Configuring authentication for object access

Configuring authentication for object access by using the command line utility

There are two methods of configuring authentication:

By using the installation toolkit
By using the mmuserauth command in the command line utility

You can use the following authentication methods for object access:

Active Directory (AD)
LDAP
Local authentication
User-defined (external keystone)

The AD-based and LDAP-based authentication methods use an external AD and LDAP server respectively to manage the authentication. Local authentication is handled by a Keystone server that resides within the IBM Spectrum Scale system.

The IBM Spectrum Scale system installation process configures Keystone server that is required for object access. By default the IBM Spectrum Scale installation process configures object authentication with a local Keystone authentication method. If you have an existing Keystone server that you want to use, specify that it be used for authentication.

Before you configure object authentication method, ensure that the Keystone Identity service is properly configured.

Note: Before you configure an authentication method for object access, ensure that all protocol nodes have CES IP addresses assigned and you are issuing the authentication configuration command from the protocol node that has one or more CES IP addresses assigned to it.

Before you start manually configuring authentication method for object access, ensure that the openldap-clients RPM is installed.

On each protocol node, issue the following command: yum install openldap-clients.

Note: This step is required only when the authentication type is AD/LDAP.

The mapping between user, role, and tenant is stored in the Keystone database. If you switch from one authentication type to another you must delete the existing mapping definitions by issuing the following command:

mmuserauth service remove --data-access-method object --idmapdelete

Note:

It is recommended to run the mmuserauth service check command as follows after configuring object authentication using the mmuserauth service create command:

mmuserauth service check --data-access-method object -N cesNodes

If the mmuserauth service check command reports that any certificate file is missing on any of the nodes, then run the following command:

mmuserauth service check --data-access-method object -N cesNodes --rectify

For more information about mmuserauth service check, see the topic mmuserauth command.

Configuring local authentication for object access
Object access can be configured with the Keystone server that is available in the IBM Spectrum Scale system. In this mode, Keystone stores the identity and assignment information locally in its database.
Configuring an AD-based authentication for object access
You can configure Keystone with an external AD server as the authentication back-end so that AD users can access the object store by using their AD credentials. The same AD server can be used for both object access and file access.
Configuring an LDAP-based authentication for object access
You can configure Keystone with an external LDAP server as the authentication back-end. This will allow LDAP users to access the object store using their LDAP credentials. The same LDAP server can be used for both object access and file access.
Configuring object authentication with an external keystone server
The object protocol can be configured with an external keystone server. This can be accomplished by either using an existing internal keystone server that is already deployed in the local environment or by utilizing an external keystone server that is hosted outside of the local environment.
Creating object accounts
An account is used to group or isolate object resources. Each object user is part of an account. Object users are mapped to an account and can access only the objects that reside within the project. Each user needs to be defined with a set of user rights and privileges to perform a specific set of operations on the resources of the account to which it belongs. Users can be assigned to multiple accounts with different roles on each account.
Managing object users, roles, and projects
IBM Spectrum Scale for object storage uses the keystone service for identity management. Keystone provides user authentication and authorization processes.
Deleting expired tokens
By default, the Keystone Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens considerably increases the database size and might affect the service performance.

Parent topic: Managing protocol user authentication

Related concepts:

Setting up authentication servers to configure protocol user access

Configuring authentication and ID mapping for file access

Managing user-defined authentication

Deleting the authentication and the ID mapping configuration

Listing the authentication configuration

Verifying the authentication services configured in the system

Modifying the authentication method

Authentication limitations