Accounts and Users Management

Managing Accounts

Object Storage Account is a collection of Containers. Typically an account is associated with a tenant. Access rights can be granted for users per account.

Creating account (ZIOS Admin)

When the system is first built, a default account is created called zios_admin account. At that point only the ZIOS admin has access to this account. In order to provision object storage to customers, the ZIOS administrator needs to create Accounts.

To create additional Accounts, first select the Accounts entity in the Main Navigation Panel (Left Panel) under Account Management, and then click the Create button in the Center Panel.

image35

In the dialog that opens give a name to the new account. And click Add. The new account will be added.


Viewing Accounts Properties (ZIOS and Account Admin)

You can view the following properties and metering information in the Accounts Details South Panel tabs:

image35a

Properties

Each Account includes the following properties:

Property

Description

Name

The name of the Account

Status

Normal / Deleting / Deleted, awaiting cleanup

ID

An internally assigned unique ID

Enabled

Yes/No

Public URL

The URL that identifies this account. To be used by the REST API

Containers

Number of containers in the selected Account

Objects

Number of objects stored in the selected Account

Used Capacity

Amount of written data in the Account

Policies

Show statistics per each policy used by this account Details include:

  • Containers: Number of containers this account keeps in this policy

  • Objects: Number of objects this account keeps in this policy

  • Used Capacity: Capacity consumed by this account keeps in this policy

Users

Lists the users of the selected account.

Permissions

For account permissions see here Setting Account Permissions (Account Admin)

Capacity Metering

The Metering Charts provide live metering of the capacity usage associated with the selected Account.

The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 minutes, or 1 hour, 1 day, 1 week. The Auto button lets you see continuously-updating live metering info.

The following charts are displayed:

Chart

Description

Used Capacity

Total storage capacity consumed in the selected Account

Containers

Total numbers of containers belonging to the selected Account, by Storage Policy

Objects

Total numbers of objects belonging to the selected Account, by Storage Policy

image36

Frontend Metering

The Metering Charts provide live metering of the IO workload at the Object Storage frontend that belong to the selected Account.

The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 second, 1 minute, 10 minutes, or 1 hour, 1 day, 1 week. The Auto button lets you see continuously-updating live metering info.

The following charts are displayed:

Chart

Description

Throughput (OP/s)

The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected Account.

Bandwidth (MB/s)

Total throughput (in MB) of read and write commands issued to proxy for the selected account.

Latency (ms)

Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected Account per selected interval.

image37


Account Quota Management (Object Storage Administrator or Account Admin)

If needed, a VPSA Object Storage administrator (zios_admin) or Account administrator can set an account level/container level quota.

Note

Once enabled, It will take up to 10 minutes for the quota management to be activated.

Enable Account - Quota Management

In the VPSA Object Storage management interface navigate to the Account view: Account Management > Accounts, select an Object Storage Account. In the view south pane open the Quotas tab and check the Enable quota by capacity checkbox.

enable-account-quota

Note

Account level quota can be enabled by the VPSA Object Storage administrator (zios_admin)

Enable Container Quota Management

In the VPSA Object Storage management interface navigate to the Console view. Select a container, in the view south pane open the Quotas tab and check the Enable capacity quota, and/or the Enable objects count quota.

enable-container-quota

View quota consumption

Account quota

Once quota management was enabled for a given account, the account administrator will have a clear visibility for the current consumption. In the VPSA Object Storage management interface navigate to the Account view, Account Management > Accounts. In the view south pane open the Quotas.

view-account-quota

Container quota

Once quota management was enabled for a given container, the account member will have a clear visibility for the current consumption. In the VPSA Object Storage management interface navigate to the Console view, select a container and in the view south pane open the Quotas.

Deleting account (ZIOS Admin)

To Delete an Account, first select the Accounts entity in the Main Navigation Panel (Left Panel) under Account Management, select the Account to be deleted, and then click the Delete button in the Center Panel.

image39

Deleting an account is an irreversible operation, and requires double confirmation

Note

After an account is deleted, all account user data is removed however account billing information still exist in the system for usage report generation. The ZIOS Admin need to click the “Cleanup” button in the Center Panel in order to completely remove it from the system.

image40

image41

Disabling an account (ZIOS Admin)

When an account is disabled by the ZIOS Administrator, no one can access that account, not for read nor for write operations. However, VPSA Object Storage keeps all the account definitions (Users, access rights, etc.), and all the containers and objects.

To Disable an Account, first select the Accounts entity in the Main Navigation Panel (Left Panel) under Account Management, select the Account to be disabled, and then click the Disable button in the Center Panel.

Note

Disable/Enable button toggles as the account state changes.

Self Service Account Creation (Account Admin)

ZIOS Administrator have an alternative procedure for creating new accounts. Instead of creating the Account (as described here Creating account (ZIOS Admin)) and creating Account admin, the ZIOS admin can let users to create their own Accounts. The procedure is as follows:

  1. ZIOS admin gives the GUI URL to the person that will create the Account (Account admin)

  2. The account admin uses the GUI to create a request for new account

  3. ZIOS admin approves the request

  4. A new Account is being built, and a new admin user is defined in it.

Below is a detailed description of this procedure.

Use the GUI URL and get to the login screen:

image42

Since you don’t have login credentials, and you want to create a new account, click the Create new account link. In the new account dialog enter the following fields:

  • Name for the new Account

  • Your username as the Account admin

  • Your email address

  • Select a password

Note

While account name and the username for a given user are unique across the VPSA Object Storage, the same email address can be used for multiple users. This is useful in cases the same entity needs visibility to more than a single account.

And click Create Account. This will create an Account creation request that will go to the ZIOS Admin for approval. You will automatically become the Account admin of your new account.

image43

You will receive the following email, as confirmation for the request:

Important

Subject : Your new account creation request (Production_Account - requested 2016-06-27 10:27:12)

Your new account creation request has been sent.

Please notice that the Account will not be active until the creation request is approved. A mail notification will be sent to you upon approval.

User: Prod_Account_Admin

Email: myname@zadarastorage.com

Account: Production_Account

The ZIOS admin will receive an email informing him about the pending request:

Important

Subject : New Account creation request (Production_Account - requested 2016-06-27 10:27:11)

A new account creation request created on cloud zadara-qa3

You can approve/deny requests on your ZIOS Z1 at https://vsa-00000144-zadaraqa3.zadarazios.com:8443.

Details:

User: Prod_Account_Admin

Email: myname@zadarastorage.com

The ZIOS Admin should open the GUI, select Users entity in the Main Navigation Panel (Left Panel) under Account Management, select the pending Account request, and either Approve or Deny it.

image45

Upon approval the new account will be created, the account admin will be defined with the given credentials. You will receive an email notification about the new account:

Important

Subject : Your new account creation request has been approved

Your Account Creation request was approved, and you were added to Z77 ZIOS as Admin user under Production_Account account.

Your role allows you to manage objects and users under your account.

To start working with your ZIOS use the following information:

ZIOS Account Management & Console URL: https://vsa-00000152-zadara-qa3.zadarazios.com:8443

ZIOS API Endpoint URL: https://vsa-00000152-zadara-qa3.zadarazios.com:443

Account: Production_Account

Username: Prod_account_admin

The Account is ready. You can now login to the GUI, add members to the Account, create containers and start store objects.

Managing Users

Understanding users roles

The VPSA Object Storage support the following roles:

  • ZIOS Administrator(ZIOS Admin): Responsible for the administration of the VPSA Object Storage. This is the user that created the VPSA Object Storage in the Zadara Provisioning Portal.

  • ZIOS Admin - Read Only a dedicated Read-Only account for cross-accounts monitoring and reporting purposes. The Read-Only role is available for the ZIOS_ADMIN account only. A Read-Only user will have access to the VPSA Object Storage RestAPI, however it will not have data access. The user role is designated for monitoring and reporting purposes, such as:

    • Performance monitoring

    • Capacity monitoring

    • Usage reports & billing automation

  • Account Administrators : Responsible for the administration of their account

  • Account Member can do object storage operations according to the given permissions within the limits of that account.

User Information

Information about the user currently logged in to the GUI is displayed by clicking the user name on the GUI upper right corner.

The following User’s properties are displayed:

Property

Description

Username

The login ID of the User

Email

User’s email address

Account

The account where the user belongs

Public URL

The URL that identifies this user’s account. To be used by the REST API

User ID

An internally assigned unique ID

Account ID

An internally assigned unique ID

Dual Factor Auth.

Indication if this user has dual factor authentication activated

Object Storage API Token

Token to be used for authentication by the REST API The token expires in 24 hours. Good practice is for every script to start with getting a new token. See API guide http://zios-api.zadarastorage.com

Public IP

Public IP of the VPSA Object Storage (see: Assigning Public IPs (ZIOS Admin))

API Endpoint

The effective address for REST API for all IO requests

Auth Endpoint

The effective address for REST API for all authentication requests

S3 Access Key

To be used by client using the S3 interface

S3 Secret Key

To be used by client using the S3 interface

Note

The connected user can reset its Object Storage Access/Secret keys. The existing Access and Secret keys will be revoked. reset-s3-user-keys

Creating user (ZIOS Admin, Account Admin)

To create a User, first select the Users entity in the Main Navigation Panel (Left Panel) under Account Management, and then click the Create button in the Center Panel.

image47

In the dialog that opens, give the user a name, select the role, enter an email address, and select the User’s Account. Click Create.

Note

Everything an Account admin does, is within the context of that Account. So, when an Account admin creates users, there is no need to select an Account.

Note

Users with ZIOS Admin role can only be created in the zios_admin account.

The new user will receive an email with links to access the GUI for their account, and the first-time password. The new user must change the temporary password at first login

Important

You were just added to Z1 as #Member user under Test_Account account. Your role allows you to manage objects in your account according to your permissions.

To start working with your Object Storage use the following information:

Console URL: https://vsa-00000144-zadara-qa3.zadarazios.com:8443

API Endpoint URL: https://vsa-00000144-zadara-qa3.zadarazios.com:443

Account: Test_Account

Username: Test_Account_Member

Temporary Password Code: 9oya82BXV53Z2_qwJGq3

Please use the Temporary Password Code when logging into your Object Storage user interface for the first time to create a new password.

Viewing Users Properties (ZIOS Admin, Account Admin)

image48

The following User’s properties are displayed:

Property

Description

Name

The login ID of the User

Email

User’s email address

ID

An internally assigned unique ID

Account Name

The account where the user belongs

Account ID

An internally assigned unique ID

Role

ZIOS Admin, Account Admin, Member

Notify on Events

Specify is this user want to get email notifications for events

Dual Factor Auth.

Indication if this user has dual factor authentication activated

Enabled

User is active or not. Disabled user can’t login and can’t perform any operation

Deleting users (ZIOS Admin, Account Admin)

To Delete a User, first select the Users entity in the Main Navigation Panel (Left Panel) under Account Management, select the User to be deleted, and then click the Delete button in the Center Panel.

image49

The system will ask for confirmation. By clicking Yes the deletion process will begin, and might take few minutes.

image50

Disabling users (ZIOS Admin, Account Admin)

A disabled user cannot login to the GUI or perform any operation via the REST API. However the system remembers the User with all the properties and permissions. Once users are enabled, they can resume operations as before.

To Disable a User, first select the Users entity in the Main Navigation Panel (Left Panel) under Account Management, select the User to be deleted, and then click the Disable button in the Center Panel.

image51

The system will ask for confirmation. By clicking Yes the disabling process will begin, and might take few minutes.

image52

Reset password (ZIOS Admin, Account Admin)

ZIOS admin and Account admins can reset Users’ passwords. When resetting a password, the User will receive an email with a temporary password that they will have to change at the next login.

To reset someone’s password, first select the Users entity in the Main Navigation Panel (Left Panel) under Account Management, select the User for whom you will reset the password, and then click the Reset Password button in the Center Panel.

image53

image54

The system will ask for confirmation. By clicking Yes the user will be assigned a

temporary password that will be sent by email:

Important

Subject :Forgot Z888 Password - acc_member_2 - requested at: 2016-06-28 12:10:49 +0300

You requested to reset the password on your ZIOS Z888. If you made this request follow the instructions below:

Your temporary passcode is: t5CpKs_M-oMNwqX6jiJ4

In order to reset your password, you must login to the ZIOS at https://vsa-00000154-zadaraqa3.zadarazios.com:8443 using your username and the supplied password code as your

password.Account: Production_Account

Username: Prod_account_adminAccount: Production_Account

Note

Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.

Change Role (ZIOS Admin, Account Admin)

Account member can be promoted to become an Account Admin, and vice versa. Users under the system account zios_admin can be promoted to ZIOS Admins only by ZIOS Admin.

To change someone’s role, first select the Users entity in the Main Navigation Panel (Left Panel) under Account Management, select the User for whom you want to promote, and then click the Change Role button in the Center Panel.

image55

In the dialog that open select the new role and click Change Roles

image56


Dual Factor Authentication

The VPSA Object Storage supports Dual Factor Authentication (DFA) using Authenticator mobile application. It is a common practice to protect access in case of compromised password, as a password is not enough in order to login. Each user can turn Dual Factor Authentication on/off for themself. The ZIOS admin can force Dual Factor Authentication on all users.


Enabling Dual Factor Authentication

To enable DFA open the current User Properties by clicking the user name on the upper right corner of VPSA GUI screen.

image78a

Click Activate or Deactivate. Close the properties dialog, and logout.

The first time you login again, the following screen will pop up.

image78b

Install Authenticator mobile app. (e.g. Google Authenticator) from Google Play or Apple AppStore, and scan the QR code. Enter the code you get on the Authenticator. You are now set.

image78c

Every login, from now on will require the temporary code from the Authenticator app.

Important

The mobile device that runs the Authenticator app is needed for login. In case the device was lost or replaced, the user must ask the VPSA admin to reset their DFA settings. VPSA admin must contact Zadara support for reset the DFA.


Enforcing Dual Factor Authentication

VPSA administrator can force DFA for all users. In setting/Security click Edit on the Dual Factor Authentication, check the checkbox and Save. This setting change doe not have immediate effect. Next time each user will login, she will be required to set her mobile device Authenticator app as described above.

image78d

Note

When DFA enforcement is removed, the users with DFA configured are still required to use the temporary code when logging in. However each user can change her settings in the user properties as described above.

Remote Authentication

An external identity provider (Openstack Keystone) can be used as the authentication engine for the Object Storage. This integration will expose Zadara’s Object Storage service directly to the Openstack dashboard (Horizon); the Object Storage will be available immediately to all Openstack registered users.

The following section will provide an overview of this capability along with the required steps to properly integrate Keystone (the OpenStack identity service) with Zadara VPSA Object Storage.

Openstack version: Train and later

remote-auth-layout

Openstack Prerequisites

Creating Openstack Object-Store Service

$ openstack service create --name=vpsa-obs --description "Zadara Object Storage" object-store

The expected output is a confirmation the service was created, similar to the following:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Zadara Object Storage            |
+-------------+----------------------------------+
| enabled     | True                             |
+-------------+----------------------------------+
| id          | 74b0f72dcf3f4c7eb50462122c1d40cc |
+-------------+----------------------------------+
| name        | vpsa-obs                         |
+-------------+----------------------------------+
| type        | object-store                     |
+-------------+----------------------------------+

Creating Object-Store Endpoints

The Object Store service endpoints should direct Openstack users to use the VPSA Object Storage, the URL in the following examples (https://vsa-0000004e-zadara-iop-01.zadarazios.com) should be replaced with the actual target VPSA Object Storage.

The service exposes three endpoints: internal, public & admin endpoints. All three should be configured in order to allow seamless integration.

Internal Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs internal "https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/KEY_\$(tenant_id)s"

Public Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs public "https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/KEY_\$(tenant_id)s"

Admin Endpoint

$ openstack endpoint create --region RegionOne vpsa-obs admin "https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/"

Confirm all 3 endpoints were created as expected.

Note

Openstack is not actively testing for endpoint connectivity, it is recommended to ensure the endpoint is accessible prior its configuration.

$ openstack endpoint list --service vpsa-obs -c 'Service Name' -c 'Service Type' -c URL

The expected result is the list of all three endpoints as configured in the previous steps, similar to the following:

+--------------+--------------+------------------------------------------------------------------------+
| Service Name | Service Type | URL                                                                    |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/                  |
+--------------+--------------+------------------------------------------------------------------------+
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadarazios.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+------------------------------------------------------------------------+

Horizon Dashboard

At this point, horizon should have an additional section “Object Storage”.

horizon-object-service

VPSA Object Storage Configuration

The VPSA Object Storage will require the Openstack endpoint URL. Ensure you have a valid endpoint prior proceeding to the next step.

Private domain names are supported, however, will require the VPSA Object Storage administrator to set a custom name server under Settings > Network

The endpoint can be retrieved from Horizon or by using the openstack cli tool, like in the following example:

$ openstack endpoint list --service identity

+--------------+--------------+-------------------------------+
| Service Name | Service Type | URL                           |
+--------------+--------------+-------------------------------+
| keystone     | identity     | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+
| keystone     | identity     | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+

Important

It is expected that the Keystone Authentication endpoint will be accessible from the VPSA Object Storage Front End network, public/secondary VNI network endpoint or are not supported.

Enabling Remote Authentication

In the VPSA Object Storage management interface, navigate to the Account Management > Remote Authentication.

enable-remote-auth

The following information is required:

  • Authentication service endpoint URL - the Openstack Keystone identity URL as retrieved from Openstack.

  • Administrator username - the openstack administrator username.

  • Administrator password - the openstack administrator password

  • Administrator project name - the openstack administrator project

Upon submitting the form, the VPSA Object Storage user interface will reload in order to apply the changes.

Important

As of this point all user management will be subject to the Openstack Keystone service and will not be managed from the VPSA Object Storage GUI. Only the ZIOS_ADMIN account and the cloud_admin user (via Zadara Command Center) will have access to the VPSA Object Storage user interface. All existing local accounts will not be accessible.

Navigating to the Accounts in the VPSA Object Storage user interface section will now list all Openstack Projects, this view is the administrative visibility to the account consumption and utilization.

In the accounts listing the administrator will be able to review:

  1. Account name as defined in keystone.

  2. Status - the status of the account in the VPSA Object Storage. An account will be considered active if one of its users have used the Object Storage service from Openstack, this is useful when managing a large cluster with a large number of users/projects.

  3. The account id (project ID) as defined in Openstack.

  4. The container count for the selected account.

  5. The overall object count (across all containers)

  6. Used capacity for the selected account.

Note

The consumption usage may take a couple of minutes to reflect the actual usage.

Verify The Keystone User Access To The Object Storage Service

Openstack CLI

  1. Source a valid user information.

  2. Try to create a container using the openstack cli

    $ openstack container create shlomi
    
  3. Try to list the container recently created

    $ openstack container list
    
    +--------+
    | Name   |
    +--------+
    | shlomi |
    +--------+
    

S3 Credentials

Openstack will allow its users to interact with the cluster resources using aws s3 credentials.

These credentials can be used in order to configure S3 clients for Object Storage operations.

  1. Create ec2 credentials

    $ openstack ec2 credentials create
    
  2. Use the provided credentials to access the Object Storage using an S3 client.

  3. The S3 Object Storage client should be configured with the VPSA Object Storage endpoint along with the aws credentials that were created in Openstack.

Note

Clients that support AWS v4 Signatures will be required to set the Object Storage “Region”. The default region in the VPSA Object Storage is us-east-1 and can be modified to match the Openstack region field.

Horizon Dashboard

From the Horizon dashboard, all registered users will be able to execute Object Storage related operations such as:

  • Container creation

  • Container deletion

  • Object Upload/Download/Deletion

zios-horizon-op

Limitations & Known Issues

Limitations

  • 18597 - ZIOS_ADMIN account cannot add additional admin users once external authentication is enabled.

  • VPSA Object Storage GUI is accessible only by ZIOS_ADMIN/CLOUD_ADMIN (via Zadara Command Center).

  • VPSA Object Storage REST API is accessible for ZIOS_ADMIN account only.

  • VPSA Object Storage REST API will require local authentication.

  • The VPSA Object Storage is caching the remote account and users information to avoid synchronization issues, the update interval is set to 30 minutes.

Known Issues

  • 18810 - Modifying the main projects will not be populated to the VPSA Object Storage user interface and not account information will be displayed for the user.

  • 18797 - When terminating an account, the VPSA Object Storage account should be deleted prior to the OS account deletion.