The ObjectScale Management Service manages management users and roles and is used for establishing trust with other external identity providers. It provides an API for authentication/authorization that allows for secure token generation which will be accepted by other ObjectScale services.
The ObjectScale Management Service provides the following functionality:
- Defines roles for management users.
- Supplies the /mgmt APIs.
- Provides a method to process the Access Token correctly for the IAM, Federation Service, and Object Control Service in an object store.
- Modifies the IAM and Federation Service clients to transparently handle Access Token interactions.
A user first logs in to the /mgmt/auth/login endpoint. The returned Access Token carries the roles associated with the user.
The user can then present this Access Token to request services from IAM, Federation Service, and Object Control in an object store.
These ObjectScale services first authenticate the Access Token with the Management Service; based on the roles present in the token, they then determine whether the user is authorized to access the requested resource.
ObjectScale Access Token (OSTOKEN) format
The Access Token, also known as an OSTOKEN, is based on JSON Web Token (JWT) and is used as the auth token for system resource access.
You can refresh an Access Token using the /mgmt/auth/token API.
The default expiration for a token obtained from /mgmt/auth/login is 900 seconds (15 minutes).
NOTE: All Access Tokens are opaque and are intended to be used as is. ObjectScale exposes APIs to determine the expiry time of an Access Token.
ObjectScale Management User Roles
A management user in the ObjectScale Management API must be assigned one or more roles.
Table 1. Management user roles for ObjectScale on ObjectScale Software Bundle
Describes the management user roles available when ObjectScale is deployed on ObjectScale Software Bundle.

| Role name | Role description | Role ID |
| --- | --- | --- |
| admin | Full control over all management operations. | admin |
| operations_admin | Full control over all management operations except for security operations. Read access to user and public certs. | operations_admin |
| readonly | Read access only, to everything other than security information. Read access to user and public certs. | readonly |
| security_admin | Full control over security operations only, read access for others. | security_admin |
| storage_admin | Full control over storage management, including the ability to create and delete object stores. | storage_admin |
| storage_operator | Full control over storage management, except the ability to create and delete object stores. | storage_operator |
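The role check that a service performs on a validated Access Token, as an added example modelled on the Table 1 descriptions (this is not ObjectScale code; the resource categories, action names and the `needs_refresh` helper are assumptions for illustration, only the role IDs come from the table):

```python
# Added example, not ObjectScale code: a deny-by-default authorization check
# modelled on the Table 1 role descriptions. Category and action names are
# assumptions chosen for this example; only the role IDs come from the table.
from typing import Iterable

READ, WRITE = "read", "write"
# Resource categories that the role descriptions distinguish (assumed names).
SECURITY = "security"                            # security operations
CERTS = "certs"                                  # user and public certs
STORAGE = "storage"                              # storage management
OBJECTSTORE_LIFECYCLE = "objectstore_lifecycle"  # create/delete object stores
OTHER = "other"                                  # all other management ops

def _rw(*cats):
    return {(c, a) for c in cats for a in (READ, WRITE)}

def _ro(*cats):
    return {(c, READ) for c in cats}

# What each Table 1 role grants; anything not listed here is denied.
ROLE_GRANTS = {
    "admin": _rw(SECURITY, CERTS, STORAGE, OBJECTSTORE_LIFECYCLE, OTHER),
    "operations_admin": _rw(STORAGE, OBJECTSTORE_LIFECYCLE, OTHER) | _ro(CERTS),
    "readonly": _ro(CERTS, STORAGE, OTHER),
    "security_admin": _rw(SECURITY, CERTS) | _ro(STORAGE, OTHER),
    "storage_admin": _rw(STORAGE, OBJECTSTORE_LIFECYCLE),
    "storage_operator": _rw(STORAGE),
}

def authorize(roles: Iterable[str], category: str, action: str) -> bool:
    """Allow only if some recognised role grants (category, action).

    `roles` is the role list carried by an Access Token that the calling
    service has already authenticated with the Management Service. Unknown
    role names grant nothing, so an unexpected role fails closed.
    """
    needed = (category, action)
    return any(needed in ROLE_GRANTS.get(role, set()) for role in roles)

def needs_refresh(issued_at: float, now: float,
                  lifetime_s: int = 900, margin_s: int = 60) -> bool:
    """True once a token is within `margin_s` of the default 900-second
    login expiry, i.e. the client should call /mgmt/auth/token now."""
    return now >= issued_at + lifetime_s - margin_s

if __name__ == "__main__":
    print(authorize(["storage_operator"], OBJECTSTORE_LIFECYCLE, WRITE))  # False
    print(authorize(["readonly", "security_admin"], SECURITY, WRITE))    # True
    print(needs_refresh(issued_at=0, now=840))                           # True
```

Roles are combined as a union, so a user holding both readonly and security_admin gets security write access from the latter, while a role name the service does not recognise adds nothing.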
Table 2. Management user roles for ObjectScale on Red Hat OpenShift
Describes the management user roles available when ObjectScale is deployed on a Red Hat OpenShift cluster.

| Role name | Role description | Role ID |
| --- | --- | --- |
| Security Administrator | Manages certificates, administering other management users, and the federation of other ObjectScale instances. | SECURITY_ADMIN |
| System Administrator | Manages IAM accounts, ObjectScale licensing, object stores, and monitoring (alerts and auditing). | |