Managing users
Overview of user management
To operate and set up the Virtual Storage Software block storage cluster, you must be registered with Virtual Storage Software block as a user.
For example, in REST APIs, you specify your user ID and password in the form "<user-ID>:<password>", encoded in Base64, in the Authorization header of the request.
In the CLI, specify the user ID in the --user option and enter your password interactively.
A user's operation privilege is determined by the roles set for the user group to which the user belongs. For example, only a user who belongs to a user group having the VpsSecurity role can create users. Ask a system administrator to create initial user groups and users that have the VpsSecurity role.
Be careful not to lose the passwords of valid users having the VpsSecurity role. If the passwords of all valid users having the VpsSecurity role are lost, ask a system administrator to change the passwords.
The only operation a newly created user can perform initially is to change the password. After changing the password, the user can perform any operation allowed for the given role. Ask a system administrator about password policies.
A user can be registered for more than one user group.
You can create new user groups.
The following table lists the roles and available operations. Create users according to the system operation guidelines.
Role | Available operations
VpsSecurity | Managing users; obtaining session information
VpsStorage | Deleting compute node information; registering or deleting compute node initiator information; registering or deleting compute node paths; allocating volumes to compute node paths or releasing connections between volumes and compute node paths; obtaining compute port information; creating, deleting, expanding, or editing settings of volumes; obtaining, deleting, or restoring snapshots; obtaining information about volume capacity or volume performance; obtaining VPS usage status
VpsMonitor | Obtaining compute port information; obtaining information about volume capacity or volume performance; obtaining VPS usage status
No role-based execution restriction is applied to the following operations:
- Verifying, creating, and deleting your own session
- Obtaining a message to be displayed in the GUI login window and in
- Obtaining versions of APIs
- Obtaining information about individual jobs
- Obtaining information about storage cluster master (primary)
- Obtaining information about control ports and internode ports
- Network settings for the storage cluster
- Storage cluster time settings
- Obtaining your own user information
- Changing your own password
A user who has the VpsSecurity, VpsStorage, or VpsMonitor role can perform the following operations:
- Obtaining volume information
- Obtaining S-VOL and P-VOL information
- Obtaining compute node information
- Obtaining compute node initiator information
- Obtaining compute node path information
- Obtaining volumes and compute node connection information
- Obtaining compute port information
- Obtaining storage node network settings
To perform a storage cluster operation through a REST API, for example, you send the request to Virtual Storage Software block with credentials specified in the Authorization header of the request.
Virtual Storage Software block supports three authentication methods: basic authentication, session authentication, and ticket authentication.
In basic authentication, a user ID and a password are used as credentials, and authentication is performed for each request.
In session authentication, a token is used as credentials, and authentication can be omitted for a period of time. Session authentication is therefore useful for automated operations performed by applications. A token is obtained by running a REST API or CLI command that generates a session. For how to generate a token, see Generating a session.
The settings that are applied to user authentication are called user authentication settings. User authentication settings contain password complexity, password expiration time, lockout, and session parameters. System administrators set those values and VPS administrators can obtain them. See Editing user authentication settings.
When linkage with an external authentication server is configured by the system administrator, authentication can be performed by using the user information registered in the external authentication server. Only an OpenLDAP or Active Directory (AD) external authentication server can be linked.
Obtaining detailed information about users (CLI or REST API)
The following information about the registered users can be obtained.
- userId: User ID
- userObjectId: User object ID
- passwordExpirationTime: Expiration time of the password
- isEnabled: Whether the user is valid
- userGroups: List of IDs of user groups that the user belongs to (user group IDs and the object ID of each user group)
- isBuiltIn: Whether the user is a built-in user
- authentication: Authentication type
- roleNames: Role of the user group
- isEnabledConsoleLogin:
  (Virtual machine) null
  (Bare metal) Whether the console interface can be used
- vpsId: ID of the VPS to which the user belongs
- privileges: List of the VPS information that the user can access
Before you begin
- Role required to obtain detailed information about a user: VpsSecurity
Obtaining your own user information is not subject to role-based execution restriction.
Procedure
Verify the user ID.
REST API: GET /v1/objects/users
CLI: user_list
Obtain detailed information about users.
Run either of the following commands with the user ID specified.
REST API: GET /v1/objects/users/<userId>
CLI: user_show
Changing your own password (CLI or REST API)
Only a user whose authentication type is local can change their password.
If you change your password, your session is deleted.
This operation is not subject to role-based execution restriction.
Procedure
Change your own password.
Run either of the following commands with the user ID, current password, and new password specified.
REST API: PATCH /v1/objects/users/<userId>/password
CLI: user_password_set
After running the command, you receive a response indicating user information.
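As an added example covering the Basic authentication header described earlier and the password-change procedure above (this is not code from the product documentation): a small Python client that builds the Base64 Authorization value, issues GET /v1/objects/users/<userId>, and sends PATCH /v1/objects/users/<userId>/password. BASE_URL, the injectable `send` transport, and the request body field names are assumptions.

```python
import base64
import json
from typing import Callable, Optional
from urllib.request import Request, urlopen

# Constructed placeholder; replace with the REST endpoint of your storage cluster.
BASE_URL = "https://vssb.example.invalid"


def basic_auth_header(user_id: str, password: str) -> str:
    """Return the Basic Authorization value: Base64 of '<user-ID>:<password>'."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(method: str, path: str, user_id: str, password: str,
                  body: Optional[dict] = None) -> Request:
    """Build a request for a REST API path with basic authentication attached."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(user_id, password))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def log_line(req: Request) -> str:
    """Audit-log form of a request: method and path only, never the credentials."""
    return f"{req.get_method()} {req.selector}"


def send_json(req: Request) -> dict:
    """Default transport: perform the request and parse the JSON response body."""
    with urlopen(req) as resp:  # raises HTTPError on 401/403 and other failures
        return json.load(resp)


def get_user(user_id: str, password: str, target_user_id: str,
             send: Callable[[Request], dict] = send_json) -> dict:
    """GET /v1/objects/users/<userId>; needs VpsSecurity unless the target is yourself."""
    return send(build_request("GET", f"/v1/objects/users/{target_user_id}", user_id, password))


def change_own_password(user_id: str, current_password: str, new_password: str,
                        send: Callable[[Request], dict] = send_json) -> dict:
    """PATCH /v1/objects/users/<userId>/password; the response is the user information.
    Body field names are an assumption. Discard any session token afterwards: changing
    the password deletes the session, and later requests must use the new password."""
    body = {"currentPassword": current_password, "newPassword": new_password}
    path = f"/v1/objects/users/{user_id}/password"
    return send(build_request("PATCH", path, user_id, current_password, body))
```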