...
Granting Swarm Access
Swarm uses two pairs of security lists to grant access to storage cluster management and viewing:
Administrators can access the Swarm UI and change the cluster configuration. SNMP read/write access is handled separately.
Operators can view the Swarm UI. SNMP read-only access is handled separately.
Note: Disabling SNMP - Disable the Swarm Storage setting
Each user list is specified by a configuration parameter with name/value pairs in the Swarm Storage configuration file (cluster.cfg (CSN) or else node.cfg). Those passwords needed for SNMP access are handled in separate settings (v10.0):

```
security.administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
security.operators = {'operator':'operatorpassword','operator2':'operatorpassword2'}
snmp.roCommunity = public
snmp.rwCommunity = ourpwdofchoicehere

# or section notation:
[security]
administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
operators = {'operator':'operatorpassword','operator2':'operatorpassword2'}
[snmp]
roCommunity = public
rwCommunity = ourpwdofchoicehere
```

Setting Name | Default | Notes |
---|---|---|
security.administrators | | One or more username:password pairs. Sets credentials for who can administer the cluster via the Swarm UI. Upgrading from 9.x - Remove the |
security.operators | | One or more username:password pairs. Sets credentials for who can view the Swarm UI. Upgrading from 9.x - It is ignored if the value includes an snmp username; remove it from here and update |
snmp.rwCommunity | | String. Password for the SNMP read-write community. Required - The SNMP read-write password must be known to dynamically change the Swarm ' |
snmp.roCommunity | | String. Password for the SNMP read-only community. |
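
An added example, not part of the Swarm documentation: a small check that reads a configuration in either notation shown above and lists the users whose value is still a clear-text password rather than the 32-hex-digit MD5 hash described in the Encrypting Passwords section. The parser is a simplified assumption about the file format, and the sample text is constructed.

```python
import ast
import re

HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample mixing dotted and [section] notation.
SAMPLE = """\
security.administrators = {'admin':'adminpassword','admin2':'0123456789abcdef0123456789abcdef'}
[security]
operators = {'operator':'operatorpassword'}
[snmp]
roCommunity = public
"""

def parse_settings(text):
    """Return {'section.name': value} from dotted or [section] notation."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip() + "."
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        # A dotted name is already fully qualified; otherwise prefix the section.
        settings[name if "." in name else section + name] = value.strip()
    return settings

def cleartext_users(text):
    """List (setting, username) pairs whose value is not a 32-hex-digit hash."""
    findings = []
    settings = parse_settings(text)
    for key in ("security.administrators", "security.operators"):
        if key not in settings:
            continue
        # The user list is written as a dict literal, so parse it without eval().
        for user, secret in ast.literal_eval(settings[key]).items():
            if not HEX_MD5.match(secret):
                findings.append((key, user))
    return findings

if __name__ == "__main__":
    for setting, user in cleartext_users(SAMPLE):
        print("clear-text password: %s -> %s" % (setting, user))
```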
Encrypting Passwords
Represent the password as a hexadecimal-encoded MD5 hash of the following string instead of a clear text password:
```
username:user-list-name:password
```

Where username and password consist of ASCII characters and user-list-name can be either "CAStor administrator" or "CAStor operator".
To create the MD5 hash, use a programming language or a utility such as md5sum or Apache htdigest. To update a node or cluster configuration file with a password hash created using htdigest:
1. Create a file containing a hash of the user name, password, and user list name:

   ```bash
   htdigest -c password-file.txt "CAStor administrator" Jo.Jones
   ```

2. Enter and verify the user's password when prompted by htdigest.
3. Open the new file (password-file.txt) in a text editor. The hash is the last entry in the string:

   ```bash
   Jo.Jones:CAStor administrator:08b0468c1d957b7bac24463dd2191a2d
   ```

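
An added example, not part of the Swarm documentation: the same hash computed in Python instead of with htdigest, a helper that writes the configuration line with hashes in place of clear-text passwords, and a check of an htdigest line against a candidate password. The function names, the rule that a username may not contain a colon, and the sample credentials are assumptions made for this example.

```python
import hashlib
import hmac

# User-list names given on this page, keyed by the setting they belong to.
USER_LISTS = {
    "security.administrators": "CAStor administrator",
    "security.operators": "CAStor operator",
}

def password_hash(username, list_name, password):
    """Hex MD5 of 'username:user-list-name:password'."""
    if list_name not in USER_LISTS.values():
        raise ValueError("unknown user list name: %r" % (list_name,))
    for label, value in (("username", username), ("password", password)):
        if not value or not value.isascii():
            raise ValueError(label + " must be non-empty ASCII")
    # Assumption: ':' separates the fields, so a username cannot contain it.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    joined = "%s:%s:%s" % (username, list_name, password)
    return hashlib.md5(joined.encode("ascii")).hexdigest()

def config_line(setting, users):
    """Build a config line with each password replaced by its hash."""
    list_name = USER_LISTS[setting]
    pairs = ",".join(
        "'%s':'%s'" % (name, password_hash(name, list_name, pw))
        for name, pw in users.items()
    )
    return "%s = {%s}" % (setting, pairs)

def matches_htdigest_line(line, password):
    """True if 'user:list-name:hash' (htdigest output) matches the password."""
    username, list_name, stored = line.strip().split(":", 2)
    expected = password_hash(username, list_name, password)
    return hmac.compare_digest(stored.lower(), expected)

if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(config_line("security.administrators", {"Jo.Jones": "example-password"}))
```

The hash is a fast, unsalted MD5 over a predictable prefix, so a configuration file holding it still needs restricted read access.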
Updating Passwords
The list of Administrators and passwords may be modified without rebooting by using several read-write SNMP OIDs. New administrative users can be added and existing users modified with the addModifyAdministrator SNMP OID. These are the essential commands:
Add Admin Users: Include the new user name and password separated by a colon:
addModifyAdministrator = "Jo.Jones:password1"
Update Password for an existing user — Include the existing user name and new password separated by a colon:
addModifyAdministrator = "Jo.Jones:password2"
Delete Admin Users (except the default admin and snmp users) — Send the name of an admin user:
removeAdministrator = "Jo.Jones"
Important: How passwords are updated depends on which ones need updating and whether Swarm has ever been started.
Process | Examples and Notes |
---|---|
Swarm has never booted | Hash of password - The first time the cluster is booted the Swarm admin password must be in the config file: When the cluster is running, Swarm stores the admin password in the persisted Settings object, at which point it is safe to remove the password from the configuration file for security purposes: |
Updating SNMP passwords | Proceed to change the Swarm ' |
Updating Swarm admin password | Changing admin password |
Frequently asked questions:
How do I change the active SNMP read-write password? The SNMP passwords cannot be changed dynamically. Changing one or both requires a config file update and a cluster reboot.
What is the SNMP read-only password? The read-only password is 'public', which is the 'community string'.
Is the read-only SNMP password in the persisted Settings object? No.
Can my SNMP read-write passwords in the persisted Settings object and cluster.cfg be different? Yes, but the config file SNMP read-write password is used.
How do I change my admin password? Update the password using SNMP and then update it in the config file unless it is removed from there.
How do I change my SNMP read-only password to the cluster? Change the snmp.roCommunity setting in the config file and reboot the cluster.