Configuring User Access Controls
QoreStor allows you to specify user access controls for individual RDA containers. User access controls allows for multiple containers of the same type while ensuring that access to each container is isolated to specific users. User access controls (UACs) can be set at the container level to assign RWD (read-write-delete) or RW (read-write) permissions on that container to individual user accounts.Data within the containers can be access or deleted by users with both permission types, but the container can only be deleted by a user with RWD permissions.
The backup_user account is assigned by default to RDA containers, and is granted RWD permissions. Additional user access can be configured through the GUI or CLI.
|
NOTE: User Access Controls is currently only supported on RDA containers. |
Requirements for using User Access Controls
- The user account to which access is going to be assigned should be created before creating the container or configuring UAC.
To configure User Access Controls
- In the navigation menu, click Containers. The Containers page is displayed.
- In the list of containers, find the container for which you add user access controls, and then click User Access Control.
- The backup_user account is listed by default. To configure other accounts with permissions, user the Search field to find the account. Click the desired account to add it to the users list.
- For each listed account, select the appropriate permissions. Options are:
- Read/Write - gives the account read and write permissions on the container.
- Read/Write/Delete - gives the account read, write, and delete permissions on the container.
- Click Finish.
|
NOTE: To add user access controls to a container through the command line, use the command: container --add --name <name> [--group_name <name>]container --add_uac --name <name> --user <user name> --mode <RW|RWD>
Refer to the QoreStor Command Line Reference Guide for more information. |
Adding an NFS or CIFS connection type container
To add an NFS or a CIFS connection type container, complete the following steps:
- In the navigation menu, click Containers. The Containers page is displayed.
- Click Add Container.
- For the container Name, type the name of the container, and then click Next.
Container names cannot exceed 32 characters in length, must start with a letter, and can be composed of any combination of the following characters:
- A-Z (uppercase letters)
- a-z (lowercase letters)
- 0-9 (numbers). Do not start a container name with a number.
- dash (-) or underscore (_) special characters
|
NOTE:QoreStor does not support the use of the following special characters in container names: /, #, or @. |
- In the Storage Group drop-down, select the Storage Group for this container.
- For Protocol, select NAS (NFS, CIFS)..
- Click Next.
- For Marker Type, select the appropriate marker that supports your Data Management Application (DMA).
- Auto — Automatically detects CommVault, Tivoli Storage Manager (TSM), ARCserve, and HP Data Protector marker types. In addition, select this option if you need to support EMC Networker 2.0.
- ARCserve—Supports the ARCserve marker.
- BridgeHead — Supports the BridgeHead HDM marker.
- CommVault—Supports the CommVault marker.
- HP DataProtector—Supports the HP Data Protector marker.
- Networker — Supports EMC Networker 3.0. If you need to support EMC Networker 2.0, select Auto.
- Time Navigator—Supports the Time Navigator marker.
- TSM—Supports the TSM marker.
- Unix Dump — Supports the Amanda marker, among others.
|
IMPORTANT: Improper marker selection can result in non-optimal savings. As a best practice, if you have only one type of DMA with traffic directed to a container, it is best to select the marker type that supports your DMA (for example, BridgeHead, Auto, or another). Conversely, as a best practice, if you have traffic from a DMA that is not one of the supported marker types, it is best to disable marker detection for the container by selecting the None marker type. |
- For Access Protocols, select NFS and CIFS as appropriate.
(Use NFS to back up UNIX or LINUX clients. Use CIFS to back up Windows clients.)
- Click Next.
- If you selected NFS as the connection type, configure NFS access as follows. For CIFS connections, proceed to step 11.
- NFS Options — Defines the type of access to the container. Select one of the following options.
- Read Write Access — To allow read-write access to the container.
- Read Only Access — To allow read-only access.
- Root Mapping— Select one of the following options from the drop-down list to define the user level you want mapped to this container.
- Root — to specify a remote user with root access to read, write, and access files on the system.
- Nobody — to specify a user on the system without root access permissions.
- Administrator — to specify the system administrator.
- NFS Client Access — Define the NFS client(s) that can access the NFS container or manage the clients that can access this container by selecting one of the following options.
- Open (allow all clients) — To allow open access for all clients to the NFS container you create. (Select this option only if you want to enable access for all clients to this NFS container.)
- Create Client Access List — To define specific clients that can access the NFS container. In the Client FQDN or IP text box, type the IP address (or FQDN hostname) and click the Add icon. The “added” client appears in the Allow Clients list box. (To delete an existing client from this list box, select the IP address (or FQDN hostname) of the client you want to delete, and click the Delete icon. The “deleted” client disappears from the list box.)
- If you selected CIFS as the connection type, configure CIFS access as follows.
- Client Access — Define the CIFS client(s) that can access the container or manage the clients that can access this container by selecting one of the following options.
- Open (allow all clients) — To allow open access for all clients to the container you create. (Select this option only if you want to enable access for all clients to this container.)
- Create Client Access List — To define specific clients that can access the container. In the Client FQDN or IP text box, type the IP address (or FQDN hostname) and click the Add icon. The “added” client appears in the Allow Clients list box. (To delete an existing client from this list box, select the IP address (or FQDN hostname) of the client you want to delete, and click the Delete icon. The “deleted” client disappears from the list box.)
|
NOTE: The QoreStor administrator that manages the system has a different set of privileges than does the CIFS administrator user. Only the QoreStor administrator can change the password for the CIFS administrator user. To change the password that allows access for the CIFS administrator user, use the authenticate --set --user administrator commands. For more information, see the QoreStor Command Line Reference Guide. |
- Click Next.
A Configuration Summary of the options you selected for creating the container appears.
- Click Finish.
Creating an Object container
Adding an object container can be accomplished through the QoreStor UI or via the object_container command in the QoreStor CLI. Refer to the QoreStor Command Line Reference Guide for more information on the object_container command.
|
NOTE: QoreStor object container does not support object lifecycle management, which means transitioning storage classes or server side expiration of objects is not supported. |
To create an object container
- In the navigation menu, click Containers.
- On the Containers pane, click Add Container. The Add Container dialog will be displayed.
- In the Protocol field, select Object (S3 Compatible). The Name and Storage Group are populated by default.
- Click Next.
- To apply encryption, select Encryption and enter the following:
- Passphrase — the passphrase is user-defined and is used to generate a passphrase key that encrypts the file in which the content encryption keys are kept. The passphrase is a human readable key, which can be up to 255 bytes in length. It is mandatory to define a passphrase to enable encryption.
|
NOTE: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. |
- Confirm Passphrase — re-enter the passphrase used above.
- Encryption Mode — Select either static or internal.
- static - A global mode of key management in which a fixed key is used to encrypt all data.
- internal - A mode of key lifecycle management in which the keys are periodically generated and rotated. The minimum key rotation period before the content encryption key can be rotated and a new key is generated is 7 days. This rotation period is user-configurable and can be specified in days.
- Optionally, configure a Quota by entering an amount and setting the unit (GiB or TiB). If no value is set, the quota will be unlimited.
- Optionally, select Use HTTP instead of HTTPS. To use an HTTP connection, you must also follow the steps below:
-
On the QoreStor server, copy the aws.conf file to a new location:
cp /etc/oca/aws.conf.oca /etc/oca/aws.conf
-
Open the aws.conf file and update the endpoint connection protocol to http:
vi /etc/oca/aws.conf
Find the line containing AWS_ENDPOINT_PROTOCOL and set the value to http .
-
|
NOTE: The QoreStor implementation of object storage uses a self-signed certificate. If your data management application requires third party certificates, you must use HTTP to connect to the object container. |
- Click Next
- Review the summary and click Finish.
When the process is completed and the object container has been added to QoreStor, you will see the storage group ObjectContainer and the container ObjectStorageGroup added to the Storage Groups and Container pages, respectively. See the topics below for information on working with object storage.
Adding an object container through the command line
To add an object container, complete the following steps.
-
- Access the QoreStor CLI. Refer to Using the QoreStor command line for more information.
- Add an object tier using the command
object_container --add [--quota <Quota value in GiB or TiB][--use_http <yes|no>]
Refer to the QoreStor Command LIne Reference Guide for more information.
- To apply encryption to the data in this object tier, use the command:
object_container --encryption [--set <ON | OFF>] [--mode <static|internal> <--interval <7 days to 70 years>]
|
NOTE: Due to export regulations, the encryption at rest feature is not available in certain markets, and, therefore, may not be available in your locale. For more information about recommended guidelines for encryption, see Understanding Encryption at Rest |
|
NOTE: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. |
|
NOTE: After encryption is enabled, all of the data that is backed up is encrypted and is kept encrypted until it is expired and cleaned by the system cleaner. Note that encryption is an irreversible process. |
|
NOTE: When QoreStor is installed in Object direct mode, only Static encryption is supported. |
For more information, refer to the QoreStor Command Line Reference Guide.
- After creating an object container, you must configure user access for the container. By default, the backup_user account is configured with the object role and read/write access. To set the user policy for additional user accounts, use the command:
object_container --policy [--set] [--policy_type <readonly|readwrite|none>] --name <user name> [--show] --name <user name>
|
IMPORTANT: The backup_user and password are to be used as access key and secret key respectively when connecting to QoreStor from the S3 clients. The default values are:
Access key: backup_user
Secret key: St0r@ge!
To see the S3 endpoint, use the command object_container CLI /opt/qorestor/bin/object_container --show --endpoint
The endpoint is displayed in the format https://<QoreStor IP address>:9000
Make sure port 9000 is allowed for access through the firewall. |
Creating a VTL type container
To create a virtual tape library (VTL) type container, complete the following steps.
|
NOTE: The number of supported VTL containers varies depending on the QoreStor installation mode. Refer to the QoreStor Interoperability Guide for more information. |
- In the navigation menu, click Containers. The Containers page is displayed.
- Click Add Container.
- For Name, type the name of the container.
|
NOTE: QoreStor does not support spaces or the following special characters in container names: /, #, or @. VTL container names cannot exceed 32 characters in length, must start with a letter, and can be composed of any combination of the following characters:
- A-Z (uppercase letters)
- a-z (lowercase letters)
- 0-9 (numbers). (Do not start a container name with a number.)
- underscore (_) special characters
- hyphen (-) special character
|
|
NOTE: iSCSI VTL containers do not support the following characters:
- ASCII CONTROL CHARACTERS and SPACE through ,
- ASCII /
- ASCII ; through @
- ASCII [ through `
- ASCII { through DEL
|
- For Protocol, select Virtual Tape Library (VTL).
- Click Next.
- For Robot Model, select the type of virtual tape library for the VTL container.
- STK L700—This is the standard emulation of the StorageTek L700 library.
- QUEST DR_L700 - This is a Quest OEM version of StorageTek L700 library.
|
NOTE: The Quest version of the VTL issupported only with Symantec Backup Exec and Netbackup data management applications (DMAs). |
- For Tape Size, select the size of the tapes for your tape library from one of the following options.
- 800 GB
- 400 GB
- 200 GB
- 100 GB
- 50 GB
- 10 GB
|
NOTE: Creating a VTL container type creates a tape library of type Storage Tek L700 with 10 tape drives of type IBM Ultrium LTO-4 and 60 tape slots holding 60 tapes. Additional tapes can be added as required. For more information, see VTL and QoreStor specifications. |
- For Access Protocol, select one of the following options. Each protocol has different configuration requirements, as listed below.
- NDMP
- Enter DMA’s FQDN or IP address that will access the VTL container.
- For Marker Type, select the appropriate marker that supports your DMA from the options below:
- None — Disables marker detection for the container.
- Auto — Automatically detects CommVault, Tivoli Storage Manager (TSM), ARCserve, and HP Data Protector marker types. In addition, select this option if you need to support EMC Networker 2.0.
- ARCserve—Supports the ARCserve marker.
- BridgeHead — Supports the BridgeHead HDM marker.
- CommVault—Supports the CommVault marker.
- HP DataProtector—Supports the HP Data Protector marker.
- Acronis —Supports the Acronis marker
- Networker — Supports EMC Networker 3.0. If you need to support EMC Networker 2.0, select Auto.
- TSM—Supports the TSM marker.
- Unix Dump — Supports the Amanda marker, among others.
- iSCSI
- Enter the FQDN, IQN, or IP address of the iSCSI initiator that can access the VTL container.
- For Marker Type, select the appropriate marker that supports your DMA from one of the following options:
|
NOTE: Improper marker selection can result in non-optimal savings. As a best practice, if you have only one type of DMA with traffic directed to a container, it is best to select the marker type that supports your DMA. Conversely, as a best practice, if you have traffic from a DMA that is not one of the supported marker types, it is best to disable marker detection for the container by selecting the None marker type. |
- None — Disables marker detection for the container.
- Auto — Automatically detects CommVault, Tivoli Storage Manager (TSM), ARCserve, and HP Data Protector marker types. In addition, select this option if you need to support EMC Networker 2.0.
- ARCserve—Supports the ARCserve marker.
- BridgeHead — Supports the BridgeHead HDM marker.
- CommVault—Supports the CommVault marker.
- HP DataProtector—Supports the HP Data Protector marker.
- Acronis —Supports the Acronis marker
- Networker — Supports EMC Networker 3.0. If you need to support EMC Networker 2.0, select Auto.
- TSM—Supports the TSM marker.
- Unix Dump — Supports the Amanda marker, among others.
- No Access.
|
NOTE: QoreStor allows you to create a VTL container type without configuring it with a specific protocol (that is, by selecting No Access). You can configure the container at a later date. |
- Click Next.
A summary of the options you selected for creating the container appears.
- Click Finish.