Granting Swarm Access
Swarm uses two pairs of security lists to grant access to storage cluster management and viewing:
- Administrators can access the Swarm UI and change the cluster configuration. SNMP read/write access is handled separately.
- Operators can view the Swarm UI. SNMP read-only access is handled separately.
Note: Disabling SNMP. Disable the Swarm Storage setting snmp.enabled if SNMP needs to be disabled cluster-wide, such as for a security need or when using Swarm in containers. (v12.0)
...
| Setting Name | Default | Notes |
|---|---|---|
| security.administrators | {'admin': 'ourpwdofchoicehere'} | One or more username:password pairs. Sets credentials for who can administer the cluster via the Swarm UI. Upgrading from 9.x: remove the snmp username from here and update snmp.rwCommunity with the password if the value includes the snmp username. |
| security.operators | {} | One or more username:password pairs. Sets credentials for who can view the Swarm UI. Upgrading from 9.x: the value is ignored if it includes an snmp username; remove it from here and update snmp.roCommunity with the password. |
| snmp.rwCommunity | ourpwdofchoicehere | String. Password for the SNMP read-write community. Required: the SNMP read-write password must be known to dynamically change the Swarm 'admin' password via SNMP. The config file must be edited to change the SNMP read-write password. The SNMP password is the sole option if the admin-level credentials are lost. |
| snmp.roCommunity | public | String. Password for the SNMP read-only community. |
Caution: The name admin is reserved; do not delete it, which can cause errors and affect performance. Define a complex password for protection if deciding not to use admin. Swarm prevents cluster booting if the SNMP security administrator (read/write user) is not set properly in the configuration file. All administrative users and passwords must agree on all nodes or certain cluster actions fail. Password updates are not complete until they are persisted in the cluster settings file across all nodes, and rapid, successive updates cannot be accepted on a given node until the first update completes processing. Change passwords from the defaults before putting the cluster into production, and improve security by encrypting the Swarm passwords. See next.
Encrypting Passwords
Represent the password as a hexadecimal-encoded MD5 hash of the following string instead of a clear text password:
...
Create a file containing a hash of the user name, password, and user list name:

```shell
htdigest -c password-file.txt "CAStor administrator" Jo.Jones
```

Enter and verify the user's password when prompted by htdigest.

Open the new file (password-file.txt) in a text editor. The hash is the last entry in the string:

```
Jo.Jones:CAStor administrator:08b0468c1d957b7bac24463dd2191a2d
```
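The hash format above is the htdigest HA1 form: the hex MD5 of `user:realm:password` with the realm fixed to "CAStor administrator". The following is an added example (not Swarm's or Apache's own code) that computes that hash without htdigest, parses the last field out of a password-file line, verifies a candidate password against it, and renders the `[security]` line and the `addModifyAdministrator` value used later on this page. Function names and the sample line are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Realm string Swarm uses for its digest-style hashes (from the page).
SWARM_REALM = "CAStor administrator"
HEX32 = re.compile(r"[0-9a-f]{32}")


def swarm_password_hash(username: str, password: str, realm: str = SWARM_REALM) -> str:
    """Hex-encoded MD5 of 'username:realm:password', the same value htdigest writes."""
    digest_input = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(digest_input).hexdigest()


def parse_htdigest_line(line: str) -> Tuple[str, str, str]:
    """Split a 'user:realm:hash' line. The hash is always the last field, so the
    realm is taken between the first and the last colon (it may contain colons)."""
    line = line.strip()
    user, rest = line.split(":", 1)
    realm, digest = rest.rsplit(":", 1)
    if not HEX32.fullmatch(digest):
        raise ValueError(f"line does not end in a 32-hex-char MD5: {line!r}")
    return user, realm, digest


def verify_htdigest_line(line: str, password: str) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    user, realm, digest = parse_htdigest_line(line)
    return hmac.compare_digest(swarm_password_hash(user, password, realm), digest)


def security_config(admins: Dict[str, str]) -> str:
    """Render the [security] section shown on this page, hashes in place of clear text."""
    pairs = ", ".join(f"'{user}':'{digest}'" for user, digest in admins.items())
    return f"[security]\nadministrators = {{{pairs}}}"


def add_modify_value(username: str, digest: str) -> str:
    """Value string for the addModifyAdministrator OID: 'user:hash'."""
    return f"{username}:{digest}"


if __name__ == "__main__":
    # Constructed sample: hash a new admin password and print the config to paste in.
    h = swarm_password_hash("admin", "NEWPASSWORD")
    print(security_config({"admin": h}))
    print("snmpset value:", add_modify_value("admin", h))
```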
Updating Passwords
The list of Administrators and passwords may be modified without rebooting by using several read-write SNMP OIDs. New administrative users can be added and existing users modified with the addModifyAdministrator SNMP OID. These are the essential commands:

- Add Admin Users: Include the new user name and password separated by a colon:
  addModifyAdministrator = "Jo.Jones:password1"
- Update Password for an existing user: Include the existing user name and new password separated by a colon:
  addModifyAdministrator = "Jo.Jones:password2"
- Delete Admin Users (except the default admin and snmp users): Send the name of an admin user:
  removeAdministrator = "Jo.Jones"
Caution: All administrative users and passwords must agree across all nodes or certain cluster actions fail. Any changes made via SNMP against a running cluster must also be made in the node/cluster configuration file so that any nodes offline when the change is made, or new nodes added to the cluster after the fact, can correctly authenticate cluster-wide actions. It can take several minutes for these SNMP changes to propagate in the cluster. During this update window, old passwords and deleted users continue to work for up to 10 minutes.
Important: How passwords are updated depends on which ones need updating and whether Swarm has ever been started.
Process 1: Swarm has never booted
1. Create and hash an admin password.
2. Update passwords in the config file. Important: if booting from a USB flash drive, unmount/stop the USB drive or else the changes are not saved.
3. Boot the Swarm cluster. The password can be removed from the config file after the cluster is running.

Examples and Notes:

Hash of password:
```shell
$ echo -n 'admin:CAStor administrator:NEWPASSWORD' | md5sum | cut -d ' ' -f1
7fe563b8532b3a460def0895895eebf5
```

The first time the cluster is booted, the Swarm admin password must be in the config file:
```ini
[security]
administrators = {'admin':'7fe563b8532b3a460def0895895eebf5'}
```

When the cluster is running, Swarm stores the admin password in the persisted Settings object, at which point it is safe to remove the password from the configuration file for security purposes:
```ini
[security]
administrators = {}
```

Process 2: Updating SNMP passwords
1. Update passwords in the config file.
2. Reboot the Swarm cluster.

Examples and Notes:

Important: The SNMP read-write password must be known to dynamically change the Swarm 'admin' password. The config file must be edited if the SNMP read-write password needs to be changed.

Proceed to change the Swarm 'admin' password after rebooting with the new SNMP password in the file.

Process 3: Updating Swarm admin password
1. Create and hash an admin password.
2. Update the password via SNMP, which Swarm saves in the persisted Settings object.

Examples and Notes:

Changing admin password (template, then a worked example with the default read-write community and a sample node IP):
```shell
snmpset -v2c -c SNMP-password -m +CARINGO-CASTOR-MIB SWARM-NODE-IP addModifyAdministrator s "admin:new-password"
snmpset -v2c -c ourpwdofchoicehere -m +CARINGO-CASTOR-MIB 172.20.3.85 addModifyAdministrator s "admin:7fe563b8532b3a460def0895895eebf5"
```
...