Accounts and Users

Managing Accounts

An Object Storage account is a collection of containers and is typically associated with a tenant. Object Storage Account Management allows you to view and configure account properties, permissions, and storage usage, and to see the list of users associated with the account.

Creating an account

Scope: Object Storage Administrator

When the system is first built, a default account is created, called zios_admin. At that point only the Object Storage Admin has access to this account. In order to provision Object Storage to customers, the Object Storage Admin needs to create accounts.

To create additional accounts, first select the Accounts entity in the Main Navigation Panel (left panel) under Account Management, and then click the Create button in the top toolbar above the account pane.

In the dialog that opens, give a name to the new account and click Add. The new account will be added.

Note

An account name can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:

  • Uppercase and lowercase English letters (A-Z, a-z)

  • Numbers (0-9)

  • . period

  • _ underscore

  • + plus

  • - dash/minus

  • @ at

An account name cannot contain spaces, other special characters, or letters from other languages.

Accounts Properties

Scope: Object Storage Administrator, Account Administrator

  • Properties - the following account properties are displayed in the account pane in the Account Management > Account view.

    Note

    Parameters marked with (*) in the table below are only available to Object Storage Administrators.

    Property | Description
    ID | An internally assigned unique ID
    Name | The name of the account
    Status (*) | Normal / Deleting / Deleted, awaiting cleanup
    Enabled (*) | Yes/No
    Public URL | The URL that identifies this account. To be used by the REST API
    Containers | Number of containers in the selected account
    Objects | Number of objects stored in the selected account
    Used Capacity | Amount of written data in the account
    Policies | Statistics for each policy (e.g. 2-way protection) used by this account. Details include: Containers (number of containers this account keeps in this policy); Objects (number of objects this account keeps in this policy); Used Capacity (capacity consumed by this account, kept in this policy)

  • Permissions - account permissions are displayed in the details pane, permission tab in the Account Management > Account view. For more information on account permissions, see Setting Account Permissions.

  • Users - lists of users per account are displayed in the users pane in the Account Management > Users view, and in the Users tab in the Account Management > Account view.

  • Capacity Metering - provides live metering of the capacity usage associated with the selected account.

    The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart | Description
    Used Capacity | Total storage capacity consumed in the selected account
    Containers | Total number of containers belonging to the selected account, by storage policy
    Objects | Total number of objects belonging to the selected account, by storage policy

  • Frontend Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.

    The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart | Description
    Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account.
    Bandwidth (MB/s) | Total throughput (in MB) of read and write commands issued to proxy for the selected account.
    Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected Account per selected interval.

  • Account Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.

    The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart | Description
    Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account.
    Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected Account per selected interval.

  • Container Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.

    The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.

    The following charts are displayed:

    Chart | Description
    Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account.
    Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected Account per selected interval.

Account Quota Management

Version: 23.09

Scope: Object Storage Administrator, Account Administrator

Quotas are a useful way to control capacity consumption on a specific account or container.

Capacity quotas can be set:

  • Per container by the Account Administrator

  • Globally per account by the Object Storage Administrator

Note

The sum of the actual usage capacities of all the containers in an account is tracked, so that cumulatively they do not exceed the account’s quota.

For purposes such as future planning, it is also possible to specify container quotas such that their sum or even an individual container’s quota can be higher than the account quota. Although it is possible to specify higher quotas at container level, the system will prevent consumption of extra storage when the account quota has been reached.
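The interaction described above can be modelled in a few lines. This is an added example, not Zadara code: the container names and figures are constructed, and the model only assumes what the text states, namely that a container's usable headroom is bounded both by its own quota and by what is left of the account quota.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Container:
    name: str
    used_gib: int
    quota_gib: Optional[int] = None  # None: no container-level quota set


def quota_plan(account_quota_gib, containers):
    """Compare each container's nominal headroom with what the account quota allows."""
    used = sum(c.used_gib for c in containers)
    account_left = max(account_quota_gib - used, 0)
    quota_sum = sum(c.quota_gib for c in containers if c.quota_gib is not None)
    rows = {}
    for c in containers:
        # Headroom promised by the container quota alone.
        nominal = None if c.quota_gib is None else max(c.quota_gib - c.used_gib, 0)
        # The account quota wins whenever it leaves less room than the container quota.
        if nominal is None or account_left < nominal:
            effective, limited_by = account_left, "account"
        else:
            effective, limited_by = nominal, "container"
        rows[c.name] = {
            "nominal_left": nominal,
            "effective_left": effective,
            "limited_by": limited_by,
        }
    return {
        "account_used": used,
        "account_left": account_left,
        "utilization_pct": round(100 * used / account_quota_gib, 1),
        # How far the container quotas, added up, exceed the account quota.
        "oversubscribed_by": max(quota_sum - account_quota_gib, 0),
        "containers": rows,
    }


# Constructed sample: a 1000 GiB account whose container quotas add up to 1350 GiB.
ACCOUNT_QUOTA_GIB = 1000
CONTAINERS = [
    Container("logs", used_gib=600, quota_gib=800),
    Container("backups", used_gib=250, quota_gib=500),
    Container("scratch", used_gib=50),
    Container("archive", used_gib=0, quota_gib=50),
]

if __name__ == "__main__":
    plan = quota_plan(ACCOUNT_QUOTA_GIB, CONTAINERS)
    print(plan["account_left"], "GiB left, oversubscribed by", plan["oversubscribed_by"])
    for name, row in plan["containers"].items():
        print(name, row)
```

In the sample, logs shows 200 GiB of nominal headroom but can only grow by 100 GiB, because the other containers have already consumed most of the account quota.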

Configurations are available for alert notifications when the quota’s warning, emergency and 100% utilization thresholds are reached.

Note

Once enabled, it will take up to 10 minutes for the quota management to be activated.

Account Level Quota Management

Scope: Object Storage Administrator

  1. Navigate to Account Management > Accounts.

  2. In the top pane select the desired account, and open the Quotas tab in the bottom Details pane.

  3. Mark the Enable capacity quota checkbox.

  4. Enter the Capacity (GiB) quota. The minimum is 1 GiB.

  5. Click Update.

Note

  • When the quota is enabled, the actual Used capacity (GiB) also displays in the same tab.

  • In the Account Management > Accounts > Quotas tab, an Account Administrator cannot configure the account’s capacity quota, but can view:

    • Whether the capacity quota feature is enabled or disabled for the account.

    • If enabled, the capacity quota and used capacity amounts.

Account Administrator Quota Alerts

Scope: Account Administrator

Quota alerts to the Object Storage Administrator are configured in the account’s Settings. See Quota Alerts on the Settings page.

By default, alert notifications are not sent to the Account Administrator.

To configure the system to issue alert notifications to the Account Administrator when the quota’s warning, emergency and 100% utilization thresholds are reached:

  1. Navigate to Account Management > Accounts.

  2. In the bottom account details pane, open the Quota Alerts tab.

  3. Mark the Notify the account administrator(s) with quota alerts checkbox.

  4. Select the Alert frequency option to determine notification repetition on reaching a quota alert threshold:

    • Single alert (default): one notification, without further repetition, when the usage capacity reaches the threshold.

    • Once a day: the notification is repeated once a day for as long as the usage capacity reaches the threshold.

  5. Click Update.

Deleting an account

Scope: Object Storage Administrator

To delete an account, navigate to Account Management > Account, select the account to be deleted, and click Delete in the top toolbar.

Note

  • Deleting an account is an irreversible operation, and requires double confirmation.

  • Once an account is deleted, all account user data is removed. However, account billing information still exists in the system for usage report generation. Click Cleanup in the top toolbar to completely remove it from the system.

Disabling an account

Scope: Object Storage Administrator

To disable an account, navigate to Account Management > Account, select the account to be disabled, and click Disable in the top toolbar.

Note

Once an account is disabled, the account is no longer available for read or write operations. However, Object Storage maintains the account entities (users, access rights, etc.), as well as all the containers and objects.

Self Service Account Creation

Scope: Account Administrator

In addition to the creation of a new account by the Object Storage Administrator as described in Creating an account, a user can be given permission to create their own account. In this case, the user requests creation of a new account via a provided URL. The Object Storage Admin receives the request and must approve it. The account is then created, and the user who initiated the request is set as the Account Administrator.

The detailed procedure for account self-creation is as follows:

  1. Use the GUI URL received from Object Storage Admin to access the login screen.

  2. On the login screen, click Create new account. In the overlay that displays, enter the following information:

    • Name for the new account

    • Your username as the Account Admin

    • Your email address

    • Select a password

    Note

    While the account name and the username for a given user are unique across the Object Storage, the same email address can be used for multiple users. This is useful in cases where the same entity needs visibility into more than a single account.

  3. Click Create Account. This will create an account creation request that will go to the Object Storage Admin for approval. Once approved, you will automatically become the Account Admin of your new account.

  4. The user initiating the request will receive an automated email response confirming the request.

  5. The Object Storage Admin will receive an email informing them about the pending request.

  6. The Object Storage Admin should open the GUI, select Users in the Main Navigation Panel (Left Panel) under Account Management, select the pending account request, and either Approve or Deny it.

  7. Upon approval, the new account will be created, and the account admin will be defined with the given credentials and will receive an email notification with the following information:

    • Object Storage Account Management & Console URL

    • Object Storage API Endpoint URL

    • Account Name

    • User Name

Managing Users

Understanding User Roles

The Object Storage supports the following roles:

  • Object Storage Admin - responsible for the administration of the Object Storage. This is the user that created the VPSA Object in the Zadara Provisioning Portal.

  • Object Storage Admin - Read Only - dedicated read-only role for cross-account monitoring and reporting purposes. The Read-Only role is available for the zios_admin account only. Read-Only users have access to the Object Storage REST API; however, they do not have data access. The user role is designated for monitoring and reporting purposes, such as:

    • Performance monitoring

    • Capacity monitoring

    • Usage reports and billing automation

  • Account Administrators - responsible for the administration of their accounts.

  • Account Member - can perform Object Storage operations according to the given permissions within the limits of that account.

User Information

Information about the logged-in user of the current session is displayed by clicking the user name in the upper right corner of the GUI.

Some of the displayed properties have optional actions associated with them, such as viewing, copying and resetting passwords.

The following user properties are displayed:

Property | Description

Account Information
Username | The login ID of the User
Email | User’s email address
Account | The account where the user belongs
User ID | An internally assigned unique ID
Account ID | An internally assigned unique ID
Dual Factor Authentication | Indicates if this user has dual factor authentication activated. Option to activate/deactivate dual factor authentication.

Authentication
S3 Access Key | To be used by client using the S3 interface. Option to copy the access key to the clipboard.
S3 Secret Key | To be used by client using the S3 interface. Options to view the key, copy it to the clipboard, or reset it.
Region | Region name
API Token | Token to be used for authentication by the REST API. The token expires in 24 hours. Good practice is for every script to start with a new token. See API guide: http://zios-api.zadarastorage.com Options to view the token, copy it to the clipboard, or reset it.

Connectivity - Front End Network
API Endpoint | The effective Front End private address for REST API for all IO requests
V3 Auth Endpoint | The effective Front End private address for REST API auth requests
Account URL | The Front End private network URL that identifies this user’s account. To be used by the REST API.

Connectivity - Public Network
Public IP | Public IP of the Object Storage (see: Assigning Public IPs)
Public API endpoint | The public address for REST API for all IO requests
Public V3 Auth Endpoint | The public address for REST API auth requests
Public Account URL | The public network URL that identifies this user’s account. To be used by the REST API

Note

Connected users can reset their Object Storage Access/Secret keys. The existing access and secret keys will be revoked.

Creating a User

Scope: Object Storage Administrator, Account Administrator

To create a new user in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users.

  2. From the top toolbar on the Users pane, click Create.

  3. In the Add User dialog which opens, enter the following:

    • Username

      A Username can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:

      • Uppercase and lowercase English letters (A-Z, a-z)

      • Numbers (0-9)

      • . period

      • _ underscore

      • + plus

      • - dash/minus

      • @ at

      A Username cannot contain spaces, other special characters, or letters from other languages.

    • Email

    • Role

    Note

    Everything an Account Admin does is within the context of that Account. So, when an Account Admin creates users, there is no need to select an Account.

    Note

    Users with Object Storage Admin role can only be created in the zios_admin account.

  4. Click Add User. The new user will receive an email with the following information:

    • Object Storage Account Management & Console URL

    • Object Storage API Endpoint URL

    • Account Name

    • User Name

    • Assigned User Role

    • Temporary Password

    Note

    The new user should use the temporary password for the first login, and then change the password after logging on.
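Account names (see Creating an account) and usernames share the same character rule, so provisioning scripts can check both with one function before submitting them. The following is an added example, not Zadara code; the sample names are constructed, and rejecting an empty name is an assumption, since the page states only a maximum length. It also shows why a Unicode-aware pattern is wider than the documented rule.

```python
import re

MAX_LEN = 128
# Explicit ASCII class from the page: A-Z, a-z, 0-9 and . _ + - @
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._+@-]")
# A tempting pattern that is wider than the documented rule (kept for contrast):
# \w is Unicode-aware in Python 3, and "$" also matches before a trailing newline.
LOOSE_PATTERN = re.compile(r"^[\w.+@-]{1,128}$")


def name_problems(name):
    """Return the reasons a name breaks the documented rule ([] means it passes)."""
    problems = []
    if not name:
        # Assumption: the page gives only a maximum length; empty is rejected here.
        problems.append("empty")
    if len(name) > MAX_LEN:
        problems.append(f"too long: {len(name)} > {MAX_LEN}")
    # Report each offending character once, by code point, so logs stay readable.
    for ch in sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)}):
        problems.append(f"disallowed character U+{ord(ch):04X}")
    return problems


def loose_accepts(name):
    """True when the loose pattern would let the name through."""
    return LOOSE_PATTERN.match(name) is not None


# Constructed sample names (not taken from any real system).
SAMPLES = [
    "tenant-01@example.com",  # passes
    "backup_ops+eu.1",        # passes
    "finance team",           # space
    "caf\u00e9-storage",      # non-English letter, accepted by \w
    "tenant\u0663",           # Arabic-Indic digit, accepted by \w and isalnum()
    "acct\n",                 # trailing newline, slips past "$"
    "a" * 129,                # one character over the limit
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s[:30]), name_problems(s), "loose pattern accepts:", loose_accepts(s))
```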

Viewing Users Properties

Scope: Object Storage Administrator, Account Administrator

To view user properties in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users. User properties are displayed in the top pane of the console.

  2. To view additional properties in the lower details pane, select a single user from the displayed list in the top pane.

The following user properties are displayed:

Property | Description
Name | The login ID of the User
Email | User’s email address
ID | An internally assigned unique ID
Account Name | The account where the user belongs
Account ID | An internally assigned unique ID
Role | Object Storage Admin, Account Admin, Member
Locked | Indicates if the user is locked and blocked from access
Notify on Events | Object Storage Administrator can specify for themselves whether to receive notifications for events. Option to activate/deactivate
Dual Factor Authentication | Indication if this user has dual factor authentication activated
Enabled | User is active or not. A disabled user can’t login and can’t perform any operation.
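A periodic review of these properties can be scripted once the user list is available as records. The following is an added example, not Zadara code: the records are constructed, their keys reuse the property names above, and how the list is obtained is outside the example. The first check follows the page's rule that Object Storage Admin roles exist only in zios_admin; the dual-factor and shared-email checks are review choices made for this example, the latter because temporary passwords are delivered by email.

```python
from collections import defaultdict

ADMIN_ACCOUNT = "zios_admin"
SYSTEM_ROLES = {"Object Storage Admin", "Object Storage Admin - Read Only"}
ADMIN_ROLES = SYSTEM_ROLES | {"Account Admin"}


def user(name, email, account, role, dual_factor, enabled=True):
    """Build one record using the property names from the table above."""
    return {"Name": name, "Email": email, "Account Name": account, "Role": role,
            "Dual Factor Authentication": dual_factor, "Enabled": enabled}


def review_users(users):
    """Return (finding, subject) tuples for the three checks described in the lead-in."""
    findings = []
    accounts_by_email = defaultdict(set)
    for u in users:
        who = f'{u["Account Name"]}/{u["Name"]}'
        # System-wide roles belong to the zios_admin account only.
        if u["Role"] in SYSTEM_ROLES and u["Account Name"] != ADMIN_ACCOUNT:
            findings.append(("role-outside-zios_admin", who))
        # Enabled administrators who log in with a password alone.
        if u["Enabled"] and u["Role"] in ADMIN_ROLES and not u["Dual Factor Authentication"]:
            findings.append(("admin-without-dual-factor", who))
        if u["Enabled"]:
            accounts_by_email[u["Email"]].add(u["Account Name"])
    # One mailbox that receives temporary passwords for several accounts.
    for email, accounts in sorted(accounts_by_email.items()):
        if len(accounts) > 1:
            findings.append(("email-spans-accounts", f"{email}: {', '.join(sorted(accounts))}"))
    return findings


# Constructed sample records (names, addresses and accounts are made up).
USERS = [
    user("root.ops", "ops@example.com", "zios_admin", "Object Storage Admin", True),
    user("report.bot", "ops@example.com", "zios_admin", "Object Storage Admin - Read Only", False),
    user("alice", "alice@example.com", "tenant-a", "Account Admin", False),
    user("bob", "shared@example.com", "tenant-a", "Member", False),
    user("bob.b", "shared@example.com", "tenant-b", "Account Admin", True),
    user("old.admin", "old@example.com", "tenant-b", "Object Storage Admin", False, enabled=False),
]

if __name__ == "__main__":
    for finding, subject in review_users(USERS):
        print(f"{finding:28} {subject}")
```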

Deleting users

Scope: Object Storage Administrator, Account Administrator

To delete a user in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user to be deleted and click Delete from the top toolbar.

  3. In the Confirm Deletion dialog which opens, click Yes. Note that the deletion process may take a few minutes.

Disabling/Enabling users

Scope: Object Storage Administrator, Account Administrator

A disabled user cannot log in to the GUI or perform any operation via the REST API. However, the system remembers the user with all the properties and permissions. Once users are enabled, they can resume operations as before.

To disable a user in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user to be disabled and click Disable from the top toolbar.

  3. In the Confirm Action dialog which opens, click Yes. Note that the process may take a few minutes.

Note

To enable a user who has been disabled, repeat the process above and select Enable from the toolbar instead of Disable.

Reset password

Scope: Object Storage Administrator, Account Administrator

Object Storage Admins and Account Admins can reset users’ passwords. When resetting a password, the user will receive an email with a temporary password that they will have to change at the next login.

To reset a user password in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user whose password is to be reset and click Reset Password from the top toolbar.

  3. In the Confirm Password Reset dialog which opens, click Yes.

  4. The user will receive an email with a temporary password.

Note

Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.

Change Role

Scope: Object Storage Administrator, Account Administrator

An Account Member can be changed to an Account Admin, and vice versa. Users that are members of the system zios_admin account can be promoted to Object Storage Admin only by someone who currently has the Object Storage Admin role.

To change a user role in an Object Storage account:

  1. In the Object Storage console, navigate to Account Management > Users.

  2. From the displayed list, select the user whose role is to be changed, and click Change Role from the top toolbar.

  3. In the Change Role dialog which opens, enter the new user role and click Change Roles.

Dual Factor Authentication

It is a common practice to protect access in cases of compromised passwords. For this purpose, the Object Storage supports Dual Factor Authentication using a mobile Authenticator application. Each user can turn Dual Factor Authentication on or off. The Object Storage Admin can force Dual Factor Authentication on all users.

To use Dual Factor Authentication, install a mobile Authenticator app (e.g. Google Authenticator) from Google Play or Apple AppStore on your mobile device.

Important

If the Object Storage Administrator requires Dual Factor Authentication to be set for all Object Storage accounts, all system users must enable Dual Factor Authentication for their account at the next login. This setting cannot be disabled for a specific user.

Enabling Dual Factor Authentication

  1. In the Object Storage console, click the user name in the top right corner of the screen. The current user’s property details will be displayed.

  2. For Dual Factor Authentication, click Activate or Deactivate. Close the properties dialog, and log out.

  3. The next time you log in, a confirmation screen will open with a QR code. Scan the code with your mobile device, and enter the token.

  4. From now on, during every login, you will be asked to enter the Dual Factor Authentication token from the Authenticator app on your mobile device.

Important

The mobile device that runs the Authenticator app is needed for login. If the device is lost or replaced, the user must ask the Object Storage Admin to reset their Dual Factor Authentication settings. The Object Storage Admin must contact Zadara support to reset the Dual Factor Authentication.

Enforcing Dual Factor Authentication

The Object Storage Admin can force Dual Factor Authentication for all users. In Settings > Security, click Edit on Dual Factor Authentication, select the checkbox and click Save. This setting change does not take effect immediately. The next time each user logs in, the Dual Factor Authentication token from the mobile device’s Authenticator app will be required.

Note

When MFA enforcement is removed, the users with Dual Factor Authentication configured are still required to use the temporary code when logging in. However each user can change their settings in the user properties as described above.