May 6th, 2023 01:00

Zone based RBAC and administration

With newer OneFS releases apparently zone administration can be delegated to "zone admins" (zRBAC). According to documentation, zone administration can be done by these "zone admins" via Web-UI from within the zone, without having to have connectivity/access to subnets/IPs linked to the system zone.

In older OneFS releases, access to administration (Web-UI, API, ssh, etc.) was limited to subnets/IPs linked to the system zone (via Groupnet). This is one of our "main pillars" of Isilon/Powerscale security architecture and hardening. We have a "pseudo air-gapped" network for the system access zone with no possibility of access to the system zone and system administration from subnets/IPs related to "data" access zones (the "pseudo air-gap" design is out of scope in this discussion, but assume access to administration is impossible from access zone networks except for attacks with unlimited funding/time, which we don't count ourselves as possible targets of).

According to documentation, ssh still seems to be disabled outside the system access zone, so that's good. But is there a way to force OneFS back into the "old" design, removing Web-UI, API and any other administration option from all "non-system" access zones?

Thanks a lot for any input and help, as this pulls our Powerscale implementation and usage badly into "high risk" territory from a CISO/CSO department point of view!

May 6th, 2023 09:00

Addendum: Could it be that I am simply misinterpreting things and access to the WebUI/API etc. is still only possible on subnets/IPs linked to the system access zone, but users can be created with limited administrative access via WebUI to specific access zones - zRBAC - if they have network access to the system access zone subnets/IPs?

May 8th, 2023 06:00

Thanks for your question. I do not see a way to force it back to the old design, but probably could not assign any users as zone admin so it isn’t used. Maybe another user can say what they did to work around it. Could also try to remove the privileges from the role. Page 103

Let us know if you have any additional questions.
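As an added example (not from the original thread, and not Dell's own code), a small audit in Python that turns the reply's two suggestions into a check: flag any role outside the System zone that has both members and privileges, and emit the role-modify commands that would empty it. The record fields (zone, name, members, privileges) and the isi flag names are assumptions to verify against your OneFS release; the sample records are constructed.

```python
SYSTEM_ZONE = "System"

# Constructed sample records, not output from a real cluster. Field names
# are assumed to follow the OneFS roles schema as returned by
# `isi auth roles view --format json`; adjust them if your release differs.
SAMPLE_ROLES = [
    {"zone": "System", "name": "SystemAdmin",
     "members": [{"name": "admin", "type": "user"}],
     "privileges": [{"id": "ISI_PRIV_LOGIN_PAPI"}]},
    {"zone": "data-zone1", "name": "ZoneAdmin",
     "members": [{"name": "alice", "type": "user"},
                 {"name": "storage-ops", "type": "group"}],
     "privileges": [{"id": "ISI_PRIV_LOGIN_PAPI"}, {"id": "ISI_PRIV_AUTH"}]},
    {"zone": "data-zone1", "name": "ZoneSecurityAdmin",
     "members": [],                        # defined but unassigned: no finding
     "privileges": [{"id": "ISI_PRIV_ROLE"}]},
    {"zone": "data-zone2", "name": "ZoneAdmin",
     "members": [{"name": "bob", "type": "user"}],
     "privileges": []},                    # assigned but stripped: no finding
]


def audit_zone_roles(roles):
    """Flag roles outside the System zone that could let someone administer
    the cluster from a data-zone network. A role is only usable when it has
    at least one member AND at least one privilege, so both must be present."""
    findings = []
    for role in roles:
        if role.get("zone") == SYSTEM_ZONE:
            continue
        members = role.get("members", [])
        privs = [p["id"] for p in role.get("privileges", [])]
        if members and privs:
            findings.append({"zone": role["zone"], "role": role["name"],
                             "members": members, "privileges": privs})
    return findings


def remediation_commands(findings):
    """Build the `isi auth roles modify` calls that empty each flagged role.
    Flag names (--zone, --remove-user/--remove-group, --remove-priv) are an
    assumption taken from the OneFS CLI; check your release's reference."""
    cmds = []
    for f in findings:
        base = f"isi auth roles modify {f['role']} --zone {f['zone']}"
        for m in f["members"]:
            opt = "--remove-group" if m["type"] == "group" else "--remove-user"
            cmds.append(f"{base} {opt} {m['name']}")
        for p in f["privileges"]:
            cmds.append(f"{base} --remove-priv {p}")
    return cmds
```

Run the audit against `isi auth roles view` output gathered per zone; an empty findings list means no data-zone role is currently usable for administration.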
