Managing GUI administrators

GUI administrators of the IBM Spectrum Scale™ system can monitor, configure, and manage the IBM Spectrum Scale system and are distinguished from the data users.

You can manage GUI users either locally within the system or in an external authentication server such as Microsoft Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server. By default, the IBM Spectrum Scale system uses an internal authentication repository for GUI users. To use an external AD or LDAP server, you must disable the internal user repository that is used for GUI user management and enable the LDAP/AD repository instead.

Managing administrative users locally in the IBM Spectrum Scale system

You can create users who can perform different administrative tasks on the system. Each user must be a member of one or more user groups that are defined on the system. When you create a new user, you assign the user to one of the default user groups or to a custom user group. User groups are assigned predefined roles that authorize the users within that group to a specific set of operations on the GUI.

Use the Access > GUI Users page to create users and add them to a user group.

Predefined roles are assigned to user groups to define the working scope within the GUI. If a user is assigned to more than one user group, the permissions are additive, not restrictive. The predefined role names cannot be changed.

The following are the default user groups:
  • Administrator

    Manages all functions on the system except those that deal with managing users, user groups, and authentication.

  • SecurityAdmin

    Manages all functions on the system, including managing users, user groups, and user authentication.

  • SystemAdmin

    Manages clusters, nodes, alert logs, and authentication.

  • StorageAdmin

    Manages disks, file systems, pools, filesets, and ILM policies.

  • SnapAdmin

    Manages snapshots for file systems and filesets.

  • DataAccess

    Controls access to data. For example, managing access control lists.

  • Monitor

    Monitors objects and system configuration but cannot configure, modify, or manage the system or its resources.

  • ProtocolAdmin

    Manages object storage and data export definitions of SMB and NFS protocols.

  • UserAdmin

    Manages access for GUI users. Users who are part of this group have edit permissions only in the Access pages of the GUI.

The IBM Spectrum Scale system is delivered with a default GUI user named admin. This user is stored in the local repository. You can log in to the system with this user name to create additional GUI users and groups in the local user repository.

Use the controls that are available under the Password Policy tab of the GUI Users page to enforce strong passwords for the users. You can modify or expire the password of individual users or of all users that are created in the system. If a password is set as expired, the user is prompted to change it at the next login.

User groups

Users who are part of Security Administrator and User Administrator user groups can create role-based user groups where any users that are added to the group adopt the role that is assigned to that group.

Roles apply to users on the system and are based on the user group to which the user belongs. A user can be part of multiple user groups so that a single user can play multiple roles in the system. You can assign the following roles to your user groups:
  • Administrator

    Users can access all functions on the GUI except those that deal with managing users and user groups.

  • Security Administrator

    Users can access all functions on the GUI, including managing users and user groups.

  • System Administrator

    Users manage clusters, nodes, and alert logs.

  • Storage Administrator

    Users manage disks, file systems, pools, and filesets.

  • Snapshot Administrator

    Users manage snapshots for file systems and filesets.

  • Monitor

    Users can view objects and system configuration but cannot configure, modify, or manage the system or its resources.

  • Data Access
    Users can perform the following tasks:
    • Edit owner, group, and ACL of any file or path through the Access > File System ACL > Files and Directories page.
    • Edit owner, group, and ACL for a non-empty directory of a file system, fileset, NFS export, or SMB share.
    • Create or delete object containers through the Object > Accounts page.
  • Protocol Administrator

    Users manage object storage and data export definitions of SMB and NFS protocols.

  • User Administrator

    Users manage GUI users and user groups.

Managing GUI administrators in an external authentication server

By default, the IBM Spectrum Scale system uses an internal authentication repository for the GUI administrators. To use an external AD or LDAP server to manage the GUI administrators, perform the following steps:

  1. Disable the internal user repository by performing the following steps:
    1. Access the server that is running the GUI and open the following file by using a text editor: /opt/ibm/wlp/usr/servers/gpfsgui/server.xml
    2. Comment out the two elements that refer to the FsccUserRepo feature and the fsccUserRegistry element. In the following example they are already commented out:
      <server description="GSS GUI">
      <featureManager>
      <feature>jsp-2.2</feature>
      <feature>localConnector-1.0</feature>
      <feature>jdbc-4.0</feature>
      <feature>ssl-1.0</feature>
      <feature>servlet-3.0</feature>
      <feature>appSecurity-2.0</feature>
      <!-- <feature>usr:FsccUserRepo</feature> -->
      <feature>jndi-1.0</feature>
      </featureManager>
      <!-- <fsccUserRegistry prefFile="${server.config.dir}/preferences.xml"/> -->
      [...]
  2. Add the LDAP registry feature to WebSphere® Liberty to enable LDAP or AD support by performing the following steps:
    1. Access the server.xml file, which is at the following location: /opt/ibm/wlp/usr/servers/gpfsgui/server.xml
    2. Add the entry ldapRegistry-3.0 in the server.xml as shown in the following example:
      <server description="GSS GUI">
      <featureManager>
      <feature>jsp-2.2</feature>
      <feature>localConnector-1.0</feature>
      <feature>jdbc-4.0</feature>
      <feature>ssl-1.0</feature>
      <feature>servlet-3.0</feature>
      <feature>appSecurity-2.0</feature>
      <!-- <feature>usr:FsccUserRepo</feature> -->
      <feature>jndi-1.0</feature>
      <feature>ldapRegistry-3.0</feature>
      </featureManager>
    Note: When the IBM Spectrum Scale system is updated to the latest release, the server.xml is overwritten as part of the update. Therefore, if an external authentication server is used for managing GUI administrators, the server.xml file must be edited accordingly after every system update.
  3. Configure the <ldapRegistry> element for the LDAP or AD repository. Depending on the type of the external server, the configuration element has different attribute values. Sample configurations for AD and IBM® Directory Server are given in the following examples:

    Active Directory Server:

    <ldapRegistry id="ldap"
        host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
        baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
        bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
        bindPassword="testuserpwd"
        ldapType="Microsoft Active Directory"
        sslEnabled="false">
      <activedFilters
          userFilter="(&(sAMAccountName=%v)(objectcategory=person))"
          groupFilter="(&(cn=%v)(objectcategory=group))"
          userIdMap="user:sAMAccountName"
          groupIdMap="*:cn"
          groupMemberIdMap="memberOf:member">
      </activedFilters>
    </ldapRegistry>

    IBM Directory Server:

    <ldapRegistry id="ldap"
        host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
        baseDN="o=mycompany,c=us"
        ldapType="IBM Tivoli Directory Server"
        sslEnabled="false">
      <idsFilters
          userFilter="(&(uid=%v)(objectclass=ePerson))"
          groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfURLs)))"
          userIdMap="*:uid"
          groupIdMap="*:cn"
          groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
      </idsFilters>
    </ldapRegistry>

    Both samples bind over cleartext LDAP (sslEnabled="false" on port 389), so the bind credentials and every authentication lookup cross the network unencrypted, and the AD sample stores the bind password in plain text in server.xml. For production use, set sslEnabled="true" together with an sslRef that points to an <ssl> configuration whose truststore contains the directory server's CA certificate, connect to the LDAPS port (636 by default), store bindPassword in the encoded form produced by the Liberty securityUtility encode command, and restrict read access to server.xml to the GUI service account and root. For more information on the advanced configuration options and on enabling SSL, see Configuring LDAP user registries in Liberty.

  4. Establish the LDAP group to GUI role mapping. Restart the GUI server so that Liberty loads the modified server.xml. Then review the group to role mappings and add or remove mappings as necessary.
  5. View and modify the existing group to role mappings. List the existing group mappings by using the lsusergrp command; add and remove group mappings by using mkusergrp and rmusergrp respectively.
    Note: The commands that are used to manage the GUI administrators are not available in the same path where all other IBM Spectrum Scale commands are located. The GUI user management commands are located at the following location in the system: /usr/lpp/mmfs/gui/cli
  6. Create a group to role mapping for initial access. For initial GUI access, you must map one existing LDAP or AD group to the SecurityAdmin GUI role; until such a mapping exists, no externally authenticated user can administer GUI users and roles. The group name must match the CN attribute of the corresponding group in the external LDAP or AD repository. Log on to the server that is hosting the GUI and run the following command, which maps the specified LDAP group to the GUI role SecurityAdmin:
    # /usr/lpp/mmfs/gui/cli/mkusergrp mySecurityAdminLDAPGroup --role securityadmin
  7. After the initial setup, any additional group mappings can be created through the GUI by using the Create Group Mapping option that is available in the Access > GUI Access page of the IBM Spectrum Scale management GUI.
    Note: The GUI Access page is available only if an external authentication server is enabled to manage the GUI user authentication. If an internal user repository is used for GUI user authentication, the GUI displays GUI Users page to create and manage GUI users and user roles.
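Because the update process overwrites server.xml (see the note under step 2), the edits of steps 1 to 3 have to be repeated after every update. The following script is an added example and not IBM tooling: it re-applies those three steps idempotently to a server.xml, writes a hardened variant of the Active Directory <ldapRegistry> sample (LDAPS on port 636 with a pinned truststore, and an encoded rather than plaintext bindPassword), and checks the result before you restart the GUI. Assumptions that are not on the page: GNU sed; the truststore path resources/security/ldaptrust.p12 and the ids LDAPTrustStore and LDAPSSLSettings are names chosen for this example; the bind and truststore passwords have already been encoded with /opt/ibm/wlp/bin/securityUtility encode; and the GUI service is restarted with systemctl restart gpfsgui once the check passes.

```shell
# Added example, not IBM's own tooling: re-apply steps 1 to 3 of the procedure
# to /opt/ibm/wlp/usr/servers/gpfsgui/server.xml after an update has
# overwritten it. Assumes GNU sed.

# Step 1: comment out the internal user repository feature and registry.
# Idempotent: a line that already starts with "<!--" matches neither pattern.
disable_internal_repo() {
  local f="$1"
  sed -i \
    -e 's#^\([[:space:]]*\)\(<feature>usr:FsccUserRepo</feature>\)#\1<!-- \2 -->#' \
    -e 's#^\([[:space:]]*\)\(<fsccUserRegistry [^>]*/>\)#\1<!-- \2 -->#' "$f"
}

# Step 2: add the ldapRegistry-3.0 feature before </featureManager>, only once.
enable_ldap_feature() {
  local f="$1"
  grep -q '<feature>ldapRegistry-3.0</feature>' "$f" ||
    sed -i 's#^\([[:space:]]*\)</featureManager>#\1  <feature>ldapRegistry-3.0</feature>\n\1</featureManager>#' "$f"
}

# Step 3a: write the AD registry fragment. Differences from the page's sample:
# LDAPS instead of cleartext port 389 (otherwise the bind password crosses the
# wire unencrypted), a truststore pinning the directory's CA (ids and path are
# this example's own choice), and an encoded bindPassword as produced by
# /opt/ibm/wlp/bin/securityUtility encode. "&" is written as &amp; so the
# file stays well-formed XML.
write_ad_registry_fragment() {
  local out="$1" host="$2" base_dn="$3" bind_dn="$4" bind_pw_enc="$5" ts_pw_enc="$6"
  cat > "$out" <<EOF
    <keyStore id="LDAPTrustStore" type="PKCS12" password="${ts_pw_enc}"
        location="\${server.config.dir}/resources/security/ldaptrust.p12"/>
    <ssl id="LDAPSSLSettings" keyStoreRef="LDAPTrustStore"/>
    <ldapRegistry id="ldap" host="${host}" port="636" ignoreCase="true"
        baseDN="${base_dn}" bindDN="${bind_dn}" bindPassword="${bind_pw_enc}"
        ldapType="Microsoft Active Directory" sslEnabled="true" sslRef="LDAPSSLSettings">
      <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=person))"
          groupFilter="(&amp;(cn=%v)(objectcategory=group))"
          userIdMap="user:sAMAccountName" groupIdMap="*:cn"
          groupMemberIdMap="memberOf:member"/>
    </ldapRegistry>
EOF
}

# Step 3b: insert the fragment before </server> if no <ldapRegistry> exists yet.
# Writes back through the original inode so owner and mode of server.xml survive.
add_ldap_registry() {
  local f="$1" frag="$2"
  grep -Eq '<ldapRegistry[[:space:]>]' "$f" && return 0
  awk -v fragfile="$frag" '
    /^[[:space:]]*<\/server>/ { while ((getline l < fragfile) > 0) print l; close(fragfile) }
    { print }' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Post-check: every condition the procedure relies on, plus the hardening this
# example applies. Prints the first failing condition to stderr and returns 1.
check_external_auth() {
  local f="$1"
  grep -Eq '^[[:space:]]*<feature>usr:FsccUserRepo</feature>' "$f" &&
    { echo "FsccUserRepo feature is still active" >&2; return 1; }
  grep -Eq '^[[:space:]]*<fsccUserRegistry ' "$f" &&
    { echo "fsccUserRegistry element is still active" >&2; return 1; }
  grep -q '<feature>ldapRegistry-3.0</feature>' "$f" ||
    { echo "ldapRegistry-3.0 feature is missing" >&2; return 1; }
  grep -Eq '<ldapRegistry[[:space:]>]' "$f" ||
    { echo "ldapRegistry element is missing" >&2; return 1; }
  grep -q 'sslEnabled="false"' "$f" &&
    { echo "ldapRegistry still uses cleartext LDAP" >&2; return 1; }
  return 0
}

# Steps 1 to 3 together, keeping a copy of the shipped file first.
# Afterwards restart the GUI (assumed: systemctl restart gpfsgui).
apply_external_auth() {
  local f="$1" frag="$2"
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  disable_internal_repo "$f"
  enable_ldap_feature "$f"
  add_ldap_registry "$f" "$frag"
  check_external_auth "$f"
}
```

Typical use after an update: generate the fragment once with write_ad_registry_fragment, keep it root-readable only next to server.xml, then run apply_external_auth /opt/ibm/wlp/usr/servers/gpfsgui/server.xml /path/to/ldapRegistry.xml and restart the GUI only if the check returns 0. Running it a second time changes nothing, so it can sit in a post-update hook without accumulating duplicate features or registries. The group to role mapping of step 6 is not touched by the script: mkusergrp is only needed once, because the mappings live outside server.xml.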