Managing organizations
How to manage organizations using the CLI.
Managing organizations
Only users defined as Cluster Admins can manage organizations. When no organization is created, the root organization is the default organization and all operations are regular. That is, it is not necessary to authenticate the mounts or supply an organization name when logging in using the GUI/CLI.
Once a new organization is created, the organization name must be provided in every login command, using the --org attribute in the weka user login command.
Creating an organization using the CLI
Use the following command line to create an organization:
weka org create <name> <username> <password> [--ssd-quota ssd-quota] [--total-quota total-quota]
Name | Type | Value | Limitations | Mandatory | Default |
name | String | Organization name | Must be a valid name | Yes | |
username | String | Username of the created Organization Admin | Must be a valid name | Yes | |
password | String | Password of the created Organization Admin | Yes | ||
ssd-quota | Number | Allowed quota out of the system SSDs to be used by the organization | Must be a valid number | No | 0 (not limited) |
total-quota | Number | Total allowed quota for the organization (SSD and object store) | Must be a valid number | No | 0 (not limited) |
Viewing organizations using the CLI
# weka org ID | Name | Allocated SSD | SSD Quota | Allocated Total | Total Q ---+------------+---------------+-----------+-----------------+-------- 0 | Root | 0 B | 0 B | 0 B | 0 B 1 | Local IT | 500.00 GB | 500.00 GB | 500.00 GB | 0 B 2 | CUSTOMER_1 | 100.00 GB | 300.00 GB | 200.00 GB | 900.00
Renaming organizations using the CLI
Use the following command line to rename an organization:
weka org rename <org> <new-name>
Name | Type | Value | Limitations | Mandatory | Default |
org | String/Integer | Current organization name or ID | Yes | ||
new-name | String | New organization name | Yes |
Updating the quota of an organization using the CLI
Use the following command line to update an organization's quota:
weka org set-quota <org> [--ssd-quota ssd-quota] [--total-quota total-quota]
Name | Type | Value | Limitations | Mandatory | Default |
org | String/Integer | Organization name or ID | The root organization (org ID = 0 cannot be limited) | Yes | |
ssd-quota | Number | Allowed quota out of the system SSDs to be used by the organization | Must be a valid number | No | |
total-quota | Number | Total allowed quota for the organization (SSD and object store) | Must be a valid number | No |
Deleting an organization using the CLI
weka org delete
Use the following command line to delete an organization:
weka org delete <org>
Name | Type | Value | Limitations | Mandatory | Default |
org | String/Integer | Organization name or ID | Yes |
Mount authentication for organization filesystems
Once the Cluster Admin has created an organization and the Organization Admin has created filesystems, users, or configured the LDAP for the organization, regular users of the organization can mount filesystems.
The purpose of organizations is to provide separation and security for organization data, which requires authentication of the Content Software for File system filesystem mounts. This authentication of mounts prevents users of other organizations and even the Cluster Admin from accessing organization filesystems.
Mounting filesystems in an organization (other than the Root organization) is only supported using a stateless client. If the user is not logged into the Content Software for File system, a login prompt will appear as part of the mount command.
Mounting a filesystem using the CLI
To securely mount a filesystem, first log into the Content Software for File system:
weka user login my_user my_password --org my_org -H backend-host-0
Then mount the filesystem:
mount -t wekafs backend-host-0/my_fs /mnt/weka/my_fs
Mount authentication
Authentication is achieved by obtaining a mount token and including it in the mount command. Logging into the Content Software for File system using the CLI (the weka user login
command) creates an authentication token and saves it in the client (default to ~/.weka/auth-token.json,
which can be changed using the--path
attribute).
The Content Software for File system assigns the token that relates to a specific organization. Only mounts that pass the path to a correct token can successfully access the filesystems of the organization.
Once the system authenticates a user, the mount command uses the default location of the authentication token. It is possible to change the token location/name and pass it as a parameter in the mount command using the auth_token_path
mount option, or theWEKA_TOKEN
environment variable.
mount -t wekafs backend-host-0/my_fs /mnt/weka/my_fs -o auth_token_path=<path>
This option is useful when mounting several filesystems for several users/organizations on the same host or when using Autofs.
When a token is compromised or no longer required, such as when a user leaves the organization, the Organization Admin can prevent using that token for new mounts by revoking the user access.