Role-Based Access Control (RBAC) with Qumulo Core

IN THIS ARTICLE 

Outlines how to use role-based access control for users and groups in Qumulo Core

REQUIREMENTS

• Cluster running Qumulo Core 2.13.5 and above for Administrators role (2.14.0 and above for Web UI configuration)
• Cluster running Qumulo Core 2.14.1 and above for Data-Administrators and Observers roles
• Cluster running Qumulo Core 3.0.2 and above for custom roles
• Command line (CLI) tools installed via API & Tools in the Web UI
• Existing Qumulo Administrator privileges

DETAILS

With Qumulo, specific privileges can be granted to any user or group, local or in Active Directory, via role-based access control (RBAC). Assigning any one of the following roles using the Qumulo Core Web UI or QQ CLI will control access so that management responsibilities for the cluster can be shared while still restricting certain actions.

NOTE: Users with a newly assigned role will need to re-log in or experience a session timeout for the change to take effect.

Administrators Role

Qumulo Administrators will have full access and control of the cluster. Once a user or group is assigned the Administrators role, they will have the privilege to perform the following actions:

• Configure and manage general cluster settings for audit logging, snapshots, replication, quotas, etc. via the Web UI, API, or QQ CLI
• Create files and directories in the current and all future directories
• Read all files and file attributes and list all directories in the current and all future directories
• Delete or rename all files and directories in the current and all future directories
• Change ownership and permissions for all files and directories in the current and all future directories

Data-Administrators Role

The Data-Administrators role is ideal for API/CLI users. With this role, a user or group will not have access to the Web UI but will have the same file privileges as the Administrators role along with the following:

• Read/write permissions for all NFS/SMB/Quotas/Snapshots APIs
• Read-only permissions to APIs for local-users
• Access to the analytics and miscellaneous fs-related APIs including tree-deletes, permissions modes, and reading/releasing locks (NLM) on files

Observers Role

With the Observers role, a user or group will have the privilege to access the Web UI and read-only APIs with a few exceptions (debug APIs and authentication settings). This role is assigned to the "Everyone" group by default on any cluster running a version of Qumulo Core between 2.14.1 and 3.0.4.

Starting with the 3.0.5 release, clusters will no longer assign the "Everyone" group to the Observers role by default. Non-admin users will no longer have access to the Web UI or read-only APIs on the cluster unless you assign the role. To grant access, go to the Role Management page in the Web UI and add “Everyone” to the “Observers” group or run the qq command below.

qq auth_assign_role --role Observers --trustee Everyone

TIP! If needed, you can assign a user both the Data-Administrators and Observers role to give them the ability to manage the data on your Qumulo cluster via the Web UI without giving them full admin access.

Custom Roles (3.0.2 and above)

With the release of Qumulo Core 3.0.2, you can configure custom roles via the qq command-line. To create a new custom role, specify the role name and include the optional description and privileges arguments in the command below. Note that the role name must be 1-64 characters long and contain no white space.

qq auth_create_role --role NEW_ROLE_NAME --description ROLE DESCRIPTION --privileges-file PRIVILEGES

To modify the name, description, or privileges on an existing custom role, you can specify the role name and change the description or privileges by using the optional arguments:

 qq auth_modify_role --role ROLE_NAME

 -d DESCRIPTION, --description DESCRIPTION
 New description of the role

Privileges:
 -p PRIVILEGES_FILE, --privileges-file PRIVILEGES_FILE
 Overwrite the role's privileges with output from
 auth_list_privileges, cannot be used with -G or -R
 -G PRIVILEGE [PRIVILEGE ...], --grant PRIVILEGE [PRIVILEGE ...]
 Privilege to add to this role (may be repeated)
 -R PRIVILEGE [PRIVILEGE ...], --revoke PRIVILEGE [PRIVILEGE ...]
 Privilege to remove from this role (may be repeated)

To remove a custom role, you can include the role name with the following command:

qq auth_delete_role --role ROLE_NAME

Example:

Create a custom role called SMB-Manager:

qq auth_create_role --role "SMB-Manager" --description "Manage SMB shares"

Find out the existing SMB managing privileges using the following command:

qq auth_list_privileges | grep PRIVILEGE_SMB

Output:

PRIVILEGE_SMB_SHARE_READ: View SMB shares and settings
PRIVILEGE_SMB_SHARE_WRITE: Create, modify, and delete SMB shares and settings

Add these two privileges to the new SMB-Manager role with the following commands:

qq auth_modify_role -r SMB-Manager -G PRIVILEGE_SMB_SHARE_READ
qq auth_modify_role -r SMB-Manager -G PRIVILEGE_SMB_SHARE_WRITE

TIP! You can use a text file for adding privileges to a new role. For example, create a file with all "WRITE" privileges:

qq auth_list_privileges | grep WRITE > all-write-privs.txt

With that all-write-privs.txt, create a new “Write-Everything” role:

qq auth_create_role -r "Write-Everything" -d "Can write, create, modify everything" -p all-write-privs.txt

Role Management via the UI

1. Login to the Qumulo Core Web UI.
   
2. Hover over the Cluster menu and click Role Management.
   
   
   
   
3. Click Add Members for the role you wish to assign.
   
   
   
   
4. Use any one of the following trustee inputs to assign the role:
   
   
   
   
5. Click Yes, Assign Role.
   
   
   

The new user or group will be added to the list of Administrators, Data-Administrators, or Observers on the Role Management page. To unassign a role, simply click the blue trash can icon on the user or group listing.

Custom Roles (3.0.4 and above)

Custom roles can be created and managed in the Qumulo Core Web UI with versions 3.0.4 and above. To add a new custom role to your cluster, click the Create Role button at the top of the page. 

Specify the name, description, and privileges and click the Save button at the bottom of the Create Role page.

Once the role is created, the custom role will be listed on the Role Management page alongside the Administrators, Data-Administrators, and Observers roles. Here you'll be able to easily edit the privileges via the pencil icon or delete an existing custom role by clicking the blue trash can icon.

To edit the privileges of an existing custom role, click the pencil icon, check or uncheck the privileges, and click the Save button at the bottom of the page.

 

Role Management via QQ CLI

To assign a role to a user or group, include the credential information for the trustee in the command below:

qq auth_assign_role --role ROLE --trustee TRUSTEE

Role options include:

• administrators
• data-administrators
• observers
• custom roles

Supported credentials for the trustee include the following:

• UID
• GID
• SID
• Local username
• Active Directory credentials with DOMAIN\name
• auth_id

EXAMPLE: Running the command below would assign the Administrators role to the user with UID 1000.

qq auth_assign_role --role administrators --trustee uid:1000

To unassign a role, include the credential information for the trustee in the command below:

qq auth_unassign_role --role ROLE --trustee TRUSTEE

EXAMPLE: The Observers role would be unassigned to the user with UID 2000 using the command below.

qq auth_unassign_role --role observers --trustee uid:2000 

To review the list of users and groups that have role-based access control on your cluster, use the command below:

qq auth_list_roles

RESOLUTION

You should now be able to successfully use role-based access control (RBAC) for users and groups in Qumulo Core

ADDITIONAL RESOURCES

Default File permissions in Qumulo Core

QQ CLI: Admins, Users and Groups

 

Like what you see? Share this article with your network!