Authorization and Authentication
Location: System -> User Management -> Container
Hardening SMB authorization for your network comes down to understanding its components (local users and groups, directory services, and the container's permission schema) and applying the practices described on this page.
Privileged access to containers is controlled individually for each container. On this page you can view the list of users and groups that have access to it.
Rights and privileges of data stored in the container follow these guidelines:
When a workflow copies data into a container, the rights and privileges of the original data are preserved. Configure the container's user permissions properly so that only authorized users can access the data.
When end users copy files into the container over SMB, the rights are determined by the access rights defined on the container and its associated permission schema.
Three types of authorization and authentication are available for accessing a container:
Local users and groups
Active Directory
LDAP
By default, local user and group settings are applied.
Click the '+' button to add a new user:
Fill out the form in the modal and click "Save."
User Name: the name of the user you want to create.
Password: the password for this user.
Confirm Password: retype the password to confirm it.
Optional: select the group you want this user to be associated with.
To create a new group, navigate to the "Group" tab.
Complete the form in the modal and save it:
Group Name: Name of the Group you would like to create.
Select the user(s) you want to include in this group.
This configuration sets up an Active Directory connection.
Validate all settings before saving them using the "Test connection" button.
The "Save" button confirms the connection to the selected Active Directory server and integrates the Nodeum server into the Active Directory domain.
Use this setup to configure a connection to an LDAP service.
Before saving, click "Test Connection" to validate all settings. Use the "Save" button to finalize the connection to the chosen LDAP server.
Define the rights and privileges for each user to control and authorize access to the container.
To set this authorization:
Navigate to the Container section and select it.
To change user permissions, select "User" and click the "Edit" button. Set the permissions to Read/Write, Read Only, or No Access.
You can create an S3 policy to grant a local user access to an S3 bucket within a container.
To create the user, follow the instructions in the previous section. Afterward, edit the user by following these steps:
Instructions:
Find the URL and credentials for the S3 object storage console in the panel.
Copy the generated S3 policy to your clipboard.
Access the Minio Console using the Root User and Root Password.
Navigate to the Access menu, create a new policy, and paste the policy from the clipboard.
Create a user, define your own password, and attach the defined policy to this user.
After completing the setup, you can access the container via S3 using the user credentials you created. By default, this access occurs through port 9000.
To maintain UID and GID consistency between an NFS client and a container accessed via NFS:
UID/GID Matching: Ensure that the User ID (UID) and Group ID (GID) used in the NFS client match those in the container.
ID Mapping: Configure ID mapping on both the client and the container to handle any discrepancies. This can be done by editing the /etc/idmapd.conf file or using other mechanisms supported by your system.
Consistent User/Group Database: Use a unified system like LDAP to keep the user and group names synchronized across both environments.
NFS Export Options: Set the NFS server's export options to maintain UID/GID, such as the no_root_squash option or the anonuid and anongid settings, to ensure correct access permissions.
To set up idmap on both the client and the Nodeum server:
Edit the idmap.conf file
Activate 'idmapping':
Configure the export:
Where uid=1000 already exists
Where gid=2000 is a new group that has to be created
Then restart the service
uid=1000 is the customeruser user
gid=2000 is the customergroup group
Edit the idmap.conf file
Activate 'idmapping':
Then restart the service
Manage the group rights on a folder properly so that all members of the group can create files in it or read files from it.
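The id-mapping and export settings described in the two sections above, as an added example (it is not Nodeum's own configuration). It renders the /etc/idmapd.conf and /etc/exports fragments into a directory of your choice so they can be reviewed before being copied to /etc; uid 1000 (customeruser) and gid 2000 (customergroup) are the values from this page, while the NFSv4 domain, export path, client host name, the nobody user/group names, the module parameter and the service name are assumptions you must adapt to your hosts.

```shell
#!/bin/sh
# Added example (not Nodeum's own configuration): renders the NFS id-mapping
# pieces into a target directory so they can be reviewed before use in /etc.
# Domain, export path, client host, nobody names and service name are assumed.
set -eu

# Return 0 if a numeric uid already exists (getent, with /etc/passwd fallback).
uid_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^[^:]*:[^:]*:$1:" /etc/passwd
}

# Return 0 if a numeric gid already exists (getent, with /etc/group fallback).
gid_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^[^:]*:[^:]*:$1:" /etc/group
}

# Render the idmapd.conf fragment. The NFSv4 domain must be identical on the
# client and the server; otherwise every principal collapses to nobody.
# Nobody-User/Nobody-Group say where unmappable principals land.
render_idmapd_conf() {
    domain=$1
    printf '[General]\nDomain = %s\n\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n' "$domain"
}

# Render one /etc/exports line. all_squash with anonuid/anongid maps every
# request from the client onto uid/gid, so ownership inside the container
# stays consistent regardless of the ids used on the client side.
render_export() {
    path=$1 client=$2 uid=$3 gid=$4
    printf '%s %s(rw,sync,all_squash,anonuid=%s,anongid=%s)\n' "$path" "$client" "$uid" "$gid"
}

# Write both fragments into $target (/etc on the real host, a temporary
# directory for review). The uid must already exist (as on this page);
# the group is created if missing (groupadd needs root).
nfs_idmap_setup() {
    target=$1 domain=$2 uid=$3 gid=$4 group=$5
    uid_exists "$uid" || { echo "uid $uid does not exist" >&2; return 1; }
    gid_exists "$gid" || groupadd -g "$gid" "$group"
    mkdir -p "$target"
    render_idmapd_conf "$domain" > "$target/idmapd.conf"
    render_export /mnt/container client.example.com "$uid" "$gid" > "$target/exports"
}

# Turn NFSv4 id mapping on at runtime (nfsd module on the server, nfs module
# on the client) and restart the mapping daemon. Parameter and service names
# are the common Linux ones and are assumed here; run as root on the host.
activate_idmapping() {
    for p in /sys/module/nfsd/parameters/nfs4_disable_idmapping \
             /sys/module/nfs/parameters/nfs4_disable_idmapping; do
        if [ -w "$p" ]; then echo N > "$p"; fi
    done
    systemctl restart nfs-idmapd
}

# Usage on a host (assumed values): nfs_idmap_setup /etc example.com 1000 2000 customergroup
# then review /etc/idmapd.conf and /etc/exports, run activate_idmapping and exportfs -ra.
```

Review the rendered files before applying them: the Domain line must match on both hosts, and the export line above squashes all clients to one identity, which is the behaviour this page describes for consistent ownership; drop all_squash and keep the anonuid/anongid pair if you only want unmapped principals squashed.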
user1:
user2:
Implement group inheritance in POSIX by ensuring that files created within a directory automatically inherit the directory's group membership. This streamlines permissions management and maintains consistent access control across all files.
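POSIX group inheritance as described above, as an added example (not code from the Nodeum documentation): the setgid bit on a directory makes every file created inside it take the directory's group. The directory path is assumed; the script picks one of your own groups so it can run unprivileged on any Linux host.

```shell
#!/bin/sh
# Added example (not from the Nodeum documentation): POSIX group inheritance
# via the setgid bit. Paths are assumed; any writable location works.
set -eu

# Make $dir a shared group folder: group-owned by $group, setgid so that new
# files inherit that group, mode 2770 so that only group members can enter.
make_shared_group_dir() {
    dir=$1 group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
}

# Return the numeric gid that owns a path.
gid_of() {
    stat -c %g "$1"
}

# Return 0 if the setgid bit is set on $1 ('s' or 'S' in the group-execute slot,
# the 7th character of "drwxrws---").
has_setgid() {
    case $(stat -c %A "$1") in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pick a supplementary group of the current user if there is one (so the
# demonstration is not trivially true), otherwise the primary group.
pick_demo_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# Create a file inside the shared directory and return 0 only if the file
# inherited the directory's group rather than the creator's primary group.
demo_inheritance() {
    dir=$1 group=$2
    make_shared_group_dir "$dir" "$group"
    f="$dir/created-by-$(id -un)"
    : > "$f"
    [ "$(gid_of "$f")" = "$(gid_of "$dir")" ]
}
```

The setgid bit only fixes the group of new files; their mode bits still come from each user's umask, so a directory that must also guarantee group write access needs a default ACL on top (the ACL section below covers inheritance for NFSv4).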
Network File System version 4 (NFSv4) Access Control Lists (ACLs) provide a mechanism to manage permissions for files and directories.
An NFSv4 ACL is mainly composed of:
ACL Entries: Consist of a type (allow or deny), a set of permissions, and a principal (user or group).
Permissions: Include operations such as read, write, and execute. They can be fine-tuned to control access granularly.
Principal: Specifies whom the permissions apply to, such as a specific user, group, or everyone.
To set ACLs on a file:
To check ACLs on a file:
How It Works
When you set an ACL with inheritance attributes on a directory, any new file or subdirectory will automatically inherit these attributes, streamlining permissions management.
Example
To apply a default ACL that inherits to both files and directories, you can use the following command:
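A decoder for the ACE strings used by nfs4_setfacl and nfs4_getfacl, added here as an example that is not part of the Nodeum documentation. It splits an entry into the type, inheritance flags, principal and permissions described above, which is useful for reviewing an ACL before it is applied; the path and principal names in the comments are assumptions, and the apply helper only runs when the nfs4-acl-tools commands are installed.

```shell
#!/bin/sh
# Added example (not part of the Nodeum documentation): decode NFSv4 ACE
# strings of the form type:flags:principal:permissions (see nfs4_acl(5)).
# Paths and principal names mentioned in comments are assumptions.
set -eu

# Expand one character of the flags field.
flag_name() {
    case $1 in
        f) echo file-inherit ;;
        d) echo directory-inherit ;;
        p) echo no-propagate ;;
        i) echo inherit-only ;;
        g) echo group-principal ;;
        S) echo audit-success ;;
        F) echo audit-failure ;;
        *) echo "unknown($1)" ;;
    esac
}

# Expand one character of the permissions field.
perm_name() {
    case $1 in
        r) echo read ;;  w) echo write ;;  a) echo append ;;  x) echo execute ;;
        d) echo delete ;;  D) echo delete-child ;;
        t) echo read-attrs ;;  T) echo write-attrs ;;
        n) echo read-named-attrs ;;  N) echo write-named-attrs ;;
        c) echo read-acl ;;  C) echo write-acl ;;
        o) echo write-owner ;;  y) echo synchronize ;;
        *) echo "unknown($1)" ;;
    esac
}

# Map every character of $2 through the function named in $1, comma-joined.
expand_chars() {
    mapper=$1 s=$2 out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character
        s=${s#?}               # remaining characters
        out="$out${out:+,}$("$mapper" "$c")"
    done
    echo "${out:-none}"
}

# Describe one ACE on a single line: "<allow|deny|audit|alarm> <principal>
# perms=<list> flags=<list>". Returns 1 on an unknown ACE type.
nfs4_ace_describe() {
    ace=$1
    type=$(printf '%s' "$ace" | cut -d: -f1)
    flags=$(printf '%s' "$ace" | cut -d: -f2)
    principal=$(printf '%s' "$ace" | cut -d: -f3)
    perms=$(printf '%s' "$ace" | cut -d: -f4)
    case $type in
        A) tname=allow ;; D) tname=deny ;; U) tname=audit ;; L) tname=alarm ;;
        *) echo "bad ACE type: $type" >&2; return 1 ;;
    esac
    printf '%s %s perms=%s flags=%s\n' "$tname" "$principal" \
        "$(expand_chars perm_name "$perms")" "$(expand_chars flag_name "$flags")"
}

# Print the decoded entry, then add it to $2 and show the resulting ACL.
# Requires nfs4-acl-tools and an NFSv4 mount; assumed call:
#   nfs4_ace_apply 'A:fdg:customergroup@example.com:rwaxtcy' /mnt/nfs/shared
nfs4_ace_apply() {
    ace=$1 path=$2
    nfs4_ace_describe "$ace"
    command -v nfs4_setfacl >/dev/null 2>&1 || { echo "nfs4_setfacl not installed" >&2; return 1; }
    nfs4_setfacl -a "$ace" "$path"
    nfs4_getfacl "$path"
}
```

The f and d flags together are what make an entry inherit to both files and directories, as the last paragraph above describes; a g flag is required whenever the principal is a group, and an entry without the i flag applies to the directory itself as well as to what is created under it.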