A security service stores configuration information for clients for authentication and authorization (AuthN/AuthZ). For example, a share server will be the client for an existing service such as LDAP, Kerberos, or Microsoft Active Directory.
You can associate a share with one to three security service types:
You can configure a security service with these options:
The security service can be added to the share network.
To create a security service, specify the security service type and, optionally, a name, a description, the DNS IP address used inside the tenant's network, the security service IP address or hostname, the domain, the security service user or group used by the tenant, and the user's password.
Create an LDAP security service:
$ manila security-service-create ldap --dns-ip 8.8.8.8 --server 10.254.0.3 --name my_ldap_security_service
+-------------+--------------------------------------+
| Property    | Value                                |
+-------------+--------------------------------------+
| status      | new                                  |
| domain      | None                                 |
| password    | None                                 |
| name        | my_ldap_security_service             |
| dns_ip      | 8.8.8.8                              |
| created_at  | 2015-09-25T10:19:06.019527           |
| updated_at  | None                                 |
| server      | 10.254.0.3                           |
| user        | None                                 |
| project_id  | 20787a7ba11946adad976463b57d8a2f     |
| type        | ldap                                 |
| id          | 413479b2-0d20-4c58-a9d3-b129fa592d8e |
| description | None                                 |
+-------------+--------------------------------------+
To create a Kerberos security service, run:
$ manila security-service-create kerberos --server 10.254.0.3 --user demo --password secret --name my_kerberos_security_service --description "Kerberos security service"
+-------------+--------------------------------------+
| Property    | Value                                |
+-------------+--------------------------------------+
| status      | new                                  |
| domain      | None                                 |
| password    | secret                               |
| name        | my_kerberos_security_service         |
| dns_ip      | None                                 |
| created_at  | 2015-09-25T10:26:03.211849           |
| updated_at  | None                                 |
| server      | 10.254.0.3                           |
| user        | demo                                 |
| project_id  | 20787a7ba11946adad976463b57d8a2f     |
| type        | kerberos                             |
| id          | 7f46a447-2534-453d-924d-bd7c8e63bbec |
| description | Kerberos security service            |
+-------------+--------------------------------------+
To see the list of created security services, use manila security-service-list:
$ manila security-service-list
+--------------------------------------+------------------------------+--------+----------+
| id                                   | name                         | status | type     |
+--------------------------------------+------------------------------+--------+----------+
| 413479b2-0d20-4c58-a9d3-b129fa592d8e | my_ldap_security_service     | new    | ldap     |
| 7f46a447-2534-453d-924d-bd7c8e63bbec | my_kerberos_security_service | new    | kerberos |
+--------------------------------------+------------------------------+--------+----------+
You can add a security service to an existing share network that is not yet in use (that is, not associated with a share).
Add a security service to the share network with share-network-security-service-add, specifying the share network and the security service, then print the information about the security service. The output now includes a new attribute, share_networks, with the associated share network ID.
$ manila share-network-security-service-add share_net2 my_ldap_security_service
$ manila security-service-show my_ldap_security_service
+----------------+-------------------------------------------+
| Property       | Value                                     |
+----------------+-------------------------------------------+
| status         | new                                       |
| domain         | None                                      |
| password       | None                                      |
| name           | my_ldap_security_service                  |
| dns_ip         | 8.8.8.8                                   |
| created_at     | 2015-09-25T10:19:06.000000                |
| updated_at     | None                                      |
| server         | 10.254.0.3                                |
| share_networks | [u'6d36c41f-d310-4aff-a0c2-ffd870e91cab'] |
| user           | None                                      |
| project_id     | 20787a7ba11946adad976463b57d8a2f          |
| type           | ldap                                      |
| id             | 413479b2-0d20-4c58-a9d3-b129fa592d8e      |
| description    | None                                      |
+----------------+-------------------------------------------+
You can list the security services associated with a given share network. List the security services for the share_net2 share network:
$ manila share-network-security-service-list share_net2
+--------------------------------------+--------------------------+--------+------+
| id                                   | name                     | status | type |
+--------------------------------------+--------------------------+--------+------+
| 413479b2-0d20-4c58-a9d3-b129fa592d8e | my_ldap_security_service | new    | ldap |
+--------------------------------------+--------------------------+--------+------+
You can also dissociate a security service from the share network and confirm that the security service now has an empty list of share networks:
$ manila share-network-security-service-remove share_net2 my_ldap_security_service
$ manila security-service-show my_ldap_security_service
+----------------+--------------------------------------+
| Property       | Value                                |
+----------------+--------------------------------------+
| status         | new                                  |
| domain         | None                                 |
| password       | None                                 |
| name           | my_ldap_security_service             |
| dns_ip         | 8.8.8.8                              |
| created_at     | 2015-09-25T10:19:06.000000           |
| updated_at     | None                                 |
| server         | 10.254.0.3                           |
| share_networks | []                                   |
| user           | None                                 |
| project_id     | 20787a7ba11946adad976463b57d8a2f     |
| type           | ldap                                 |
| id             | 413479b2-0d20-4c58-a9d3-b129fa592d8e |
| description    | None                                 |
+----------------+--------------------------------------+
Shared File Systems Storage allows you to update security service fields using the manila security-service-update command with optional arguments such as --dns-ip, --server, --domain, --user, --password, --name, or --description.
To remove a security service that is not associated with any share networks, run:
$ manila security-service-delete my_ldap_security_service
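As an added example (not part of the original documentation or of the manila client), the shell functions below parse the property table printed by manila security-service-show and check two conditions this page shows: whether share_networks is empty before a delete, and whether the password row carries a clear-text value, as in the Kerberos output above. The function names and the sample tables are constructed for illustration.

```shell
# Added example: checks over the property table printed by
# `manila security-service-show` (read from stdin). Parses text only.

# ss_field PROPERTY: print the value of one property row.
ss_field() {
    awk -F'|' -v key="$1" '
        NF >= 4 {                      # data rows only; borders have no "|"
            k = $2; v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# ss_attached: succeed when share_networks lists at least one network.
ss_attached() {
    nets=$(ss_field share_networks)
    [ -n "$nets" ] && [ "$nets" != "[]" ]
}

# ss_password_shown: succeed when the password row holds a real value.
ss_password_shown() {
    pw=$(ss_field password)
    [ -n "$pw" ] && [ "$pw" != "None" ]
}

# ss_precheck: print one finding per line for the table on stdin.
ss_precheck() {
    table=$(cat)
    if printf '%s\n' "$table" | ss_attached; then
        echo "attached: remove it from its share network before deleting"
    else
        echo "detached: can be deleted"
    fi
    if printf '%s\n' "$table" | ss_password_shown; then
        echo "password-visible: keep this output out of logs and tickets"
    fi
}

# Constructed samples, abbreviated from the output format shown above.
ATTACHED_SAMPLE="| Property       | Value                                     |
| password       | None                                      |
| share_networks | [u'6d36c41f-d310-4aff-a0c2-ffd870e91cab'] |"
KERBEROS_SAMPLE="| Property | Value  |
| password | secret |
| user     | demo   |"
printf '%s\n' "$ATTACHED_SAMPLE" | ss_precheck
printf '%s\n' "$KERBEROS_SAMPLE" | ss_precheck
```

To run the checks against a real service, pipe the command from this page into the function: manila security-service-show my_ldap_security_service | ss_precheck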
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/legalcode.