IBM Spectrum Scale : Object Authentication

Every Object access request on IBM Spectrum Scale is authenticated before serving the data. IBM Spectrum Scale object store relies on keystone for validation of user before processing the request for object access. Keystone is the identity service used by various Openstack services for authentication. Basic Spectrum Scale Object access flow is depicted in following figure.

Figure 1 : Basic Object access request flow

     IBM Spectrum Scale supports configuring Keystone with various different identity backends like Microsoft Active Directory, LDAP, Postgres. Identity backend is the source of username and password. Before sending request to Spectrum Scale object store, the user/client sends a request to Keystone for obtaining a Token required for accessing the object service. The request to Keystone contains the Username and Password. Keystone validates the username and password with the configured Identity backed. On successful validation of username and password keystone returns a token to the user/client which then further uses it for object (swift) request. The Token gets expire after the predefined time. The token expiration period is configurable. The specific Token can be revoked from Keystone by sending Token DELETE request. User request with revoked Token will be rejected by Spectrum Scale object store.

Figure 2 :  High level Object authentication configuration and Security aspects addressed by IBM Spectrum Scale

The above diagram depicts the various ways to configure the Object Authentication and the various security aspect involved.

Object Authentication can be configured with one of the following type:

1. Local — User identities are stored locally in Postgres.
2. AD – Keystone uses Microsoft Active Directory as Identity backend.
3. LDAP – Keystone uses LDAP as Identity backend.
4. Userdefined – Keystone will be hosted outside of Spectrum Scale and Configuration of identity server is left with User.

In first three types of object authentication configuration, Keystone will be running on all protocol nodes for High Availability.

• The Keystone can be configured with https(ssl) for better security. The communication between object/keystone client and Keystone server will be over https(ssl) in this case.
• IBM Spectrum Scale provide the option to configure the communication between Keystone server and Identity server(Active Directory and LDAP) over TLS.
• For Advance user who want to make use of different features of keystone which are not provided by the keystone hosted on Spectrum Scale can configure the Spectrum Scale object with external keystone using type ‘userdefined’. The communication from swift to external keystone server can be over https(ssl)
• When configuring the Spectrum Scale object protocol, one can use either the install toolkit or the mmuserauth command. The mmuserauth command is for managing the object authentication. Same command is used for File authentication. mmuserauth command has various option like create, list, remove and check. For more details of mmuserauth command please refer manpage of mmuserauth.
  

  “These are my personal views and do not necessarily reflect that of my employer”