Role-Based Access Control (RBAC) with Qumulo Core

IN THIS ARTICLE 

Outlines how to use role-based access control for users and groups in Qumulo Core

REQUIREMENTS

• Cluster running Qumulo Core 2.13.5 and above for Administrators role (2.14.0 and above for Web UI configuration)
• Cluster running Qumulo Core 2.14.1 and above for Data-Administrators and Observers roles
• Command line (CLI) tools installed via API & Tools in the Web UI
• Existing Qumulo Administrator privileges

DETAILS

With Qumulo, specific privileges can be granted to any user or group, local or in Active Directory, via role-based access control (RBAC). Assigning any one of the following roles using the Qumulo Core Web UI or QQ CLI will control access so that management responsibilities for the cluster can be shared while still restricting certain actions.

NOTE: Users with a newly assigned role will need to re-log in or experience a session timeout for the change to take effect.

Administrators Role

Qumulo Administrators will have full access and control of the cluster. Once a user or group is assigned the Administrators role, they will have the privilege to perform the following actions:

• Configure and manage general cluster settings for audit logging, snapshots, replication, quotas, etc. via the Web UI, API, or QQ CLI
• Create files and directories in the current and all future directories
• Read all files and file attributes and list all directories in the current and all future directories
• Delete or rename all files and directories in the current and all future directories
• Change ownership and permissions for all files and directories in the current and all future directories

Data-Administrators Role

The Data-Administrators role is ideal for API/CLI users. With this role, a user or group will not have access to the Web UI but will have the same file privileges as the Administrators role along with the following:

• Read/write permissions for all NFS/SMB/Quotas/Snapshots APIs
• Read-only permissions to APIs for local-users
• Access to the analytics and miscellaneous fs-related APIs including tree-deletes, permissions modes, and reading/releasing locks (NLM) on files

Observers Role

With the Observers role, you can grant any user or group the privilege to access the Web UI and read-only APIs with a few exceptions (debug APIs and authentication settings). This role is assigned to the "Everyone" group by default on clusters running Qumulo Core 2.14.1 or above.

TIP! If needed, you can assign a user both the Data-Administrators and Observers role to give them the ability to manage the data on your Qumulo cluster via the Web UI without giving them full admin access.

Role Management via the UI

1. Login to the Qumulo Core Web UI.
   
2. Hover over the Cluster menu and click Role Management.
   
   
   
   
3. Click Add Members for the role you wish to assign.
   
   
   
   
4. Use any one of the following trustee inputs to assign the role:
   
   
   
   
5. Click Yes, Assign Role.
   
   
   

The new user or group will be added to the list of Administrators, Data-Administrators, or Observers on the Role Management page. To unassign a role, simply click the blue trash can icon on the user or group listing.

Role Management via QQ CLI

To assign a role to a user or group, include the credential information for the trustee in the command below:

qq auth_assign_role --role ROLE --trustee TRUSTEE

Role options include:

• administrators
• data-administrators
• observers

Supported credentials for the trustee include the following:

• UID
• GID
• SID
• Local username
• Active Directory credentials with DOMAIN\name
• auth_id

EXAMPLE: Running the command below would assign the Administrators role to the user with UID 1000.

qq auth_assign_role --role administrators --trustee uid:1000

To unassign a role, include the credential information for the trustee in the command below:

qq auth_unassign_role --role ROLE --trustee TRUSTEE

EXAMPLE: The Observers role would be unassigned to the user with UID 2000 using the command below.

qq auth_unassign_role --role observers --trustee uid:2000 

To review the list of users and groups that have role-based access control on your cluster, use the command below:

qq auth_list_roles

RESOLUTION

You should now be able to successfully use role-based access control (RBAC) for users and groups in Qumulo Core

ADDITIONAL RESOURCES

Default File permissions in Qumulo Core

QQ CLI: Admins, Users and Groups

Like what you see? Share this article with your network!