Right - Authentication & Authorization
Last updated
When Nodeum performs a Data Movement between two different types of storage, the normal behavior is to preserve the rights, ownership and metadata from the source storage.
The normal behavior is to execute every movement with root privileges and then access all the different storage systems with that level of credential.
The requirement is to get access to storage systems which do not allow access with a root account. This means that the Data Mover service needs to access the storage using the user context instead of a root context.
The Nodeum Data Mover allows switching to the user context for each task execution. This context switch is integrated into the user authentication mechanism: the Data Mover service uses the authenticated user's information to perform the storage authentication. This authentication depends on the type of storage.
For a POSIX file system, the Data Mover switches the user context and then runs the task movement on behalf of the user's uid and gid.
For Object Storage, the Data Mover can use a JWT token-based mechanism to authenticate to the Object Storage. Protocols like OpenID are supported.
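As an added illustration of the POSIX context switch (example code written for this page, not Nodeum's own implementation), the Python below shows the two things a root-running mover has to get right when it acts on behalf of a user: an irreversible privilege drop in the correct order (supplementary groups, then gid, then uid) before the task runs, and a copy step that carries mode, timestamps and ownership across. The uid/gid values, file name and payload are constructed sample inputs; drop_to_user only succeeds when the caller is root, so demo() exercises the copy step alone.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def drop_to_user(uid: int, gid: int, extra_groups=()):
    """Irreversibly switch the calling process to uid/gid.

    Order matters: supplementary groups first, then the primary gid, then the
    uid, because once the uid is unprivileged the process can no longer change
    its group identity. Requires an effective uid of 0 (root) to succeed.
    """
    if os.geteuid() != 0:
        raise PermissionError("privilege drop requires an effective uid of 0")
    os.setgroups(list(extra_groups))
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop cannot be undone: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not take effect")


def run_as_user(cmd, uid: int, gid: int, extra_groups=()):
    """Run one task command in the user's context (the child process only)."""
    return subprocess.run(
        cmd,
        preexec_fn=lambda: drop_to_user(uid, gid, extra_groups),
        capture_output=True,
        check=False,
    )


def copy_preserving_metadata(src: str, dst: str) -> dict:
    """Copy src to dst and carry over mode, timestamps and ownership.

    shutil.copy2 preserves mode bits and atime/mtime; os.chown restores the
    owner and group, which succeeds for a root mover or when the target ids
    are the caller's own, which is exactly the user-context case.
    """
    src_st = os.stat(src)
    shutil.copy2(src, dst)
    os.chown(dst, src_st.st_uid, src_st.st_gid)
    dst_st = os.stat(dst)
    return {
        "mode": stat.S_IMODE(dst_st.st_mode),
        "owner_preserved": (dst_st.st_uid, dst_st.st_gid) == (src_st.st_uid, src_st.st_gid),
        "mtime_preserved": int(dst_st.st_mtime) == int(src_st.st_mtime),
    }


def demo() -> dict:
    """Exercise the copy step on a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "source.bin")
        dst = os.path.join(workdir, "destination.bin")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample payload")
        os.chmod(src, 0o640)
        os.utime(src, (1_600_000_000, 1_600_000_000))  # fixed constructed timestamps
        return copy_preserving_metadata(src, dst)


if __name__ == "__main__":
    print(demo())
```

The self-check after setuid (trying to become root again and expecting failure) is the part worth keeping in any real mover: a drop that silently leaves the saved-set-uid at 0 gives the task a way back to root.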
The Nodeum service is accessible through its different interfaces using different user management mechanisms.
The main options are: local user management, LDAP, Active Directory.
Nodeum allows advanced configuration to handle the user authentication and authorization mechanism. The interface integrates the capability to request a JWT token from an identity provider and verify whether the user is authorized to use the Data Mover service.
The process includes the possibility to directly use this token to search an LDAP server for the user's UID and GID, and then perform the storage connection as described in the previous section.
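The token-then-directory flow described in this section, as an added example that is not part of the page or of Nodeum's code: verify the JWT (pinning the algorithm, checking signature, issuer, audience and expiry), check an authorization claim, then resolve the user's uidNumber/gidNumber from a directory search with an RFC 4515-escaped filter. To keep the example runnable offline it assumes an HS256 shared secret, a "preferred_username" claim and a "groups" claim; a real OpenID provider would normally sign with RS256/ES256 and the verifier would fetch the provider's JWKS, and DIRECTORY is a constructed stand-in for the LDAP search result.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a sample HS256 token (constructed input for the demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: no alg=none, no confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # parsed only after the signature check
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a username cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


# Constructed stand-in for an LDAP search result set (uid -> posixAccount attributes).
DIRECTORY = {
    "alice": {"uidNumber": 10001, "gidNumber": 5000},
    "bob": {"uidNumber": 10002, "gidNumber": 5000},
}


def lookup_posix_identity(username: str) -> dict:
    """Resolve uid/gid the way the LDAP search would, with the filter it would use."""
    search_filter = f"(&(objectClass=posixAccount)(uid={ldap_filter_escape(username)}))"
    entry = DIRECTORY.get(username)  # real code: conn.search(base_dn, search_filter, attrs=[...])
    if entry is None:
        raise LookupError(f"no posixAccount matched {search_filter}")
    return {"uid": entry["uidNumber"], "gid": entry["gidNumber"], "filter": search_filter}


def resolve_task_identity(token, secret, issuer, audience, required_group="nodeum-datamover", now=None):
    """Authenticate the token, authorize the user, then map to the POSIX identity."""
    claims = verify_hs256_token(token, secret, issuer, audience, now)
    if required_group not in claims.get("groups", []):  # assumed authorization claim
        raise PermissionError("user is not authorized to use the Data Mover")
    return lookup_posix_identity(claims["preferred_username"])


# Constructed demo values, not real deployment settings.
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.test"
AUDIENCE = "nodeum-datamover"

if __name__ == "__main__":
    token = mint_hs256_token(
        {"iss": ISSUER, "aud": AUDIENCE, "exp": 2_000_000_000,
         "preferred_username": "alice", "groups": ["nodeum-datamover"]},
        SECRET,
    )
    print(resolve_task_identity(token, SECRET, ISSUER, AUDIENCE, now=1_900_000_000))
```

Two design points carry over to any implementation: the payload is only parsed after the signature has been verified, so an unsigned or tampered token never reaches the authorization and directory steps, and the username taken from the token is escaped before it is placed in the LDAP filter, so the identity provider, not the filter syntax, decides which account's uid and gid the task runs under.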