Overview
User Types
You can provision the following types of users to enable access to DataEngine on a given tenant:
Tenant admin users. As administrators with access to a specific tenant's VMS for management purposes, these users can be authorized to enable DataEngine on the tenant, add Kubernetes clusters and container registries, and create buckets to trigger events. They automatically have permission to use all DataEngine features.
Application users. You can provision this type of user for people in your organization who have no administration role on the cluster or the tenant. Application users can access DataEngine on the tenant without any of the VMS tenant administration functionality. They do not automatically have permission to use all DataEngine features; specific permissions are granted through identity policies. These include creating and managing triggers, serverless functions, and pipelines, deploying pipelines, and observing telemetry logs and traces.
Provisioning Application Users
Application users are provisioned through user groups on authentication providers. The following provider types are supported:
VAST providers.
Note
To enable cluster admin and/or tenant admin users to configure user provisioning using a local provider, make sure the provider has management enablement for the relevant user type. See {TBD}.
By default, the default VAST provider is enabled for management by cluster admin users but not by tenant admin users.
LDAP
Active Directory
Granting DataEngine Access and Permissions to Application Users
In order to grant application users access to DataEngine, you add the users to a group. The group must be on a provider that is connected to the tenant. In the tenant configuration, the group must be explicitly granted Data Engine access.
In order to perform tasks such as creating triggers and pipelines on DataEngine, application users must be granted permissions through identity policies.
The procedure below guides you to select an option within the tenant configuration to add the group to a predefined DataEngine role and to assign the group to a predefined identity policy that grants specific permissions.
Provisioning Tenant Admin Users for DataEngine
Tenant admin type users automatically have access to Data Engine regardless of their specific VMS permissions.
For the ability to create and manage source views (buckets) for triggering events, a Tenant admin user requires permission for the Logical realm.
For the ability to set up DataEngine provisioning on the tenant, a Tenant admin user requires permission for the Security realm.
For details about VMS administrator realms and how to create a Tenant admin user, see VMS Administrator Users and Permissions.
Provisioning Application Users for DataEngine
This procedure creates a user group on a provider that has access to DataEngine, adds users to the group, and grants the users in the group permissions to perform DataEngine tasks such as creating triggers and functions and building pipelines.
Create a user group on a provider.
Tip
If you are using a local (VAST) provider, you can do the following to create a user group:
From the left navigation menu, choose User Management and then Local Groups.
Click Create Local Group and complete the following fields:
| Field | Description |
|---|---|
| Name (required) | The group name. |
| GID | A GID number for the group. |
| Local Provider (required) | Select the VAST provider with which the group will be associated. |
Click Create. The group is created.
Connect the provider to the tenant and add the user group to the tenant for Data Engine access:
In the Tenants tab of the Element Store page, right-click the tenant and select Edit.
Under Providers and Users Access, select the provider on which you created the group.
Under Who Can Access This Tenant (Data Engine), in the Users Group field, start typing the name of the user group and select the group from the autocomplete suggestions.
Enable Assign Group to DataEngine role. This setting adds the group to a VMS role that is created automatically for DataEngine.
Note
This setting is technically optional. If you do not select this option, you will need to separately add the user group to a VMS RBAC role as described in Managing Administrative Roles in VAST Web UI. This is because membership of a role that belongs to the tenant is required to enable login access to the tenant.
Enable Assign DataEngine identity policy to group. This setting assigns the data-engine-TENANT_NAME identity policy to the group, where TENANT_NAME is the name of the tenant. This policy grants users permission to create and manage DataEngine resources.
Note
Enabling this policy is optional. If you choose not to enable it, the group will not have any permissions to perform any Data Engine related tasks until you assign another identity policy to the group. See Configuring Identity Policies for DataEngine.
The content of the data-engine-TENANT_NAME identity policy is:
```json
{
  "Id": "DataEnginePolicy1757876601",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataengineTablesAccess",
      "Action": [
        "s3:HeadBucket",
        "s3:Tabular*Transaction",
        "s3:TabularList*",
        "s3:TabularGet*",
        "s3:TabularQueryData"
      ],
      "Effect": "Allow",
      "Resource": [
        "dataengine-*",
        "dataengine-*/*"
      ]
    },
    {
      "Sid": "DataEngineDefault",
      "Action": [
        "dataengine:CreateTrigger",
        "dataengine:CreateFunction",
        "dataengine:CreatePipeline"
      ],
      "Effect": "Allow",
      "Resource": [
        "vast:dataengine:triggers:*",
        "vast:dataengine:functions:*",
        "vast:dataengine:pipelines:*"
      ]
    }
  ]
}
```
Note
The CreateTrigger, CreateFunction and CreatePipeline actions allow the user to create triggers, functions and pipelines, and also to update, modify and view those triggers, functions and pipelines that the user created. The CreatePipeline action includes permission to configure function deployment.
Click Update.
Create users on the provider. Assign them to the user group. If the user is on a local provider, assign a password.
Tip
If you are using a local provider, you can do this to create a user:
From the left navigation menu, choose User Management and then Users.
In the Users page that opens, click Create User and complete the following fields:
| Field | Description |
|---|---|
| Name (required) | The user name. |
| UID | The user's POSIX UID. |
| Local Provider (required) | Select the local provider with which the user will be associated. |
| Leading group | The name of the user's leading group. This is the group assigned by default as the owning group of any files created by the user. Select the group you created in the previous step from the dropdown. |
| Groups | Names of other groups that the user belongs to besides the leading group, also known as auxiliary groups. Select groups from the dropdown. If a group has not been added to the local provider, add the group first. |
| Select tenant to see user details | Select the tenant from the list. Tenants associated with the selected local provider (if any) are shown, as well as the default tenant. |
| Allow Create Bucket | Enable this setting. |
| Allow Delete Bucket | Enable this setting. |
In the User Password section, enter a temporary password for the user, or click Generate Password to have one randomly generated. The password can be any string matching the password requirements set in the VMS Settings. The user will be required to change the password when they first log in with it. If the user has access to multiple tenants, the same password is used to log in to all of them.
Click Create. The user is created.
Grant each user an S3 access key pair. See Managing S3 User Access from the VAST Web UI.
Note
S3 access key pairs are per tenant, even when a user belongs to multiple tenants that all use the same provider.
Application users can also manage their own S3 access key pairs. If the user does not have S3 access keys, the user will be prompted to create a pair after logging in to the tenant.
Attach identity policies as needed to the user and/or user group. If you applied the data-engine-TENANT_NAME identity policy to the user group you specified for DataEngine access in the tenant configuration, you may not need to apply further identity policies. See Configuring Identity Policies for DataEngine.
Configuring Identity Policies for DataEngine
DataEngine requires permissions to create buckets and to perform queries against VAST databases. For application users, these are granted through identity policies.
The predefined data-engine-TENANT_NAME identity policy grants users all permissions needed for DataEngine tasks. In the tenant configuration, if you select the Assign DataEngine identity policy to group option, this policy is applied to all the users in the user group specified under Who Can Access This Tenant (Data Engine) (see step 2 of the procedure above).
If you choose not to apply that identity policy to the user group, you can create custom identity policies and attach them to each user or to the group. For general information about creating and modifying identity policies and assigning them to users and groups, see Creating Identity Policies.
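Before writing a custom policy, it helps to check exactly which requests the predefined data-engine-TENANT_NAME policy already allows. The following is an added Python example, not VAST code: it evaluates IAM-style Allow/Deny statements with `*` and `?` wildcard matching against a copy of the policy shown above, and lists the (action, resource) pairs a custom policy would still have to cover. Resource names used in the checks are constructed, and the page's rule that CreateTrigger also covers updating and viewing the user's own triggers is enforced server-side and is not modelled here.

```python
import re

# Copy of the predefined data-engine-TENANT_NAME policy shown on this page ("Id" omitted).
DATA_ENGINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DataengineTablesAccess",
         "Action": ["s3:HeadBucket", "s3:Tabular*Transaction", "s3:TabularList*",
                    "s3:TabularGet*", "s3:TabularQueryData"],
         "Effect": "Allow",
         "Resource": ["dataengine-*", "dataengine-*/*"]},
        {"Sid": "DataEngineDefault",
         "Action": ["dataengine:CreateTrigger", "dataengine:CreateFunction",
                    "dataengine:CreatePipeline"],
         "Effect": "Allow",
         "Resource": ["vast:dataengine:triggers:*", "vast:dataengine:functions:*",
                      "vast:dataengine:pipelines:*"]},
    ],
}

def wildcard_match(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' exactly one; case-sensitive
    and anchored, so 'dataengine-*' does not match 'prod-dataengine-logs'."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """True if an Allow statement matches both action and resource and no matching
    Deny statement exists (an explicit Deny wins, as in IAM-style evaluation)."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(wildcard_match(a, action) for a in _as_list(stmt["Action"])) and \
           any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_grants(policy, requests):
    """Return the (action, resource) pairs the policy does not allow; these are what a
    custom identity policy attached to the user or group would still have to cover."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]
```

Run `missing_grants(DATA_ENGINE_POLICY, ...)` over the actions your application users actually need; anything it returns (for example a delete action, which the predefined policy does not grant) is what the custom policy has to add.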
Note
The vast-data-engine-collector-policy is automatically created and applied to the DataEngine telemetry collector, to enable the collector to query DataEngine telemetries.
DataEngine Permissions Granted through Identity Policies
The following supported S3 actions apply to DataEngine resources (triggers, functions and pipelines):
| Action | Description |
|---|---|
| dataengine:CreateTrigger | Create trigger |
| | Delete trigger |
| | List triggers |
| | Modify triggers |
| dataengine:CreateFunction | Create function |
| | Delete function |
| | List functions |
| | Modify function |
| dataengine:CreatePipeline | Create pipelines |
| | Delete pipelines |
| | List pipelines |
| | Modify pipelines |