Chapter 11. Users
This section describes user accounts in Red Hat Gluster Storage Console, how to set up user roles that control user permission levels, and how to manage users in Red Hat Gluster Storage Console. Red Hat Gluster Storage Console relies on directory services for user authentication and information.
Users are assigned roles that allow them to perform their tasks as required. The role with the highest level of permissions is the admin role, which allows a user to set up, manage, and optimize all aspects of the Red Hat Gluster Storage Console. By setting up and configuring roles with permissions to perform actions and create objects, users can be provided with a range of permissions that allow the safe delegation of some administrative tasks to users without granting them complete administrative control.
Red Hat Gluster Storage Console provides a rich user interface that allows an administrator to manage their storage infrastructure from a web browser, so that even advanced configurations such as network bonding and VLANs can be managed centrally from a graphical console.
Note
Users are not created in Red Hat Gluster Storage Console, but in the Directory Services domain. Red Hat Gluster Storage Console can be configured to use multiple Directory Services domains.
11.1. Directory Services Support in Red Hat Gluster Storage Console
During installation, Red Hat Gluster Storage Console creates its own internal administration user, admin. This account is intended for use when initially configuring the environment, and for troubleshooting. To add other users to Red Hat Gluster Storage Console you will need to attach a directory server to the Console using the Domain Management Tool, rhsc-manage-domains.
Once at least one directory server has been attached to the Console you will be able to add users that exist in the directory server and assign roles to them using the Administration Portal. Users are identified by their User Principal Name (UPN), of the form user@domain. Attaching more than one directory server to the Console is also supported.
The directory servers currently supported for use with Red Hat Gluster Storage Console are:
- Active Directory;
- Identity Management (IdM); and
- Red Hat Directory Server(RHDS).
You must ensure that the correct DNS records exist for your directory server. In particular, the DNS records for the directory server must include:
- A valid pointer record (PTR) for the directory server's reverse look-up address.
- A valid service record (SRV) for LDAP over TCP port 389.
- A valid service record (SRV) for Kerberos over TCP port 88.
- A valid service record (SRV) for Kerberos over UDP port 88.
If these records do not exist in DNS then you will be unable to add the domain to the Red Hat Gluster Storage Console configuration using rhsc-manage-domains.
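The following pre-flight script is an added example, not part of the Red Hat documentation or the rhsc-manage-domains tool. It queries the four records listed above with dig and refuses to report success unless each SRV record advertises the expected port and the server's address has a PTR record. The domain and host names (example.test, dc1.example.test) are placeholders.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): pre-flight check for the
# DNS records rhsc-manage-domains depends on. Requires dig from bind-utils.
# Usage: sh rhsc-dns-check.sh <directory-domain> <directory-server-fqdn>

# Return 0 if the SRV record named $1 advertises port $2 on at least one target.
# dig +short prints "priority weight port target." per record, so port is field 3.
srv_has_port() {
    dig +short SRV "$1" | awk -v port="$2" '$3 == port { found = 1 } END { exit !found }'
}

# Return 0 if the server's address has a PTR record that resolves back to a name.
ptr_ok() {
    addr=$(dig +short A "$1" | head -n 1)
    [ -n "$addr" ] && [ -n "$(dig +short -x "$addr")" ]
}

# Check every record the Console requires; prints one line per check and
# returns 1 if any record is missing, so the result can gate the domain add.
check_domain() {
    domain=$1
    server=$2
    rc=0
    for rec in "_ldap._tcp.$domain:389" "_kerberos._tcp.$domain:88" "_kerberos._udp.$domain:88"; do
        name=${rec%%:*}
        port=${rec##*:}
        if srv_has_port "$name" "$port"; then
            echo "ok   SRV $name -> port $port"
        else
            echo "FAIL SRV $name does not advertise port $port"
            rc=1
        fi
    done
    if ptr_ok "$server"; then
        echo "ok   PTR for $server"
    else
        echo "FAIL no PTR record for the address of $server"
        rc=1
    fi
    return $rc
}

# Only run when invoked with arguments, e.g.:
#   sh rhsc-dns-check.sh example.test dc1.example.test
[ $# -eq 2 ] && check_domain "$1" "$2"
```

Run it from the Console host, since that is where rhsc-manage-domains will perform the same lookups; a FAIL line names the exact record to add before retrying the domain add.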
For more detailed information on installing and configuring a supported directory server, refer to the vendor's documentation:
- Active Directory - http://technet.microsoft.com/en-us/windowsserver/dd448614.
- Red Hat Directory Server (RHDS) Documentation - https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/
Important
A user must be created in the directory server specifically for use as the Red Hat Gluster Storage administrative user. Do not use the administrative user for the directory server as the Red Hat Gluster Storage administrative user.
Important
It is not possible to install Red Hat Gluster Storage Console (RHGSC) and IdM (ipa-server) on the same system. IdM is incompatible with the mod_ssl package, which is required by Red Hat Gluster Storage Console.
For information on creation of user accounts in Active Directory refer to http://technet.microsoft.com/en-us/library/cc732336.aspx.
For information on delegation of control in Active Directory refer to http://technet.microsoft.com/en-us/library/cc732524.aspx.
Note
Red Hat Gluster Storage Console uses Kerberos to authenticate with directory servers. RHDS does not provide native support for Kerberos. If you are using RHDS as your directory server then you must ensure that the directory server is made a service within a valid Kerberos domain. To do this you will need to perform these steps while referring to the relevant directory server documentation:
- Configure the memberOf plug-in for RHDS to allow group membership. In particular, ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember. Consult the Red Hat Directory Server Plug-in Guide for more information on configuring the memberOf plug-in.
- Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name of the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
- Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated encrypted keys; these keys allow the directory server to authenticate itself to the Kerberos realm. Consult the documentation for your Kerberos implementation for more information on generating a keytab file.
- Install the keytab file on the directory server, then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI. Consult the Red Hat Directory Server Administration Guide for more information on configuring RHDS to use an external keytab file.
- Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated, run the ldapsearch command against the directory server with the -Y GSSAPI parameter to ensure that Kerberos is used for authentication.
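The script below is an added example that walks through the five steps above; it is not from the Red Hat documentation. It assumes an MIT Kerberos KDC (kadmin.local is run on the KDC host), RHDS running as the dirsrv user with its environment file at /etc/sysconfig/dirsrv, and placeholder names such as ds.example.test and EXAMPLE.TEST; the keytab path /etc/dirsrv/ds.keytab is also an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): the RHDS Kerberos steps
# as shell functions. Assumes an MIT Kerberos KDC, RHDS running as user dirsrv,
# and placeholder names (ds.example.test / EXAMPLE.TEST); adjust for your site.
# Usage: sh rhds-kerberos.sh memberof|keytab|install|verify <args>

# Build the service principal, upper-casing the realm as the docs require and
# refusing a short hostname (the principal must carry the FQDN).
ldap_principal() {
    host=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case $host in
        *.*) printf 'ldap/%s@%s\n' "$host" "$realm" ;;
        *)   echo "hostname must be fully qualified: $host" >&2; return 1 ;;
    esac
}

# Step 1: LDIF that enables the memberOf plug-in with memberofgroupattr set to
# uniqueMember, so group membership is reflected in each member's memberOf attribute.
memberof_ldif() {
    cat <<'EOF'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: memberofgroupattr
memberofgroupattr: uniqueMember
-
replace: memberofattr
memberofattr: memberOf
EOF
}

# Apply step 1 to the directory server (prompts for the Directory Manager
# password; plug-in changes take effect after the instance is restarted).
configure_memberof() {
    memberof_ldif | ldapmodify -x -H "ldap://$1" -D "cn=Directory Manager" -W
}

# Steps 2 and 3, run on the KDC: register ldap/<fqdn>@<REALM> and export its
# keys to a keytab file (random key; the service never has a password).
create_keytab() {
    princ=$(ldap_principal "$1" "$2") || return 1
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -k $3 $princ"
}

# Step 4, run on the directory server: install the keytab readable only by the
# dirsrv user, point the instance at it with KRB5_KTNAME, then restart.
install_keytab() {
    install -o dirsrv -g dirsrv -m 0600 "$1" /etc/dirsrv/ds.keytab
    echo 'KRB5_KTNAME=/etc/dirsrv/ds.keytab' >> /etc/sysconfig/dirsrv
    service dirsrv restart    # systemd hosts: systemctl restart dirsrv.target
}

# Step 5: obtain a ticket as a realm user and bind with GSSAPI. A successful
# search proves the keytab, the DNS records and the SASL setup fit together.
verify_gssapi() {
    kinit "$1" || return 1
    ldapsearch -Y GSSAPI -H "ldap://$2" -b "$3" "(uid=${1%%@*})"
}

case ${1:-} in
    memberof) configure_memberof "$2" ;;
    keytab)   create_keytab "$2" "$3" "$4" ;;
    install)  install_keytab "$2" ;;
    verify)   verify_gssapi "$2" "$3" "$4" ;;
esac
```

Typical sequence: `sh rhds-kerberos.sh memberof ds.example.test` on the directory server, `sh rhds-kerberos.sh keytab ds.example.test example.test /tmp/ds.keytab` on the KDC, copy the keytab over a secure channel and run `sh rhds-kerberos.sh install /tmp/ds.keytab`, then `sh rhds-kerberos.sh verify alice@EXAMPLE.TEST ds.example.test dc=example,dc=test`. Treat the keytab like a private key: it lets anyone holding it impersonate the directory service. If the GSSAPI bind authenticates but the search returns no entry, check the SASL identity mappings in the Administration Guide, since RHDS must map the Kerberos principal to a directory entry under your suffix.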