Authorizing VMS Access and Permissions


VAST Cluster has a role-based access control (RBAC) system for VAST Management System (VMS) users (managers) and permissions.

There is also a user type distinction: tenant admin users have tenant-specific login access on clusters with multiple tenants, while cluster admin users have login access to the cluster VMS.

VMS Login Access

Login access depends on user type. Each manager has a user type. There are two user types:

  • Cluster admin. These users can log into the cluster VMS web UI URL and the VMS CLI and authenticate to the VMS REST API.

  • Tenant admin. These users can log into a specific VMS web UI URL for a tenant. They can also authenticate to the REST API to manage resources specific to the tenant.

VMS Permissions

Permissions are divided by type (create, view, edit, and delete) and can be assigned per realm. Each realm is a category of objects that can be created, viewed, edited and deleted. There are built-in realms and custom realms. Custom realms can be tenant specific.

You can assign permissions to security groups called administrative roles and to managers.

An administrative role can be either:

  • Enabled for multiple tenants, which can be a specified restricted set, and assignable to cluster admins, or

  • Enabled for one tenant and assignable to tenant admins.

VMS Users

You can provision VMS access in the following ways:

  • You can configure managers in VMS itself. These users can be assigned a user type and specific VMS permissions directly and they can be assigned administrative roles. Managers inherit all permissions assigned to all roles that they are assigned.

  • Users that belong to an LDAP or Active Directory provider can be provisioned through groups as follows:

    • Set Cluster admin groups in the Active Directory or LDAP configuration. This grants members of the specified groups on the provider cluster admin type access to VMS.

    • Set a tenant admin group per tenant. This is a group on a provider that is enabled on the tenant. Members of this group are granted tenant admin access.

    • Members may not belong to both Cluster admin groups and a tenant admin group.

    • To assign permissions to access and manage resources, you can add a group on the provider to a role (in VMS). This option is supported for any Active Directory or other LDAP-based authorization service that is configured on the cluster for protocol access. These users have all permissions that are assigned to all roles that they have.

      Note

      The provider must be configured and connected to the cluster and enabled on tenants as needed.

      Note

      Login fails for a member of Cluster admin groups or a tenant admin group if the user is not also a member of a group that is explicitly mapped to a VMS manager role. For tenant admins, this must be a role on the tenant that is configured for tenant admin access.

  • For Web UI access only, you can authorize manager access, user type and role on a SAML identity provider. For information about this option, see Configure SSO Authentication in VMS.

There is a predefined manager, admin, with a predefined role, administrators. It is not possible to delete all VMS users that have the administrators role. At least one VMS admin user always remains, so that VMS can still be accessed without LDAP connectivity if needed.

LDAP users can log into VMS with their Active Directory/LDAP user name and password. Successful login requires connectivity with the Active Directory/LDAP server. Users are granted all permissions granted to all roles associated with groups to which they belong.
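The provisioning rules above (user type from provider groups, no membership in both kinds of group, login gated on a mapped role, permissions as the union over all roles) can be modelled in a few lines. The following is an added illustration written for this page, not VAST's own code; the group, role and tenant names are constructed sample data, and the refusal of a user who is in the tenant admin groups of several tenants is an assumption of the model.

```python
"""Model of the VMS manager provisioning rules described above.

Added illustration, not VAST's own code. It encodes in plain Python the rules
the page states: LDAP/AD users gain Cluster admin or Tenant admin type through
provider groups; a user may not be in both kinds of group; login fails unless
the user is also in a group mapped to a VMS role (for tenant admins, a role on
that tenant); and a manager's effective permissions are the union of the
permissions of every role they hold. Group, role and tenant names below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PERMISSION_TYPES = ("create", "view", "edit", "delete")


@dataclass(frozen=True)
class Permission:
    realm: str    # e.g. "Logical", "Security" or a custom realm
    action: str   # one of PERMISSION_TYPES


@dataclass
class Role:
    name: str
    permissions: FrozenSet[Permission]
    tenant: Optional[str] = None   # None: role enabled for cluster admins


@dataclass
class ProviderConfig:
    cluster_admin_groups: FrozenSet[str]       # "Cluster admin groups" setting
    tenant_admin_groups: Dict[str, str]        # tenant name -> tenant admin group
    group_to_roles: Dict[str, List[Role]]      # provider group -> VMS roles


class LoginDenied(Exception):
    pass


def resolve_user_type(groups: FrozenSet[str], cfg: ProviderConfig) -> Tuple[str, Optional[str]]:
    """Derive the manager's user type from provider group membership."""
    is_cluster_admin = bool(groups & cfg.cluster_admin_groups)
    tenants = [t for t, g in cfg.tenant_admin_groups.items() if g in groups]
    if is_cluster_admin and tenants:
        raise LoginDenied("member of both Cluster admin groups and a tenant admin group")
    if is_cluster_admin:
        return "cluster_admin", None
    if len(tenants) == 1:
        return "tenant_admin", tenants[0]
    if tenants:
        # Assumption of this model: membership in the admin groups of several
        # tenants is ambiguous, so it is refused rather than guessed.
        raise LoginDenied("member of tenant admin groups for more than one tenant")
    raise LoginDenied("not a member of any Cluster admin or tenant admin group")


def authorize_login(groups: FrozenSet[str], cfg: ProviderConfig):
    """Return (user_type, tenant, effective permissions) or raise LoginDenied."""
    user_type, tenant = resolve_user_type(groups, cfg)
    roles = {r.name: r for g in groups for r in cfg.group_to_roles.get(g, [])}
    if user_type == "tenant_admin":
        # Only roles on the user's own tenant count for tenant admin access.
        roles = {n: r for n, r in roles.items() if r.tenant == tenant}
    if not roles:
        raise LoginDenied("no provider group mapped to a usable VMS role")
    # Effective permissions: union over every role the manager holds.
    effective = frozenset().union(*(r.permissions for r in roles.values()))
    return user_type, tenant, effective


def is_permitted(perms: FrozenSet[Permission], realm: str, action: str) -> bool:
    return Permission(realm, action) in perms


# Constructed sample configuration.
VIEW_MONITORING = frozenset({Permission("Monitoring", "view")})
MANAGE_EVENTS = frozenset({Permission("Events", a) for a in ("view", "edit")})
FULL_LOGICAL = frozenset({Permission("Logical", a) for a in PERMISSION_TYPES})

SAMPLE_CFG = ProviderConfig(
    cluster_admin_groups=frozenset({"vast-cluster-admins"}),
    tenant_admin_groups={"acme": "acme-tenant-admins"},
    group_to_roles={
        "vast-ops": [Role("ops", VIEW_MONITORING), Role("event-editors", MANAGE_EVENTS)],
        "acme-storage": [Role("acme-storage", FULL_LOGICAL, tenant="acme")],
    },
)

if __name__ == "__main__":
    for groups in (frozenset({"vast-cluster-admins", "vast-ops"}),
                   frozenset({"acme-tenant-admins", "acme-storage"}),
                   frozenset({"acme-tenant-admins", "vast-ops"}),
                   frozenset({"vast-cluster-admins", "acme-tenant-admins"})):
        try:
            print(sorted(groups), "->", authorize_login(groups, SAMPLE_CFG)[:2])
        except LoginDenied as err:
            print(sorted(groups), "-> denied:", err)
```

The third sample user is the case the Note above warns about: a tenant admin whose only role mapping is a cluster-wide role is denied, because a tenant admin needs a role on that tenant.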

RBAC Realms

Predefined VMS permission realms enable access to the following configurations (some of which are not applicable to Tenant Admin type users):

Realm: Events
Includes: Alarms, events, event definitions and global event definition settings.
Relevant VAST Web UI Menus/Pages/Tabs: Alarms and Events
VAST CLI Command Groups: event, alarm, eventdefinition, eventdefinitionconfig, webhook
VMS REST API Paths: /alarms/, /events/, /eventdefinition/, /eventdefinitionconfig/, /webhooks/

Realm: Hardware
Includes: The cluster object and all infrastructure components.
Relevant VAST Web UI Menus/Pages/Tabs: Infrastructure, Hardware, Settings/Cluster
VAST CLI Command Groups: carrier, cbox, cluster, cnode, dbox, dnode, dtray, ebox, fan, host, lock, nic, nvram, port, psu, rack, ssd, subnetmanager, switch
VMS REST API Paths: /carrier/, /cluster/, /dbox/, /cbox/, /cnode/, /dtray/, /dnode/, /eboxes/, /fan/, /host/, /nic/, /nvram/, /port/, /psu/, /racks/, /ssd/, /switch/, /subnetmanager/

Realm: Logical
Includes: Configuration of virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules.
Relevant VAST Web UI Menus/Pages/Tabs: Element Store, Data Protection, Network Access
VAST CLI Command Groups: blockhost, dns, globalsnapshotclone, kafkabroker, lifecyclerule, protectionpolicy, protectedpath, qospolicy, quota, replicationpeer, replicationstream, restorepoint, snapshot, s3replicationpeer, userquota, vastauditlog, version, view, viewpolicy, vip, vippool, volume, vtask
VMS REST API Paths: /blockhosts/, /dns/, /globalsnapstreams/, /kafkabrokers/, /nativereplicationremotetargets/, /protectionpolicies/, /protectedpaths/, /qospolicies/, /quotas/, /quotaentityinfos/, /replicationrestorepoints/, /replicationstreams/, /replicationtargets/, /snapshots/, /s3lifecyclerules/, /userquotas/, /vastauditlog/, /vtasks/, /versions/, /vippools/, /vips/, /views/, /viewpolicies/, /volumes/

Realm: Monitoring
Includes: Analytics reports, capacity usage estimations, data flow analytics
Relevant VAST Web UI Menus/Pages/Tabs: Analytics
VAST CLI Command Groups: monitor
VMS REST API Paths: /analytics/, /capacity/, /metrics/, /monitors/, /monitors/topn/

Realm: Security
Includes: Users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, VAST-support tunnels for remote support access.
Relevant VAST Web UI Menus/Pages/Tabs: User Management, Administrators, Settings/Indestructibility, Support
VAST CLI Command Groups: activedirectory, apitoken, encryptiongroup, encryptedpath, group, identitypolicy, indestructibility, ldap, localprovider, manager, nis, realm, role, tenant, user
VMS REST API Paths: /activedirectory/, /apitokens/, /encryptiongroups/, /encryptedpaths/, /groups/, /indestructibility/, /ldaps/, /localproviders/, /locals3keys/, /managers/, /nis/, /permissions/, /realms/, /roles/, /s3policies/, /tenants/, /users/

Realm: Settings
Includes: VMS settings
Relevant VAST Web UI Menus/Pages/Tabs: Settings/VMS
VAST CLI Command Groups: vms
VMS REST API Paths: /vms/

Realm: Support
Includes: Call Home configuration, Support bundles, licenses, envs, and modules.
Relevant VAST Web UI Menus/Pages/Tabs: Settings/Call Home, Support
VAST CLI Command Groups: callhomeconfig, env, license, module, supportbundle
VMS REST API Paths: /callhomeconfigs/, /supportbundles/, /licenses/, /envs/, /modules/
Object types: callhomeconfig, supportbundle, license, systemsettingsdiff, env, module, challengetoken

Realm: Applications
Includes: Managed applications that run on the cluster's CNodes
Relevant VAST Web UI Menus/Pages/Tabs: Applications
VAST CLI Command Groups: cnodegroups
VMS REST API Paths: /managedapplications/, /cnodegroups/

Realm: Database
Includes: VAST Database and any components that utilize VAST Database, such as VAST Catalog, VAST audit logs, VAST Event Broker event topics
Relevant VAST Web UI Menus/Pages/Tabs: VAST Database, VAST Catalog, VAST Audit Logs
VAST CLI Command Groups: column, projection, projectioncolumn, schema, table, topic, vastdatalogconfig, vastcatalogindexedcolumn
VMS REST API Paths:

  • /vastdb/

  • /vastauditlog/query_data/, /vastauditlog/columns/, /vastauditlog/stats/

  • /topics/, /topics/show/, /topics/delete/

  • /bigcatalogindexedcolumns/, /bigcatalogindexedcolumns/add/, /bigcatalogindexedcolumns/remove/, /bigcatalogconfig/, /bigcatalog/query_data/, /bigcatalogconfig/columns/, /bigcatalogconfig/stats/

  • /projectioncolumns/, /projectioncolumns/show/, /projectioncolumns/rename/, /projectioncolumns/delete/, /columns/, /columns/show/, /columns/delete/, /columns/rename/, /tables/, /tables/show/, /tables/rename/, /tables/delete/, /tables/add_columns/, /tables/load_from_file/, /vastdbtable/aggregate/, /schemas/, /schemas/show/, /schemas/rename/, /schemas/delete/

You can also define custom realms that allow access to whichever object types you choose to include.
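The realm table is what ties a REST API path to the permission type a manager needs, so it is also the lookup a defender uses when reviewing which realm a recorded REST call touched. The following added example (written for this page, not VAST code) maps a path to its realm using a subset of the paths copied from the table, with longest-prefix matching so that /vastauditlog/query_data/ resolves to Database while /vastauditlog/ resolves to Logical, as the table lists them. The mapping of HTTP verbs to the four permission types, and the reading of action sub-paths such as /topics/delete/, are assumptions of this model, not documented VMS behaviour.

```python
"""Added example (not VAST code): map a VMS REST API path to its permission
realm using the realm table above, and decide which permission type a request
needs. Path -> realm entries are a subset copied from the table. The HTTP
method -> permission type mapping and the treatment of action sub-paths such
as /topics/delete/ are assumptions of this model, not documented VMS behaviour.
"""
from typing import Optional, Set, Tuple

REALM_PATHS = {
    "Events": ["/alarms/", "/events/", "/eventdefinition/", "/eventdefinitionconfig/", "/webhooks/"],
    "Hardware": ["/cluster/", "/cnode/", "/dnode/", "/nic/", "/ssd/", "/switch/"],
    "Logical": ["/views/", "/viewpolicies/", "/vippools/", "/quotas/", "/snapshots/",
                "/protectionpolicies/", "/vastauditlog/"],
    "Monitoring": ["/analytics/", "/capacity/", "/metrics/", "/monitors/", "/monitors/topn/"],
    "Security": ["/activedirectory/", "/apitokens/", "/ldaps/", "/managers/", "/permissions/",
                 "/realms/", "/roles/", "/tenants/", "/users/", "/groups/"],
    "Settings": ["/vms/"],
    "Support": ["/callhomeconfigs/", "/supportbundles/", "/licenses/"],
    "Applications": ["/managedapplications/", "/cnodegroups/"],
    "Database": ["/vastdb/", "/vastauditlog/query_data/", "/vastauditlog/columns/",
                 "/vastauditlog/stats/", "/topics/", "/tables/", "/schemas/", "/columns/"],
}
PATH_TO_REALM = {p: realm for realm, paths in REALM_PATHS.items() for p in paths}

# Assumption: REST verbs map onto the four VMS permission types like this.
METHOD_ACTION = {"POST": "create", "GET": "view", "PATCH": "edit", "PUT": "edit", "DELETE": "delete"}
# Assumption: action sub-paths from the Database rows name the permission type themselves.
SUBPATH_ACTION = {"show": "view", "query_data": "view", "stats": "view", "columns": "view",
                  "add": "create", "add_columns": "create", "load_from_file": "create",
                  "rename": "edit", "delete": "delete", "remove": "delete"}


def _normalize(path: str) -> str:
    """Drop any query string and guarantee a trailing slash for prefix matching."""
    path = path.split("?", 1)[0]
    return path if path.endswith("/") else path + "/"


def realm_for_path(path: str) -> Optional[str]:
    """Longest registered prefix wins: /vastauditlog/query_data/ is Database
    while /vastauditlog/ itself is Logical, exactly as the table lists them."""
    path = _normalize(path)
    best: Optional[Tuple[str, str]] = None
    for prefix, realm in PATH_TO_REALM.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, realm)
    return best[1] if best else None


def required_action(method: str, path: str) -> Optional[str]:
    """Permission type a request needs: an action sub-path decides if present,
    otherwise the HTTP verb does; unknown verbs yield None."""
    last = _normalize(path).rstrip("/").rsplit("/", 1)[-1]
    if last in SUBPATH_ACTION:
        return SUBPATH_ACTION[last]
    return METHOD_ACTION.get(method.upper())


def check_request(granted: Set[Tuple[str, str]], method: str, path: str):
    """granted: set of (realm, permission type) pairs held by the manager.
    Returns (allowed, realm, action); unknown paths or verbs are never allowed."""
    realm = realm_for_path(path)
    action = required_action(method, path)
    if realm is None or action is None:
        return False, realm, action
    return (realm, action) in granted, realm, action


if __name__ == "__main__":
    viewer = {("Logical", "view"), ("Monitoring", "view")}
    for method, path in (("GET", "/views/"), ("DELETE", "/views/7/"),
                         ("GET", "/vastauditlog/query_data/"), ("POST", "/topics/delete/")):
        print(method, path, "->", check_request(viewer, method, path))
```

Unknown paths deliberately resolve to no realm and are refused, which is the safe default when the table is used to audit requests rather than to grant them.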

RBAC Auditing

The following are audited as events:

  • Changes to the VMS RBAC configuration.

  • Login attempts, including the time of the attempt, the attempting user and the login result.