Granting Swarm Access

Swarm uses two pairs of security lists to grant access to storage cluster management and viewing:

  • Administrators can access the Swarm UI and change the cluster configuration. SNMP read/write access is handled separately.

  • Operators can view the Swarm UI. SNMP read-only access is handled separately.

Disabling SNMP

Disable the Swarm Storage setting snmp.enabled if SNMP needs to be disabled cluster-wide, such as for a security need or using Swarm in containers. (v12.0)

...

security.administrators

  • Default: {'admin': 'ourpwdofchoicehere'}

  • Notes: One or more username:password pairs. Sets credentials for who can administer the cluster via the Swarm UI.

  • Upgrading from 9.x - Remove the snmp username from here and update snmp.rwCommunity with the password if the value includes the snmp username.

  • Example: {'admin': 'adminpassword','admin2':'adminpassword2'}

security.operators

  • Default: {}

  • Notes: One or more username:password pairs. Sets credentials for who can view the Swarm UI.

  • Upgrading from 9.x - It is ignored if the value includes an snmp username; remove it from here and update snmp.roCommunity with the password.

  • Example: {'operator': 'operatorpassword','operator2': 'operatorpassword2'}

snmp.rwCommunity

  • Default: ourpwdofchoicehere

  • Notes: String. Password for the SNMP read-write community.

  • Required - The SNMP read-write password must be known to dynamically change the Swarm 'admin' password via SNMP. The config file must be edited to change the SNMP read-write password. The SNMP password is the sole option if the admin-level credentials are lost.

snmp.roCommunity

  • Default: public

  • Notes: String. Password for the SNMP read-only community.

Caution

  • The name admin is reserved; do not delete it, because doing so can cause errors and affect performance. If you decide not to use admin, protect it with a complex password.

  • Swarm prevents cluster booting if the SNMP security administrator (read/write user) is not set properly in the configuration file.

  • All administrative users and passwords must agree on all nodes or certain cluster actions fail.

  • Password updates are not complete until they are persisted in the cluster settings file across all nodes, and rapid, successive updates cannot be accepted on a given node until the first update completes processing.

  • Change passwords from the defaults before putting the cluster into production, and improve security by encrypting the Swarm passwords, as described in Encrypting Passwords below.

Encrypting Passwords

Represent the password as a hexadecimal-encoded MD5 hash of the following string instead of a clear text password:

...

  1. Create a file containing a hash of the user name, password, and user list name: 

    htdigest -c password-file.txt "CAStor administrator" Jo.Jones
  2. Enter and verify the user's password when prompted by htdigest.

  3. Open the new file (password-file.txt) in a text editor. The hash is the last entry in the string: 

    Jo.Jones:CAStor administrator:08b0468c1d957b7bac24463dd2191a2d
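
The hashing procedure above and the earlier Caution list (change the defaults, avoid clear-text passwords) can be checked together. The following Python is an added example, not Swarm's own code: it turns htdigest output into a security.administrators value and flags default or clear-text credentials in config file text. The [snmp] section layout and the sample values are assumptions constructed for illustration.

```python
import ast, configparser, hashlib, re

REALM = "CAStor administrator"  # user list name from the htdigest step
SNMP_DEFAULTS = {"rwCommunity": "ourpwdofchoicehere", "roCommunity": "public"}
DEFAULT_PW = set(SNMP_DEFAULTS.values())  # 'admin' ships with the same default
HEX32 = re.compile(r"[0-9a-f]{32}")

def digest(user, password):
    """Hex MD5 of 'user:realm:password', the string htdigest hashes."""
    return hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()

def setting_from_htdigest(text):
    """Convert htdigest file lines into a security.administrators value."""
    users = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split(":")
        if len(parts) != 3 or parts[1] != REALM or not HEX32.fullmatch(parts[2]):
            raise ValueError(f"not a {REALM!r} htdigest entry: {line!r}")
        users[parts[0]] = parts[2]
    return repr(users)

def audit(cfg_text):
    """List default or clear-text credentials found in config file text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    for name in ("administrators", "operators"):
        users = ast.literal_eval(cfg.get("security", name, fallback="{}"))
        for user, pw in users.items():
            if pw in DEFAULT_PW or pw in {digest(user, d) for d in DEFAULT_PW}:
                findings.append(f"security.{name}: default password for {user}")
            elif not HEX32.fullmatch(pw):
                findings.append(f"security.{name}: clear-text password for {user}")
    for name, default in SNMP_DEFAULTS.items():  # unset means default applies
        if cfg.get("snmp", name, fallback=default) in DEFAULT_PW:
            findings.append(f"snmp.{name}: default community string")
    return findings

# Constructed sample; the [snmp] section layout is an assumption.
SAMPLE = """
[security]
administrators = {'admin': 'ourpwdofchoicehere', 'Jo.Jones': '0123456789abcdef0123456789abcdef'}
operators = {'operator': 'operatorpassword'}
[snmp]
rwCommunity = constructed-rw-community
"""

if __name__ == "__main__":
    print(setting_from_htdigest("Jo.Jones:CAStor administrator:" + "0" * 32))
    print("\n".join(audit(SAMPLE)))
```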

Updating Passwords

The list of Administrators and passwords may be modified without rebooting by using several read-write SNMP OIDs. New administrative users can be added and existing users modified with the addModifyAdministrator SNMP OID. These are the essential commands:

  • Add Admin Users: Include the new user name and password separated by a colon: 
    addModifyAdministrator = "Jo.Jones:password1"

  • Update Password for an existing user — Include the existing user name and new password separated by a colon:  
    addModifyAdministrator = "Jo.Jones:password2"

  • Delete Admin Users (except the default admin and snmp users) — Send the name of an admin user: 
    removeAdministrator = "Jo.Jones"

Caution

  • All administrative users and passwords must agree across all nodes or certain cluster actions fail.

  • Any changes made via SNMP against a running cluster must also be made in the node/cluster configuration file, so that any nodes offline when the change is made, or new nodes added to the cluster after the fact, can correctly authenticate cluster-wide actions.

  • It can take several minutes for these SNMP changes to propagate in the cluster. During this update window, old passwords and deleted users continue to work for up to 10 minutes.

Important

How passwords are updated depends on which ones need updating and whether Swarm has ever been started. 

Process

Examples and Notes

Swarm has never booted

  1. Create and hash an admin password.

  2. Update passwords in the config file.

  3. Important: If booting from a USB flash drive, unmount/stop the USB drive, or else the changes are not saved.

  4. Boot the Swarm cluster.

  5. The password can be removed from the config file after the cluster is running.

Hash of password

$ echo -n 'admin:CAStor administrator:NEWPASSWORD' | md5sum | cut -d ' ' -f1
7fe563b8532b3a460def0895895eebf5

The first time the cluster is booted the Swarm admin password must be in the config file:

[security]
administrators = {'admin':'7fe563b8532b3a460def0895895eebf5'}

When the cluster is running, Swarm stores the admin password in the persisted Settings object, at which point it is safe to remove the password from the configuration file for security purposes:

[security]
administrators = {}

Updating SNMP passwords

  1. Update passwords in the config file.

  2. Reboot the Swarm cluster.

Important

The SNMP read-write password must be known to dynamically change the Swarm 'admin' password. The config file must be edited if the SNMP read-write password needs to be changed.

Proceed to change the Swarm 'admin' password after rebooting with the new SNMP password in the file.

Updating Swarm admin password

  1. Create and hash an admin password.

  2. Update password via SNMP, which Swarm saves in the persisted Settings object.

Changing admin password
# Template: substitute the SNMP read-write password, node IP, and new password or hash
snmpset -v2c -c SNMP-password -m +CARINGO-CASTOR-MIB SWARM-NODE-IP \
	addModifyAdministrator s "admin:new-password"

# Example using the values shown on this page
snmpset -v2c -c ourpwdofchoicehere -m +CARINGO-CASTOR-MIB 172.20.3.85 \
	addModifyAdministrator s "admin:7fe563b8532b3a460def0895895eebf5"

...