Gateway Administrative Domain

Content Gateway uses one storage domain within the storage cluster to persist meta information about all tenants and storage domains. Although the storage cluster itself makes no distinction between storage domains, Content Gateway distinguishes two kinds of domain: the administrative domain and tenant storage domains.

  • Administrative Domain refers to the domain used by Gateway to store meta information used in managing tenants and all other storage domains, including itself, and should only be accessible to cluster administrators. It is not recommended to use the administrative domain to store general-purpose content. Do not interfere with the objects managed by the Gateway.

  • Tenant Storage Domain (or Storage Domain) refers to the domains that store content that is accessible to normal users and applications. All content within a tenant storage domain is potentially accessible to the users of that domain and there is no special Gateway content within it.

The requirements for the name of the administrative domain:

  • globally unique for a set of tenant storage domains

  • defined in the gateway.cfg file

  • created prior to using tenant storage domains

  • same for all Gateway servers servicing a set of tenant storage domains
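The following pre-flight check is an added example, not part of the Gateway distribution. It compares the adminDomain setting across copies of gateway.cfg collected from each Gateway server and reports any file where the name is missing or differs. It assumes gateway.cfg uses INI-style `key = value` lines; the `[gateway]` section header, the file names, and the domain name `admin.example.com` are constructed sample values.

```shell
#!/bin/sh
# Added example: confirm every Gateway server names the same administrative domain.
# Assumption: gateway.cfg holds an INI-style "adminDomain = <name>" line.

# Print the adminDomain value from one gateway.cfg (prints nothing if not set).
admin_domain_of() {
    awk '/^[ \t]*adminDomain[ \t]*=/ {
             sub(/^[^=]*=/, "")                 # drop "adminDomain ="
             gsub(/^[ \t]+|[ \t\r]+$/, "")      # trim spaces and a trailing CR
             print; exit
         }' "$1"
}

# Compare adminDomain across the given gateway.cfg copies.
# Returns 0 if all files define the same non-empty name, 1 otherwise.
check_admin_domain() {
    [ "$#" -gt 0 ] || { echo "usage: check_admin_domain FILE..."; return 2; }
    expected="" status=0
    for cfg in "$@"; do
        name=$(admin_domain_of "$cfg" 2>/dev/null) || name=""
        if [ -z "$name" ]; then
            echo "FAIL $cfg: adminDomain not defined (or file unreadable)"
            status=1
        elif [ -z "$expected" ]; then
            expected=$name
            echo "ok   $cfg: adminDomain = $name"
        elif [ "$name" != "$expected" ]; then
            echo "FAIL $cfg: adminDomain = $name, expected $expected"
            status=1
        else
            echo "ok   $cfg: adminDomain = $name"
        fi
    done
    return "$status"
}

# Constructed sample configs standing in for three Gateway servers.
demo_dir=$(mktemp -d)
printf '[gateway]\nadminDomain = admin.example.com\n'   > "$demo_dir/gw1.cfg"
printf '[gateway]\nadminDomain=admin.example.com\n'     > "$demo_dir/gw2.cfg"
printf '[gateway]\n# adminDomain = admin.example.com\n' > "$demo_dir/gw3.cfg"  # commented out
check_admin_domain "$demo_dir/gw1.cfg" "$demo_dir/gw2.cfg" "$demo_dir/gw3.cfg" \
    || echo "adminDomain is missing or inconsistent across Gateway servers"
rm -rf "$demo_dir"
```
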

Important

The content within the administrative domain must be protected from access by users other than the cluster administrators. Thus, when this domain is created, an owner must be set and, optionally, an appropriate domain Policy should be defined for it.

Gateway includes a command that creates a properly locked-down domain, to facilitate the setup of the administrative domain. To use the command, set the adminDomain parameter in the gateway.cfg file to the name of the administrative domain, then run the initialization script:

/opt/caringo/cloudgateway/bin/initgateway

Caution

Run once only. This command should be run one time when installing the first Gateway server; it should not be run when installing subsequent servers.

Run locally only. Do not run the command in a remote cluster which replicates the administrative domain using a Feed.

A domain named by the adminDomain parameter is created in the storage cluster with the owner set to the value admin@. Without additional action on the part of the cluster administrator, this domain is locked for all access and requires the use of an administrative override to log in to the domain.

See https://perifery.atlassian.net/wiki/spaces/public/pages/2443822679 for more about access control and administrative override.

If access to the administrative domain needs to be opened, cluster administrators use the Policy and IDSYS documents for the domain and change the ownership by modifying the X-Owner-Meta metadata value.

Caution

Verify whether access to the administrative domain is locked or unlocked. Content stored within the administrative domain controls access, policies, and management data for all tenants and storage domains.

The name of the administrative domain must be unique for a set of tenant storage domains, and the domain must not be created more than once, whether by an SCSP operation or by the initgateway script. Once an administrative domain or a tenant storage domain has been created, the only proper way to instantiate the domain in another cluster is by using remote replication in Swarm.

See https://perifery.atlassian.net/wiki/spaces/public/pages/2443817157

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.