Logging in to the CMC

Information

HyperStore 8.2.5 introduces IAM login to the CMC - we will briefly investigate this feature.

Disable View User Data

Disabling the View User Data feature for Administrators

  1. Leaving the View User Data function enabled for any user is considered a security risk, so it is recommended to disable it when it is not needed
  2. We will disable the feature now using the CLI and the root account
    hsctl config set cmc.ui.admin.manageUsers.view.objectDataGrantees=[]
    
  3. Next we need to push the new config setting to the other nodes in the cluster
    hsctl config apply cmc
    
  4. Finally, we need to restart the CMC so that the changes appear in the User Interface
    hsctl service restart cmc --nodes=all
    

Login using an admin account

Info

We will now log back in to the CMC as admin. You may need to refresh the web browser to ensure the updated CMC is presented. You may also need to flush the cache or open a new Private Window to see the updated login screen correctly.

Confirm HyperStore User count

  1. From the main dashboard, confirm the number of HyperStore users that exist on the system.
  2. To ensure we do not have access to any administrative functionality, log back in with the user account.
  3. Remember to select the Group Name of Users
  4. Leave the sign in option as root account (meaning the traditional IAM root)

Login using a user account

Login as a HyperStore Storage User

  1. Select the IAM menu
  2. Select IAM User sub-menu
  3. Next click + ADD NEW User
  4. Define a sensible IAM username
  5. Select Save

Enable IAM login through the CMC

  1. Select the newly created IAM User
  2. Under the Security tab, toggle CMC Access to on (green)
  3. A popup box appears which requires a password to be added
  4. After entering a correct password, select enable

Create Access Key and Secret Key pair

After successfully enabling CMC access for the new IAM User:

  1. Select + NEW ACCESS KEY
  2. A popup box appears with the secret key displayed in it
  3. Copy the secret key and store it somewhere safe
  4. If you navigate away the secret key will be hidden from further view

Assign an IAM policy to the user

We need to assign a policy (permissions) for our new IAM user

  1. From the IAM user menu, select the IAM POLICIES tab
  2. Select Managed Policy and in the Managed Policy Name field type A

  1. A list of 4 options will be displayed - we want to select the AmazonS3ReadOnlyAccess policy.
  2. Select ADD to add the policy to our User

Login using an IAM account

Login and test IAM access

We should now test access for the new IAM user

  1. Log out of the CMC as our HyperStore user (IAM root) account
  2. Log back in to the CMC as the readonly IAM delegate
  3. You must know the account name of the IAM root in addition to the IAM delegate name.
  4. Enter the correct password and select LOGIN

Prove access is correct

We should have logged in as the new IAM user

  1. Select the OBJECTS Tab
  2. Next click on the 50k filename (key) to download (GET) the object
  3. It will be shown at the top right-hand side as a download named 50k(1) - this confirms read access

  1. Let us now prove that writing (PUT) objects is prohibited
  2. Attempt to upload our 50k(1) object
  3. The attempt should be rejected

  1. We should also prove that deletion of objects is prohibited
  2. Select Delete against any object in the bucket.
  3. A pop up box appears asking for confirmation - select Ok
  4. A warning message is displayed in red: Unable to perform [DeleteObject] Access is denied
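
The three results above (GET allowed, PUT and DELETE denied) follow from how an identity policy is evaluated: anything not explicitly allowed is implicitly denied. The sketch below is an added example, not code from HyperStore or from this lab. It assumes a constructed policy document modelled on the AWS managed policy of the same name (HyperStore's own copy may differ), uses a constructed bucket name, and handles only Effect, Action and Resource.

```python
from fnmatch import fnmatchcase

# Constructed policy document modelled on the AWS managed policy named
# AmazonS3ReadOnlyAccess (assumption: HyperStore's own copy may differ).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _matches(patterns, value, ignore_case=False):
    """True if value matches any IAM-style wildcard pattern ('*' and '?')."""
    if ignore_case:  # action names are case-insensitive, resource ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide one request: explicit Deny wins, then Allow, else implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Constructed bucket and key names mirroring the three checks in the lab.
    obj = "arn:aws:s3:::lab-bucket/50k"
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(action, "->", evaluate([READ_ONLY_POLICY], action, obj))
```

Passing a second policy with an explicit Deny statement to `evaluate` shows that a Deny overrides the read-only Allow for the matching resource.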