The ObjectScale Management Service facilitates authentication and authorization of users and other services to use and manage ObjectScale and platform resources. It manages users and roles and is used for establishing trust with other external identity providers. It provides an API for authentication and authorization that allows for secure token generation that other ObjectScale services will accept. The service is responsible for:
In ObjectScale, management users manage the ObjectScale instance. Management users can authenticate to the ObjectScale Portal, the ObjectScale API, and the Kubernetes command line. The roles assigned to a management user determine the actions that the user is authorized to perform. Roles are predefined in ObjectScale and are specific to various storage use cases. A management user can have multiple roles.
Roles give management users authorizations to create and manage management users; create and manage IAM accounts; configure ObjectScale; and create, manage, and view object stores.
Note: IAM users are separate from management users. They are associated with S3 accounts. These users have permissions to read and write data into buckets in an ObjectScale account.
ObjectScale IAM protects data access. In ObjectScale, IAM is a shared service in a single ObjectScale instance that manages accounts and their IAM entities. IAM provides an AWS-compatible authentication and authorization mechanism that is used by other ObjectScale services such as:
The upper-most level of the ObjectScale IAM hierarchy is an account. Administrators can define several accounts in an ObjectScale instance. Every account has a globally unique identifier assigned at creation. An IAM account contains other IAM entities such as users, groups, roles, policies, and service providers.
In ObjectScale, each account consists of local and replicated IAM entities. Local IAM entities remain local in the ObjectScale instance and are not replicated. Global entities are replicated to other ObjectScale instances. ObjectScale local and replicated IAM entities have separate APIs. The ObjectScale instance where the account was created initially owns that account and is known as the account owner. That account is a primary account on that ObjectScale instance. Within ObjectScale, only one account owner can exist for any given account and its underlying IAM entities.
Multiple ObjectScale instances can be connected to each other to form an ObjectScale federation. In this federation, all ObjectScale instances have a trust relationship established with each other. Any federation member is aware of other federation members through the ObjectScale federation service. The federation service provides an account registry. When a primary IAM account is replicated from an ObjectScale instance to another ObjectScale instance or instances in the federation, it becomes a secondary on the other ObjectScale instances.
Authorized users can perform CRUD operations on any entities associated with an account. Changes to an IAM entity might not take effect immediately. Replicated roles are used to set up bucket replication. IAM supports the following APIs:
A federation of ObjectScale systems is created to allow IAM entities to replicate from one ObjectScale system to other systems in the federation. In a federation, an ObjectScale instance can either be the primary instance or a secondary instance. A federation can have two or more secondary instances but only a single primary instance. Any instance not in a federation appears as not federated, which is the default state. A heartbeat is maintained between trusted ObjectScale instances to track their connectivity status (online or offline).
The following table defines ObjectScale IAM entities:

| IAM entity | Description |
|---|---|
| Account | A logical construct in ObjectScale that corresponds to a customer business unit, tenant, or project. The administrator and end users belong to accounts. |
| End user account | The developer or application that creates buckets and objects in an account. |
| IAM Group | An identity that represents a collection of users that will share permissions and policies. |
| Policy | A document in JSON that defines the permissions for a role. |
| Resource | An entity, such as a bucket or an object, whose access needs to be protected. |
| IAM role | An IAM identity created in an account that has specific permissions. An IAM role is like an IAM end user, in that it is an ObjectScale identity with permission policies that determine what the identity can and cannot do in ObjectScale. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who requires it. |
| IAM user | An entity that represents a physical person or a service. A user can be a local or a federated user. A user consists of a name, ID, tags, and credentials. |
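The table describes a policy as a JSON document that grants a role its permissions, and the text above notes that replicated roles are used for bucket replication. The following is an added example, not ObjectScale's own code or API: because the page states that ObjectScale IAM is AWS-compatible, it models the AWS policy evaluation order (an explicit Deny in any applicable statement wins, otherwise an explicit Allow is required, otherwise the request is implicitly denied) and applies it to a constructed least-privilege policy for a hypothetical replication role next to a deliberately over-broad policy. The policy contents, bucket names, and role name are constructed for illustration; the evaluator handles only `Effect`, `Action`, and `Resource` (no conditions, `NotAction`, or principals).

```python
"""AWS-style IAM policy evaluation (illustrative example, not ObjectScale code).

Assumption: ObjectScale IAM follows the AWS evaluation order, which the page
describes as AWS-compatible. Everything below is constructed sample data.
"""
import fnmatch
import json

# Constructed policy for a hypothetical replication role: it may read, write and
# list one bucket, and is explicitly forbidden from deleting anything anywhere.
REPLICATION_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::replica-bucket", "arn:aws:s3:::replica-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")

# A second, over-broad policy, used to show that an explicit Deny still overrides it.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """Action names are matched case-insensitively; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs are matched case-sensitively with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all policies.

    Deny-overrides semantics: keep scanning after an Allow, because a later
    statement in any attached policy may still deny the request.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(policies, action, resource):
    """Convenience wrapper: True only on an explicit Allow with no explicit Deny."""
    return evaluate(policies, action, resource) == "Allow"


if __name__ == "__main__":
    role = [REPLICATION_ROLE_POLICY]
    both = [REPLICATION_ROLE_POLICY, BROAD_POLICY]
    for pols, name in ((role, "role only"), (both, "role + broad")):
        for act, res in (("s3:GetObject", "arn:aws:s3:::replica-bucket/k"),
                         ("s3:GetObject", "arn:aws:s3:::other-bucket/k"),
                         ("s3:DeleteObject", "arn:aws:s3:::replica-bucket/k")):
            print(f"{name:12} {act:16} {res:40} -> {evaluate(pols, act, res)}")
```

The point for a policy author is the last loop: attaching the broad policy widens reads on other buckets, but the replication role's explicit Deny on `s3:Delete*` still holds, so the only way to remove that guard is to edit the Deny itself, which is the behaviour to look for when reviewing role policies.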
ObjectScale supports the following types of external authentication providers:
Multiple external providers can be defined. User accounts are defined and maintained in the external provider systems.