WEKA v3.14 Documentation

Security

This page describes important security considerations for Weka cluster management.


Overview

General security considerations are described below.

  • For data security features, such as encryption via KMS, refer to the KMS Management section.

  • For security around mounting and the separation of organizations, refer to the Organizations section.

  • The different user roles and AD/LDAP authentication are described in the User Management section.

Obtaining an Authentication Token

An authentication token is used to access the Weka cluster API and to allow mounting secure filesystems.

It is first required to log in to obtain an access token. Log in via the CLI (using the weka user login CLI command; a token file is created in ~/.weka/auth-token.json) or via the API (using the POST /login API).

This provides an access token used to authenticate the command, as well as a longer-lived refresh token that allows obtaining additional access tokens without providing the username/password again.

Access-Token for API usage

When working with the REST API, it is sometimes desirable to use a longer-lived token (one that doesn't require a refresh every 5 minutes). Such a token can be generated for internal Weka users using the weka user generate-token [--access-token-timeout timeout] CLI command (the timeout defaults to 30 days).

Access tokens are revoked by calling the weka user revoke-tokens CLI command.

TLS

By default, the Weka system deploys a self-signed certificate to access the GUI, CLI, and API via HTTPS.

The Weka system allows only TLS 1.2 and higher, with ciphers of at least 128 bits.

You can deploy your own certificates using the weka security tls set CLI command. The command receives an unencrypted private key.

For example, this is a similar command to what Weka uses to generate the self-signed certificate using OpenSSL:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days <days> -nodes

Certificate Replacement/Rotation

To replace the certificate, use the weka security tls set CLI command to set a new one. Once a certificate has been set, it is used for connecting to the cluster for the period it was issued for; revocation is handled by the CA, which propagates its revocation lists to the various clients.

Custom CA Certificates

Weka uses well-known CAs to establish trust with external services, e.g., when using a KMS. If a different CA is required for the Weka servers to establish trust, use the weka security ca-cert set CLI command to install the custom CA certificate on the Weka servers.
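As an added example (not code from the Weka documentation or product), the following Python check connects to a cluster endpoint and reports whether the negotiated session satisfies the policy stated in the TLS section (TLS 1.2 or higher, at least a 128-bit cipher), optionally trusting a custom CA bundle in the same spirit as weka security ca-cert set. The default port 14000 is taken from the GUI section below; the host name and CA file path are assumptions.

```python
import socket
import ssl

# Policy stated in the documentation: TLS 1.2 or higher, ciphers of at least 128 bits.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_CIPHER_BITS = 128
ALLOWED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def meets_weka_tls_policy(cipher):
    """Evaluate the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    _name, protocol, bits = cipher
    return protocol in ALLOWED_PROTOCOLS and bits >= MIN_CIPHER_BITS


def make_client_context(cafile=None):
    """Client context that refuses anything below TLS 1.2 and verifies the server chain.

    cafile: optional PEM bundle for a custom/private CA (or the cluster's own
    self-signed certificate) so verification succeeds without being disabled.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_endpoint(host, port=14000, cafile=None, timeout=5.0):
    """Connect, verify the certificate, and report the negotiated parameters."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()
            cert = tls.getpeercert()
            return {
                "cipher": cipher,
                "policy_ok": meets_weka_tls_policy(cipher),
                "subject": cert.get("subject"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Hypothetical host and CA path (assumptions); replace with your cluster's values.
    print(check_endpoint("weka-backend.example.internal", cafile="/path/to/custom-ca.pem"))
```

With the default self-signed certificate, verification fails unless cafile points at that certificate, which is the expected outcome rather than a reason to disable verification.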

Password Management

Password Requirements

  • at least 8 characters

  • an uppercase letter

  • a lowercase letter

  • a number or a special character

Account Lockout

To prevent brute-force attacks, if several consecutive login attempts fail (5 by default), the user account is locked out for several minutes (2 by default).

The defaults can be controlled using the weka security lockout-config show/set/reset CLI commands.
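As an added example (not Weka's own code), here is a Python reference implementation of the password requirements listed above and of the lockout behaviour with the page's defaults (5 failed attempts, 2-minute lockout); the injectable clock parameter is an assumption added so that lockout expiry can be exercised deterministically.

```python
import string
import time

# Defaults stated in the documentation: 5 failed attempts lock the account for 2 minutes.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 2 * 60


def password_meets_requirements(pw):
    """At least 8 characters, an uppercase letter, a lowercase letter, a digit or special."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() or c in string.punctuation for c in pw)
    )


class LockoutTracker:
    """Tracks consecutive login failures per user and enforces a temporary lockout."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable for testing (assumption, not a Weka setting)
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> clock value at which the lockout ends

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget the old failures so the counter restarts.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Register a failed attempt; returns True if the account is now locked."""
        if self.is_locked(user):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)
```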

GUI

  • The Weka GUI is (only) accessible from the backend servers via port 14000.

  • The GUI session is terminated automatically, and the user is logged out, after 30 minutes of inactivity.

Security Login Statement

It is possible to set a security/legal login statement that will add a banner with that statement on the GUI login page.

To set the statement, use the weka security login-banner set|show|reset|enable|disable CLI command or the GUI Login Banner menu.

The first user, created by default, is admin (with the admin password), and the user is prompted to change the password on the first login.
