W E K A
W E K A
Website
Support
Downloads/Licensing
AWS Self-Service Portal
Weka Documentation
Weka System Overview
About the Weka System
SSD Capacity Management
Filesystems, Object Stores & Filesystem Groups
Weka Networking
Data Lifecycle Management
Weka Client & Mount Modes
Glossary
Getting Started with Weka
Quick Install Guide
Managing the Weka System
CLI Overview
GUI Overview
Serving IOs with WekaFS
Planning & Installation
Prerequisites for Installation
Bare Metal Installation
AWS Installation
Performance
Testing Weka Performance
WekaFS Filesystems
Managing Filesystems, Object Stores & Filesystem Groups
Advanced Data Lifecycle Management
Mounting Filesystems
Snapshots
Snap-To-Object
Quota Management
Additional Protocols
NFS Support
SMB Support
Operation Guide
Alerts
Events
Statistics
System Congestion
Security
User Management
Organizations
Expanding & Shrinking Cluster Resources
Background Tasks
Upgrading Weka Versions
Billing & Licensing
Overview
Classic License
Pay-As-You-Go License
Support
Prerequisites and Compatibility
Getting Support for Your Weka System
The Weka Support Cloud
Diagnostics CLI Command
Appendix
Weka CSI Plugin
External Monitoring
Snapshot Management
ClusterSpecs
REST API
Powered by GitBook

Security

This page describes important security consideration for the Weka cluster management.

Overview

General security considerations are described below.

  • For data security features, such as encryption via KMS, refer to the KMS Management section.

  • For security around mounting and separation of organizations, refer to the Organizations section.

  • Different user roles and AD/LDAP authentication is described in the User Management section.

Obtaining an Authentication Token

An authentication token is used to access the Weka cluster API, and allow mounting secure filesystems.

It is first required to log in to obtain an access token. Log in via the CLI (using the weka user login CLI command, a token file is created in ~/.weka/auth-token.json) or via the API (using the POST /login API).

This provides an access token to be used to authenticate the command, as long as a longer-lived refresh-token, to allow re-obtaining additional access-tokens without providing the username/password again.

Access-Token for API usage

When working with REST API, it is sometimes desired to use a longer-lived token (one that doesn't require a refresh every 5 minutes). It is possible to generate such a token for internal Weka users using the weka user generate-token [--access-token-timeout timeout] CLI command (default to 30 days).

Access-tokens are revoked when calling the weka user revoke-tokens CLI command.

TLS

By default, the Weka system deploys a self-signed certificate to access the GUI, CLI, and API via HTTPS.

The Weka system allows using only TLS 1.2 and higher with at least 128-bit ciphers.

You can deploy your certificates using the weka security tls set CLI command. The command receives an unencrypted private key.

For example, this is a similar command to what Weka uses to generate the self-signed certificate using OpenSSL:openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days <days> -nodes

Certificate Replacement/Rotation

To replace the certificate, use the weka security tls set CLI command to set a new one. Once a certificate has been issued, it is used for connecting to the cluster (for the time it has been issued), while the revocation is handled by the CA and propagating its revocation lists into the various clients.

Password Management

Password Requirements

  • at least 8 characters

  • an uppercase letter

  • a lowercase letter

  • a number or a special character

The First User created by default is admin (with admin password), and the password is prompt to change on the first login.

Account Lockout

To prevent brute force attacks, if several login attempts fail (5 by default), the user account will be locked out for several minutes (2 by default).

The defaults can be controlled using the weka security lockout-config show/set/reset CLI commands.

GUI

  • The Weka GUI is (only) accessible from the backend servers via port 14000.

  • The GUI session will automatically be terminated, and the user will get logged out after 30 minutes of inactivity.

Operation Guide - Previous
System Congestion
Next
User Management
Last updated 7 hours ago
Contents
Overview
Obtaining an Authentication Token
TLS
Certificate Replacement/Rotation
Password Management
Password Requirements
Account Lockout
GUI