Setting up authentication

Use these instructions to set up authentication for protocols by using the installation toolkit.

Setting authentication configuration settings in the cluster definition file

You need to set up authentication methods for both the file and object users. If the object protocol is enabled on the protocol nodes, the installer automatically sets up the default local object authentication for object access. If you plan to configure object authentication with an external Keystone server and you are using the installation toolkit, do not configure external Keystone with the installation toolkit. For more information, see Configuring object authentication with an external keystone server. To make any more changes for authentication, issue the spectrumscale auth command as shown in the following example:

./spectrumscale auth -h
usage: spectrumscale auth [-h] {commitsettings,file,object} ...
If the cluster has two separate servers that control different node groups, run this command separately for object and file. Run the spectrumscale auth command with the data access method that you want to use, either file or object, and the authentication type.
Authentication prerequisites:
There are a few extra prerequisites that are needed if you wish to configure authentication.

The following packages must be installed on all protocol nodes before you run ./spectrumscale deploy:

If object authentication is required:

  • openldap-clients

If file authentication is required:

  • sssd
  • ypbind
  • openldap-clients
To set up object authentication by using the installation toolkit:
Note: If you plan to configure object authentication with an external Keystone server and you are using the installation toolkit, do not configure external Keystone with the installation toolkit. For more information, see Configuring object authentication with an external keystone server.

Object authentication has an extra option to enable HTTP Secure (HTTPS). If you wish to set up HTTPS, you can include the option in the command and you are prompted in the next step to provide the paths to the certificates that are required.

  1. To set up object authentication, run this command:
    ./spectrumscale auth object [-h] [--https] {local,external,ldap,ad}

    This automatically opens a template file for you to fill with the required auth settings. For more information about these settings, see mmuserauth command.

  2. Save the file and close it, and the settings are automatically loaded for the installer to set up object authentication after protocols are enabled.
    If this auth command is run, authentication is automatically enabled by the installer.
    Note: Using unusual characters or white space in settings requires you to enter the setting in single quotes (' '). For example:
    unixmap_domains = 'testdomain(1000-3000)' 
    bind_username = 'My User'
  3. If required, configure file authentication by following the steps that are provided in the next section.
  4. Issue the ./spectrumscale deploy -pr command to initiate a pre-check to make sure that the cluster is in a good state for deployment.
  5. After the successful pre-check, issue the ./spectrumscale deploy command to deploy the new authentication configuration.
To set up file authentication by using the installation toolkit:
  1. To set up file authentication, run this command:
    ./spectrumscale auth file [-h] {ldap,ad,nis,none}
    This automatically opens a template file for you to fill with the required authentication settings. For more information about these settings, see mmuserauth command.
  2. Save the file and close it. The settings are automatically loaded for the installer to set up file authentication after protocols are enabled.
    Note: Using unusual characters or white space in settings requires you to enter the setting in single quotes (' '). For example:
    unixmap_domains = 'testdomain(1000-3000)' 
    bind_username = 'My User'
  3. If required, configure object authentication by following the steps that are explained in the previous section.
  4. Issue the ./spectrumscale deploy -pr command to initiate a pre-check to make sure that the cluster is in a good state for deployment.
  5. After the successful pre-check, issue the ./spectrumscale deploy command to deploy the new authentication configuration.
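The quoting notes in the object and file procedures above can be checked before the settings are saved. The following is an added example, not part of the installation toolkit: it lints text in the key = value shape shown in those notes and reports values that need single quotes. The set of characters treated as ordinary, the handling of '#' comment lines, and the setting names prefixed with example_ are assumptions.

```python
import re

# Assumption: values made only of these characters need no quoting;
# anything else (white space, parentheses, ...) counts as "unusual".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:/@,=-]*")


def lint_auth_settings(text):
    """Return (line_number, key, problem) for each value that needs single quotes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines, '#' comments and lines without '=' are not settings.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            continue  # already wrapped in single quotes
        if value.startswith("'") or value.endswith("'"):
            findings.append((lineno, key, "unbalanced single quote"))
        elif not SAFE_VALUE.fullmatch(value):
            findings.append((lineno, key, "needs single quotes"))
    return findings


# Constructed sample, not a real toolkit template. Only unixmap_domains and
# bind_username come from the page; the example_* keys are placeholders.
SAMPLE = """\
# constructed example settings
example_server = ldap1.example.com
unixmap_domains = 'testdomain(1000-3000)'
bind_username = My User
example_base_dn = 'dc=example,dc=com
example_name = scale01
"""

if __name__ == "__main__":
    for lineno, key, problem in lint_auth_settings(SAMPLE):
        print(f"line {lineno}: {key}: {problem}")
```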
To clear authentication settings that are listed in the installation toolkit:
To clear authentication settings in the installation toolkit, run this command:
./spectrumscale auth clear

This does not clear or change a live and running authentication configuration. The ./spectrumscale auth clear command just clears the authentication settings from the clusterdefinition.txt file that is used by the installation toolkit during the deployment.

Note: If the installation toolkit is used to set up object support and file support (especially SMB) with AD or LDAP Authentication, the authentication setup might cause a temporary monitoring failure and trigger an IP failover. This might lead to an error message similar to this error message when you configure object: "mmcesobjcrbase: No CES IP addresses are assigned to this node."
If the spectrumscale installer failed because of this problem, perform these steps:
  1. Check the cluster state by running the mmlscluster --ces command, and wait until the failed state of all nodes is cleared (flags=none).
  2. Rebalance the IP addresses by issuing this command: mmces address move --rebalance
  3. Rerun the installation toolkit to complete the object setup.