
VPSA Object Storage GUI is accessible only by ZIOS_ADMIN/CLOUD_ADMIN (via Zadara Command Center).
VPSA Object Storage REST API is accessible for ZIOS_ADMIN account only.
VPSA Object Storage REST API will require local authentication.
The VPSA Object Storage is caching the remote account and users information to avoid synchronization issues, the update interval is set to 30 minutes.
Known Issues¶
18810 - Modifying the main projects will not be populated to the VPSA Object Storage user interface and not account information will be displayed for the user.
18797 - When terminating an account, the VPSA Object Storage account should be deleted prior to the OS account deletion.