Hitachi Vantara Knowledge

Organizations management

Organizations provide separation of duties between different groups of users on the same Content Software for File system, so that one organization cannot control or view another organization's data. It is possible to create up to 64 organizations.

Within an organization, the Organization Admin manages the logical entities involved in controlling access to data (the Cluster Admin cannot manage these entities).

The Cluster Admin can perform the following activities:

  • Create new organizations and define the Organization Admin.
  • Delete existing organizations.
  • Monitor, per organization, the total capacity used by all of the organization's filesystems.

While Cluster Admins are people trusted by the different organizations (for example, they have root access to the backend hosts), they are shielded from the organizations' data in the Content Software for File system. The Cluster Admin separation is partial; for example, they can still see the events of all organizations. The Content Software for File system ensures the separation of any sensitive information between the different organizations.

Note: The data at the hardware level is not separated. While the Content Software for File system is highly scalable and serves IOs fairly among filesystems, there is no QoS guarantee between organizations. The system limits apply to the entire system. Consequently, a single organization's workload or configuration can exhaust the entire cluster limits.

Organization management use cases

Private cloud multi-tenancy

Working with organizations makes it possible to manage different departments separately. This requires more configuration (for example, different LDAP configurations are usually unnecessary between departments of the same company), and the Cluster Admin is fully trusted.

It is possible to separate and obscure specific departments, such as IT, Finance, Life Sciences, Genomics, and even specific projects in departments.

Logical separation of external groups of users

When multiple, independent groups use the same provided infrastructure, the use of multiple organizations provides much better security, obscuration, and separation of data.

Cluster level entities

The Cluster Admin manages the following entities at the cluster level:

  • Hardware.
  • NFS service (NFS groups and IP/interfaces)
  • SMB service.
  • Filesystem groups: definition of tiering policies for the different groups. The Organization Admin selects the filesystem group from the predefined list of groups for each filesystem created.
  • KMS.

Organization level entities

At the organization level, only the relevant Organization Admin manages all system entities, while the users can only view the system entities within the organization.

Cluster Admins do not have permissions to view or manage the system entities within the organization, which include the following:

  • Filesystems, and the option to mount the filesystems (a Cluster Admin also cannot mount the filesystems).
  • Object store buckets.
  • LDAP server.
  • NFS exports (NFS client permissions).

Note: Different protocols are not supported other than in the root organization.

Note: Only exports of the 'legacy' NFS stack can be managed within a non-root organization.

Managing organizations

Only users defined as Cluster Admins can manage organizations. When no organization is created, the root organization is the default organization and all operations are regular. That is, it is not necessary to authenticate the mounts or supply an organization name when logging in using the GUI/CLI.

Once a new organization is created, the organization name must be provided in every login command, using the --org attribute in the weka user login command.

Usage and quota management

Cluster Admins can view an organization's usage (both SSD and total) and can limit usage with quotas per organization. This can be leveraged for charge-backs on either used or allocated capacity of SSD or object store data.

Organization admin role privileges

When a new organization is created, the Cluster Admin creates an Organization Admin user for the organization, who is the administrator within the organization responsible for managing each organization level entity.

Organization Admins have similar privileges to Cluster Admins, except that these privileges are limited to the organization level. They can perform the following within the organization:

  • Create new users.
  • Delete existing users.
  • Change user passwords.
  • Set user roles.
  • Manage the organization LDAP configuration.

To avoid situations where an Organization Admin loses access to a Content Software for File system cluster, the following restrictions are implemented on Organization Admins:

  • Cannot delete themselves.
  • Cannot change their role.

Managing organizations using the GUI

Using the GUI, you can:

  • Create an organization
  • View organizations
  • Edit an organization
  • Delete an organization

Creating an organization using the GUI

Only a Cluster Admin can create an organization.

Procedure

  1. From the menu, select Configure > Organizations.

  2. On the Organizations page, select +Create.

  3. In the Create Organization dialog, set the following properties:

    • Organization Name: A name for the organization.
    • Org. Admin Username: The user with an Organization Admin role created for the organization.
    • Org. Admin Password: The password of the user with an Organization Admin role created for the organization.
    • Confirm Password: The same password as set in the Org. Admin Password.
    • Set Organization SSD Quota: Turn on the switch and set the SSD capacity limitation for the organization.
    • Set Organization Total Quota: Turn on the switch and set the total capacity limitation for the organization (SSD and object store bucket).
  4. Select Save.


Viewing organizations

As a Cluster Admin, you can view all organizations in the cluster.

As an Organization Admin, you can view only the organization you are assigned to.

Procedure

  1. From the menu, select Configure > Organizations.


Editing an organization

You can modify an organization's SSD and total quota to meet the capacity demand changes.

Procedure

  1. From the menu, select Configure > Organizations.

  2. On the Organizations tab, select the three dots of the organization to edit and select Edit.

  3. In the Edit Organization dialog, set the following properties:

    • Set Organization SSD Quota: Turn on the switch and set the SSD capacity limitation for the organization.
    • Set Organization Total Quota: Turn on the switch and set the total capacity limitation for the organization (SSD and object store bucket).
  4. Select Save.

Deleting an organization

If an organization is no longer required, you can remove it. You cannot remove the root organization.

Note: Deleting an organization is irreversible. It removes all entities related to the organization, such as filesystems, object stores, and users.

Procedure

  1. From the menu, select Configure > Organizations.

  2. On the Organizations tab, select the three dots of the organization to remove and select Remove.

  3. In the confirmation message, select Yes.

Mount authentication for organization filesystems

Once the Cluster Admin has created an organization and the Organization Admin has created filesystems, users, or configured the LDAP for the organization, regular users of the organization can mount filesystems.

The purpose of organizations is to provide separation and security for organization data, which requires authentication of the Content Software for File system filesystem mounts. This authentication of mounts prevents users of other organizations and even the Cluster Admin from accessing organization filesystems.

Mounting filesystems in an organization (other than the Root organization) is only supported using a stateless client. If the user is not logged into the Content Software for File system, a login prompt will appear as part of the mount command.

Mounting a filesystem using the CLI

To securely mount a filesystem, first log into the Content Software for File system:

weka user login my_user my_password --org my_org -H backend-host-0

Then mount the filesystem:

mount -t wekafs backend-host-0/my_fs /mnt/weka/my_fs

Mount authentication

Authentication is achieved by obtaining a mount token and including it in the mount command. Logging into the Content Software for File system using the CLI (the weka user login command) creates an authentication token and saves it in the client (by default to ~/.weka/auth-token.json, which can be changed using the --path attribute).

The Content Software for File system assigns the token that relates to a specific organization. Only mounts that pass the path to a correct token can successfully access the filesystems of the organization.

Once the system authenticates a user, the mount command uses the default location of the authentication token. It is possible to change the token location/name and pass it as a parameter in the mount command using the auth_token_path mount option, or the WEKA_TOKEN environment variable.

mount -t wekafs backend-host-0/my_fs /mnt/weka/my_fs -o auth_token_path=<path>

This option is useful when mounting several filesystems for several users/organizations on the same host or when using Autofs.

When a token is compromised or no longer required, such as when a user leaves the organization, the Organization Admin can prevent using that token for new mounts by revoking the user access.
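The following script is an added example, not part of this documentation page or of the product's own tooling. It shows how a host that mounts filesystems for several organizations can keep one token file per organization, build the matching login and mount commands (using the --org, --path and auth_token_path options described above), and refuse to use a token file that is missing or readable by other users. The token directory layout (/etc/weka-tokens/<org>.json), the 0600 permission requirement, and the organization, user, filesystem and mount point names are this example's own assumptions and constructed sample data; the script prints the commands as a plan rather than executing them.

```shell
#!/bin/sh
# Added example: per-organization token handling for multi-organization mounts.
# Assumed conventions (not from the product documentation): one token file per
# organization under TOKEN_DIR, and token files must be mode 0600.

TOKEN_DIR="${TOKEN_DIR:-/etc/weka-tokens}"   # assumed layout, one file per org
BACKEND="${BACKEND:-backend-host-0}"          # backend host named in the docs

# Path of the token file kept for one organization.
org_token_path() {
    printf '%s/%s.json' "$TOKEN_DIR" "$1"
}

# Login command that writes the organization's token to its own file via the
# --path attribute. The password is left as a placeholder so it never appears
# in this plan; supply it when the command is actually run.
build_login_cmd() {
    org="$1"; user="$2"
    printf 'weka user login %s <password> --org %s -H %s --path %s' \
        "$user" "$org" "$BACKEND" "$(org_token_path "$org")"
}

# Mount command that points the mount at the organization's token through the
# auth_token_path mount option, so mounts for different organizations on the
# same host never share a credential.
build_mount_cmd() {
    org="$1"; fs="$2"; mountpoint="$3"
    printf 'mount -t wekafs %s/%s %s -o auth_token_path=%s' \
        "$BACKEND" "$fs" "$mountpoint" "$(org_token_path "$org")"
}

# The token file is a credential for the organization's filesystems: return 0
# only when it exists and is mode 0600 (assumed policy), 1 otherwise.
check_token_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Print the login and mount commands for a constructed table of
# organization / login user / filesystem / mount point (sample data).
plan_mounts() {
    while read -r org user fs mp; do
        [ -n "$org" ] || continue
        echo "# organization: $org"
        build_login_cmd "$org" "$user"; echo
        build_mount_cmd "$org" "$fs" "$mp"; echo
        if check_token_file "$(org_token_path "$org")"; then
            echo "# token file ok"
        else
            echo "# token file missing or not mode 0600: log in first"
        fi
    done <<EOF
finance alice fin_fs /mnt/weka/fin_fs
genomics bob gen_fs /mnt/weka/gen_fs
EOF
}

case "${1:-}" in
    plan) plan_mounts ;;
esac
```

Run with `sh mounts.sh plan` to print the per-organization commands; nothing is mounted until the printed commands are executed. Because each organization's token lives in its own file and is checked before use, a token compromised for one organization can be revoked by the Organization Admin (as described above) without touching the other organizations' mounts on the same host.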
