IDSYS Document Format
Overview
The IDSYS document defines how Gateway integrates with an external identity management system such as:
LDAP
Active Directory (AD)
Linux PAM
IDSYS controls:
User authentication
Group resolution
Token-based authentication
Token administration privileges
Identity inheritance across Root, Tenant, and Storage Domain scopes
IDSYS documents are JSON-formatted configuration objects. An IDSYS document may exist at:
Root level
Tenant level
Storage domain level
When multiple IDSYS documents exist, the lowest level overrides the higher level. If a lower level does not define an IDSYS, it inherits from the higher level.
SAML for SSO
With Gateway 7.1, Content UI 7.0, and Swarm UI 3.0 and higher, can enable Single Sign-On (SSO) to the Swarm and Content UIs through a third-party identity provider, such as Google. See Enabling SSO with SAML. (v7.1)
Common IDSYS Fields
Below are the common fields within all IDSYS documents. Fields specific to the back-end identity management system are broken out into separate sections.
Field | Required | Description |
|---|---|---|
name | No | Name of the IDSYS document; value is not used by Gateway |
description | No | Description of the IDSYS document; value is not used by Gateway |
comments | No | Comments about the IDSYS; may be any valid JSON object type |
cookieName | No1 | Cookie name used to store authentication token. Example: "token" |
tokenPath | No1 | URI path used for token authentication. Example: "/.TOKEN/" |
tokenAdmin | No1 | User or group trusted as the default token administrator, allowed to create, view, and delete authentication tokens for other users. Additional or overriding permissions can be granted through policy using the |
1 For details regarding token-based authentication, see Token-Based Authentication.
The tokenAdmin field defines the default principal (user or group) trusted to manage authentication tokens for other users.
Token administration includes the ability to:
Create authentication tokens on behalf of other users
List tokens belonging to other users
Delete tokens belonging to other users
User and Group Support
Both IDSYS and policy support:
Users
Groups
When a group is specified, all members of the group are granted token administration permissions. Nested or recursive groups are not supported.
The tokenAdmin field accepts a principal name as a string. The format is the same for both users and groups.
For example:
"tokenAdmin": "admin"The value is resolved by the configured identity management system:
If
adminmatches a user, that user is treated as the token administrator.If
adminmatches a group, all members of that group are granted token administration permissions.
There is no syntax difference between users and groups in the IDSYS configuration. Resolution is determined by the identity provider (LDAP, Active Directory, or PAM).
Name Conflict Between User and Group
If the same name exists as both a user and a group (for example, "admin"):
The value is resolved by the identity provider.
Gateway does not provide a way to explicitly specify whether the value refers to a user or a group.
To avoid ambiguity:
Use distinct names for users and groups, or
Use fully qualified names where supported
When to Use IDSYS vs Policy
Use IDSYS tokenAdmin when:
Defining a default or single token administrator
Assigning a single user or group
Use policy (TokenAdmin action) when:
Granting access to multiple users or groups
Enabling cross-tenant or cross-scope access
Implementing fine-grained access control
Policy can extend or override the tokenAdmin value defined in IDSYS.
Multi-Tenant and Cross-Scope Behavior
Policy-based authorization enables token administration across IDSYS scopes.
A user or group defined in one scope (for example, Root) can perform token administration in another scope (for example, Tenant) if:
The principal is properly qualified, and
A policy grants the
TokenAdminaction in that scope
IDSYS Scope and Inheritance
The tokenAdmin value follows the IDSYS precedence model:
Root IDSYS applies cluster-wide unless overridden
Tenant IDSYS overrides Root if defined
Domain IDSYS overrides Tenant if defined
Policy evaluation is applied within the effective IDSYS scope of the request.
When using HTTP Basic authentication (that is, authentication without tokens or S3 HMAC), user credentials are validated against the configured identity management system.
For LDAP, the password is validated using the configured user attribute (commonly
userPassword).For PAM, the system uses the underlying operating system authentication mechanism.
Passwords may be stored and validated using formats supported by the respective identity provider.
Password Security
Plain-text passwords in both Gateway Configuration and IDSYS are replaced by encrypted versions on startup. Enter the new credentials and restart Gateway, when changing management passwords, which replaces those strings with encrypted versions as part of the startup. (v7.1)
LDAP and AD Examples
These are examples of IDSYS documents for LDAP and Active Directory. They contain fields specific to LDAP as well as fields common to all IDSYS documents.
LDAP
{"ldap": {
"name" : "idsys-ldap",
"description": "LDAP identity management configuration",
"protocol" : "ldaps",
"ldaphost": ["ldap.example.com", "ldap-sec.example.com"],
"ldapport": 636,
"adminDN": "uid=USERNAME,ou=Users,dc=example,dc=com",
"adminPassword": "PASSWORD",
"userBase": "ou=Users,dc=example,dc=com",
"groupBase": "ou=Groups,dc=example,dc=com",
"userFilter": "objectclass=account",
"groupMemberUidAttr": "memberUid",
"cookieName": "token",
"tokenPath": "/.TOKEN/",
"tokenAdmin": "superuser@admindomain.example.com"
} }The block beginning with "uidAttribute" makes this specific to Active Directory:
Active Directory
{"ldap": {
"name": "idsys-ad",
"description": "Active Directory example configuration",
"protocol" : "ldaps",
"ldaphost": "ad.mycompany.com",
"ldapport": "636",
"adminDN": "cn=BINDUSER,ou=Applications,dc=mycompany,dc=com",
"adminPassword": "BINDPASSWORD",
"userBase": "ou=Users,dc=mycompany,dc=com",
"groupBase": "ou=Groups,dc=mycompany,dc=com",
"uidAttribute":"sAMAccountName",
"userFilter":"objectclass=*",
"groupMemberDNAttr": "member",
"cookieName": "token",
"tokenPath": "/.TOKEN/",
"tokenAdmin" : "caringoadmin@"
} }LDAP and AD Fields
These are the fields within the IDSYS document specific to the LDAP or Active Directory back-end identity management system.
Caution
Nested/recursive groups, such as the built-in groups in Active Directory, are not supported by Gateway.
Field | Default | Required | Description |
|---|---|---|---|
ldaphost |
| Yes | Host name or IP of the LDAP server as a string or a multiple servers as a list. Example: ["1.1.1.1", "1.1.1.2"] |
ldapport |
| Yes | Port the LDAP service is running on. If using Active Directory use “Global Catalog” port 3269 ( |
protocol | ldap | No | Set to "ldap" or "ldaps" |
referrals | follow | No | Set to "follow" or "ignore" to control how referrals are handled |
adminDN |
| Yes | DN used to bind to the LDAP server for queries |
adminPassword |
| Yes | Password for adminDN user |
userBase |
| Yes | DN where users are defined |
groupBase |
| Yes | DN where groups are defined |
uidAttribute | uid | No | Attribute name containing user's ID. Examples:
|
userFilter |
| Yes | Filter for user objects. Example: "objectclass=account" |
groupMemberUidAttr |
| Yes1 | Group attribute whose values contain uid of member. Example: "memberUid" if OpenLDAP is configured for groups with "objectclass=posixgroup" |
groupMemberDNAttr |
| Yes1 | Group attribute whose values contain DN of member. Example: "member" if OpenLDAP is configured for groups with "objectclass=groupOfNames"; also common with Active Directory |
s3SecretKeyAttr |
| No2 | **Deprecated** User attribute whose value contains the user's S3 secret key in plain-text. Verify "userPassword" has a plaintext value since this is not the normal handling of this attribute if used. |
1 The groupMemberUidAttr and groupMemberDNAttr parameters are mutually exclusive and one must be defined in IDSYS.
2 The s3SecretKeyAttr parameter is needed when using S3 Protocol Personality with a user password stored in LDAP. It is not required when using token authentication exclusively.
The adminDN and adminPassword parameters define the credentials with which the Gateway binds to the LDAP system to perform queries and read records for users and groups. The adminDN entity within LDAP needs to have read level access (rscdx privileges) within the LDAP tree. It is not necessary to grant write or manage level access to Gateway.
A user's name in an access control Policy document is the value of the LDAP attribute named by the
uidAttributeparameter. This is theuidattribute of a user's LDAP record by default.A group's name in an access control Policy document is the
cnattribute for the group LDAP entity. The name of this attribute cannot be configured. A group's name may contain spaces and other non-alphanumeric characters.
Important
Add the signer's public key PEM file to the Java keystore to avoid a SunCertPathBuilderException when Gateway queries the LDAP server if using LDAPs with self-signed certificates.
Although previously this required running java keytool, now use the CentOS/RHEL utility update-ca-trust to add any CA to the system.
# cp ca.pem /etc/pki/ca-trust/source/anchors/ # update-ca-trust extract
PAM Example
There are no fields within the IDSYS document specific to the PAM back-end identity management system. Follow this process to implement identity management if using PAM:
Because the
rootuser (uid=0) on this Content Gateway server cannot be used to authenticate to the Gateway, create another user (such assuperuser@admindomain.example.com) on this server for this purpose.Copy and paste this example into the IDSYS document:
/etc/caringo/cloudscaler/idsys.json.{"pam": { "name" : "idsys-pam", "description": "PAM identity management configuration", "cookieName": "token", "tokenPath": "/.TOKEN/", "tokenAdmin": "superuser@admindomain.example.com" } }Update the
tokenAdminto match the authentication user.
Modifying IDSYS
The root IDSYS configuration is stored in the idsys.json file on the Gateway server's disk so it is always available and an administrator can always modify it. This prevents locking oneself out of the storage cluster. Changes to the local file take effect without the need to restart the Gateway.
Important
It is crucial the root IDSYS document is synchronized across all servers when more than one Gateway server is deployed.
See Defined ETC Documents for modifying a tenant or storage domain's sub-resource through the management API.
See SCSP Context Sub-Resources for details on modifying a storage domain's sub-resource through the storage API.
The entire JSON document with all fields must be provided in the update request, even if one field is being modified when updating an IDSYS sub-resource through the management API or the storage API.
Caution
Protect permission to read and update the IDSYS document for a domain from untrusted users. In deployments where a service provider allows clients to manage content within domains, the service provider normally maintains sole privilege to access the IDSYS document. This includes retaining ownership of the domain objects.
IDSYS Precedence Model
The identity system is described by IDSYS documents can exist at the root, tenant, and storage domain within the system. The lowest level overrides the higher levels when IDSYS documents exist at multiple levels in the hierarchy. It inherits from a higher level when a lower level lacks an IDSYS.
All tenants and all storage domains inherit from the Root IDSYS if a Root IDSYS exists. There is one identity management system with one set of users and groups. Each tenant and the storage domains owned by them share an identity system separate from the Root IDSYS if the tenants each defines an IDSYS. The storage domains inherit from the Tenant IDSYS.
The IDSYS inheritance also works at the field level. Tenant and storage domain IDSYS documents can choose to override specific fields. The value is inherited by the tenant and domain levels if tokenAdmin is defined in the Root IDSYS and not in the tenant or domain IDSYS. The Root IDSYS may define the LDAP adminDN and adminPassword and allows the tenant and domain IDSYS documents to override the userBase and groupBase values.
Single Company
In this scenario, the company has one identity management system, there is one tenant per business unit, and each business unit has one or more storage domains. This scenario is likely with a private cloud serving a single company. The configuration in this scenario is the Root IDSYS defining the configuration of the identity management system and there are no IDSYS definitions for the tenants and storage domains. Therefore, the tenants and storage domains inherit from the Root IDSYS using a single source of users and groups.
Service Provider/Distributed Company
In this scenario, a storage MSP, or a large company with business units each with separate identity management systems and multiple user/group sources. The configuration in this scenario is the Root IDSYS defining the cluster administrator users and groups and the Tenant IDSYS documents defining the users and groups for each client or business unit. The storage domains do not define an IDSYS so they inherit the definition from the tenant and share the users and groups with the other storage domains owned by the tenant.
Service Provider with Resellers
This is an extension of the previous scenario except each tenant can be a reseller offering storage domains to separate, unrelated companies. In this case, each storage domain defined an IDSYS that overrides the Tenant IDSYS allowing a different set of users and groups for each storage domain. This scenario is not mutually exclusive with the previous one: a hybrid of the two is possible where some domains override the IDSYS of the tenant, and others do not.
Qualifying User and Group Names
It may be required to fully qualify the user and group principal names to verify correct policy resolution. In access control policies and x-owner-meta headers, a "fully qualified" principal has a tenant name or storage domain appended directly to the name:
user | non-qualified | Principal from the same IDSYS scope as the content |
|---|---|---|
user@domain | fully qualified | Principal from a specific storage domain's IDSYS scope |
user+tenant | fully qualified | Principal from a specific tenant's IDSYS scope |
user@ | fully qualified | Principal from root scope |
The name in the policies may remain unqualified (no @domain or +tenant suffix on principal names) if a principal (user/group) authenticates from the same IDSYS as the resource they are accessing.
Gateway uses the default assignment of the x-owner-meta header value to fully qualify the principal (such as user@domain or user+tenant) if a principal authenticates from a different IDSYS from the one used by the resource. Applications can also assign object ownership across domains, where the IDSYS of the storage domain differs from the user from another domain. There is no limit on the number of cross-domain relationships that exist, but all must be within the same Swarm cluster.
Tokens: Tokens are bound to the IDSYS of the context both where and when they are created. The token has to take the root scope if creating a tenant-level token but the tenant does not have an IDSYS. All requests using this token authenticate using the root IDSYS (and likely fail, not finding the user there), even if a correct tenant-level IDSYS is added later. The token must ignore any domain-level IDSYS, current or future if creating a tenant-level token with a tenant IDSYS. Either create a tenant-level IDSYS and use inherit at the domain-level or create tokens at the domain-level if domain-level controls over tokens is desired.
Best Practice
Fully qualify any token administrators defined in an IDSYS document. This practice avoids ambiguity if a storage domain inherits an IDSYS from the tenant or root scope because token administrator is a privileged permission.
Fully qualify user/group names in the policies if there is more than one IDSYS involved, to verify there are no problems with policy resolution.