Configuring authentication for object access

Configuring authentication for object access by using the Command Line Interface (CLI) utility.

Important:
  • CES Swift Object protocol feature is not supported from IBM Storage Scale 5.2.0 onwards.
  • IBM Storage Scale 5.1.8 is the last release that has CES Swift Object protocol.
  • IBM Storage Scale 5.2.0 will tolerate the update of a CES node from IBM Storage Scale 5.1.8.
    • Tolerate means:
      • The CES node will be updated to 5.2.0.
      • Swift Object support will not be updated as part of the 5.2.0 update.
      • You may continue to use the version of Swift Object protocol that was provided in IBM Storage Scale 5.1.8 on the CES 5.2.0 node.
      • IBM will provide usage and known defect support for the version of Swift Object that was provided in IBM Storage Scale 5.1.8 until you migrate to a supported object solution that IBM Storage Scale provides.
  • Please contact IBM for further details and migration planning.
There are two methods of configuring authentication:
  1. You can use the installation toolkit.
  2. You can use the mmuserauth command.
You can use the following authentication methods for object access:
  • Active Directory (AD)
  • Lightweight Directory Access Protocol (LDAP)
  • Local authentication
  • User-defined (external keystone)

The AD-based and LDAP-based authentication methods use an external AD and LDAP server to manage the authentication. Local authentication is handled by a Keystone server that is located within the IBM Storage Scale system.

The IBM Storage Scale system installation process configures the Keystone server that is required for object access. By default, the IBM Storage Scale installation process configures object authentication with the local Keystone authentication method. If you have an existing Keystone server that you want to use for authentication, you can specify it instead.

Before you configure an object authentication method, ensure that the Keystone Identity service is properly configured.

Note: Before you configure an authentication method for object access, ensure that all protocol nodes have Cluster Export Services (CES) IP addresses assigned. Also, make sure that you are running the authentication configuration command from the protocol node that has one or more CES IP addresses assigned to it.

Before you start manually configuring an authentication method for object access, ensure that the openldap-clients RPM package is installed.

On each protocol node, run the following command: yum install openldap-clients.
Note: This step is required only when the authentication type is AD or LDAP.
The mapping between user, role, and tenant is stored in the Keystone database. To switch from one authentication type to another, you must delete the existing mapping definitions by running the following command:
mmuserauth service remove --data-access-method object --idmapdelete
Note:
You can run the following command to configure authentication for file and object access protocols:
mmuserauth service create --type ad --data-access-method file --servers myADserver
You can run the following command to verify authentication method configuration details:
mmuserauth service check --data-access-method object -N cesNodes
You can run the following command when the mmuserauth service check command reports that any certificate file is missing on any of the nodes:
mmuserauth service check --data-access-method object -N cesNodes --rectify
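
As an added example that is not part of the IBM documentation, the following bash script chains the steps above on one protocol node: install openldap-clients only for AD or LDAP, delete the existing mapping, create the new method, then check and rectify. It assumes the node already has a CES IP assigned, that `rpm -q` is used to detect the package, that a failing `mmuserauth service check` is what signals a missing certificate file, and that the type keywords other than ad are spelled as shown; the MMUSERAUTH, YUM and RPM variables are hooks so the flow can be exercised without a cluster.

```shell
#!/bin/bash
# Added example: chains the object-authentication steps above. Run on a protocol
# node that already has a CES IP assigned (precondition not checked here).
set -eo pipefail

# Command hooks (assumption): overridable so the flow runs without a real cluster.
MMUSERAUTH=${MMUSERAUTH:-mmuserauth}
YUM=${YUM:-yum}
RPM=${RPM:-rpm}

# Step 1, AD/LDAP only: openldap-clients must be installed on each protocol node.
ensure_ldap_clients() {
    case "$1" in
        ad|ldap)
            "$RPM" -q openldap-clients >/dev/null 2>&1 || "$YUM" install -y openldap-clients
            ;;
    esac
}

# Step 2: delete the user/role/tenant mapping in Keystone before switching type.
remove_object_idmap() {
    "$MMUSERAUTH" service remove --data-access-method object --idmapdelete
}

# Step 3: configure the new method; extra options (e.g. --servers) pass through.
create_object_auth() {
    local type=$1; shift
    "$MMUSERAUTH" service create --type "$type" --data-access-method object "$@"
}

# Step 4: verify on all CES nodes. Assumption: a non-zero exit is how the check
# reports a problem such as a missing certificate file; rectify and re-verify.
check_object_auth() {
    local out
    if out=$("$MMUSERAUTH" service check --data-access-method object -N cesNodes 2>&1); then
        return 0
    fi
    echo "mmuserauth service check reported: $out" >&2
    "$MMUSERAUTH" service check --data-access-method object -N cesNodes --rectify
    "$MMUSERAUTH" service check --data-access-method object -N cesNodes
}

# Full switch: switch_object_auth <ad|ldap|local|userdefined> [create options...]
switch_object_auth() {
    local type=$1; shift
    ensure_ldap_clients "$type"
    remove_object_idmap
    create_object_auth "$type" "$@"
    check_object_auth
}
```

For a real AD deployment, append the further options that mmuserauth requires for the chosen type after the type keyword; the script only fixes the order of the steps.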

For more information, see mmuserauth command.