Manage CIDR-based security policies
Manage CIDR-based security policies to control access to WEKA clusters based on client IP address ranges, enhancing security and simplifying administration.
Overview
-based policies enable administrators to control access to WEKA clusters by setting rules that allow or deny connections based on client IP address ranges. This network-based restriction provides greater control over which servers or devices can access the cluster, offering a more flexible alternative to traditional user authentication. Policies are managed at the organization level and filesystem for the root organization, ensuring only authorized clients can connect.
Key benefits:
Enhanced security: Restrict access to the cluster by controlling which clients can connect based on their IP addresses.
No authentication required: Secure access through network-level restrictions, simplifying management for trusted environments.
Simplified management: Centralized control over client access without needing user credentials.
Guidelines and considerations
When implementing CIDR-based security policies in WEKA, consider the following:
Role requirement: Only users with the Cluster Admin role can manage security policies, ensuring that access control remains in the hands of authorized administrators.
Applicable to all organizations and filesystems: CIDR-based security policies apply to all organizations and filesystems, ensuring centralized control across the cluster.
Active mounts remain unaffected: Client revocation is disabled, meaning any changes to policies do not impact active mounts. This ensures ongoing connections remain stable until they are manually disconnected.
Policy order matters: The order in which policies are attached determines the filtering sequence. For example, if the first policy denies access from IP1 and IP2, and the second policy allows IP1, the first policy takes precedence, overriding subsequent policies. Always review the order to ensure the desired access control.
Default access behavior: Clients without a related policy are allowed by default. To secure your organization or filesystem, always include a final policy that denies access to all other IPs after attaching the necessary policies.
Policy capacity:
16 policies can be assigned per organization.
16 policies can be assigned per filesystem.
8 policies are allowed per client or backend join.
Each policy supports up to 32 IP address ranges.
A total of 5,120 policies can be defined system-wide.
Manage security policies using the CLI
Create and manage security policies so that you can apply them on the organization or filesystem. You can perform the following:
List security policies defined in the WEKA cluster.
Display information about a specific security policy.
Create a new security policy.
Delete a security policy.
Duplicate an existing security policy, creating a new one.
Update the settings of an existing security policy.
Simulate the effect of one or more security policies.
List security policies applied when joining containers.
Set security policies for joining cluster, replacing the existing set of policies.
Attach a security policy when joining cluster.
Detach a security policy when joining cluster.
Remove all security policies applied when joining cluster
List security policies
Command: weka security policy list
Use the following command line to list security policies defined in the WEKA cluster.
Parameters
Display information of a security policy
Command: weka security policy show
Displays information about a specific security policy.
Parameters
Create a new security policy
Command: weka security policy create
Use the following command line to create a new security policy.
Parameters
Example:
Delete a security policy
Command: weka security policy delete
Use the following command line to delete a security policy.
Parameters
Duplicate an existing security policy
Command: weka security policy duplicate
Use the following command line to duplicate an existing security policy, creating a new one.
Parameters
Example:
Update security policy settings
Command: weka security policy update
Use the following command line to update the settings of an existing security policy.
Parameters
Example:
Simulate the effect of one or more security policies
Command: weka security policy test
Use the following command line to simulates the effect of one or more security policies.
Parameters
Example:
List security policies applied when joining containers
Command: weka security policy join list
Use the following command line to list security policies applied when joining containers.
Parameters
Set security policies for joining cluster
Command: weka security policy join set
Use the following command line to set security policies for joining cluster, replacing the existing set of policies.
Parameters
Attach a security policy when joining cluster
Command: weka security policy join attach
Use the following command line to attach security policies applied when joining cluster, adding them to the existing policies.
Parameters
Detach a security policy when joining cluster
Command: weka security policy join detach
Use the following command line to remove security policies applied when joining cluster.
Parameters
Remove all security policies applied when joining cluster
Command: weka security policy join reset
Use the following command line to remove all security policies applied when joining cluster.
Parameters
Manage organization security policies using the CLI
Once security policies are defined, you can perform the following tasks at the organization level:
List security policies for a specified organization.
Set security policies for a specified organization.
Remove all security policies from a specified organization.
Attach new security policies to a specified organization.
Detach security policies from a specified organization.
List the organization security policies
Command: weka org security policy list
Use the following command to list the security policies of a specified organization.
The command weka org also displays the attached policies for each organization.
Parameters
Set security policies for an organization
Command: weka org security policy set
Use the following command to set security policies for an organization, replacing the existing list of policies.
Parameters
Remove all security policies from an organization
Command: weka org security policy reset
Use the following command to removes all security policies from an organization.
Parameters
Attach new security policies to an organization
Command: weka org security policy attach
Use the following command to attach new security policies to an organization, adding them to the existing policies.
Parameters
Detach security policies from an organization
Command: weka org security policy detach
Use the following command to detach (remove) security policies from an organization.
Parameters
Manage filesystem security policies using the CLI
Once security policies are defined, you can perform the following tasks at the filesystem level:
List security policies for a specified filesystem.
Set security policies for a specified filesystem.
Remove all security policies from a specified filesystem.
Attach new security policies to a specified filesystem.
Detach security policies from a specified filesystem.
List security policies for a filesystem
Command: weka fs security policy list
Use the following command to list security policies for a specified filesystem.
Parameters
Set security policies for a filesystem
Command: weka fs security policy set
Use the following command to set security policies for a specified filesystem.
Parameters
Remove all security policies from a filesystem
Command: weka fs security policy reset
Use the following command to remove all security policies from a specified filesystem.
Parameters
Attach new security policies to a filesystem
Command: weka fs security policy attach
Use the following command to attach new security policies to the specified filesystem.
Parameters
Detach security policies from a filesystem
Command: weka fs security policy detach
Use the following command to detach (remove) security policies from a filesystem.
Parameters
Last updated