Accounts and Users Management

Managing Accounts

Object Storage Accounts are a collection of containers and are typically associated with a tenant. VPSA Object Storage Account Management allows you to view/configure account properties, permissions, and storage usage, and see lists of users associated with the account.

Creating account (zios_admin)

When the system is first built, a default account called zios_admin is created. At that point only the VPSA Object Storage Admin has access to this account. To provision object storage to customers, the VPSA Object Storage Admin needs to create additional accounts.

To create additional accounts, first select the accounts entity in the Main Navigation Panel (left panel) under Account Management, and then click the Create button in the top toolbar above the account pane.

In the dialog that opens, give a name to the new account and click Add. The new account will be added.

Viewing Accounts Properties (VPSA Object Storage Admin and Account Admin)

The following properties and information can be viewed:

  • Properties - the following account properties are displayed in the account pane in the Account Management > Account view.

    Note

    Parameters marked with (*) in the table below are only available to VPSA Object Storage Administrators.

    Property             | Description
    ---------------------|-----------------------------------------------------------------
    ID                   | An internally assigned unique ID
    Name                 | The name of the Account
    Status (*)           | Normal / Deleting / Deleted, awaiting cleanup
    Enabled (*)          | Yes/No
    Public URL           | The URL that identifies this account. To be used by the REST API
    Containers           | Number of containers in the selected Account
    Objects              | Number of objects stored in the selected Account
    Used Capacity        | Amount of written data in the Account
    Capacity Updated at  | Date when capacity was measured
    Policies             | Statistics for each policy (e.g. 2-way protection) used by this account: Containers (number of containers this account keeps in this policy), Objects (number of objects this account keeps in this policy) and Used Capacity (capacity consumed by this account in this policy)

  • Users - lists of users per account are displayed in the users pane in the Account Management > Users view.

  • Permissions - account permissions are displayed in the details pane, permission tab in the Account Management > Account view. For more information on account permissions, see Setting Account Permissions (Account Admin).

  • Quotas - quotas can be set on the storage capacity available to an account. For more information, see Account Quota Management (VPSA Object Storage Admin or Account Admin).

  • Capacity Metering - provides live metering of the capacity usage associated with the selected account, as shown below.

    [Figure: capacity metering charts]

    The charts display the metering data as captured in the past 20 intervals. The interval length can be one of the following: 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart          | Description
    ---------------|-------------------------------------------------------------------------------
    Used Capacity  | Total storage capacity consumed in the selected account
    Containers     | Total number of containers belonging to the selected account, by storage policy
    Objects        | Total number of objects belonging to the selected account, by storage policy

  • Frontend Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account, as shown below.

    [Figure: frontend metering charts]

    The charts display the metering data as captured in the past 20 intervals. The interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart              | Description
    -------------------|----------------------------------------------------------------------------------------------
    Throughput (OP/s)  | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account
    Bandwidth (MB/s)   | Total throughput (in MB) of read and write commands issued to the proxy for the selected account
    Latency (ms)       | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account, per selected interval

Account Quota Management (VPSA Object Storage Admin or Account Admin)

If needed, a VPSA Object Storage Admin or Account Admin can set an account level/container level quota.

Note

Once enabled, it will take up to 10 minutes for quota management to be activated.

Account Level Quota Management (VPSA Object Storage admin only)

  1. Navigate to Account Management > Account.

  2. Select the desired account and open the Quotas tab in the bottom Details tab.

  3. To enable account level quotas, enter the desired account level quota capacity limitations and click Update.

  4. Note that once enabled, the actual capacity usage will also be available in the same tab.

Container Level Quota Management

  1. In the console view, select the desired container in the top pane, and open the Quotas tab in the bottom Details tab.

  2. To enable container level quotas, enter the desired container level quota capacity limitations and click Update.

  3. Note that once enabled, the actual capacity usage will also be available in the same tab.

[Figure: container Quotas tab]

Deleting account (VPSA Object Storage Admin)

To delete an account, navigate to Account Management > Account, select the account to be deleted, and click Delete in the top toolbar.

Note

Deleting an account is an irreversible operation, and requires double confirmation.

Note

Once an account is deleted, all account user data is removed. However, the account billing information remains in the system for usage report generation. Click Cleanup in the top toolbar to completely remove it from the system.

Disabling an account (VPSA Object Storage Admin)

To disable an account, navigate to Account Management > Account, select the account to be disabled, and click Disable in the top toolbar.

Note

The Disable/Enable button toggles as the account state changes.

Note

Once an account is disabled, the account is no longer available for read or write operations. However, VPSA Object Storage maintains the account definitions (users, access rights, etc.), as well as all the containers and objects.

Self Service Account Creation (Account Admin)

In addition to creation of a new account by the VPSA Object Storage Admin as described in Creating account (zios_admin), a user can be given permission to create their own account. In this case, the user requests creation of a new account via a provided URL. The VPSA Object Storage Admin receives the request and must then approve it. The account is then created and the user who initiated the request becomes its Account Admin.

The detailed procedure for account self-creation is as follows:

  1. Use the GUI URL received from VPSA Object Storage Admin to access the following login screen.

    [Figure: login screen]

  2. Click Create new account and enter the following information:

    • Name for the new Account

    • Your username as the Account admin

    • Your email address

    • Select a password

    Note

    While the account name and the username of a given user are unique across the VPSA Object Storage, the same email address can be used for multiple users. This is useful in cases where the same entity needs visibility into more than a single account.

  3. Click Create Account. This will create an account creation request that goes to the VPSA Object Storage Admin for approval. Once approved, you will automatically become the Account Admin of your new account.

  4. The user initiating the request will receive an automated email response confirming the request.

  5. The VPSA Object Storage Admin will receive an email informing them about the pending request.

  6. The VPSA Object Storage Admin should open the GUI, select Users in the Main Navigation Panel (Left Panel) under Account Management, select the pending Account request, and either Approve or Deny it.

  7. Upon approval, the new account will be created, the account admin will be defined with the given credentials, and will receive an email notification with the following information:

    • VPSA Object Storage Account Management & Console URL

    • VPSA Object Storage API Endpoint URL

    • Account Name

    • User Name

Managing Users

Understanding User Roles

The VPSA Object Storage supports the following roles:

  • VPSA Object Storage Admin - responsible for the administration of the VPSA Object Storage. This is the user that created the VPSA Object Storage in the Zadara Provisioning Portal.

  • VPSA Object Storage Admin - Read Only - dedicated read-only role for cross-account monitoring and reporting purposes. The Read-Only role is available for the zios_admin account only. A Read-Only user has access to the VPSA Object Storage REST API but does not have data access. The role is designated for monitoring and reporting purposes, such as:

    • Performance monitoring

    • Capacity monitoring

    • Usage reports & billing automation

  • Account Administrator - responsible for the administration of their account.

  • Account Member - can perform object storage operations according to the given permissions within the limits of that account.

User Information

Information about the currently logged-in user is displayed by clicking the user name in the upper right corner of the GUI.

[Figure: user information dialog]

The following User’s properties are displayed:

Property                         | Description
---------------------------------|-------------------------------------------------------------------------------
Account Information              |
Username                         | The login ID of the User
Email                            | User’s email address
Account                          | The account where the user belongs
User ID                          | An internally assigned unique ID
Account ID                       | An internally assigned unique ID
Multi-Factor Auth.               | Indication whether this user has Multi-Factor Authentication activated
Authentication                   |
S3 Access Key                    | To be used by a client using the S3 interface
S3 Secret Key                    | To be used by a client using the S3 interface
Region                           | Region name
API Token                        | Token to be used for authentication by the REST API. The token expires in 24 hours; good practice is for every script to start with a new token. See the API guide: http://zios-api.zadarastorage.com
Connectivity - Front End Network |
API Endpoint                     | The effective Front End private address of the REST API for all IO requests
V3 Auth Endpoint                 | The effective Front End private address of the REST API for auth requests
Account URL                      | The Front End private network URL that identifies this user’s account. To be used by the REST API.
Connectivity - Public Network    |
Public IP                        | Public IP of the VPSA Object Storage (see: Assigning Public IPs (VPSA Object Storage Admin))
Public API Endpoint              | The public address of the REST API for all IO requests
Public V3 Auth Endpoint          | The public address of the REST API for auth requests
Public Account URL               | The public network URL that identifies this user’s account. To be used by the REST API.

Note

The connected user can reset their own Object Storage Access/Secret keys. The existing access and secret keys will be revoked.

Creating User (VPSA Object Storage Admin, Account Admin)

To create a new user in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users.

  2. From top toolbar over Users pane, click Create.

  3. In the Add User dialogue which opens, enter the following:

    • Username

    • Email

    • Role

    Note

    Everything an Account admin does is within the context of that Account. So, when an Account admin creates users, there is no need to select an Account.

    Note

    Users with VPSA Object Storage Admin role can only be created in the zios_admin account.

  4. Click Add User. The new user will receive an email with the following information:

    • VPSA Object Storage Account Management & Console URL

    • VPSA Object Storage API Endpoint URL

    • Account Name

    • User Name

    • Assigned User Role

    • Temporary Password

    Note

    The new user should use the temporary password for the first login, and then change the password after logging on.

Viewing Users Properties (VPSA Object Storage Admin, Account Admin)

To view user properties in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users. User properties are displayed in the top pane of the console.

  2. To view additional properties in the lower details pane, select a single user from the displayed list in the top pane.

    [Figure: user properties view]

The following user properties are displayed:

Property            | Description
--------------------|------------------------------------------------------------------------------
Name                | The login ID of the User
Email               | User’s email address
ID                  | An internally assigned unique ID
Enabled             | Whether the user is active. A disabled user cannot log in and cannot perform any operation
Multi-Factor Auth.  | Indication whether this user has Multi-Factor Authentication activated
Role                | VPSA Object Storage Admin, Account Admin, Member
Account Name        | The account where the user belongs
Account ID          | An internally assigned unique ID
Notify on Events    | Whether this user wants to receive email notifications for events

Deleting users (VPSA Object Storage Admin, Account Admin)

To delete a user in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user to be deleted and click Delete from the top toolbar.

  3. In the Confirm Deletion dialogue which opens, click Yes. Note the deletion process may take a few minutes.

Disabling/Enabling users (VPSA Object Storage Admin, Account Admin)

A disabled user cannot log in to the GUI or perform any operation via the REST API. However, the system retains the user with all their properties and permissions. Once users are enabled again, they can resume operations as before.

To disable a user in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user to be disabled and click Disable from the top toolbar.

  3. In the Confirm Action dialogue which opens, click Yes. Note the process may take a few minutes.

Note

To enable a user who has been disabled, repeat the process above and select Enable from the toolbar instead of Disable.

Reset password (VPSA Object Storage Admin, Account Admin)

VPSA Object Storage Admins and Account Admins can reset Users’ passwords. When resetting a password, the User will receive an email with a temporary password that they will have to change at the next login.

To reset a user password in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user whose password is to be reset and click Reset Password from the top toolbar.

  3. In the Confirm Password Reset dialogue which opens, click Yes.

  4. The user will receive an email with a temporary password.

Note

Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.

Change Role (VPSA Object Storage Admin, Account Admin)

An Account Member can be changed to an Account Admin, and vice versa. Users under the system zios_admin account can be promoted to VPSA Object Storage Admin only by someone who currently has the VPSA Object Storage Admin role.

To change a user role in a VPSA Object Storage account:

  1. Within the VPSA Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user whose role is to be changed and click Change Role from the top toolbar.

  3. In the Change Role dialogue which opens, enter the new user role and click Change Roles.

Multi-Factor Authentication

It is common practice to protect access against a compromised password. For this purpose, the VPSA Object Storage supports Multi-Factor Authentication (MFA) using an Authenticator mobile application. Each user can turn Multi-Factor Authentication on or off. The VPSA Object Storage Admin can force Multi-Factor Authentication on all users.

To use MFA, install an Authenticator mobile app (e.g. Google Authenticator) from Google Play or the Apple App Store on your mobile device.

Important

If the VPSA Object Storage administrator requires MFA for all Object Storage accounts, all system users are required to enable MFA for their account at their next login; this setting cannot be disabled for a specific user.

Enabling Multi-Factor Authentication

  1. In the VPSA Object Storage console, click the user name in the top right corner of the screen. The current user's property details will be displayed.

    [Figure: user properties with Multi-Factor Authentication controls]

  2. For Multi-Factor Authentication, click Activate or Deactivate. Close the properties dialog, and logout.

  3. The next time you login, a confirmation screen will open with a QR code. Scan the code with your mobile device, and enter the token.

  4. From now on, during every login, you will be asked to enter the MFA token from the Authenticator app on your mobile device.

Important

The mobile device that runs the Authenticator app is needed for login. If the device is lost or replaced, the user must ask the VPSA admin to reset their MFA settings. The VPSA admin must contact Zadara support to reset the MFA.

Enforcing Multi-Factor Authentication

The VPSA administrator can force MFA for all users. In Settings > Security, click Edit on Multi-Factor Authentication, select the checkbox and click Save. This setting change does not take effect immediately: the next time each user logs in, the MFA token from the Authenticator app on their mobile device will be required.

Note

When MFA enforcement is removed, users with MFA configured are still required to use the temporary code when logging in. However, each user can change their own setting in the user properties as described above.

Remote Authentication

An external identity provider (Openstack Keystone) can be used as the authentication engine for the Object Storage. This integration will expose Zadara’s Object Storage service directly to the Openstack dashboard (Horizon); the Object Storage will be available immediately to all Openstack registered users.

The following section will provide an overview of this capability along with the required steps to properly integrate Keystone (the OpenStack identity service) with Zadara VPSA Object Storage.

Openstack version: Train and later

[Figure: remote authentication layout]

Openstack Prerequisites

Creating Openstack Object-Store Service

$ openstack service create --name=vpsa-obs --description "Zadara Object Storage" object-store

The expected output is a confirmation the service was created, similar to the following:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Zadara Object Storage            |
| enabled     | True                             |
| id          | 74b0f72dcf3f4c7eb50462122c1d40cc |
| name        | vpsa-obs                         |
| type        | object-store                     |
+-------------+----------------------------------+

Creating Object-Store Endpoints

The Object Store service endpoints should direct OpenStack users to the VPSA Object Storage. The URL in the following examples (https://vsa-0000004e-zadara-iop-01.zadara.com) should be replaced with the actual target VPSA Object Storage.

The service exposes three endpoints: internal, public & admin endpoints. All three should be configured in order to allow seamless integration.

Internal Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs internal "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"

Public Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs public "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"

Admin Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs admin "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/"

Confirm all 3 endpoints were created as expected.

Note

OpenStack does not actively test endpoint connectivity; it is recommended to ensure the endpoint is accessible before configuring it.

$ openstack endpoint list --service vpsa-obs -c 'Service Name' -c 'Service Type' -c URL

The expected result is the list of all three endpoints as configured in the previous steps, similar to the following:

+--------------+--------------+--------------------------------------------------------------------+
| Service Name | Service Type | URL                                                                |
+--------------+--------------+--------------------------------------------------------------------+
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/                  |
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+--------------------------------------------------------------------+
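The endpoint registration and verification steps above, as an added example that is not part of Zadara's or OpenStack's own documentation: a POSIX shell script that builds the three endpoint URLs with the "KEY_$(tenant_id)s" template kept literal (the reason for the "\$" in the commands above), probes the target before registering it, and checks the "openstack endpoint list" output for all three interfaces. The base URL, the region name and the curl probe are assumptions; the script only issues openstack commands when the CLI is installed and otherwise prints them.

```shell
#!/bin/sh
# Added example (not Zadara's or OpenStack's own code): register the VPSA Object
# Storage service endpoints in Keystone and verify that all three exist.
# Assumptions: OBS_BASE (the VPSA Object Storage URL) and REGION; override via env.
OBS_BASE="${OBS_BASE:-https://vsa-0000004e-zadara-iop-01.zadara.com}"
REGION="${REGION:-RegionOne}"
SERVICE="vpsa-obs"

# URL for one interface. Internal and public carry the Keystone template
# "KEY_$(tenant_id)s"; it is written inside single quotes so the shell never
# treats "$(tenant_id)" as a command substitution (the same reason the documented
# commands escape it as "\$(tenant_id)s" inside double quotes).
obs_endpoint_url() {
  case "$1" in
    internal|public) printf '%s/v1/KEY_$(tenant_id)s\n' "$OBS_BASE" ;;
    admin)           printf '%s/v1/\n' "$OBS_BASE" ;;
    *) echo "unknown interface: $1" >&2; return 1 ;;
  esac
}

# Keystone does not test endpoint connectivity itself, so probe the target first.
# Any HTTP status (even 401/404) proves DNS, TCP and TLS work; "000" means no answer.
probe_obs() {
  code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$OBS_BASE/" 2>/dev/null)" || return 1
  [ "$code" != "000" ]
}

# The documented service and endpoint creation, with the URL taken from
# obs_endpoint_url (already literal, so no further shell expansion happens).
register_endpoints() {
  openstack service create --name="$SERVICE" --description "Zadara Object Storage" object-store
  for iface in internal public admin; do
    openstack endpoint create --region "$REGION" "$SERVICE" "$iface" "$(obs_endpoint_url "$iface")"
  done
}

# Read "openstack endpoint list --service vpsa-obs -c Interface -c URL" output from
# stdin and require one row per interface carrying exactly the expected URL.
# Returns 0 only when internal, public and admin are all present and correct.
check_endpoints() {
  table="$(cat)"
  missing=0
  for iface in internal public admin; do
    want="$(obs_endpoint_url "$iface")"
    if printf '%s\n' "$table" | grep -F -- "| $iface " | grep -qF -- " $want "; then
      echo "ok: $iface -> $want"
    else
      echo "missing or wrong: $iface (expected $want)" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

if command -v openstack >/dev/null 2>&1; then
  probe_obs || { echo "$OBS_BASE is not reachable; fix connectivity first" >&2; exit 1; }
  register_endpoints
  openstack endpoint list --service "$SERVICE" -c Interface -c URL | check_endpoints
else
  # No CLI here: show the exact commands, single-quoted so the template survives a paste.
  for iface in internal public admin; do
    printf "openstack endpoint create --region %s %s %s '%s'\n" \
      "$REGION" "$SERVICE" "$iface" "$(obs_endpoint_url "$iface")"
  done
fi
```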

Horizon Dashboard

At this point, Horizon should have an additional section, “Object Storage”.

[Figure: Object Storage section in the Horizon dashboard]

VPSA Object Storage Configuration

The VPSA Object Storage will require the OpenStack identity endpoint URL. Ensure you have a valid endpoint before proceeding to the next step.

Private domain names are supported; however, they require the VPSA Object Storage administrator to set a custom name server under Settings > Network.

The endpoint can be retrieved from Horizon or by using the openstack cli tool, as in the following example:

$ openstack endpoint list --service identity

+--------------+--------------+-------------------------------+
| Service Name | Service Type | URL                           |
+--------------+--------------+-------------------------------+
| keystone     | identity     | http://192.168.13.37/identity |
| keystone     | identity     | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+

Important

The Keystone authentication endpoint must be accessible from the VPSA Object Storage Front End network; public or secondary VNI network endpoints are not supported.

Enabling Remote Authentication

In the VPSA Object Storage management interface, navigate to the Account Management > Remote Authentication view.

[Figure: Remote Authentication form]

The following information is required:

  • Authentication service endpoint URL - the Openstack Keystone identity URL as retrieved from Openstack.

  • Administrator username - the openstack administrator username.

  • Administrator password - the openstack administrator password.

  • Administrator project name - the openstack administrator project.

Upon submitting the form, the VPSA Object Storage user interface will reload in order to apply the changes.

Important

From this point on, all user management is subject to the OpenStack Keystone service and is not managed from the VPSA Object Storage GUI. Only the ZIOS_ADMIN account and the cloud_admin user (via Zadara Command Center) will have access to the VPSA Object Storage user interface. Existing local accounts will no longer be accessible.

The Accounts view in the VPSA Object Storage user interface now lists all OpenStack projects. This view gives the administrator visibility into account consumption and utilization.

In the accounts listing, the administrator will be able to review:

  1. Account name as defined in keystone.

  2. Status - the status of the account in the VPSA Object Storage. An account is considered active once one of its users has used the Object Storage service from OpenStack. This is useful when managing a large cluster with a large number of users/projects.

  3. The account id (project ID) as defined in Openstack.

  4. The container count for the selected account.

  5. The overall object count (across all containers)

  6. Used capacity for the selected account.

Note

The consumption usage may take a couple of minutes to reflect the actual usage.

Verify The Keystone User Access To The Object Storage Service

Openstack CLI

  1. Source a valid user's OpenStack credentials.

  2. Try to create a container using the openstack CLI:

    $ openstack container create shlomi
    
  3. Try to list the container just created:

    $ openstack container list
    
    +--------+
    | Name   |
    +--------+
    | shlomi |
    +--------+
    

S3 Credentials

OpenStack allows its users to interact with the cluster resources using AWS S3 credentials.

These credentials can be used in order to configure S3 clients for Object Storage operations.

  1. Create EC2 credentials:

    $ openstack ec2 credentials create
    
  2. Use the provided credentials to access the Object Storage using an S3 client.

  3. The S3 Object Storage client should be configured with the VPSA Object Storage endpoint along with the aws credentials that were created in Openstack.

Note

Clients that support AWS v4 Signatures will be required to set the Object Storage “Region”. The default region in the VPSA Object Storage is us-east-1 and can be modified to match the Openstack region field.

Horizon Dashboard

From the Horizon dashboard, all registered users will be able to execute Object Storage related operations such as:

  • Container creation

  • Container deletion

  • Object Upload/Download/Deletion

[Figure: Object Storage operations in the Horizon dashboard]

Limitations & Known Issues

Limitations

  • 18597 - ZIOS_ADMIN account cannot add additional admin users once external authentication is enabled.

  • VPSA Object Storage GUI is accessible only by ZIOS_ADMIN/CLOUD_ADMIN (via Zadara Command Center).

  • VPSA Object Storage REST API is accessible for ZIOS_ADMIN account only.

  • VPSA Object Storage REST API will require local authentication.

  • The VPSA Object Storage caches the remote account and user information to avoid synchronization issues; the update interval is set to 30 minutes.

Known Issues

  • 18810 - Modifications to the main projects are not propagated to the VPSA Object Storage user interface, and no account information will be displayed for the user.

  • 18797 - When terminating an account, the VPSA Object Storage account should be deleted prior to the OS account deletion.