
You are viewing an old version of this page.

Content Gateway uses one storage domain within the storage cluster to persist meta information about all tenants and storage domains. Although the storage cluster itself makes no distinction between storage domains, Content Gateway distinguishes two kinds: the administrative domain and the tenant storage domain.

  • administrative domain refers to the domain used by Gateway in order to store meta information used in the management of tenants and all other storage domains, including itself, and should only be accessible to cluster administrators. While the administrative domain can be used to store general-purpose content, this is not recommended since care must be taken not to interfere with the objects managed by the Gateway.
  • tenant storage domain (or storage domain) refers to the domains that store content that is accessible to normal users and applications. All content within a tenant storage domain is potentially accessible to the users of that domain and there is no special Gateway content within it.

The requirements for the name of the administrative domain are that it must be:

  • globally unique for a set of tenant storage domains
  • defined in the gateway.cfg file
  • created prior to using tenant storage domains
  • the same for all Gateway servers servicing a set of tenant storage domains
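
One way to check the last requirement before putting an additional Gateway server into service, as an added example that is not part of the Gateway product or its documentation: the script compares the adminDomain value across copies of gateway.cfg collected from each server. The "key = value" layout, the comment characters, the [gateway] section header, and the sample domain names are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: gateway.cfg holds "key = value"
# lines, "#" or ";" comments, and a [gateway] section header.

# Print the adminDomain value defined in one gateway.cfg (empty if unset).
admin_domain_of() {
    awk -F= '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }   # comments, headers
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "adminDomain") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# Exit status: 0 all files agree (value printed), 1 mismatch, 2 unset in a file.
check_admin_domain() {
    expected=""
    for cfg in "$@"; do
        value=$(admin_domain_of "$cfg")
        if [ -z "$value" ]; then
            echo "UNSET    $cfg: no adminDomain defined" >&2
            return 2
        fi
        if [ -z "$expected" ]; then
            expected=$value
        elif [ "$value" != "$expected" ]; then
            echo "MISMATCH $cfg: '$value' differs from '$expected'" >&2
            return 1
        fi
    done
    echo "$expected"
}

# Constructed sample input: gw1 and gw2 agree, gw3 has drifted.
tmp=$(mktemp -d)
printf '[gateway]\nadminDomain = admin.example.com\n' > "$tmp/gw1.cfg"
printf '[gateway]\n# adminDomain = old.example.com\nadminDomain=admin.example.com\n' > "$tmp/gw2.cfg"
printf '[gateway]\nadminDomain = admin.example.org\n' > "$tmp/gw3.cfg"
check_admin_domain "$tmp/gw1.cfg" "$tmp/gw2.cfg" && echo "gw1 and gw2 agree"
check_admin_domain "$tmp/gw1.cfg" "$tmp/gw3.cfg" || echo "gw3 needs correcting"
```

A non-zero exit status means the servers would not be addressing the same administrative domain and the configuration should be corrected before the server goes into service.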

Important

The content within the administrative domain must be protected from access by users other than the cluster administrators. Thus, when this domain is created, an owner must be set and, optionally, an appropriate domain Policy should be defined for it.

To facilitate the setup of the administrative domain, Gateway includes a command that creates a properly locked-down domain. To use the command, set the adminDomain parameter in the gateway.cfg file to the name of the administrative domain, and then run the initialization script:

/opt/caringo/cloudgateway/bin/initgateway

Caution

Run once only. This command should be run only one time when installing the first Gateway server; it should not be run when installing subsequent servers.

Run locally only. Do not, under any circumstances, run it in a remote cluster to which you will replicate the administrative domain via a Feed.

A domain named by the adminDomain parameter will be created in the storage cluster with the owner set to the value admin@. Without additional action on the part of the cluster administrator, this domain is locked for all access and requires the use of an administrative override in order to log into the domain.

See Restricting Domain Access for more about access control and administrative override.

If cluster administrators want to open the access of the administrative domain, they can use the Policy and IDSYS documents for the domain and change the ownership by modifying the X-Owner-Meta metadata value.

Caution

Take care if access to the administrative domain is unlocked. Content stored within the administrative domain controls access, policies, and management data for all tenants and storage domains.

The name of the administrative domain must be unique for a set of tenant storage domains, and the domain must not be created more than once, whether by an SCSP operation or by the initgateway script. Once an administrative domain or a tenant storage domain has been created, the only proper way to instantiate the domain in another cluster is by using remote replication in Swarm.

See Replicating Domains to Other Clusters.
