Setting up authentication

Use these instructions to set up authentication for protocols.

Setting authentication configuration settings in the cluster definition file

You need to set up authentication methods for both the file and object users. If the object protocol is enabled on the protocol nodes, the installer automatically sets up the default local object authentication for object access. If you plan to configure object authentication with an external Keystone server and you are using the installation toolkit, do not configure external Keystone with the installation toolkit. For more information, see Configuring object authentication with an external keystone server. To make any further changes to authentication, issue the spectrumscale auth command as shown in the following example:

$ ./spectrumscale auth -h
usage: spectrumscale auth [-h] {commitsettings,file,object} ...

If the cluster has two separate servers that control different node groups, run this command separately for object and file. Run the spectrumscale auth command with the data access method that you want to use, either file or object, and the authentication type.

Authentication prerequisites:
Configuring authentication has a few additional prerequisites.

The following packages must be installed on all protocol nodes before you run ./spectrumscale deploy:

If object authentication is required:

  • openldap-clients

If file authentication is required:

  • sssd
  • ypbind
  • openldap-clients
To set up object authentication by using the installation toolkit:
Note: If you plan to configure object authentication with an external Keystone server and you are using the installation toolkit, do not configure external Keystone with the installation toolkit. For more information, see Configuring object authentication with an external keystone server.

Object authentication has two extra options: --https to enable https and --pki to enable pki. If you include either option in the command, you are prompted in the next step for the paths to the required certificates.

  1. To set up object authentication, run this command:
     $ ./spectrumscale auth object [-h] [--https] [--pki] {local,external,ldap,ad}

    This will automatically open a template file for you to fill with the required auth settings. For more information about these settings, see mmuserauth command.

  2. Save the file and close it, and the settings will automatically be loaded for the installer to set up object authentication after protocols have been enabled.
    If this auth command has been run, authentication will automatically be enabled by the installer.
    Note: Using unusual characters or white space in settings will require you to enter the setting in single quotes (' '). For example:
    unixmap_domains = 'testdomain(1000-3000)' 
    bind_username = 'My User'
  3. If required, configure file authentication by following the steps provided in the next section.
  4. Issue the ./spectrumscale deploy -pr command to initiate a pre-check to make sure that the cluster is in a good state for deployment.
  5. After the successful pre-check, issue the ./spectrumscale deploy command to deploy the new authentication configuration.
To set up file authentication by using the installation toolkit:
  1. To set up file authentication, run this command:
    $ ./spectrumscale auth file [-h] {ldap,ad,nis,none}
    This will automatically open a template file for you to fill with the required auth settings. For more information about these settings, see mmuserauth command.
  2. Save the file and close it; the settings will automatically be loaded for the installer to set up file authentication after protocols have been enabled.
    Note: Using unusual characters or white space in settings will require you to enter the setting in single quotes (' '). For example:
    unixmap_domains = 'testdomain(1000-3000)' 
    bind_username = 'My User'
  3. If required, configure object authentication by following the steps that are explained in the previous section.
  4. Issue the ./spectrumscale deploy -pr command to initiate a pre-check to make sure that the cluster is in a good state for deployment.
  5. After the successful pre-check, issue the ./spectrumscale deploy command to deploy the new authentication configuration.
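
The quoting note in both procedures above can be checked mechanically before the pre-check is run. The following script is an added example, not part of the installation toolkit or of the original page. It assumes settings are "key = value" lines as in the note, that lines starting with # are comments, and that SAFE_CHARS (this example's own choice) defines which characters count as usual; the example_* keys are placeholders.

```bash
#!/usr/bin/env bash
# Added example: flag auth settings whose values need single quotes.
# Assumptions: "key = value" lines; "#" starts a comment line; SAFE_CHARS is
# this example's own definition of characters that are safe without quotes.

SAFE_CHARS='A-Za-z0-9._/:@,-'

# Print "LINE: KEY" for every setting whose value is not wrapped in single
# quotes and contains whitespace or a character outside SAFE_CHARS.
# Returns 1 if at least one such setting is found, 0 otherwise.
lint_auth_settings() {
    awk -v safe="$SAFE_CHARS" -v q="'" '
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        {
            eq = index($0, "=")
            if (eq == 0) next                    # not a key = value line
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "") next
            n = length(val)
            # Properly quoted: starts and ends with a quote, none inside.
            if (n >= 2 && substr(val, 1, 1) == q && substr(val, n, 1) == q &&
                index(substr(val, 2, n - 2), q) == 0) next
            if (val ~ ("[^" safe "]")) { printf "%d: %s\n", NR, key; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input; example_* keys are placeholders, not real settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
unixmap_domains = testdomain(1000-3000)
bind_username = 'My User'
example_server = ldap.example.com
example_note = two words
EOF

if lint_auth_settings "$sample"; then
    echo "all values are safe or quoted"
else
    echo "wrap the values of the settings listed above in single quotes"
fi
rm -f "$sample"
```

Run lint_auth_settings against a saved copy of the settings before issuing ./spectrumscale deploy -pr; a non-zero return means at least one value should be wrapped in single quotes.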
To clear authentication settings listed in the install toolkit:
To clear authentication settings in the install toolkit, run this command:
 $ ./spectrumscale auth clear

This does not clear or change a live and running authentication configuration. The ./spectrumscale auth clear command just clears the authentication settings from the clusterdefinition.txt file that is used by the installation toolkit during the deployment.

Note: If the spectrumscale installer is used to set up object support and file support (especially SMB) with AD or LDAP Authentication, the authentication setup might cause a temporary monitoring failure and trigger an IP failover. This might lead to an error message similar to the following when configuring object: "mmcesobjcrbase: No CES IP addresses are assigned to this node."
If the spectrumscale installer failed because of this problem, do the following:
  1. Check the cluster state by running the mmlscluster --ces command, and wait until the failed state of all nodes is cleared (flags=none).
  2. Rebalance the IP addresses by running this command: mmces address move --rebalance
  3. Rerun the spectrumscale installer to complete the object setup.