Managing Users and RBAC
Cisco Container Platform provides Role-based Access Control (RBAC) through built-in static roles, namely the Administrator and User roles. Role-based access allows you to use local accounts and LDAP for authentication and authorization.
Configuring Local Users
Cisco Container Platform allows you to manage local users. An administrator can add a user, and assign an appropriate role and cluster(s) to the user.
Caution: Use of local authentication is not recommended and is considered less secure for production data.
Before you begin
For more information, see Configuring AD Servers.
Procedure
Step 1: In the left pane, click User Management, and then click the Users tab.
Step 2: Click ADD USER.
Step 3: In the USERNAME field, enter a username.
Step 4: From the ROLE drop-down list, choose one of the following roles:
Step 5: If you want to generate a passphrase automatically:
Step 6: If you want to type a passphrase of your own, enter a passphrase in the PASSPHRASE field.
Modifying Local Authentication Policy
Caution: There will be a temporary downtime of the Cisco Container Platform API during this procedure.
Follow these steps to modify the local authentication policies for the local accounts.
Procedure
Step 1: SSH to a control plane master node.
Step 2: Edit the API auth configmap.
Step 3: Modify the local authentication parameters under For example:
Step 4: Delete the pod to restart the API service.
Local Authentication Parameters
The following table describes the parameters used for local authentication.

| Parameter | Default Setting | Description |
|---|---|---|
| VALIDATOR_MIN_LEN | 8 | Minimum character length of the passphrase. |
| PASSWORD_LIFETIME_DAYS | 0 (Forever) | Number of days for which a passphrase is valid before a change is required. |
| PASSWORD_WARNING_DAYS | 14 | Number of days before expiry during which the user is warned that the passphrase is about to expire. |
| PASSWORD_GRACE_DAYS | 0 | Number of days after a passphrase has expired during which you are still allowed to log in. |
| PASSWORD_HISTORY_COUNT | 0 | Passphrase reuse limitation value. |
| PASSWORD_HISTORY_DAYS | 0 | Number of days after which passphrase reuse is allowed. |
| VALIDATOR_FORBIDDEN_WORDS | {"cisco123", "ccp123"} | Explicit list of restricted passphrases. |
| VALIDATOR_COMMON_ENABLE | True | Restrict passphrases based on a common dictionary. |
| VALIDATOR_STRENGTH_ENABLE | True | Enable the passphrase complexity requirement. |
| PASSWORD_MIN_STRENGTH | 0.20 | Passphrase complexity requirement (range 0.00..0.99). |
| LOGIN_THROTTLE_ENABLED | True | Enable rate-limiting on the login endpoint. |
| THROTTLE_ANON_LOGIN_BURST | '60/min' | Rate-limiting burst limit for unsuccessful login attempts. |
| THROTTLE_ANON_LOGIN_SUSTAINED | False | Rate-limiting sustained limit for unsuccessful login attempts, for example: '100/day'. |
Note: The rate limit applies to each worker process of an API service. An API service is backed by 10 worker processes, which serve requests in a round-robin fashion. The overall number of requests before throttling occurs is therefore: rate value x 10. For example, the default overall allowance for login attempts is THROTTLE_ANON_LOGIN_BURST x 10 = 60 x 10 = 600 requests/min.
Changing Login Passphrase
Procedure
Step 1: In the left pane, click User Management, and then click the Users tab.
Step 2: From the drop-down list displayed under the ACTIONS column, choose Change passphrase corresponding to your name.
Step 3: If you want to generate a passphrase automatically:
Step 4: If you want to use a passphrase of your own:
Recovering Login Passphrase for Local Admin
Procedure
Step 1: Perform one of the following steps:
Step 2: List the available pods.
Step 3: Search for the pod that has the following format:
Step 4: Reset the login passphrase for the admin user.
Restoring Login Access Using a Breakglass Account
If you are an admin user and you are unable to log in to Cisco Container Platform, you can use a breakglass account to restore your login access.
Follow these steps to restore your login access:
Procedure
Step 1: SSH in to the Cisco Container Platform control plane master node.
Step 2: Create a breakglass account.
Step 3: Log in to the Cisco Container Platform web interface using the newly created breakglass account credentials and make the required LDAP configuration changes to restore your login access.
Step 4: Disable the breakglass user account.
Configuring AD Servers
LDAP authentication is performed using a service account that can access the LDAP database and query for user accounts. You will need to configure the AD server and service account in Cisco Container Platform.
Procedure
Step 1: In the left pane, click User Management, click the Active Directory tab, and then click EDIT.
Step 2: In the SERVER IP ADDRESS field, type the IP address of the AD server.
Step 3: In the PORT field, type the port number for the AD server.
Step 4: For improved security, we recommend that you check STARTTLS.
Step 5: In the BASE DN field, type the base distinguished name of the AD server under which all of your accounts reside. For example: CN=Users,DC=example,DC=com
Step 6: In the ACCOUNT USERNAME field, enter the LDAP DN of the service account. For example: CN=UserName,OU=Folder,DC=example,DC=cisco,DC=com
Step 7: In the PASSPHRASE field, type the passphrase of the AD account.
Step 8: Click SUBMIT.
Troubleshooting AD User Credentials
Procedure
Step 1: Run the Command:
Example:
Step 2: When prompted, type the passphrase of the AD account. If the user credential validation fails, an
Configuring AD Groups
Cisco Container Platform allows you to manage users using AD groups. An administrator can add users to AD groups, and then assign appropriate roles and clusters to the groups.
Before you begin
Ensure that you have configured the AD server that you want to use.
For more information on configuring AD servers, see Configuring AD Servers.
Procedure
Step 1: In the left pane, click User Management, and then click the Groups tab.
Step 2: Click ADD GROUP.
Step 3: In the ACTIVE DIRECTORY GROUP field, type the list of distinguished names for all the accounts that you have, entered as a comma-separated list. For example, type CN=CCP-Cluster1-Admin,CN=Users,DC=aervacan-lab,DC=local.
Step 4: Specify information such as the name of the AD group and the role you want to assign to the group.
Step 5: From the CLUSTERS drop-down list, choose the names of the clusters that you want to assign to the AD group.
Step 6: Click SUBMIT.
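The following is an added example, not Cisco Container Platform code, showing how the distinguished names entered in the ACTIVE DIRECTORY GROUP field can be matched against the groups an AD user belongs to (the user's memberOf values), and how the role and clusters assigned to those groups resolve for the user. It normalises DNs first, so that differences in case or spacing around commas (which AD tolerates) do not silently break the match, and it honours RFC 4514 escaping of commas inside a value. Assumptions: CN and DC values compare case-insensitively as they do in AD, a user in several mapped groups gets the Administrator role if any group grants it and the union of the cluster sets, and all function names and sample DNs are constructed for this example.

```python
"""Resolve a user's role and clusters from AD group membership (added example)."""
from typing import Dict, List, Set, Tuple

# Built-in static roles from this page, ranked so the higher one wins.
ROLE_RANK = {"Administrator": 2, "User": 1}


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs at unescaped commas (RFC 4514 escaping)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                   # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form: attribute types and values lower-cased, whitespace trimmed.

    Assumption: AD compares CN and DC values case-insensitively, so lower-casing
    both sides is safe for matching group DNs.
    """
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def resolve_access(member_of: List[str],
                   group_policy: Dict[str, Tuple[str, Set[str]]]
                   ) -> Tuple[str, Set[str]]:
    """Return (role, clusters) granted by the user's groups.

    group_policy maps a configured group DN to (role, clusters). A user in no
    mapped group gets ("", set()), i.e. no access.
    """
    wanted = {normalize_dn(dn): grant for dn, grant in group_policy.items()}
    role, clusters = "", set()
    for dn in member_of:
        grant = wanted.get(normalize_dn(dn))
        if grant is None:
            continue                  # group is not mapped in the platform
        group_role, group_clusters = grant
        if ROLE_RANK[group_role] > ROLE_RANK.get(role, 0):
            role = group_role         # assumption: highest role wins
        clusters |= set(group_clusters)
    return role, clusters


if __name__ == "__main__":
    # Constructed sample configuration and memberOf values.
    policy = {
        "CN=CCP-Cluster1-Admin,CN=Users,DC=aervacan-lab,DC=local": ("Administrator", {"cluster1"}),
        "CN=Devs\\, Team,OU=Groups,DC=example,DC=com": ("User", {"cluster2"}),
    }
    groups = [
        "cn=ccp-cluster1-admin, cn=users, dc=aervacan-lab, dc=local",
        "CN=Devs\\, Team,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ]
    print(resolve_access(groups, policy))
```

Because an unmapped group yields no access, a mismatch caused by a stray space or a differently cased DN in the ACTIVE DIRECTORY GROUP field shows up as a user who can authenticate but has no role; normalising before comparison is what makes that failure mode disappear.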
Troubleshooting AD Groups
Consider an AD group with the following parameters:
- SERVER IP ADDRESS: 10.10.10.100
- PORT: 389
- BASE DN: dc=example,dc=org
- ACCOUNT USERNAME: cn=admin,dc=example,dc=org
Procedure
Step 1: Run the
Step 2: Run the