Dell DX6004S DX Object Storage Application Guide - Page 49
Security Realm Overview
• Cluster administrators: The chapter on managing tenants in the DX Object Storage Administration Guide.
• Application developers: Chapter 13, Managing Security for Application Developers
• Domain managers: Chapter 14, Managing Security for Domain Managers

12.2. Security Realm Overview

By default, domains, buckets, and objects are not secured, so any user can perform any SCSP operation on them. This section discusses concepts related to how to restrict the SCSP operations that can be performed on buckets and objects.

12.2.1. Common Security Terminology

This section discusses terminology commonly used with security.

• Security realm: (Also referred to as a realm or a user list.) A list of user names and hashed passwords. You associate the user list with a bucket or object to give other users privileges to execute specific SCSP operations on the buckets or objects.
• Authorization specification: List of SCSP operations users in a realm are allowed to execute. The authorization specification is specified by the Castor-Authorization header, as discussed in more detail in Section 12.3, "About Authorization Header Syntax".

12.2.2. About Security Realms

A security realm (also referred to as a realm or user list) is an encoded list of user names, passwords, and optionally the name of the realm, using the HTTP Digest authentication algorithm. To encode the realm, you can use a programming language or a utility like Apache htdigest or md5sum as discussed in Section 12.6, "Creating Realms".

Note
• Realm names cannot contain a colon character (:) or a comma character (,).
• The same users can belong to multiple realms.

For more information about realms, see:
• Section 12.3.1, "About Realm Names"
• Section 12.6, "Creating Realms"

12.2.3. About Realm Caching and Security

Your cluster administrator configures the realm cache setting, which determines how long it takes for changes to buckets or domains to be propagated to all nodes in the cluster.
The default setting is five minutes, so at the default setting it might take five minutes after an authorization change is made before the node you are accessing is aware of the change. DX Storage returns 401 (Unauthorized) or 404 (Not Found) responses if your client application attempts to access a bucket or domain before the realm update has been propagated to the node on which your client is attempting access. For example, if you authenticate as a user who is not in

Copyright © 2010 Caringo, Inc. All rights reserved 44 Version 5.0 December 2010
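Added example (not from the guide): the realm encoding described in Section 12.2.2, sketched in Python. It assumes the line layout written by Apache htdigest, user:realm:MD5(user:realm:password); the exact file format DX Storage expects is covered in Section 12.6, which is not reproduced on this page. All function names and sample accounts are constructed for illustration.

```python
import hashlib
import hmac

FORBIDDEN_REALM_CHARS = (":", ",")  # from the note in Section 12.2.2


def check_realm_name(realm: str) -> str:
    """Reject realm names the guide disallows (colon or comma)."""
    if not realm or any(ch in realm for ch in FORBIDDEN_REALM_CHARS):
        raise ValueError(f"invalid realm name: {realm!r}")
    return realm


def ha1(user: str, realm: str, password: str) -> str:
    """HTTP Digest HA1 (RFC 2617): MD5 over 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def realm_entry(user: str, realm: str, password: str) -> str:
    """One user-list line in the assumed htdigest layout 'user:realm:hash'."""
    check_realm_name(realm)
    if ":" in user:
        raise ValueError("user name would break the colon-separated layout")
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def build_user_list(realm: str, credentials: dict) -> str:
    """Newline-separated user list for one realm, sorted by user name."""
    return "\n".join(realm_entry(u, realm, p) for u, p in sorted(credentials.items()))


def verify(user_list: str, user: str, realm: str, password: str) -> bool:
    """Check a password against the stored hash for (user, realm)."""
    expected = ha1(user, realm, password)
    for line in user_list.splitlines():
        name, line_realm, digest = line.split(":", 2)
        if (name, line_realm) == (user, realm):
            return hmac.compare_digest(digest, expected)
    return False


if __name__ == "__main__":
    # Constructed sample accounts, not values from the guide.
    sample = build_user_list("finance", {"alice": "s3cret-A", "bob": "s3cret-B"})
    print(sample)
    print(verify(sample, "alice", "finance", "s3cret-A"))
```

In HTTP Digest authentication the stored hash is password-equivalent (a party holding it can compute valid responses), so the user list should be protected like the passwords themselves.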