Accounts and Users¶
Managing Accounts¶
Object Storage Accounts are a collection of containers and are typically associated with a tenant. Object Storage Account Management allows you to view/configure account properties, permissions, and storage usage, and see lists of users associated with the account.
Creating an account¶
Scope: Object Storage Administrator
When the system is first built, a default account is created, called zios_admin. At that point only the Object Storage Admin has access to this account. In order to provision Object Storage to customers, the Object Storage Admin needs to create accounts.
To create additional accounts, first select the Accounts entity in the Main Navigation Panel (left panel) under Account Management, and then click the Create button in the top toolbar above the account pane.
In the dialog that opens, give a name to the new account and click Add. The new account will be added.
Note
An account name can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:
Uppercase and lowercase English letters (A-Z, a-z)
Numbers (0-9)
. (period)
_ (underscore)
+ (plus)
- (dash/minus)
@ (at)
An account name cannot contain spaces, other special characters, or letters from other languages.
Accounts Properties¶
Scope: Object Storage Administrator Account Administrator
Properties - the following account properties are displayed in the account pane in the Account Management > Account view.
Note
Parameters marked with (*) in the table below are only available to Object Storage Administrators.
| Property | Description |
|---|---|
| ID | An internally assigned unique ID |
| Name | The name of the account |
| Status (*) | Normal / Deleting / Deleted, awaiting cleanup |
| Enabled (*) | Yes/No |
| Public URL | The URL that identifies this account. To be used by the REST API |
| Containers | Number of containers in the selected account |
| Objects | Number of objects stored in the selected account |
| Used Capacity | Amount of written data in the account |
| Policies | Shows statistics for each policy (e.g. 2-way protection) used by this account. Details include: Containers (number of containers this account keeps in this policy); Objects (number of objects this account keeps in this policy); Used Capacity (capacity consumed by this account, kept in this policy) |
Permissions - account permissions are displayed in the details pane, permission tab in the Account Management > Account view. For more information on account permissions, see Setting Account Permissions.
Users - lists of users per account are displayed in the users pane in the Account Management > Users view, and in the Users tab in the Account Management > Account view.
Capacity Metering - provides live metering of the capacity usage associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering info.
The following charts are displayed:

| Chart | Description |
|---|---|
| Used Capacity | Total storage capacity consumed in the selected account |
| Containers | Total number of containers belonging to the selected account, by storage policy |
| Objects | Total number of objects belonging to the selected account, by storage policy |
Frontend Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering info.
The following charts are displayed:

| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Bandwidth (MB/s) | Total throughput (in MB) of read and write commands issued to proxy for the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Account Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering info.
The following charts are displayed:

| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Container Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering info.
The following charts are displayed:

| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Account Quota Management¶
Version: 23.09
Scope: Object Storage Administrator Account Administrator
Quotas are a useful way to control capacity consumption on a specific account or container.
Capacity quotas can be set:
Per container by the Account Administrator
Globally per account by the Object Storage Administrator
Note
The sum of the actual usage capacities of all the containers in an account is tracked, so that cumulatively they do not exceed the account’s quota.
For purposes such as future planning, it is also possible to specify container quotas such that their sum or even an individual container’s quota can be higher than the account quota. Although it is possible to specify higher quotas at container level, the system will prevent consumption of extra storage when the account quota has been reached.
Configurations are available for alert notifications when the quota’s warning, emergency and 100% utilization thresholds are reached:
Quota alerts to Object Storage Administrator: see Quota Alerts on the Settings page.
Quota alerts to Account Administrator: see Account Administrator Quota Alerts.
Note
Once enabled, it will take up to 10 minutes for the quota management to be activated.
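The interaction between container quotas and the account quota described above can be traced with a small model. This is an added example, not the product's code: the class and method names are hypothetical, enforcement is simplified to an immediate per-write check, and the warning and emergency percentages are assumed values because the page does not state them.

```python
from dataclasses import dataclass, field

GIB = 1024 ** 3


@dataclass
class AccountQuota:
    """Simplified model of one account (hypothetical names throughout)."""
    account_quota_gib: int        # set by the Object Storage Administrator
    container_quota_gib: dict     # set by the Account Administrator; may oversubscribe
    used_bytes: dict = field(default_factory=dict)

    def total_used(self) -> int:
        return sum(self.used_bytes.values())

    def admit(self, container: str, size: int):
        """Return (allowed, reason) for writing `size` bytes to `container`."""
        before = self.used_bytes.get(container, 0)
        limit = self.container_quota_gib.get(container)
        # The container's own quota is checked first ...
        if limit is not None and before + size > limit * GIB:
            return False, "container quota"
        # ... but the account quota caps the sum of all containers, even when
        # the container quotas add up to more than the account quota.
        if self.total_used() + size > self.account_quota_gib * GIB:
            return False, "account quota"
        self.used_bytes[container] = before + size
        return True, "ok"

    def alert_level(self, warning_pct: int = 80, emergency_pct: int = 90):
        """Highest threshold reached; the 80/90 defaults are assumptions."""
        used = self.total_used()
        limit = self.account_quota_gib * GIB
        if used >= limit:
            return "100%"
        if used * 100 >= emergency_pct * limit:
            return "emergency"
        if used * 100 >= warning_pct * limit:
            return "warning"
        return None


if __name__ == "__main__":
    # Constructed scenario: two 8 GiB container quotas under a 10 GiB account quota.
    acct = AccountQuota(10, {"logs": 8, "backups": 8})
    for name, gib in [("logs", 6), ("backups", 3), ("backups", 2), ("logs", 3)]:
        print(name, gib, acct.admit(name, gib * GIB), acct.alert_level())
```
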
Account Level Quota Management¶
Scope: Object Storage Administrator
Navigate to Account Management > Accounts.
In the top pane select the desired account, and open the Quotas tab in the bottom Details pane.
Mark the Enable capacity quota checkbox.
Enter the Capacity (GiB) quota. The minimum is 1 GiB.
Click Update.
Note
When the quota is enabled, the actual Used capacity (GiB) also displays in the same tab.
In the Account Management > Accounts > Quotas tab, an Account Administrator cannot configure the account’s capacity quota, but can view:
Whether the capacity quota feature is enabled or disabled for the account.
If enabled, the capacity quota and used capacity amounts.
Account Administrator Quota Alerts¶
Scope: Account Administrator
Quota alerts to the Object Storage Administrator are configured in the account’s Settings. See Quota Alerts on the Settings page.
By default, alert notifications are not sent to the Account Administrator.
To configure the system to issue alert notifications to the Account Administrator when the quota’s warning, emergency and 100% utilization thresholds are reached:
Navigate to Account Management > Accounts.
In the bottom account details pane, open the Quota Alerts tab.
Mark the Notify the account administrator(s) with quota alerts checkbox.
Select the Alert frequency option to determine notification repetition on reaching a quota alert threshold:
Single alert (default) notification without further repetition, when the usage capacity reaches the threshold.
Once a day, for as long as the usage capacity reaches the threshold, repeat the notification alert.
Click Update.
Deleting an account¶
Scope: Object Storage Administrator
To delete an account, navigate to Account Management > Account, select the account to be deleted, and click Delete in the top toolbar.
Note
Deleting an account is an irreversible operation, and requires double confirmation.
Once an account is deleted, all account user data is removed. However, account billing information still exists in the system for usage report generation. Click Cleanup in the top toolbar to completely remove it from the system.
Disabling an account¶
Scope: Object Storage Administrator
To disable an account, navigate to Account Management > Account, select the account to be disabled, and click Disable in the top toolbar.
Note
Once an account is disabled, the account is no longer available for read or write operations. However, Object Storage maintains the account entities (users, access rights, etc.), as well as all the containers and objects.
Self Service Account Creation¶
Scope: Account Administrator
In addition to creation of a new account by the Object Storage administrator as described in Creating an account, a user can be given permission to create his own account. In this case, a user will request creation of a new account via a provided URL. The Object Storage Admin will receive and must then approve the request. The account will then be created and the user who initiated the request will be set as the Account Administrator.
The detailed procedure for account self-creation is as follows:
Use the GUI URL received from Object Storage Admin to access the login screen.
On the login screen, click Create new account. In the overlay that displays, enter the following information:
Name for the new account
Your username as the Account Admin
Your email address
Select a password
Note
While the account name and the username for a given user are unique across the Object Storage, the same email address can be used for multiple users. This is useful in cases where the same entity needs visibility to more than a single account.
Click Create Account. This will create an account creation request that will go to the Object Storage Admin for approval. Once approved, you will automatically become the Account Admin of your new account.
The user initiating the request will receive an automated email response confirming the request.
The Object Storage Admin will receive an email informing them of the pending request.
The Object Storage Admin should open the GUI, select Users in the Main Navigation Panel (Left Panel) under Account Management, select the pending account request, and either Approve or Deny it.
Upon approval, the new account will be created, the account admin will be defined with the given credentials, and receive an email notification with the following information:
Object Storage Account Management & Console URL
Object Storage API Endpoint URL
Account Name
User Name
Managing Users¶
Understanding User Roles¶
The Object Storage supports the following roles:
Object Storage Admin - responsible for the administration of the Object Storage. This is the user that created the VPSA Object in the Zadara Provisioning Portal.
Object Storage Admin - Read Only - dedicated read-only role for cross-account monitoring and reporting purposes. The Read-Only role is available for the zios_admin account only. Read-Only users have access to the Object Storage REST API, but they do not have data access. The role is intended for monitoring and reporting purposes, such as:
Performance monitoring
Capacity monitoring
Usage reports and billing automation
Account Administrators - responsible for the administration of their accounts.
Account Member - can perform Object Storage operations according to the given permissions within the limits of that account.
User Information¶
Information about the logged-in user of the current session is displayed by clicking the user name in the upper right corner of the GUI.
Some of the displayed properties have optional actions associated with them, such as viewing, copying and resetting passwords.
The following User’s properties are displayed:
| Property | Description |
|---|---|
| Account Information | |
| Username | The login ID of the User |
| User’s email address | |
| Account | The account where the user belongs |
| User ID | An internally assigned unique ID |
| Account ID | An internally assigned unique ID |
| Dual Factor Authentication | Indicates if this user has dual factor authentication activated. Option to activate/deactivate dual factor authentication. |
| Authentication | |
| S3 Access Key | To be used by clients using the S3 interface. Option to copy the access key to the clipboard. |
| S3 Secret Key | To be used by clients using the S3 interface. Options to view the key, copy it to the clipboard, or reset it. |
| Region | Region name |
| API Token | Token to be used for authentication by the REST API. The token expires in 24 hours. Good practice is for every script to start with a new token (see the API guide: http://zios-api.zadarastorage.com). Options to view the token, copy it to the clipboard, or reset it. |
| Connectivity - Front End Network | |
| API Endpoint | The effective Front End private address for REST API for all IO requests |
| V3 Auth Endpoint | The effective Front End private address for REST API auth requests |
| Account URL | The Front End private network URL that identifies this user’s account. To be used by the REST API. |
| Connectivity - Public Network | |
| Public IP | Public IP of the Object Storage (see: Assigning Public IPs) |
| Public API endpoint | The public address for REST API for all IO requests |
| Public V3 Auth Endpoint | The public address for REST API auth requests |
| Public Account URL | The public network URL that identifies this user’s account. To be used by the REST API |
Note
Connected users can reset their Object Storage Access/Secret keys. The existing access and secret keys will be revoked.
Creating a User¶
Scope: Object Storage Administrator Account Administrator
To create a new user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the top toolbar on the Users pane, click Create.
In the Add User dialog which opens, enter the following:
Username
A Username can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:
Uppercase and lowercase English letters (A-Z, a-z)
Numbers (0-9)
. (period)
_ (underscore)
+ (plus)
- (dash/minus)
@ (at)
A Username cannot contain spaces, other special characters, or letters from other languages.
Email
Role
Note
Everything an Account Admin does is within the context of that account. So, when an Account Admin creates users, there is no need to select an account.
Note
Users with Object Storage Admin role can only be created in the zios_admin account.
Click Add User. The new user will receive an email with the following information:
Object Storage Account Management & Console URL
Object Storage API Endpoint URL
Account Name
User Name
Assigned User Role
Temporary Password
Note
The new user should use the temporary password for the first login, and then change the password after logging on.
Viewing Users Properties¶
Scope: Object Storage Administrator Account Administrator
To view user properties in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users. User properties are displayed in the top pane of the console.
To view additional properties in the lower details pane, select a single user from the displayed list in the top pane.
The following user properties are displayed:
| Property | Description |
|---|---|
| Name | The login ID of the User |
| User’s email address | |
| ID | An internally assigned unique ID |
| Account Name | The account where the user belongs |
| Account ID | An internally assigned unique ID |
| Role | Object Storage Admin, Account Admin, Member |
| Locked | Indicates if the user is locked and blocked from access |
| Notify on Events | Object Storage Administrators can specify for themselves whether to receive notifications for events. Option to activate/deactivate. |
| Dual Factor Authentication | Indicates if this user has dual factor authentication activated |
| Enabled | User is active or not. A disabled user can’t log in and can’t perform any operation. |
Deleting users¶
Scope: Object Storage Administrator Account Administrator
To delete a user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be deleted and click Delete from the top toolbar.
In the Confirm Deletion dialog which opens, click Yes. Note that the deletion process may take a few minutes.
Disabling/Enabling users¶
Scope: Object Storage Administrator Account Administrator
A disabled user cannot log in to the GUI or perform any operation via the REST API. However, the system retains the user with all their properties and permissions. Once users are enabled, they can resume operations as before.
To disable a user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be disabled and click Disable from the top toolbar.
In the Confirm Action dialog which opens, click Yes. Note that the process may take a few minutes.
Note
To enable a user who has been disabled, repeat the process above and select Enable from the toolbar instead of Disable.
Reset password¶
Scope: Object Storage Administrator Account Administrator
Object Storage Admins and Account Admins can reset users’ passwords. When resetting a password, the user will receive an email with a temporary password that they will have to change at the next login.
To reset a user password in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose password is to be reset and click Reset Password from the top toolbar.
In the Confirm Password Reset dialog which opens, click Yes.
The user will receive an email with a temporary password.
Note
Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.
Change Role¶
Scope: Object Storage Administrator Account Administrator
An Account Member can be changed to an Account Admin, and vice versa. Users that are members of the system zios_admin account can be promoted to Object Storage Admin only by someone who currently has the Object Storage Admin role.
To change a user role in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose role is to be changed, and click Change Role from the top toolbar.
In the Change Role dialog which opens, enter the new user role and click Change Roles.
Dual Factor Authentication¶
It is a common practice to protect access in cases of compromised passwords. For this purpose, the Object Storage supports Dual Factor Authentication using a mobile Authenticator application. Each user can turn Dual Factor Authentication on or off. The Object Storage Admin can force Dual Factor Authentication on all users.
To use Dual Factor Authentication, install a mobile Authenticator app (e.g. Google Authenticator) from Google Play or Apple AppStore on your mobile device.
Important
If the Object Storage administrator requires Dual Factor Authentication to be set for all Object Storage accounts, all system users must enable Dual Factor Authentication for their account in the next login. This setting cannot be disabled for a specific user.
Enabling Dual Factor Authentication¶
In the Object Storage console, click the user name in the top right corner of the screen. The current user's property details will be displayed.
For Dual Factor Authentication, click Activate or Deactivate. Close the properties dialog, and log out.
The next time you log in, a confirmation screen will open with a QR code. Scan the code with your mobile device, and enter the token.
From now on, during every login, you will be asked to enter the Dual Factor Authentication token from the Authenticator app on your mobile device.
Important
The mobile device that runs the Authenticator app is needed for login. If the device is lost or replaced, the user must ask the Object Storage Admin to reset their Dual Factor Authentication settings. The Object Storage Admin must contact Zadara support to reset the Dual Factor Authentication.
Enforcing Dual Factor Authentication¶
The Object Storage Admin can force Dual Factor Authentication for all users. In Settings/Security, click Edit on Dual Factor Authentication, select the checkbox and Save. This setting change does not have immediate effect. The next time each user logs in, the Dual Factor Authentication token from the mobile device’s Authenticator app will be required.
Note
When MFA enforcement is removed, the users with Dual Factor Authentication configured are still required to use the temporary code when logging in. However each user can change their settings in the user properties as described above.