Local users

The VPSA’s User Management system supports multiple users. There are two distinct user types:

  • Admin - When the VPSA is created via the Provisioning Portal, a default ‘admin’ user is created. This default ‘admin’ user cannot be deleted, and the password associated with this account should be complex and stored securely. The email address can belong to a single person, but a distribution list may be a better choice. This Admin user can add, update and delete other Users and reset Users’ passwords through the VPSA GUI. It also has full control over all VPSA functions. This should not be confused with a standard User account which has been assigned the ‘Admin’ privilege.

  • User - A User who was added by the Admin User. This User has rights to manage the VPSA either through the GUI or REST API, according to their assigned Roles. Each User has their own Password and Access Key.

User Roles

User Roles define the access rights given to a User. By default, all Users have read rights to all Objects. In addition, the roles define the User’s create/update/delete rights for each object type (Pools, Volumes, Backups, etc.). Roles are assigned to each User at creation time and can also be updated later.

Creating a new User Role

When creating a new User Role, give it a name and select the access rights to be granted to the new role. Press Add Role.

Adding and Deleting Users

Adding a new User

Log in to the VPSA with the ‘admin’ user credentials, or as a User who has been assigned the ‘Admin’ privilege. Go to the Users page and click Add User.

Enter the Username and Email address and specify if this new User will be assigned the ‘Admin’ privilege (full control), or select specific Roles. Select the Notify on events checkbox if you want this User to receive email notifications from this VPSA. Then press the Add User button to complete the operation.

Once the new User is created, a dialog with a temporary passcode will appear. This passcode is also sent to the Admin User’s email. The new User will need to use this temporary passcode when logging into the VPSA for the first time.

Changing a User’s Role

The Roles of any given User can be changed at any time. Log in to the VPSA with the ‘admin’ user credentials, or as a User who has been assigned the ‘Admin’ privilege. Go to the Users page, select the User from the list and click the Change Roles button.

Deleting a User

Log in to the VPSA with ‘admin’ user credentials, or as a User who has been assigned the ‘Admin’ privilege. Go to the Users page, select the User from the list and click the Delete User button.

The User will be deleted, but this operation will not affect any other entities that were created or managed by that User.


Managing User Passwords

The VPSA stores a cryptographic hash value (using a one-way SHA-3 hash function) of the VPSA User Password. When you log in to the VPSA, the hash value of the entered password is compared with the stored one.

Changing your password

Log in to the VPSA and click your user name in the upper right corner of the screen. Your account page will open. Click Change Password.

Enter your current password, a new password and confirm the new password. Click Change Password to submit the operation.

Note

This operation is available to Admin and to all regular Users. Each User can only change their own password.

Resetting User Password

This operation is available only to the Admin User. The Admin User (or User with Admin privilege) can reset any User’s password. A new temporary passcode will be created and sent to the User’s email. The User will be requested to set a new password at the next login.

Log in to the VPSA with Admin User credentials. Go to the Users page, select a User from the list, and click Reset Password.

Resetting API Key

Zadara Storage employs a session-based authentication mechanism as a means to identify a user for every HTTP request to a VPSA.

You initiate a session by logging in with the VPSA User Password. Upon successful authentication a Secret API Token is sent back to the client application for any subsequent REST API communication with the VPSA to identify the authenticated User and validate the session.

At any time you can generate a new Secret API Token, thus invalidating the previous token and any sessions using it.

Log in to the VPSA and click your user name in the upper right corner of the screen. Your account page will open. Click Reset Access Key.


Managing Password Policy

The VPSA Admin can control the VPSA Password Policy. For details, see VPSA Settings > Security.


Dual Factor Authentication

The VPSA’s User Management system supports Dual Factor Authentication (DFA) using an Authenticator mobile application. DFA is a common practice for protecting access if a password is compromised, because the password alone is not enough to log in. Each user can turn Dual Factor Authentication on or off for their own account. The VPSA admin can force Dual Factor Authentication on all users.


Enabling Dual Factor Authentication

To enable DFA, open the current User Properties by clicking the user name in the upper right corner of the VPSA GUI screen.

Click Activate or Deactivate. Close the properties dialog, and log out.

The first time you log in again, a Confirmation dialog with a QR code opens.

Install an Authenticator mobile app (e.g. Google Authenticator) from Google Play or the Apple App Store, and scan the QR code. Enter the code shown by the Authenticator. You are now set.

From now on, every login will require the temporary code from the Authenticator app.

Important

The mobile device that runs the Authenticator app is needed for login. If the device was lost or replaced, the user must ask the VPSA admin to reset their DFA settings. The VPSA admin must contact Zadara support to reset the DFA.


Enforcing Dual Factor Authentication

A VPSA administrator can force DFA for all users. In Settings > Security, click Edit on Dual Factor Authentication, check the Enforce dual factor for all users checkbox and click Save.

This setting change does not take effect immediately. The next time each user logs in, they will be required to set up the Authenticator app on their mobile device as described above.

Note

When DFA enforcement is removed, users with DFA configured are still required to use the temporary code when logging in. However, each user can change their settings in the user properties as described above.