This article is an extract from the "ECS 3.0 Administrator's Guide", which can be downloaded here:
https://support.emc.com/docu79367_ECS_3.0_Administrator's_Guide.pdf?language=en_US
Lock and unlock nodes.
Use the portal to lock and unlock remote SSH access to ECS nodes.
Before beginning:
This task is done by the Lock Admin (login: emcsecurity).
Locking a node only prevents remote access to the operating system of the node by
SSH or the CLI. Locking or unlocking a node has no effect on ECS Portal or REST
Management API functions or on directly connecting to a node locally and then using
SSH or the CLI.
Procedure
1. Log in as emcsecurity.
If this is the first login from this account, you are required to change the password and then log in again.
2. From the left side of the navigation pane, select Settings > Platform Locking.
The screen lists the nodes in the cluster and displays their lock status.
The node states are:
- Unlocked: Displays an open green lock icon and the Lock action button
- Locked: Displays a closed red lock icon and the Unlock action button
- Offline: Displays the circle-with-slash icon and no action button because the node is unreachable and the lock state cannot be determined
3. Choose one of the following actions:
- Lock: Locks an unlocked node. Any user who is remotely logged in by SSH or the CLI is given five minutes to exit before their session is terminated. An impending shutdown message appears on the user's terminal screen.
- Unlock: Unlocks a locked node. A privileged user can remotely log in to the node by SSH or the CLI after a few minutes.
- Lock the VDC: This convenience action locks all currently unlocked nodes in the VDC, provided they are online. It does not set a persistent state; a new node, or an offline node that comes back online, is not locked automatically once it is detected and must be locked explicitly.
Locking remote access to nodes
Use the ECS Portal to lock remote access to nodes.
Access types
ECS can be accessed in the following ways:
- Using the ECS Portal or the ECS Management API.
- By directly connecting to a node through the management switch with a service laptop and using SSH or the CLI to directly access the node's operating system.
- By remotely connecting to a node over the network using SSH or the CLI to directly access the node's operating system.
Node locking provides another layer of security against remote node access from all accounts. Without node locking, any privileged node-level account, such as the admin, service, or Dell accounts, can remotely access nodes at any time to collect data, configure hardware, and run Linux commands. If all the nodes in a cluster are locked, remote access can instead be planned and scheduled for a defined maintenance window, minimizing the opportunity for unauthorized activity.
Using the ECS Portal or the ECS Management API, you can lock selected nodes in a cluster or all the nodes in the cluster. Doing so only affects the ability to remotely access (SSH to) the locked nodes. Locking does not change the way the ECS Portal and ECS Management API access nodes, and it does not affect the ability to directly connect to a node through the management switch.
Lock Admin
Locking and unlocking nodes requires the Lock Admin user. The Lock Admin is a preprovisioned local user called emcsecurity. Lock Admins can only change their own password and lock and unlock nodes. The Lock Admin role cannot be assigned to another user.
System Admins and System Monitors can view the lock status of the nodes but cannot change it.
Maintenance
If node maintenance using remote access is periodically required, you can unlock a single node to allow remote access to the entire cluster using SSH with the admin or Dell account. Once the authorized user successfully logs in to the unlocked node using SSH, the user can SSH from that node to any other node in the cluster by way of the private network. Because unlocking one node therefore opens a path to every node, the unlocked node should be locked again as soon as the maintenance window ends.
Unlocking a node is also necessary in order to remotely run the commands that provide OS-level read-only diagnostics.
Auditing
Node lock and unlock events are captured in audit logs and also sent to Syslog. Errors
from lock or unlock attempts are also logged.
ECS Management API
The following ECS Management API resources manage node locks:
- GET /vdc/nodes: Gets the data nodes that are configured in the cluster.
- GET /vdc/lockdown: Gets the locked or unlocked status of the VDC.
- PUT /vdc/lockdown: Sets the locked or unlocked status of the VDC.
- PUT /vdc/nodes/{nodeName}/lockdown: Sets the locked or unlocked status of a single node.
- GET /vdc/nodes/{nodeName}/lockdown: Gets the locked or unlocked status of a single node.
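The following Python script is an added example, not code from the ECS guide or from Dell EMC. It drives the resources listed above to reproduce, node by node, what the "Lock the VDC" action described earlier does: it lists the nodes, fetches each node's lock state, locks the nodes that are online and unlocked, and reports the offline nodes separately, since those are skipped and are not locked automatically once they come back. The resource paths are the ones in the table; everything else is an assumption for illustration: the portal host and port, the login flow (GET /login with HTTP basic authentication, token returned in the X-SDS-AUTH-TOKEN response header, as documented for the ECS Management API outside this extract), the JSON shape of the responses, and the JSON body sent with PUT. The sample data at the bottom is constructed for offline use.

```python
"""Audit and lock ECS nodes through the ECS Management API (added example)."""
import base64
import json
import ssl
import urllib.error
import urllib.request

ENDPOINT = "https://ecs.example.internal:4443"  # assumed portal host and API port


class EcsLockClient:
    """Minimal lock-management client; authenticate as the Lock Admin (emcsecurity)."""

    def __init__(self, endpoint, user, password, cafile=None):
        self.endpoint = endpoint.rstrip("/")
        # Verify the portal certificate against the ECS CA bundle (cafile)
        # instead of disabling TLS verification.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = self._login(user, password)

    def _login(self, user, password):
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(self.endpoint + "/login",
                                     headers={"Authorization": "Basic " + creds})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers["X-SDS-AUTH-TOKEN"]  # assumed token header

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            self.endpoint + path, data=data, method=method,
            headers={"X-SDS-AUTH-TOKEN": self.token,
                     "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def nodes(self):
        return self._call("GET", "/vdc/nodes")

    def node_lock(self, node_name):
        return self._call("GET", f"/vdc/nodes/{node_name}/lockdown")

    def set_node_lock(self, node_name, locked):
        # Request body shape is assumed; check the ECS API reference.
        return self._call("PUT", f"/vdc/nodes/{node_name}/lockdown",
                          {"lockdown": locked})


def node_names(nodes_response):
    """Node names from GET /vdc/nodes; assumed shape {"node": [{"nodename": ...}]}."""
    return [n["nodename"] for n in nodes_response.get("node", [])]


def plan_lock_actions(names, states):
    """Decide, node by node, what locking the whole VDC would do.

    states maps node name -> {"online": bool, "locked": bool}, assembled from
    GET /vdc/nodes/{nodeName}/lockdown (shape assumed). A node that is offline,
    or whose state could not be fetched, is skipped: its lock state cannot be
    determined or changed, and it is not locked automatically when it returns.
    Returns (to_lock, already_locked, offline).
    """
    to_lock, already_locked, offline = [], [], []
    for name in names:
        state = states.get(name)
        if state is None or not state.get("online", False):
            offline.append(name)
        elif state.get("locked", False):
            already_locked.append(name)
        else:
            to_lock.append(name)
    return to_lock, already_locked, offline


def lock_all_online(client):
    """Lock every online, unlocked node and report offline ones for follow-up."""
    names = node_names(client.nodes())
    states = {}
    for name in names:
        try:
            states[name] = client.node_lock(name)
        except urllib.error.URLError:
            pass  # unreachable: leave it out so it is reported as offline
    to_lock, already_locked, offline = plan_lock_actions(names, states)
    for name in to_lock:
        client.set_node_lock(name, True)  # remote SSH users get a five-minute warning
    return to_lock, already_locked, offline


# Constructed sample data standing in for live API responses.
SAMPLE_NODES = {"node": [{"nodename": "node1"}, {"nodename": "node2"},
                         {"nodename": "node3"}, {"nodename": "node4"}]}
SAMPLE_STATES = {
    "node1": {"online": True, "locked": False},  # will be locked
    "node2": {"online": True, "locked": True},   # already locked
    "node3": {"online": False},                  # offline: cannot be locked
    # node4 absent: its lockdown query failed, so it is treated as offline
}

if __name__ == "__main__":
    import getpass
    client = EcsLockClient(ENDPOINT, "emcsecurity",
                           getpass.getpass("emcsecurity password: "), cafile="ecs-ca.pem")
    print(lock_all_online(client))
```

Run it as emcsecurity, because the Lock Admin is the only role allowed to change lock state; a System Admin token will be able to read the status but the PUT calls will be refused. The offline list is the part worth keeping: those nodes are exactly the ones the portal's "Lock the VDC" action also leaves untouched, so re-run the script (or lock them individually) once they are reachable again.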