Role Based Access Control Guide

Role Based Access Control And Authentication





Abstract:

This guide covers login to Eyeglass admin functions and how to configure roles within Eyeglass to create specialized user roles.     


November, 2017


Revision Changes to this Document

Updated September 2017

Introduction to this Guide:

Overview

Eyeglass supports two types of login: Local Eyeglass OS or Proxy Login. This guide covers login to Eyeglass admin functions, how to configure roles within Eyeglass to create specialized user roles, and how custom roles can use Local or Proxy Login for access control.

Where to go for Support

Superna offers support in several forms: online, voicemail, email, or live online chat.

  1. The support site provides online ticket submission and case tracking.  Support Site link - support.superna.net 

  2. Leave a voicemail at 1 (855) 336-1580

    1. (You must leave the customer name, email, a description of the question or issue, and the primary contact for your company with an account in our system. We will assign the case to the primary contact for email follow-up.)

  3. Email eyeglasssupport@superna.net. This is also how to download license keys.

  4. You can also raise a case directly from the Eyeglass desktop using the help button: search for your issue and, if you want to raise a case or get a question answered, click Leave us a message, enter your name, email and appliance ID, and a case is opened directly from Eyeglass.

  5. Or get support using chat, M-F 9-5 EDT (Eyeglass Live Chat).

  6. You should also review our support agreement here.

Eyeglass Authentication Options

Local Eyeglass OS or Proxy Login are the two types of login Eyeglass supports.  Local Login uses a user account created in the appliance OS.  Proxy Login uses Isilon as the authentication provider: Eyeglass proxies the user id and password to Isilon for authentication validation and group membership lookup, and does not validate those credentials itself.  Custom roles can be created in Eyeglass that use either local or proxy login for access control. In addition, the Cluster Storage Monitor product also supports specific roles for users and administrators.

The following sections describe how to configure and use Local Eyeglass OS or Proxy Login.

Types of user Accounts

Local Eyeglass OS user accounts:

  1. When entering local users in a role, we recommend the prefix UNIX_USERS as the "domain", for example UNIX_USERS\read. This is only a naming convention, so that it is obvious the account exists on the appliance OS and not in an Isilon or AD provider.

  2. How to create a new local user on the appliance:

    1. ssh admin@x.x.x.x

    2. sudo -s (enter the admin password)

    3. useradd <user name>

    4. passwd <user name>  (to set a password)

Proxy Login:

  1. Isilon user and group accounts created directly on Isilon clusters.

    1. For a OneFS local user, the user must be entered in UPN format <user>@<cluster name>

  2. Active Directory user and group accounts - proxy login

    1. user@domain or domain\userid

  3. LDAP user and group (using LDAP authentication provider on Isilon) - proxy login

Role Based Access Control  (RBAC)

Key Features:

Role Based Access Control (RBAC) for Eyeglass allows any combination of permissions to be assembled into a role, based on the Eyeglass desktop icons the role may see.  Custom roles can be created to meet any requirement for access to Eyeglass features:

  1. The default admin user has all privileges

  2. The default read-only role can see all icons

  3. Create roles and assign icons of functionality to them

  4. Map each role to a user or group in AD, LDAP, or local Isilon users and groups

  5. For proxy login, all authentication is done through the Isilon API to the cluster's authentication provider


Builtin Roles and user accounts:


Eyeglass ships with the following built-in roles and users.  All three users ship with the same default password, 3y3gl4ss; change it for every built-in account before the appliance is placed on a production network (admin is a local appliance OS account, so its password is changed with passwd on the appliance; see Local Authentication below).

  1. admin

    1. Has all permissions for all products

    2. Default password 3y3gl4ss

  2. rwdefend

    1. Assigned the built-in Ransomware Defender role, with the ability to manage and monitor the Ransomware Defender product

    2. Default password 3y3gl4ss

  3. auditor

    1. Assigned the built-in Auditor role; the user has read and modify permissions within the Easy Auditor application

    2. Default password 3y3gl4ss

    3. The role also includes the Manage Remote Services icon, to see Eyeglass clustered agent status



Use Cases for Custom Roles:

  1. Monitoring only -readonly role

  2. Departmental login for DR readiness view

  3. Security for Ransomware monitoring (Ransomware Defender)

  4. Auditing for file audit (Easy Auditor)

  5. Failover only administration functions (i.e can not add new clusters)

  6. Logging and monitoring only

  7. Storage monitoring only (no DR functions)

  8. Cluster reporting only (no DR functions or storage monitoring)

  9. Centralized security to match Isilon Role based Access groups to include DR functions with SyncIQ

Local Authentication

When the Local authentication type is selected on the login page, the username and password entered must match an existing user account provisioned on the Eyeglass appliance operating system.  

The Local authentication type does not require an IP address to be entered; it assumes the same IP address that was used to reach the login page.

The "root" user account cannot be used to log in.  The default "admin" user can be used, or a user account can be created manually on the appliance: log in as root (or sudo -s as admin, as shown above), add the user with useradd (or adduser) and then set its password with passwd.

Pass-Through Proxy Device Authentication

The pass-through login screen requires the FQDN or IP address of a cluster whose authentication provider holds the Isilon or AD user or group that has the custom Eyeglass role assigned.   

Active Directory User and Group for Proxy Authentication Setting

  1. Create a group in Active Directory and add the Eyeglass admin users to this group.

  2. Log in to Eyeglass as the admin user and open the User Roles icon.

  3. Select an Eyeglass role.

  4. Add the AD user or AD group to this role.

    1. User section: the AD user name must be in the format <username>@<domain.name>. Do not enter an AD user as <DOMAIN>\<user>.

    2. Group section: the AD group name must be in the legacy format <DOMAIN>\<groupname>. NOTE: the domain name must be uppercase, <DOMAIN NAME>\<groupname>.

  5. Click Save.

  6. Example:


Isilon Local User and Group for  Proxy Authentication Setting

  1. Create the Isilon local user and/or Isilon local group account.

  2. Log in to Eyeglass as the admin user and open the User Roles icon.

  3. Select an Eyeglass role.

  4. Add the Isilon local user or Isilon local group to this role.

    1. User section: the Isilon local user name must be entered in UPN format <user>@<cluster name>

    2. Group section: the Isilon local group name must be entered as the bare group name, <isilon local group name>

  5. Click Save.

  6. Example:

How to create a new Eyeglass Role

  1. From the Eyeglass main menu select User Roles.

  2. Click + next to Roles.

  3. Enter a name.

  4. Select the check boxes next to the permissions to assign.

  5. Assign users or groups to this new role.

  6. Click Save.

How to Login with Eyeglass Local


  1. Enter the local user name without the domain prefix: as described above, it is best to enter the user in the role with the UNIX_USERS prefix so it is identifiable as local, but the login itself is made without the prefix.

  2. Since proxy authentication is not needed, the default login screen works for this login.

How to Login with RBAC accounts on Isilon or Active Directory Auth Provider

  1. Users with RBAC accounts on Isilon or Active Directory must switch the login page to Proxy authentication (managed device login).

  2. For example, to log in with an Active Directory domain user via proxy authentication:

    1. Enter the username in the format <username>@<domain.name> or <domain>\<username>  

    2. Enter the password and the IP address (the SmartConnect Service IP, SSIP) of the Isilon cluster that has the authentication provider for the user account being used for login.

  3. For example, to log in with an Isilon local user via proxy authentication:

    1. Enter the username in the format <username>@<cluster name>  

    2. Enter the password and the SSIP of the Isilon cluster that holds the local user account being used for login.

  4. The following screenshot shows a backup-permission-only login desktop, which only allows backup archives to be created in Eyeglass, with no other icons visible.

Note: not all permission combinations make sense together, and not all combinations have been tested to support the implied logic of the role.

RBAC Known Limitations


  • Deletion of an Isilon or Active Directory group associated with an Eyeglass User Role does not automatically update the User Role.  The group must be removed from the role manually in Eyeglass, so review role membership whenever groups are cleaned up in AD or on the cluster.
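Two things in this guide are easy to get wrong silently: the entry formats in the Active Directory and Isilon local proxy authentication sections (UPN for users, uppercase legacy format for AD groups, bare names for Isilon groups), and the limitation above, where a role keeps pointing at a group that no longer exists. The script below is an added example written for this guide, not Eyeglass or Superna code; it checks a planned set of role entries against the documented formats and then compares the group entries with an inventory of groups that still exist. The role names, principals, cluster name and group inventory are constructed sample data, and the inventory stands in for whatever listing of AD and Isilon local groups the administrator has at hand.

```python
"""Sanity-check Eyeglass role-mapping entries before (and after) entering them.

Added example for this guide; it is not Eyeglass or Superna code.  The entry
formats are the ones stated in the Active Directory and Isilon local proxy
authentication sections.  The role names, principals and the group inventory
below are constructed sample data, not exports from a real appliance or cluster.
"""
import re

# Entry formats the guide requires, by provider and by role section (user/group).
AD_USER = re.compile(r"^[^@\\\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")      # user@domain.name
AD_GROUP = re.compile(r"^(?P<domain>[^@\\\s]+)\\(?P<group>[^@\\\s]+)$")   # DOMAIN\groupname
ISILON_USER = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")                        # user@clustername
ISILON_GROUP = re.compile(r"^[^@\\\s]+$")                                 # bare group name


def validate_entry(kind, entry):
    """Return the problems with one principal entry (empty list means it is OK).

    kind says which provider and which section of the role the entry is meant
    for: ad_user, ad_group, isilon_user or isilon_group.
    """
    problems = []
    if kind == "ad_user":
        if "\\" in entry:
            problems.append("AD user must be <user>@<domain.name>, not <DOMAIN>\\<user>")
        elif not AD_USER.match(entry):
            problems.append("AD user must be <user>@<domain.name>")
    elif kind == "ad_group":
        m = AD_GROUP.match(entry)
        if m is None:
            problems.append("AD group must be in legacy format <DOMAIN>\\<groupname>")
        elif m.group("domain") != m.group("domain").upper():
            problems.append("AD domain name must be uppercase")
    elif kind == "isilon_user":
        if not ISILON_USER.match(entry):
            problems.append("Isilon local user must be in UPN format <user>@<cluster name>")
    elif kind == "isilon_group":
        if not ISILON_GROUP.match(entry):
            problems.append("Isilon local group is entered as the bare group name")
    else:
        problems.append("unknown entry kind: %s" % kind)
    return problems


def validate_role_mappings(role_mappings):
    """Check every entry of every role; return [(role, kind, entry, problem), ...]."""
    return [(role, kind, entry, problem)
            for role, entries in role_mappings.items()
            for kind, entry in entries
            for problem in validate_entry(kind, entry)]


def find_orphans(role_mappings, inventory):
    """Return [(role, kind, entry), ...] for group entries whose group no longer exists.

    Eyeglass does not update a role when the AD or Isilon group behind it is
    deleted, so this comparison has to be run by the administrator.  AD names
    are compared case-insensitively; Isilon local group names exactly.
    Only groups are checked because the inventory carries only groups.
    """
    ad_present = {name.lower() for name in inventory.get("ad_group", ())}
    isilon_present = set(inventory.get("isilon_group", ()))
    orphans = []
    for role, entries in role_mappings.items():
        for kind, entry in entries:
            if kind == "ad_group" and entry.lower() not in ad_present:
                orphans.append((role, kind, entry))
            elif kind == "isilon_group" and entry not in isilon_present:
                orphans.append((role, kind, entry))
    return orphans


# Constructed sample: what an administrator plans to enter under User Roles.
SAMPLE_ROLES = {
    "DR Failover Admin": [("ad_group", "CORP\\eyeglass-failover"),
                          ("ad_user", "jsmith@corp.example.com")],
    "Storage Monitor": [("isilon_group", "storage_ro"),
                        ("isilon_user", "monitor@cluster01")],
    "Auditor": [("ad_group", "CORP\\eyeglass-auditors")],
    "Bad Entries": [("ad_group", "corp\\eyeglass-admins"),   # lowercase domain
                    ("ad_user", "CORP\\auditor1"),           # legacy format, not UPN
                    ("isilon_user", "monitor")],             # missing @<cluster name>
}

# Constructed sample: groups that currently exist in AD and on the cluster.
# CORP\eyeglass-auditors has been deleted, the case the Known Limitations note describes.
SAMPLE_INVENTORY = {
    "ad_group": {"CORP\\eyeglass-failover", "CORP\\eyeglass-admins", "CORP\\Domain Users"},
    "isilon_group": {"storage_ro", "wheel"},
}

if __name__ == "__main__":
    for role, kind, entry, problem in validate_role_mappings(SAMPLE_ROLES):
        print("INVALID  %-18s %-12s %-28s %s" % (role, kind, entry, problem))
    for role, kind, entry in find_orphans(SAMPLE_ROLES, SAMPLE_INVENTORY):
        print("ORPHANED %-18s %-12s %s (group no longer exists; remove it from the role)"
              % (role, kind, entry))
```

Run it as-is to see the three malformed entries in the "Bad Entries" role and the orphaned CORP\eyeglass-auditors group reported; to use it for real, replace SAMPLE_ROLES with the entries from the User Roles screen and SAMPLE_INVENTORY with the current group lists from AD and the cluster. The format checks encode only what this guide states (for example, the uppercase domain rule applies to AD groups, not AD users), so a clean run says the entries match the documented formats, not that Eyeglass will resolve them.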