WEKA v4.4 documentation

Manage CIDR-based security policies

Manage CIDR-based security policies to control access to WEKA clusters based on client IP address ranges, enhancing security and simplifying administration.

Overview

CIDR-based policies allow administrators to control access to WEKA cluster management and filesystems over POSIX clients by specifying permitted and restricted IP address ranges. This network-level security measure complements traditional user authentication, providing organizations with finer control over cluster access.

Key benefits:

  • Enhanced security: Restrict access to the cluster by controlling which clients can connect based on their IP addresses.

  • No authentication required: Secure access through network-level restrictions, simplifying management for trusted environments.

  • Simplified management: Centralized control over client access without needing user credentials.

Guidelines and considerations

When implementing CIDR-based security policies in WEKA, consider the following:

  • Role requirement: Only users with the ClusterAdmin role can manage security policies for the root organization. For non-root organizations, only the OrgAdmin can manage security policies.

  • Active mounts remain unaffected: Client revocation is disabled, meaning any changes to policies do not impact active mounts. This ensures ongoing connections remain stable until they are manually disconnected.

  • Policy order matters: The order in which policies are attached determines the filtering sequence. For example, if the first policy denies access from IP1 and IP2, and the second policy allows IP1, the first policy takes precedence, overriding subsequent policies. Always review the order to ensure the desired access control.

  • Default access behavior: Clients without a related policy are allowed by default. To secure your organization or filesystem, always include a final policy that denies access to all other IPs after attaching the necessary policies.

  • Policy capacity:

    • 16 policies can be assigned per organization.

    • 16 policies can be assigned per filesystem.

    • 8 policies are allowed per client or backend join.

    • Each policy supports up to 32 IP address ranges.

    • A total of 5,120 policies can be defined system-wide.
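
The ordering and default-allow rules above can be checked offline before a policy chain is attached. The following is an added example, not WEKA code: it models first-match evaluation and the default allow as the page describes them, and flags a missing final deny-all or a shadowed policy. It assumes IPv4 only, that `A.B.C.D-E` is a last-octet range, and that a policy without roles applies to every role; `admin_network` mirrors the page's example, while the contents of `fs0allow` and `denyall` are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RANGES_PER_POLICY = 32    # limit stated on the page
MAX_POLICIES_PER_TARGET = 16  # per organization or filesystem, stated on the page
ALL_IPV4 = (0, 2**32 - 1)


def parse_range(spec):
    """Parse IP, IP/CIDR, IP1-IP2 or A.B.C.D-E into an inclusive (low, high) pair."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    start, _, end = spec.partition("-")
    if not end:
        end = start  # single address
    elif "." not in end:
        # ASSUMPTION: A.B.C.D-E means the last octet runs from D to E.
        end = start.rsplit(".", 1)[0] + "." + end
    low, high = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if high < low:
        raise ValueError(f"range end precedes start: {spec}")
    return low, high


@dataclass
class Policy:
    name: str
    action: str                                # "allow" or "deny"
    ips: list
    roles: list = field(default_factory=list)  # ASSUMPTION: empty = every role

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")
        if len(self.ips) > MAX_RANGES_PER_POLICY:
            raise ValueError(f"{self.name}: more than {MAX_RANGES_PER_POLICY} ranges")
        self.ranges = [parse_range(s) for s in self.ips]

    def matches(self, addr, role):
        if self.roles and role not in self.roles:
            return False
        return any(low <= addr <= high for low, high in self.ranges)


def evaluate(chain, ip, role=None):
    """Return (decision, deciding policy name); the first matching policy wins."""
    if len(chain) > MAX_POLICIES_PER_TARGET:
        raise ValueError("too many policies attached to one target")
    addr = int(ipaddress.IPv4Address(ip))
    for policy in chain:
        if policy.matches(addr, role):
            return policy.action, policy.name
    return "allow", None  # clients without a related policy are allowed by default


def lint(chain):
    """Flag a missing final deny-all and policies that can never take effect."""
    findings = []
    last = chain[-1] if chain else None
    if not (last and last.action == "deny" and not last.roles and ALL_IPV4 in last.ranges):
        findings.append("no final deny-all: unmatched clients are allowed by default")
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            roles_covered = not earlier.roles or (
                bool(later.roles) and set(later.roles) <= set(earlier.roles))
            ips_covered = all(any(e[0] <= r[0] and r[1] <= e[1] for e in earlier.ranges)
                              for r in later.ranges)
            if roles_covered and ips_covered:
                findings.append(f"{later.name} is shadowed by earlier policy {earlier.name}")
                break
    return findings


# admin_network mirrors the page's example; the other two policies are constructed.
ADMIN_NETWORK = Policy("admin_network", "allow", ["10.1.0.0/16", "10.2.1.0/24"], ["clusteradmin"])
FS0_ALLOW = Policy("fs0allow", "allow", ["10.1.0.0/16", "10.3.0.5-20"])
DENY_ALL = Policy("denyall", "deny", ["0.0.0.0/0"])
```

The model is a planning aid only; the cluster's own decision for a given chain comes from `weka security policy test`.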

Manage security policies using the CLI

Add and manage security policies so that you can apply them to an organization or filesystem. You can perform the following:

  • List security policies defined in the WEKA cluster.

  • Display information about a specific security policy.

  • Add a new security policy.

  • Remove a security policy.

  • Duplicate an existing security policy, creating a new one.

  • Update the settings of an existing security policy.

  • Simulate the effect of one or more security policies.

  • List security policies applied when joining containers.

  • Set security policies for joining cluster, replacing the existing set of policies.

  • Attach a security policy when joining cluster.

  • Detach a security policy when joining cluster.

  • Remove all security policies applied when joining cluster.

List security policies

Command: weka security policy list

Use the following command line to list security policies defined in the WEKA cluster.

weka security policy list [--action action] [--roles roles]...[--ips ips]...

Parameters

| Parameter | Description |
| --- | --- |
| action | Lists security policies that match a specific action. (format: allow or deny) |
| roles... | Lists security policies that include specific roles. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated) |
| ips... | Lists security policies that include specific IP address ranges. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated) |

Display information of a security policy

Command: weka security policy show

Displays information about a specific security policy.

weka security policy show <policy>

Parameters

| Parameter | Description |
| --- | --- |
| policy* | Name or ID of security policy. |

Add a new security policy

Command: weka security policy add

Use the following command line to add a new security policy.

weka security policy add <name> [--description description] [--action action]
[--ips ips]...[--roles roles]...

Parameters

| Parameter | Description |
| --- | --- |
| name* | Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter) |
| description | Description of the security policy. (up to 256 characters) |
| action | Whether access is granted or denied when the security policy matches. (format: allow or deny) |
| ips... | IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated) |
| roles... | User roles to which the security policy applies. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated) |

In this example a policy is created that allows access by users with the clusteradmin role from two specific subnets:

weka security policy add admin_network --action allow --ips 10.1.0.0/16,10.2.1.0/24 --roles clusteradmin

Remove a security policy

Command: weka security policy remove

Use the following command line to delete a security policy.

weka security policy remove <policy>

Parameters

| Parameter | Description |
| --- | --- |
| policy* | Name or ID of security policy. |

Duplicate an existing security policy

Command: weka security policy duplicate

Use the following command line to duplicate an existing security policy, creating a new one.

weka security policy duplicate <policy> <name>

Parameters

| Parameter | Description |
| --- | --- |
| policy* | Name or ID of the security policy to duplicate. |
| name* | Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter) |

Example:

weka security policy duplicate sourcePolicy newPolicyName

Update security policy settings

Command: weka security policy update

Use the following command line to update the settings of an existing security policy.

weka security policy update <policy> [--description description] [--action action] [--new-name new-name] [--roles roles]... [--add-roles add-roles]... [--remove-roles remove-roles]... [--ips ips]... [--add-ips add-ips]... [--remove-ips remove-ips]...

Parameters

| Parameter | Description |
| --- | --- |
| policy* | Name or ID of security policy. |
| --description | Updates the description of the security policy. (up to 256 characters) |
| --action | Changes whether access is granted when the security policy matches. (format: allow or deny) |
| --new-name | New name of the security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter) |
| --roles... | User roles to which the security policy applies. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated) |
| --add-roles... | User roles to append to the security policy. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated) |
| --remove-roles... | User roles to remove from the security policy. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated) |
| --ips... | IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated) |
| --add-ips... | IP address ranges to append to the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated) |
| --remove-ips... | IP address ranges to remove from the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated) |

In this example, the readonly role is added to an existing security policy called admin_network, and the policy description is updated:

weka security policy update admin_network --add-roles readonly --description "Limit Cluster Admin Access to HQ Network"

Simulate the effect of one or more security policies

Command: weka security policy test

Use the following command line to simulate the effect of one or more security policies.

weka security policy test [--role role] [--ip ip] [--join] [<policy>]...

Parameters

| Parameter | Description |
| --- | --- |
| policy... | Policies to evaluate, with access verified in the order listed. |
| role | Simulate effect of policies on API access from the given user role. (format: clusteradmin, orgadmin, regular, readonly or s3) |
| ip | IP address to evaluate as the source address. |
| join | Simulate effect of policies when joining the cluster. |

Example:

weka security policy test policy1 policy2 policy3 --ip 10.2.1.0 --role clusteradmin

List security policies applied when joining containers

Command: weka security policy join list

Use the following command line to list security policies applied when joining containers.

weka security policy join list [--client] [--backend]

Parameters

| Parameter | Description |
| --- | --- |
| client | List policies for clients. |
| backend | List policies for backends. |

Set security policies for joining cluster

Command: weka security policy join set

Use the following command line to set security policies for joining cluster, replacing the existing set of policies.

weka security policy join set [--client] [--backend] [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| policies... | Security policy names or IDs applied to cluster join process. |
| client | Apply policies to clients. |
| backend | Apply policies to backends. |

Attach a security policy when joining cluster

Command: weka security policy join attach

Use the following command line to attach security policies applied when joining cluster, adding them to the existing policies.

weka security policy join attach [--client] [--backend] [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| policies... | Security policy names or IDs to attach to cluster join process. |
| client | Apply policies to clients. |
| backend | Apply policies to backends. |

Detach a security policy when joining cluster

Command: weka security policy join detach

Use the following command line to remove security policies applied when joining cluster.

weka security policy join detach [--client] [--backend] [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| policies... | Security policy names or IDs to remove from cluster join process. |
| client | Apply policies to clients. |
| backend | Apply policies to backends. |

Remove all security policies applied when joining cluster

Command: weka security policy join reset

Use the following command line to remove all security policies applied when joining cluster.

weka security policy join reset [--client] [--backend]

Parameters

| Parameter | Description |
| --- | --- |
| client | Apply policies to clients. |
| backend | Apply policies to backends. |

Manage organization security policies using the CLI

Once security policies are defined, you can perform the following tasks at the organization level:

  • List security policies for a specified organization.

  • Set security policies for a specified organization.

  • Remove all security policies from a specified organization.

  • Attach new security policies to a specified organization.

  • Detach security policies from a specified organization.

List the organization security policies

Command: weka org security policy list

Use the following command to list the security policies of a specified organization.

weka org security policy list <org>

The command weka org also displays the attached policies for each organization.

Parameters

| Parameter | Description |
| --- | --- |
| org* | Organization name or ID. |

Set security policies for an organization

Command: weka org security policy set

Use the following command to set security policies for an organization, replacing the existing list of policies. If setting multiple policies, separate each with a space.

weka org security policy set <org> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| org* | Organization name or ID. |
| policies... | Security policy names or IDs to assign to the organization, space separated. |

Remove all security policies from an organization

Command: weka org security policy reset

Use the following command to remove all security policies from an organization.

weka org security policy reset <org>

Parameters

| Parameter | Description |
| --- | --- |
| org* | Organization name or ID. |

Attach new security policies to an organization

Command: weka org security policy attach

Use the following command to attach new security policies to an organization, adding them to the existing policies. If attaching multiple policies, separate each with a space.

weka org security policy attach <org> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| org* | Organization name or ID. |
| policies... | Security policy names or IDs to attach to the organization, space separated. |

Detach security policies from an organization

Command: weka org security policy detach

Use the following command to detach (remove) security policies from an organization. If detaching multiple policies, separate each with a space.

weka org security policy detach <org> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| org* | Organization name or ID. |
| policies... | Security policy names or IDs to remove from the organization, space separated. |

Manage filesystem security policies using the CLI

Once security policies are defined, you can perform the following tasks at the filesystem level:

  • List security policies for a specified filesystem.

  • Set security policies for a specified filesystem.

  • Remove all security policies from a specified filesystem.

  • Attach new security policies to a specified filesystem.

  • Detach security policies from a specified filesystem.

List security policies for a filesystem

Command: weka fs security policy list

Use the following command to list security policies for a specified filesystem.

weka fs security policy list <fs-name>

Parameters

| Parameter | Description |
| --- | --- |
| fs-name* | Filesystem name. |

Set security policies for a filesystem

Command: weka fs security policy set

Use the following command to set security policies for a specified filesystem, replacing the existing list of policies. If setting multiple policies, separate each with a space.

weka fs security policy set <fs-name> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| fs-name* | Filesystem name. |
| policies... | Security policy names or IDs to set for a filesystem, space separated. |

Example to apply two security policies to a filesystem named fs0:

weka fs security policy set fs0 fs0allow denyall

Remove all security policies from a filesystem

Command: weka fs security policy reset

Use the following command to remove all security policies from a specified filesystem.

weka fs security policy reset <fs-name>

Parameters

| Parameter | Description |
| --- | --- |
| fs-name* | Filesystem name. |

Attach new security policies to a filesystem

Command: weka fs security policy attach

Use the following command to attach additional security policies to the specified filesystem. If attaching multiple policies, separate each with a space.

weka fs security policy attach <fs-name> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| fs-name* | Filesystem name. |
| policies... | Security policy names or IDs to attach to the specified filesystem, space separated. |

Detach security policies from a filesystem

Command: weka fs security policy detach

Use the following command to detach (remove) security policies from a filesystem. If detaching multiple policies, separate each with a space.

weka fs security policy detach <fs-name> [<policies>]...

Parameters

| Parameter | Description |
| --- | --- |
| fs-name* | Filesystem name. |
| policies... | Security policy names or IDs to remove from the specified filesystem, space separated. |

Last updated 25 days ago