Red Hat Training

A Red Hat training course is available for Red Hat Gluster Storage

Chapter 11. Users

This section describes the users in Red Hat Gluster Storage Console, how to set up user roles that control user permission levels, and how to manage users on the Red Hat Gluster Storage. Red Hat Gluster Storage Console relies on directory services for user authentication and information.
Users are assigned roles that allow them to perform their tasks as required. The role with the highest level of permissions is the admin role, which allows a user to set up, manage, and optimize all aspects of the Red Hat Gluster Storage Console. By setting up and configuring roles with permissions to perform actions and create objects, users can be provided with a range of permissions that allow the safe delegation of some administrative tasks to users without granting them complete administrative control.
Red Hat Gluster Storage Console provides a rich user interface that allows an administrator to manage their storage infrastructure from a web browser allowing even the most advanced configurations such as network bonding and VLANs to be centrally managed from a graphical console.

Note

Users are not created in Red Hat Gluster Storage Console, but in the Directory Services domain. Red Hat Gluster Storage Console can be configured to use multiple Directory Services domains.

11.1. Directory Services Support in Red Hat Gluster Storage Console

During installation, Red Hat Gluster Storage Console creates its own internal administration user, admin. This account is intended for use when initially configuring the environment, and for troubleshooting. To add other users to Red Hat Gluster Storage Console you will need to attach a directory server to the Console using the Domain Management Tool, rhsc-manage-domains.
Once at least one directory server has been attached to the Console you will be able to add users that exist in the directory server and assign roles to them using the Administration Portal. Users will be identified by their User Principle Name (UPN) of the form user@domain. Attachment of more than one directory server to the Console is also supported.
The directory servers currently supported for use with Red Hat Gluster Storage Console are:
  • Active Directory;
  • Identity Management (IdM); and
  • Red Hat Directory Server(RHDS).
You must ensure that the correct DNS records exist for your directory server. In particular you must ensure that the DNS records for the directory server include:
  • A valid pointer record (PTR) for the directory server's reverse look-up address.
  • A valid service record (SRV) for LDAP over TCP port 389.
  • A valid service record (SRV) for Kerberos over TCP port 88.
  • A valid service record (SRV) for Kerberos over UDP port 88.
If these records do not exist in DNS then you will be unable to add the domain to the Red Hat Gluster Storage Console configuration using rhsc-manage-domains.
For more detailed information on installing and configuring a supported directory server, refer to the vendor's documentation:

Important

A user must be created in the directory server specifically for use as the Red Hat Gluster Storage administrative user. Do not use the administrative user for the directory server as the Red Hat Gluster Storage administrative user.

Important

It is not possible to install Red Hat Gluster Storage Console (RHGSC) and IdM (ipa-server) on the same system. IdM is incompatible with the mod_ssl package, which is required by Red Hat Gluster Storage Console.
For information on creation of user accounts in Active Directory refer to http://technet.microsoft.com/en-us/library/cc732336.aspx.
For information on delegation of control in Active Directory refer to http://technet.microsoft.com/en-us/library/cc732524.aspx.

Note

Red Hat Gluster Storage Console uses Kerberos to authenticate with directory servers. RHDS does not provide native support for Kerberos. If you are using RHDS as your directory server then you must ensure that the directory server is made a service within a valid Kerberos domain. To do this you will need to perform these steps while referring to the relevant directory server documentation:
  • Configure the memberOf plug-in for RHDS to allow group membership. In particular ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember.
    Consult the Red Hat Directory Server Plug-in Guide for more information on configuring the memberOf plug-in.
  • Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name associated with the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
  • Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated encrypted keys. These keys will allow the directory server to authenticate itself with the Kerberos realm.
    Consult the documentation for your Kerberos principle for more information on generating a keytab file.
  • Install the keytab file on the directory server. Then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI.
    Consult the Red Hat Directory Server Administration Guide for more information on configuring RHDS to use an external keytab file.
  • Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated run the ldapsearch command against the directory server. Use the -Y GSSAPI parameters to ensure the use of Kerberos for authentication.