VAST Cluster implements role-based access control (RBAC) for VAST Management System (VMS) users (manager users).
VMS Realms, Administrative Roles And Permission Types
Multiple permission types (create, view, edit, and delete) can be assigned per RBAC realm. Each RBAC realm is a category of objects that can be created, viewed, edited and deleted. There are built-in realms and custom realms. Custom realms can be tenant-specific.
You can assign permissions to administrative roles and/or manager users.
VMS Manager Users
You can configure manager users in the VMS. Manager users can be assigned administrative roles and/or specific VMS permissions directly. A manager user inherits all permissions granted by all the administrative roles that the user is assigned.
Manager users and their permissions can also be provisioned through groups on an Active Directory, LDAP or SAML provider, which can be attached to administrative roles. This setup is created for the tenant by the cluster admin through the cluster VMS.
LDAP users can log into VMS with their Active Directory/LDAP user name and password. Successful login requires connectivity with the Active Directory/LDAP server. Users are granted all permissions assigned by the roles associated with the groups to which they belong.
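The permission model described above (permission types per realm, roles, direct grants, and provider groups attached to roles, with a manager user receiving the union of everything granted), as an added example that is not VAST's own code; all user, role, group and custom-realm names in it are constructed:

```python
# Added example (not VAST's code): a minimal model of the VMS RBAC semantics.
# All user, role, group and custom-realm names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PERMISSION_TYPES = frozenset({"create", "view", "edit", "delete"})
BUILTIN_REALMS = frozenset({"Events", "Hardware", "Logical", "Monitoring",
                            "Security", "Applications", "Database"})
Grant = Tuple[str, str]  # (realm, permission type)

def grants(realm: str, *types: str, custom_realms: Set[str] = frozenset()) -> Set[Grant]:
    """Grants for one realm; rejects unknown realms and permission types."""
    if realm not in BUILTIN_REALMS and realm not in custom_realms:
        raise ValueError(f"unknown realm: {realm}")
    if not set(types) <= PERMISSION_TYPES:
        raise ValueError(f"unknown permission type(s): {sorted(set(types) - PERMISSION_TYPES)}")
    return {(realm, t) for t in types}

@dataclass
class RbacConfig:
    roles: Dict[str, Set[Grant]] = field(default_factory=dict)        # role -> grants
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)     # manager user -> roles
    user_direct: Dict[str, Set[Grant]] = field(default_factory=dict)  # manager user -> direct grants
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)    # AD/LDAP/SAML group -> roles

    def effective_permissions(self, user: str, groups: Set[str] = frozenset()) -> Set[Grant]:
        """Union of direct grants and the grants of every role held directly or via a group."""
        roles = set(self.user_roles.get(user, set()))
        for g in groups:                      # groups come from the identity provider at login
            roles |= self.group_roles.get(g, set())
        perms = set(self.user_direct.get(user, set()))
        for r in roles:
            perms |= self.roles.get(r, set())
        return perms

    def is_allowed(self, user: str, realm: str, ptype: str, groups: Set[str] = frozenset()) -> bool:
        return (realm, ptype) in self.effective_permissions(user, groups)

def build_demo() -> RbacConfig:
    """Constructed config: a read-only role, a Security admin role, a tenant custom realm, a mapped group."""
    cfg = RbacConfig()
    cfg.roles["event-viewer"] = grants("Events", "view") | grants("Monitoring", "view")
    cfg.roles["security-admin"] = grants("Security", *PERMISSION_TYPES)
    cfg.roles["tenant-a-reports"] = grants("TenantA-Reports", "view", "create",
                                          custom_realms={"TenantA-Reports"})
    cfg.user_roles["alice"] = {"event-viewer", "tenant-a-reports"}
    cfg.user_direct["alice"] = grants("Logical", "view")              # direct grant, no role
    cfg.group_roles["CN=vms-security-admins"] = {"security-admin"}    # bob holds no role directly
    return cfg
```

Calling `build_demo().is_allowed("bob", "Security", "edit", groups={"CN=vms-security-admins"})` shows a user with no directly assigned role still gaining Security permissions purely through the provider group mapping.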
RBAC Realms
Predefined VMS permission realms enable access to the following configurations (some of which are not applicable to Tenant Admin type users):
| Realm | Includes | Relevant VAST Web UI Menus/Pages/Tabs | VAST CLI Command Groups | VMS REST API Paths |
|---|---|---|---|---|
| Events | Alarms, events, event definitions and global event definition settings. | Alarms and Events | event, alarm, eventdefinition, eventdefinitionconfig, webhook | /alarms/, /events/, /eventdefinition/, /eventdefinitionconfig/, /webhooks/ |
| Hardware | The cluster object and all infrastructure components. | Infrastructure, Hardware, Settings/Cluster | carrier, cbox, cluster, cnode, dbox, dnode, dtray, ebox, fan, host, lock, nic, nvram, port, psu, rack, ssd, subnetmanager, switch | /carrier/, /cluster/, /dbox/, /cbox/, /cnode/, /dtray/, /dnode/, /eboxes/, /fan/, /host/, /nic/, /nvram/, /port/, /psu/, /racks/, /ssd/, /switch/, /subnetmanager/ |
| Logical | Configuration of virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules. | Element Store, Data Protection, Network Access | blockhost, dns, globalsnapshotclone, kafkabroker, lifecyclerule, protectionpolicy, protectedpath, qospolicy, quota, replicationpeer, replicationstream, restorepoint, snapshot, s3replicationpeer, userquota, vastauditlog, version, view, viewpolicy, vip, vippool, volume, vtask | /blockhosts/, /dns/, /globalsnapstreams/, /kafkabrokers/, /nativereplicationremotetargets/, /protectionpolicies/, /protectedpaths/, /qospolicies/, /quotas/, /quotaentityinfos/, /replicationrestorepoints/, /replicationstreams/, /replicationtargets/, /snapshots/, /s3lifecyclerules/, /userquotas/, /vastauditlog/, /vtasks/, /versions/, /vippools/, /vips/, /views/, /viewpolicies/, /volumes/ |
| Monitoring | Analytics reports, capacity usage estimations, data flow analytics | Analytics | monitor | /analytics/, /capacity/, /metrics/, /monitors/, /monitors/topn/ |
| Security | Users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, VAST-support tunnels for remote support access. | User Management, Administrators, Settings/Indestructibility, Support | activedirectory, apitoken, encryptiongroup, encryptedpath, group, identitypolicy, indestructibility, ldap, localprovider, manager, nis, realm, role, tenant, user | /activedirectory/, /apitokens/, /encryptiongroups/, /encryptedpaths/, /groups/, /indestructibility/, /ldaps/, /localproviders/, /locals3keys/, /managers/, /nis/, /permissions/, /realms/, /roles/, /s3policies/, /tenants/, /users/ |
| Applications | Managed applications that run on the cluster's CNodes | Applications | cnodegroups | /managedapplications/, /cnodegroups/ |
| Database | VAST Database and any components that utilize VAST Database, such as VAST Catalog, VAST audit logs, VAST Event Broker event topics | VAST Database, VAST Catalog, VAST Audit Logs | column, projection, projectioncolumn, schema, table, topic, vastdatalogconfig, vastcatalogindexedcolumn | |
RBAC Auditing
The following are audited as events:
Changes to the VMS RBAC configuration.
Login attempts, including the time of the attempt, the attempting user and the login result.