Role Based Access Control Guide

Role Based Access Control And Authentication






Overview


This guide covers logging in to Eyeglass admin functions and how to configure roles within Eyeglass to create specialized user roles. The Cluster Storage Monitor product also supports specific roles for users and administrators.



Overview - Eyeglass Authentication Options


Local Authentication

When the Local authentication type is selected on the login page, the username and password entered must match an existing user and password provisioned on the Eyeglass appliance operating system.

The Local authentication type does not require an IP address to be entered; it assumes the same IP address that was used to reach the login page.

The "root" user account cannot be used. The default "admin" user can be used, or a user account can be created manually on the appliance by logging in as root, using the "adduser" command to add the user and then setting its password.

Pass-Through Device Authentication


The pass-through login screen requires the FQDN or IP address of a cluster that holds the Isilon group with the custom Eyeglass role assigned. Eyeglass authentication requires the Isilon role to grant the following two permissions:

Platform API - Read

SMB - Read









Role Based Access Control Key Features


Role Based Access Control for Eyeglass allows any role combination to be created based on Eyeglass desktop icons. Custom roles can be created to meet any requirement for access to Eyeglass features.

  1. Default admin user has all privileges

  2. Default read-only role can see all icons

  3. Create roles and assign icons of functionality

  4. Map to a user or group in AD, or to local Isilon users and groups.

  5. All authentication is done through Isilon API to authentication provider


Use Cases for Custom Roles


  1. Monitoring only (read-only role)

  2. Departmental login for DR readiness view

  3. Failover-only administration functions (i.e. cannot add new clusters)

  4. Logging and monitoring only

  5. Storage monitoring only (no DR functions)

  6. Cluster reporting only (no DR functions or storage monitoring)

  7. Centralized security to match Isilon Role based Access groups to include DR functions with SyncIQ

Types of User Accounts


  1. Isilon user and group accounts

  2. Active Directory user and group accounts

  3. Local Eyeglass OS user accounts

    1. When entering local users we recommend the syntax UNIX_USERS to represent the domain, for example UNIX_USERS\read (this convention makes it easy to know where the user exists for authentication)

    2. To create the user on the appliance:

      1. ssh admin@x.x.x.x

      2. sudo -s (enter the admin password)

      3. useradd <user name>

      4. passwd <user name> (to set a password)
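The steps above as a small shell helper (an added example, not part of the Eyeglass guide or product): it derives the appliance OS user name from the UNIX_USERS\<name> convention used in User Roles, refuses "root" and malformed names, and then runs useradd/passwd. The function names and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Eyeglass code. Creates the local appliance OS user
# that backs a "UNIX_USERS\<name>" entry in User Roles.

# The User Roles entry carries the UNIX_USERS\ prefix; the OS account and
# the Eyeglass Local login form use the bare name, so strip the prefix.
os_user_from_role_entry() {
    printf '%s\n' "$1" | sed 's/^UNIX_USERS\\//'
}

# Accept only a conservative POSIX user name, and never "root", which
# cannot be used to log in to Eyeglass.
validate_os_user() {
    name=$1
    case $name in
        root|'') return 1 ;;
    esac
    printf '%s' "$name" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create the account with useradd then passwd (guide steps 3 and 4).
# Must run as root (after "sudo -s"); with DRY_RUN=1 the commands are
# printed instead of executed.
create_eyeglass_local_user() {
    entry=$1
    name=$(os_user_from_role_entry "$entry")
    if ! validate_os_user "$name"; then
        echo "rejected user name: $entry" >&2
        return 1
    fi
    if id "$name" >/dev/null 2>&1; then
        echo "user $name already exists" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        echo "useradd $name"
        echo "passwd $name"
        return 0
    fi
    useradd "$name" && passwd "$name"
}
```

Usage: `DRY_RUN=1 create_eyeglass_local_user 'UNIX_USERS\read'` prints the two commands; without DRY_RUN it creates the account and prompts for the password.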

How to create a new Role


  1. From the Eyeglass main menu select User Roles

  2. Click + next to Roles

  3. Enter a name

  4. Select the check box next to each permission to assign

  5. Click + for Users or + for Groups to enter AD users and groups of the AD domain auth provider configured on Isilon, for example superna\adminuser1 for a user or group.

    1. To allow login with both the short and long user name, both forms must be added in User Roles (user@domain and DOMAIN\user)

    2. User accounts can also be Isilon users and groups instead of AD users and groups

    3. For a OneFS local user, the user must be entered in UPN format: <user>@<cluster name>

  6. Click Save



How to Login with RBAC accounts on Isilon or Active Directory Auth Provider

  1. For users to authenticate they will need to switch to device authentication on the login page

  2. Example: to log in with an Active Directory domain user account, enter username@domain.name or domain\username, the password, and the IP address (SSIP) of the Isilon cluster that has the authentication provider for the account being used for login.

  3. A login with a backup-permission-only role shows a desktop that only allows backup archives to be created in Eyeglass, with no other icons visible.



Notes: Not all permission combinations make sense to combine, and not all combinations are tested to support the implied logic of the role.


How to Login with Eyeglass Local


  1. Enter the local user without the domain, as described above; it is best to create the user with the domain prefix to identify it as local, but log in without the prefix.

  2. Since no proxy authentication is needed, the default login screen will work for login.


ROLE BASED ACCESS CONTROL KNOWN LIMITATIONS


  • Deletion of an Isilon or Active Directory group associated with an Eyeglass User Role will not automatically update the User Role. Eyeglass must be updated manually to remove the group.