ECS: How to Lock or Unlock Remote Access to Nodes

Summary: Node locking provides another layer of security against remote node access from all accounts.

Applies to: This article is not tied to a specific product and does not cover all product versions.

Description

This article is an extract from the ECS 3.0 Administrator's Guide that is available on Dell Support.


Lock and unlock nodes

Use the portal to lock and unlock remote SSH access to ECS nodes.


Before beginning:

This task is performed by the Lock Admin (login name: emcsecurity).

Locking a node only prevents remote access to the node's operating system by SSH or the CLI. Locking or unlocking a node has no effect on the ECS Portal, the ECS REST Management API, or on connecting to a node locally and then using the CLI or SSH.


Procedure:

  1. Log in as emcsecurity.
If this is the first login from this account, it requires a change of password and re-login.
  2. From the left side of the navigation pane, select Settings > Platform Locking.
The screen lists the nodes in the cluster and displays their lock status.
  [Screenshot: list of the nodes in the cluster and their lock status]

The node states are:
  • Unlocked: Displays an open green lock icon and the Lock action button.
  • Locked: Displays a closed red lock icon and the Unlock action button.
  • Offline: Displays the circle-with-slash icon and no action button, because the node is unreachable and its lock state cannot be determined.
  3. Choose one of the following options:
  • Lock: Locks an unlocked node. Any user who is remotely logged in by SSH or the CLI is given five minutes to exit before their session is terminated; an impending shutdown message appears on the user's terminal.
  • Unlock: Unlocks a locked node. A privileged user can remotely log in to the node by SSH or the CLI after a few minutes.
  • Lock the VDC: A convenience action that locks all unlocked nodes in the VDC as long as they are online. It does not set a persistent state; a node that is new or that comes back online later is not locked automatically.

Additional Information

Locking remote access to nodes

Use the ECS Portal to lock remote access to nodes.

Access types

ECS can be administered in the following ways:
  • Using the ECS Portal or the ECS Management API
  • By directly connecting to a node through the management switch with a service laptop and using SSH or the CLI to access the node's operating system
  • By remotely connecting to a node over the network using SSH or the CLI to access the node's operating system

Node locking provides another layer of security against remote node access from all accounts. Without node locking, any privileged node-level account, such as the admin, service, or Dell accounts, can remotely access nodes at any time to collect data, configure hardware, and run Linux commands. If all the nodes in a cluster are locked, remote access can be planned and scheduled for a defined window, minimizing the opportunity for unauthorized activity.

Using the ECS Portal or the ECS Management API, you can lock selected nodes in a cluster or all the nodes in the cluster. Doing so only affects the ability to remotely access (SSH to) the locked nodes. Locking does not change the way the ECS Portal and ECS Management APIs access nodes, and it does not affect the ability to directly connect to a node.


Lock Admin

Locking and unlocking nodes requires the Lock Admin user. The Lock Admin is a pre-provisioned local user called emcsecurity. Lock Admins can only change their own password and lock and unlock nodes. The Lock Admin role cannot be assigned to another user. System Admins and System Monitors can view the lock status of the nodes but cannot change it.


Maintenance

If node maintenance using remote access is periodically required, you can unlock a single node to allow remote access to the entire cluster using SSH with the admin or Dell account. Once the authorized user successfully logs in to the unlocked node using SSH, the user can SSH from that node to any other node in the cluster by way of the private network, even though those nodes remain locked.

A node must be unlocked to run, remotely, the commands that provide OS-level read-only diagnostics.


Auditing

Node lock and unlock events are captured in the audit logs and also sent to syslog. Errors from lock or unlock attempts are logged as well, so a failed attempt is as visible as a successful one.


ECS Management API

The following API resources manage node locks:
  • GET /vdc/nodes: Gets the data nodes that are configured in the cluster.
  • GET /vdc/lockdown: Gets the locked or unlocked status of a VDC.
  • PUT /vdc/lockdown: Sets the locked or unlocked status of a VDC.
  • PUT /vdc/nodes/{nodeName}/lockdown: Sets the locked or unlocked status of a node.
  • GET /vdc/nodes/{nodeName}/lockdown: Gets the locked or unlocked status of a node.
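As an added example (not Dell's code and not from the Administrator's Guide), the following Python script drives the node endpoints listed above the way a scheduled lock job would: it lists the nodes, skips offline ones (whose lock state is unknown), locks each online unlocked node individually, re-reads the lock status to confirm, and logs every outcome, including failures, so the run leaves its own trail beside the ECS audit log. It also shows the single-node unlock used for a planned maintenance window. The base URL and port 4443, the X-SDS-AUTH-TOKEN session header, and the JSON field names (node, nodename, state, lockdown) are assumptions to check against the ECS Management API reference for your release; the in-memory FakeTransport and SAMPLE_NODES are constructed so the script runs offline.

```python
# Added example, not Dell's code. Drives the ECS node-lock endpoints listed in
# the article through a pluggable transport so the logic can run offline.
import json
import logging
import urllib.request

log = logging.getLogger("ecs-lock")

# Endpoints named in the article.
NODES = "/vdc/nodes"
VDC_LOCKDOWN = "/vdc/lockdown"


def node_lockdown(node_name):
    return f"/vdc/nodes/{node_name}/lockdown"


# ASSUMED JSON field names; adjust to your ECS release's API reference.
F_NODE_LIST, F_NODE_NAME, F_NODE_STATE, F_LOCKED = "node", "nodename", "state", "lockdown"


class HttpsTransport:
    """Real transport. ASSUMES the Management API listens on :4443 and accepts a
    session token in X-SDS-AUTH-TOKEN obtained per your ECS documentation."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")   # e.g. https://ecs.example.invalid:4443
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("X-SDS-AUTH-TOKEN", self.token)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:   # TLS certificate verification stays on
            return json.loads(resp.read() or b"{}")


def list_nodes(transport):
    return transport.request("GET", NODES).get(F_NODE_LIST, [])


def is_locked(transport, node_name):
    return bool(transport.request("GET", node_lockdown(node_name)).get(F_LOCKED, False))


def lock_online_nodes(transport):
    """Lock every online, unlocked node one by one and report the per-node outcome.
    Like the portal's 'Lock the VDC', offline nodes are skipped, not queued, so
    they have to be revisited once they are reachable again."""
    outcome = {}
    for node in list_nodes(transport):
        name = node[F_NODE_NAME]
        if node.get(F_NODE_STATE) != "online":
            result = "skipped-offline"        # lock state cannot be determined
        elif is_locked(transport, name):
            result = "already-locked"
        else:
            try:
                transport.request("PUT", node_lockdown(name), {F_LOCKED: True})
                # Re-read instead of trusting the PUT so the report reflects real state.
                result = "locked" if is_locked(transport, name) else "lock-not-confirmed"
            except Exception as exc:          # failures deserve a log entry too
                result = "error"
                log.error("lock of %s failed: %s", name, exc)
        outcome[name] = result
        log.info("node %s -> %s", name, result)
    return outcome


def unlock_node(transport, node_name):
    """Unlock one node for a planned maintenance window; returns True when confirmed."""
    transport.request("PUT", node_lockdown(node_name), {F_LOCKED: False})
    log.info("node %s unlocked for maintenance", node_name)
    return not is_locked(transport, node_name)


class FakeTransport:
    """Constructed in-memory stand-in for the API, used only to run this example offline."""

    def __init__(self, nodes):
        self.nodes = {n[F_NODE_NAME]: dict(n) for n in nodes}
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        if path == NODES:
            return {F_NODE_LIST: list(self.nodes.values())}
        name = path.split("/")[3]             # /vdc/nodes/<name>/lockdown
        if name not in self.nodes:
            raise LookupError(name)
        if method == "PUT":
            self.nodes[name][F_LOCKED] = bool(body[F_LOCKED])
            return {}
        return {F_LOCKED: self.nodes[name].get(F_LOCKED, False)}


SAMPLE_NODES = [  # constructed sample data
    {"nodename": "node1", "state": "online", "lockdown": False},
    {"nodename": "node2", "state": "online", "lockdown": True},
    {"nodename": "node3", "state": "offline", "lockdown": False},
]


def demo():
    return lock_online_nodes(FakeTransport(SAMPLE_NODES))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())   # {'node1': 'locked', 'node2': 'already-locked', 'node3': 'skipped-offline'}
```

To run it against a real VDC, replace FakeTransport with HttpsTransport(base_url, token) and keep the re-read after each PUT: the portal treats the queried lock state as authoritative, and a script that reports "locked" on the strength of a PUT alone can mask a node that silently stayed open.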

Affected Products

Elastic Cloud Storage

Products

ECS, ECS Appliance
Article Properties
Article Number: 000019556
Article Type: How To
Last Modified: 04 Jul 2024
Version: 4