Defining Swarm Admins, Swarm Users, and Swarm Passwords
Granting Swarm Access
Swarm uses two pairs of security lists to grant access to storage cluster management and viewing:
Administrators can access the Swarm UI and change the cluster configuration. SNMP read/write access is handled separately.
Operators can view the Swarm UI. SNMP read-only access is handled separately.
Disabling SNMP
Disable the Swarm Storage setting snmp.enabled if SNMP needs to be disabled cluster-wide, such as for a security requirement or when running Swarm in containers. (v12.0)
Each user list is specified by a configuration parameter with name/value pairs in the Swarm Storage configuration file (cluster.cfg on a CSN, otherwise node.cfg). The passwords needed for SNMP access are handled in separate settings (v10.0):
security.administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
security.operators = {'operator':'operatorpassword','operator2':'operatorpassword2'}
snmp.roCommunity = public
snmp.rwCommunity = ourpwdofchoicehere
# or section notation:
[security]
administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
operators = {'operator':'operatorpassword','operator2':'operatorpassword2'}
[snmp]
roCommunity = public
rwCommunity = ourpwdofchoicehere
Setting Name | Default | Notes |
---|---|---|
security.administrators | | One or more username:password pairs. Sets credentials for who can administer the cluster via the Swarm UI. Upgrading from 9.x - Remove the |
security.operators | | One or more username:password pairs. Sets credentials for who can view the Swarm UI. Upgrading from 9.x - It is ignored if the value includes an snmp username; remove it from here and update |
snmp.rwCommunity | | String. Password for the SNMP read-write community. Required - The SNMP read-write password must be known to dynamically change the Swarm ' |
snmp.roCommunity | | String. Password for the SNMP read-only community. |
Caution
The name admin is reserved, so do not delete it; deleting it can cause errors and affect performance. If you decide not to use the admin account, define a complex password for it so it is still protected.
Swarm prevents the cluster from booting if the SNMP security administrator (read/write user) is not set properly in the configuration file.
All administrative users and passwords must agree on all nodes or certain cluster actions fail.
Password updates are not complete until they are persisted in the cluster settings file across all nodes, and rapid, successive updates cannot be accepted on a given node until the first update completes processing.
Change passwords from the defaults before putting the cluster into production, and improve security by storing the Swarm passwords as hashes rather than clear text, as described next.
Encrypting Passwords
Represent the password as a hexadecimal-encoded MD5 hash of the following string instead of a clear-text password (a one-way digest, not reversible encryption):
username:user-list-name:password
where username and password consist of ASCII characters and user-list-name is either "CAStor administrator" or "CAStor operator".
To create the MD5 hash, use a programming language or a utility such as md5sum or Apache htdigest (which hashes exactly this username:realm:password string when given the user-list name as the realm). To update a node or cluster configuration file with a password hash created using htdigest:
Create a file containing a hash of the user name, password, and user list name:
htdigest -c password-file.txt "CAStor administrator" Jo.Jones
Enter and verify the user's password when prompted by htdigest.
Open the new file (password-file.txt) in a text editor. Each line has the form username:realm:hash; the hash is the last field, and that is the value to place in the security.administrators or security.operators setting in place of the clear-text password.
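The hashing procedure above, as an added example written for this page rather than taken from Swarm's own tooling: it computes the same digest htdigest writes, renders a security.administrators line from it, and checks a candidate password against a stored value. The rule that fields must not contain ':' and the 32-hex test used to tell a digest from clear text are assumptions of this example, not statements from the page.

```python
import hashlib
import re

# The two user-list names Swarm uses as the middle field of the hashed string.
ADMIN_LIST = "CAStor administrator"
OPERATOR_LIST = "CAStor operator"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text: str) -> str:
    """Hexadecimal MD5 digest of an ASCII string (what md5sum prints)."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def swarm_digest(username: str, list_name: str, password: str) -> str:
    """MD5 of 'username:user-list-name:password', the value Swarm accepts in
    place of a clear-text password. It is the same string htdigest hashes, so
    the result equals the last field of an htdigest line for the same realm.
    Assumption (not stated on the page): fields must not contain ':', because
    the SNMP "user:password" form and the htdigest file both split on it."""
    if list_name not in (ADMIN_LIST, OPERATOR_LIST):
        raise ValueError(f"unknown user list {list_name!r}")
    for field in (username, password):
        if not field.isascii() or ":" in field:
            raise ValueError("username and password must be ASCII without ':'")
    return md5_hex(f"{username}:{list_name}:{password}")


def parse_htdigest_line(line: str) -> tuple:
    """Split one 'username:realm:hash' line as written by htdigest."""
    username, realm, digest = line.strip().split(":", 2)
    if not HEX32.match(digest):
        raise ValueError("last field is not a 32-hex MD5 digest")
    return username, realm, digest


def config_line(list_name: str, credentials: dict) -> str:
    """Render a security.administrators / security.operators line with every
    password replaced by its digest, in the {'user':'value',...} notation the
    page shows for the dotted-name form of the config file."""
    key = "security.administrators" if list_name == ADMIN_LIST else "security.operators"
    pairs = ",".join(f"'{user}':'{swarm_digest(user, list_name, pw)}'"
                     for user, pw in credentials.items())
    return f"{key} = {{{pairs}}}"


def password_matches(username: str, list_name: str, password: str, stored: str) -> bool:
    """Check a candidate password against a stored config value in either form.
    Assumption of this example: a 32-hex value is treated as a digest and
    anything else as clear text (the page does not say how Swarm decides)."""
    if HEX32.match(stored):
        return swarm_digest(username, list_name, password) == stored
    return password == stored


if __name__ == "__main__":
    digest = swarm_digest("Jo.Jones", ADMIN_LIST, "password1")
    print(f"Jo.Jones:{ADMIN_LIST}:{digest}")  # the line htdigest would write
    print(config_line(ADMIN_LIST, {"admin": "adminpassword", "Jo.Jones": "password1"}))
```

Note what this digest does and does not protect: it is unsalted MD5 over a string whose first two fields (username and list name) are public, so anyone who reads the config file can brute-force a short password offline at high speed. The hash keeps clear-text passwords out of the file; the actual strength comes from long, random passwords and from restricting read access to cluster.cfg or node.cfg.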
Updating Passwords
The list of administrators and their passwords may be modified without rebooting by using several read-write SNMP OIDs. New administrative users can be added and existing users modified with the addModifyAdministrator SNMP OID. These are the essential commands:
Add admin users - Include the new user name and password separated by a colon:
addModifyAdministrator = "Jo.Jones:password1"
Update the password for an existing user - Include the existing user name and the new password separated by a colon:
addModifyAdministrator = "Jo.Jones:password2"
Delete admin users (except the default admin and snmp users) - Send the name of the admin user:
removeAdministrator = "Jo.Jones"
Caution
All administrative users and passwords must agree across all nodes or certain cluster actions fail.
Any change made via SNMP against a running cluster must also be made in the node/cluster configuration file, so that nodes that were offline when the change was made, and nodes added to the cluster afterwards, can correctly authenticate cluster-wide actions.
It can take several minutes for these SNMP changes to propagate through the cluster. During this update window, old passwords and deleted users continue to work for up to 10 minutes.
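The requirement that every node's configuration file agree is easy to violate after a few SNMP updates that were mirrored into some node.cfg files but not others. The following is an added example, written for this page and not part of Swarm, of an audit that parses the security-related settings out of several nodes' configuration files (in either the dotted-name or the [section] notation shown above), reports the settings that differ between nodes, and runs the pre-production checks the cautions imply. The node names and file contents are constructed for the example; the 32-hex test for "is this already a digest" is a heuristic of the example, not a rule from the page.

```python
import ast
import re

USER_LISTS = ("security.administrators", "security.operators")
SNMP_KEYS = ("snmp.rwCommunity", "snmp.roCommunity")
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_swarm_cfg(text: str) -> dict:
    """Parse the subset of node.cfg/cluster.cfg this audit cares about.
    Accepts 'section.key = value' lines and '[section]' blocks with bare keys.
    User lists are evaluated as Python dict literals, which is the notation
    the page shows; no other expression type is accepted."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section and "." not in key:
            key = f"{section}.{key}"
        settings[key] = value
    for key in USER_LISTS:
        if key in settings:
            users = ast.literal_eval(settings[key])
            if not isinstance(users, dict):
                raise ValueError(f"{key} must be a dict literal, got {settings[key]!r}")
            settings[key] = users
    return settings


def audit_nodes(configs: dict) -> dict:
    """configs maps node name -> config file text. Returns
    {setting: {node: value}} for every security setting whose value is not
    identical on all nodes (a missing setting counts as a distinct value)."""
    parsed = {node: parse_swarm_cfg(text) for node, text in configs.items()}
    disagreements = {}
    for key in USER_LISTS + SNMP_KEYS:
        per_node = {node: cfg.get(key) for node, cfg in parsed.items()}
        if len({repr(value) for value in per_node.values()}) > 1:
            disagreements[key] = per_node
    return disagreements


def weak_settings(text: str) -> list:
    """Pre-production checks derived from the page's cautions: a missing
    read-write community stops the cluster from booting, 'public' is the
    well-known default SNMP community, and user-list passwords that are not
    32-hex digests are stored in clear text (heuristic: a real clear-text
    password that happens to be 32 hex characters would be missed)."""
    cfg = parse_swarm_cfg(text)
    findings = []
    if "snmp.rwCommunity" not in cfg:
        findings.append("snmp.rwCommunity missing: Swarm will not boot without it")
    if cfg.get("snmp.roCommunity") == "public":
        findings.append("snmp.roCommunity is the well-known default 'public'")
    for key in USER_LISTS:
        for user, secret in cfg.get(key, {}).items():
            if not HEX32.match(secret):
                findings.append(f"{key}: clear-text password for {user!r}")
    return findings


# Constructed sample: node1 and node2 agree (different notations, same values);
# node3 still carries an admin2 password that was changed elsewhere via SNMP.
NODE_CONFIGS = {
    "node1": """
security.administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
security.operators = {'operator':'operatorpassword'}
snmp.roCommunity = public
snmp.rwCommunity = ourpwdofchoicehere
""",
    "node2": """
[security]
administrators = {'admin':'adminpassword','admin2':'adminpassword2'}
operators = {'operator':'operatorpassword'}
[snmp]
roCommunity = public
rwCommunity = ourpwdofchoicehere
""",
    "node3": """
[security]
administrators = {'admin':'adminpassword','admin2':'changed-over-snmp'}
operators = {'operator':'operatorpassword'}
[snmp]
roCommunity = public
rwCommunity = ourpwdofchoicehere
""",
}

if __name__ == "__main__":
    for setting, per_node in audit_nodes(NODE_CONFIGS).items():
        print(f"{setting} differs: {per_node}")
    for finding in weak_settings(NODE_CONFIGS["node1"]):
        print(f"node1: {finding}")
```

Run this over the files collected from every node (including any node that was offline during an SNMP change) before relying on cluster-wide actions; the audit reads only the configuration files, so a change that lives solely in the persisted Settings object will show up as a file that still holds the old value.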
Process | Examples and Notes |
---|---|
Swarm has never booted | The first time the cluster is booted, the Swarm admin password (clear text or hash) must be in the config file. Once the cluster is running, Swarm stores the admin password in the persisted Settings object, at which point it is safe to remove the password from the configuration file for security purposes. |
Updating SNMP passwords | Proceed to change the Swarm ' |
Updating Swarm admin password | Changing admin password |
Frequently asked questions:
How do I change the active SNMP read-write password? The SNMP passwords cannot be changed dynamically. Changing one or both requires a config file update and a cluster reboot.
What is the SNMP read-only password? The read-only password is 'public', which is the SNMP 'community string'.
Is the read-only SNMP password in the persisted Settings object? No.
Can my SNMP read-write passwords in the persisted Settings object and cluster.cfg be different? Yes, but the config file's SNMP read-write password is the one used.
How do I change my admin password? Update the password using SNMP and then update it in the config file, unless it has been removed from there.
How do I change my SNMP read-only password for the cluster? Change the snmp.roCommunity setting in the config file and reboot the cluster.
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.