
Role-Based Access Control (RBAC) with Qumulo Core

IN THIS ARTICLE 

This article explains how you can use role-based access control for users and groups in Qumulo Core.

REQUIREMENTS

  • A cluster running Qumulo Core
  • Command-line tools installed using the Web UI
  • Existing Qumulo Administrator privileges

DETAILS

Qumulo Core lets you grant specific privileges to any user or group, either locally or through Active Directory, using role-based access control (RBAC). Assigning any of the following roles by using the Web UI or qq CLI lets you control access to your cluster by letting some users share management responsibilities while still restricting certain actions.

IMPORTANT:

  • For any changes to take effect, user accounts with newly assigned roles must log out and log back in (or their sessions must time out).
  • Use special care when granting privileges to roles and users because certain privileges (such as replication-write privileges) can use system privileges to overwrite or move data to a location where a user has greater permissions. This can give a user access to all directories and files in a cluster regardless of any specific file and directory settings.

ROLE TYPES

Administrators Role

Important: Only the default, administrator user can access the cluster by using SSH.

This role is suitable for system administrators. Users with this role have full access to and control of the cluster, including the following actions:

  • Configure and manage general cluster settings for audit logging, snapshots, replication, quotas, and so on using the Web UI, API, or qq CLI
  • Create files and directories in all current and future directories
  • Read all files and file attributes and list all directories in all current and future directories
  • Delete or rename all files and directories in all current and future directories
  • Change ownership and permissions for all files and directories in all current and future directories

Data-Administrators Role

This role is suitable for API and qq CLI users who don't have Web UI access but have the same file privileges as the Administrators role, including the following actions:

  • Read and write permissions for all NFS, SMB, quotas, and snapshot APIs
  • Read-only permissions for local API users
  • Access to analytics and filesystem-related APIs, including: tree deletion, permission modes, and reading or releasing file locks (NLM)

Observers Role

This role is suitable for users or groups who can access the Web UI and read-only APIs with a few exceptions (debug APIs and authentication settings).

NOTES:

  • By default, any cluster running Qumulo Core 2.14.1 to 3.0.4 assigns this role to the Everyone group automatically. Clusters running Qumulo Core 3.0.5 (and higher) don't assign this role and non-administrative users don't have access to the Web UI or read-only APIs unless you explicitly assign the necessary role to them.
  • You can assign both the Data-Administrators and Observers roles to a user to give the user the ability to manage data on your Qumulo cluster using the Web UI without full administrative access.

Custom Roles

Qumulo Core lets you configure custom roles using the qq CLI. For more information, see Managing Roles by Using the qq CLI.

Managing Roles by Using the Web UI

This section explains how you can add a member to or remove a member from an existing role, and create and edit a custom role.

To Add a Member to an Existing Role

  1. Log in to the Qumulo Core Web UI.
  2. Click Cluster > Role Management.
  3. On the Role Management page, next to the role that you want to assign, click Add Member.
  4. Click Add Members for the role you wish to assign (for example, Administrators).
  5. In the Add Member to <Administrators> dialog box, type the trustee and then click Yes, Add Member.
    TIP: For examples of valid trustee inputs, click the icon (image not available).

  6. Click Yes, Assign Role.
    The new user or group is added to the role.

To Remove a Member from an Existing Role

  1. Log in to the Qumulo Core Web UI.
  2. Click Cluster > Role Management.
  3. On the Role Management page, to remove a user or group from a role, click the icon (image not available).

To Create a Custom Role

  1. Log in to the Qumulo Core Web UI.
  2. Click Cluster > Role Management.
  3. On the Role Management page, click Create Role.
  4. On the Create Role page, do the following:
    1. Enter a Name and Description.
    2. Select every privilege that you want to add to the role.
    3. Click Save.
    Your custom role is created and added to the Role Management page.

To Edit a Custom Role

  1. Log in to the Qumulo Core Web UI.
  2. Click Cluster > Role Management.
  3. On the Role Management page, next to the role that you want to edit, click the icon (image not available).
  4. On the Edit <My Role> page, select the privileges that you want to include in the role and then click Save.

Managing Roles by Using the qq CLI

This section explains how you can add a trustee to an existing role, create and modify custom roles, add single or multiple privileges to a role, and view the existing privileges for a role.

To Add a Trustee to an Existing Role

The following example grants access to the Web UI to trustee Everyone by adding it to the Observers role.

qq auth_assign_role \
  --role Observers \
  --trustee Everyone

The following example adds user uid:1000 to the Administrators role.

qq auth_assign_role \
  --role Administrators \
  --trustee uid:1000

To Remove a Trustee from an Existing Role

The following example removes user uid:2000 from the Administrators role.

qq auth_unassign_role \
  --role Administrators \
  --trustee uid:2000

To Create a New Custom Role

Specify the role name and include the optional description and privileges arguments, for example:

qq auth_create_role \
  --role "SMB-Manager" \
  --description "Manage SMB Shares" \
  --privileges-file PRIVILEGES

Note: The role name must be 1-64 characters long, without whitespace characters.

To Modify an Existing Custom Role

Use the auth_modify_role command to add, modify, or remove a role.

To Add a Privilege to an Existing Custom Role

Use the auth_modify_role command to add a privilege to a role, for example:

qq auth_modify_role \
  -r SMB-Manager \
  -G PRIVILEGE_SMB_SHARE_READ

To Add Multiple Privileges to a New Custom Role

Use the auth_list_privileges command, pipe (|) its output to grep to select all privileges that include a keyword, and redirect the result to a text file. Then, use the auth_create_role command with your text file.
In the following example, we write all privileges that contain the WRITE keyword to a text file, which we then use to create a custom role:

qq auth_list_privileges | grep WRITE > all-write-privileges.txt
qq auth_create_role -r "Write-Everything" -d "Can write, create, modify everything" -p all-write-privileges.txt
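
A keyword match such as WRITE can also sweep in the replication-write privileges that the IMPORTANT note above singles out. The following added example (not part of the original article or of Qumulo's tooling) splits a privileges file so that such entries are held back for review before the file is passed to auth_create_role; it assumes one privilege per line, and the privilege names in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: split a privileges file before using it with
# `qq auth_create_role -p`. Assumes one privilege entry per line.

# Constructed stand-in for the output of
#   qq auth_list_privileges | grep WRITE
# These names are placeholders, not taken from a real cluster.
sample_write_privileges() {
    cat <<'EOF'
PRIVILEGE_EXAMPLE_SMB_SHARE_WRITE
PRIVILEGE_EXAMPLE_QUOTA_WRITE
PRIVILEGE_EXAMPLE_REPLICATION_SOURCE_WRITE
PRIVILEGE_EXAMPLE_REPLICATION_TARGET_WRITE
PRIVILEGE_EXAMPLE_SNAPSHOT_WRITE
EOF
}

# review_privileges SRC OUT HELD KEYWORD...
# Writes entries containing any KEYWORD (case-insensitive) to HELD and
# the remaining entries to OUT, then prints the number of held entries.
review_privileges() {
    if [ "$#" -lt 4 ]; then
        echo "usage: review_privileges SRC OUT HELD KEYWORD..." >&2
        return 2
    fi
    src=$1 out=$2 held=$3
    shift 3
    # Newline-separated fixed strings act as alternatives for grep -F.
    pattern=$(printf '%s\n' "$@")
    grep -i -F -- "$pattern" "$src" > "$held" || true
    grep -i -v -F -- "$pattern" "$src" > "$out" || true
    wc -l < "$held" | tr -d ' '
}

# Demo: hold back the replication entries that the keyword match swept in.
workdir=$(mktemp -d)
sample_write_privileges > "$workdir/all-write-privileges.txt"
held_count=$(review_privileges "$workdir/all-write-privileges.txt" \
    "$workdir/reviewed-privileges.txt" "$workdir/held-privileges.txt" REPLICATION)
echo "held for manual review: $held_count"
cat "$workdir/held-privileges.txt"
echo "remaining entries for auth_create_role -p:"
cat "$workdir/reviewed-privileges.txt"
```

On a cluster, replace the sample file with the real output of qq auth_list_privileges and use the reviewed file as the -p argument.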

To View Existing Role Privileges

Use the auth_list_privileges command and pipe (|) its output to grep to show all privileges that include a keyword, for example:

qq auth_list_privileges | grep PRIVILEGE_SMB

To View Existing Users and Groups with Role-Based Control on Your Cluster

Use the auth_list_roles command.

RESOLUTION

You now know how to use role-based access control for Qumulo Core users and groups.

ADDITIONAL RESOURCES

Default File permissions in Qumulo Core

QQ CLI: Admins, Users and Groups
