UCS Security
www.silantia.com
Nov 17, 2014

Agenda:
Management Hierarchy / ORG and RBAC
RBAC Groups
Remote RBAC Configuration
Roles and Privileges
Users
Backup and Restore
Organizations
Organizations are levels of hierarchy that you can create within a UCS system.
A single UCS system can be divided into multiple ORGs, and users can be configured to perform only certain tasks within an ORG.
E.g. the company Acme Gizmo has multiple departments: Engineering, Finance, Marketing and Sales. All of their compute resources are within a single UCS system sharing common SAN and LAN infrastructure.
Organizations are used to provide an administrative hierarchy for the application of policy.
Organizations can be created under the Server, LAN and SAN tabs in UCS Manager. Once created under any of these tabs, an organization appears in all tabs.
Organizations
Depending on the tab context in UCS Manager, ORGs can contain service profiles, identity pools, resource pools, policies and thresholds. All pools and policies created within an ORG are local to that ORG and can also be used in its sub-organizations.
If a MAC/UUID/WWN pool is exhausted within an ORG and a service profile requests another MAC/UUID/WWN, the identity is borrowed from the parent ORG's pool.
Even if no organizations are created in the UCS system, there is always one organization called root. All other ORGs are created under root.
Figure: example organization hierarchy for AcmeGizmo (root at the top, with Engineering, Finance and Marketing organizations beneath it).
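The pool scoping rules above (pools local to an ORG, usable by its sub-organizations, borrowed from the parent when exhausted), modelled as an added example; this is constructed illustration code, not UCS Manager code, and the ORG names and MAC values are assumed sample data.

```python
"""UCS pool scoping model: a pool belongs to the ORG that created it, is usable
by that ORG's sub-organizations, and once it is exhausted a request is served
from the parent ORG's pool. Constructed illustration, not UCS Manager code."""
from typing import Dict, List, Optional

class PoolHierarchy:
    def __init__(self, parent: Dict[str, Optional[str]]):
        self.parent = parent          # child ORG -> parent ORG, root -> None
        # org -> pool name -> list of free identities (MACs, UUIDs, WWNs)
        self.pools: Dict[str, Dict[str, List[str]]] = {}

    def add_pool(self, org: str, name: str, ids: List[str]) -> None:
        self.pools.setdefault(org, {})[name] = list(ids)

    def allocate(self, org: str, name: str) -> Optional[str]:
        """Take an identity from the nearest non-empty pool `name` at or
        above `org`; None when every pool up to root is exhausted."""
        current: Optional[str] = org
        while current is not None:
            free = self.pools.get(current, {}).get(name)
            if free:
                return free.pop(0)
            current = self.parent[current]   # borrow from the parent ORG
        return None

def build_demo() -> PoolHierarchy:
    """Constructed ORG tree and sample MAC pools (values are illustrative)."""
    h = PoolHierarchy({"root": None, "Engineering": "root", "Finance": "root"})
    h.add_pool("root", "mac-pool", ["00:25:B5:00:00:01", "00:25:B5:00:00:02"])
    h.add_pool("Engineering", "mac-pool", ["00:25:B5:EE:00:01"])
    return h

def demo_allocations() -> List[Optional[str]]:
    """Engineering's own MAC first, then two borrowed from root, then nothing."""
    h = build_demo()
    return [h.allocate("Engineering", "mac-pool") for _ in range(4)]
```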
Locales
You can create one or more Locales and assign Organizations to them.
A Locale can contain more than one Organization. The purpose of creating a Locale is to restrict the privileges of a user to a particular organization or a set of organizations.
Unlike Organizations, Locales are created under the Admin tab.
Locales
To create a Locale, go to the Admin tab -> User Management -> User Services, right-click on Locales and create the Locale.
Locales
You can then drag and drop one or more Organizations into the Locale.
Roles and Privileges
A role defines a collection of privileges that determines what a user may do inside UCS Manager.
Once a user is authenticated with username and password, the UCS Manager authorization system is used to enforce the principle of least privilege.
The effective rights of a user are the intersection of the mapped roles and the Locale.
Roles and Privileges
There are about 10 predefined roles in UCS Manager 2.0:
AAA Admin
Facility Manager
Network
Operations
Read-only
Server-equipment
Server-profile
Server security
Storage
Each role has certain privileges assigned to it. You can create custom roles with their own set of privileges. There are 34 system-defined privileges. Privileges cannot be deleted and, unlike roles, new privileges cannot be created.
Role Based Access Control (RBAC)
RBAC and Organizations are complementary constructs; they can be used separately or together.
If no Locale is defined, user rights begin at the root organization and flow down to all sub-organizations.
If a Locale is applied to the user profile, rights begin at the sub-organizations contained in the Locale and flow down to all organizations beneath those sub-organizations.
Admin has unrestricted privilege from the root organization down to every sub-organization; it cannot be restricted by a Locale.
RBAC
Effective rights for user Bob are the intersection of the server-equipment, server-profile and server-security roles and the Finance Locale.
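The RBAC rules above (no Locale means rights flow from root, a Locale confines rights to its ORG subtree, admin is never confined) and the Bob example, as an added model; this is constructed illustration code, not UCS Manager code, and the ORG tree and the abbreviated privilege names per role are assumptions.

```python
"""UCS Manager RBAC model: effective rights are the intersection of the
user's role privileges and the ORG subtree selected by the Locale.
Constructed illustration of the rules on this page, not UCS Manager code."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed ORG tree: child -> parent; root has no parent.
ORG_PARENT: Dict[str, Optional[str]] = {
    "root": None, "Engineering": "root", "Finance": "root",
    "Finance/Payroll": "Finance", "Marketing": "root",
}

# Constructed, abbreviated privilege sets for roles named on the page.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "server-equipment": {"server-equipment"},
    "server-profile": {"service-profile-config"},
    "server-security": {"service-profile-security"},
    "network": {"ext-lan-config"},
    "admin": {"admin"},
}

def org_ancestors(org: str) -> Iterable[str]:
    """Yield org itself, then each ancestor up to root."""
    current: Optional[str] = org
    while current is not None:
        yield current
        current = ORG_PARENT[current]

def org_in_scope(org: str, locale_orgs: Optional[Set[str]]) -> bool:
    """No Locale: rights begin at root and flow down, so every ORG is in scope.
    With a Locale: the ORG must be one of the Locale's ORGs or lie beneath one."""
    if locale_orgs is None:
        return True
    return any(a in locale_orgs for a in org_ancestors(org))

def effective_privileges(roles: List[str], locale_orgs: Optional[Set[str]],
                         target_org: str) -> Set[str]:
    """Privileges the user actually holds on target_org."""
    privs: Set[str] = set().union(*(ROLE_PRIVS[r] for r in roles))
    if "admin" in roles:  # admin is never restricted by a Locale
        return privs
    return privs if org_in_scope(target_org, locale_orgs) else set()

def can(roles: List[str], locale_orgs: Optional[Set[str]],
        target_org: str, privilege: str) -> bool:
    """Authorization check for one privilege on one ORG."""
    return privilege in effective_privileges(roles, locale_orgs, target_org)

# Bob from the page: three server roles, confined to the Finance Locale.
BOB_ROLES = ["server-equipment", "server-profile", "server-security"]
BOB_LOCALE = {"Finance"}
```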
Local and remote Authentication
Local AAA is performed by the Fabric Interconnect. The local user database is limited to 40 users (39 plus the admin user). For additional scalability and security options, UCS Manager supports the LDAP and Active Directory, RADIUS and TACACS protocols.
When a remote authentication method is enabled, the local username database is no longer used.
UCS falls back to the local database only if all remote authentication servers are unresponsive.
Configuration example: TACACS+
Create TACACS+ providers: go to the Admin tab -> User Management and right-click on TACACS+.
Configuration example: TACACS+
Create a TACACS+ provider group.
LDAP
Create an LDAP provider: go to the Admin tab -> User Management and right-click on LDAP.
LDAP
Create an LDAP provider group.
LDAP
UCS Manager supports mapping AD groups to user roles within UCS Manager.
This allows the UCS domain admin to assign UCS roles to AD user groups.
It allows authentication against multiple Active Directory domains.
UCS Manager supports all authentication methods simultaneously; the user has to select their authentication domain during login.
LDAP
Create LDAP group maps, which map groups created on the AD server to roles and Locales within UCS Manager.
LDAP
Finally, create an Authentication Domain.
UCS Backup and restore
Full State backups: perform a complete binary dump of the database; stored as a .tar.gz file.
Contains all configuration, runtime state and status.
Restored only through a complete configuration wipe and reboot.
Useful during UCS Manager upgrades; out of date after associations have changed.
It cannot be modified selectively.
Configuration backups: all configuration, the union of config-logical and config-system.
Logical configuration: service profiles, templates, VLANs, VSANs, ORGs, Locales, etc.
System configuration: AAA config, RBAC, user database, UCSM configuration.
Stored as an XML file. "Preserve identities" allows identities derived from pools to be preserved on restore.
Can be selectively modified inside the XML file.
UCS Backup operation
UCS restore operation
1. All, System, and Logical backups can be restored "on the fly"
2. Full State must be imported at initial setup only
3. Other options:
Restoring Full State Backup at Startup