Dell DX6004S DX Object Storage Administration Guide - Page 27
Using Override to Resolve Authorization Specification Issues
4.7.1.3. Using Override to Resolve Authorization Specification Issues

This section discusses how to resolve issues with authorization specifications that render objects inaccessible. You can perform these tasks to reset the authorization specification for any object, even an object for which an authorized user name and password are not known.

To resolve this issue, you must PUT to the object the user list and the authorization specification using the admin query argument, authenticating with your cluster administrator credentials.

Important: Do not use this procedure if the current Castor-Authorization header uses owner@ or @owner syntax because the CAStor administrator realm becomes the owner of the object and, as a result, no other realm can change the authorization specification later.

A sample procedure follows.

1. Create the user list.

A user list (also referred to as a security realm or realm) is a collection of user credentials, each of which includes an MD5 hash computed with the HTTP Digest authentication algorithm. You compute each entry in the user list from the string username:realm:password.

Important: The realm name must exactly match the name of the domain or bucket.

For example, to create a user list for a domain:

    htdigest cluster_example_com cluster.example.com sample.username

To create a user list for mybucket in the same domain:

    htdigest cluster_example_com_mybucket cluster.example.com/mybucket sample.username

2. HEAD the current value of the Castor-Authorization header for the object.

    curl --anyauth -u "your-username:your-password" --location-trusted "http://node-ip[/bucket-name]?admin[&domain=name]" [-D log-file-name]

You must specify domain=name in a HEAD for a domain. If the HEAD is for a bucket, the domain name is required as the Host in the request if the domain is not the default cluster domain.

Important: If the Castor-Authorization header includes @owner or owner@, stop.
GET the user list for the object and confirm whether or not any realm has post or change privileges to the object. (For example, if the Castor-Authorization header includes change=@owner, any user in the object owner's realm can modify the object.) Ask one of those users to modify the Castor-Authorization header.

If no user can modify a Castor-Authorization header that includes @owner or owner@, you can either take ownership of the object permanently by continuing with

Copyright © 2010 Caringo, Inc. All rights reserved. Version 5.0, December 2010
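The checks in steps 1 and 2, as an added Python example that is not part of the Dell/Caringo guide: it builds user-list lines in the username:realm:MD5(username:realm:password) form that htdigest writes, and reads the Castor-Authorization value from the final response in a curl -D log file to decide whether to stop. The function names, the password and the header dump are constructed for illustration.

```python
import hashlib
import re

def digest_entry(username, realm, password):
    """Return one user-list line: username:realm:MD5(username:realm:password)."""
    if ":" in username or ":" in realm:
        raise ValueError("username and realm must not contain ':'")
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{username}:{realm}:{ha1}"

def final_castor_authorization(header_dump):
    """Return the Castor-Authorization value of the last response in a curl -D dump.

    With --anyauth and --location-trusted the dump can hold several responses
    (401 challenge, redirects, final answer); only the last describes the object.
    """
    blocks = [b for b in re.split(r"\r?\n\r?\n", header_dump) if b.strip()]
    if not blocks:
        return None
    for line in blocks[-1].splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "castor-authorization":
            return value.strip()
    return None

def must_stop(auth_value):
    """True when the header uses owner@ or @owner, where the guide says to stop."""
    # Plain substring match: a false positive only halts the override (the safe side).
    return auth_value is not None and ("@owner" in auth_value or "owner@" in auth_value)

# Constructed sample of a log file written by curl -D (not from a real cluster).
SAMPLE_DUMP = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="constructed", nonce="constructed"\r\n'
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Castor-Authorization: change=@owner\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # The realm must exactly match the domain or bucket name, so these two differ.
    print(digest_entry("sample.username", "cluster.example.com", "constructed-pw"))
    print(digest_entry("sample.username", "cluster.example.com/mybucket", "constructed-pw"))
    value = final_castor_authorization(SAMPLE_DUMP)
    print(value, "-> stop" if must_stop(value) else "-> continue")
```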