Accounts and Users¶
Managing Accounts¶
Object Storage Accounts are a collection of containers and are typically associated with a tenant. Object Storage Account Management allows you to view/configure account properties, permissions, and storage usage, and see lists of users associated with the account.
Creating an account¶
Scope: Object Storage Administrator
When the system is first built, a default account is created, called
zios_admin. At that point only the Object Storage Admin has access
to this account. In order to provision Object Storage to customers, the
Object Storage Admin needs to create accounts.
To create additional accounts, first select the Accounts entity in the Main Navigation Panel (left panel) under Account Management, and then click the Create button in the top toolbar above the account pane.
In the dialog that opens, give a name to the new account and click Add. The new account will be added.
Note
An account name can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:
Uppercase and lowercase English letters (A-Z, a-z)
Numbers (0-9)
Period (.), underscore (_), plus (+), dash/minus (-), at (@)
An account name cannot contain spaces, other special characters, or letters from other languages.
Accounts Properties¶
Scope: Object Storage Administrator, Account Administrator
Properties - the following account properties are displayed in the account pane in the Account Management > Account view.
Note
Parameters marked with (*) in the table below are only available to Object Storage Administrators.
| Property | Description |
|---|---|
| ID | An internally assigned unique ID |
| Name | The name of the account |
| Status (*) | Normal / Deleting / Deleted, awaiting cleanup |
| Enabled (*) | Yes/No |
| Public URL | The URL that identifies this account. To be used by the REST API |
| Containers | Number of containers in the selected account |
| Objects | Number of objects stored in the selected account |
| Used Capacity | Amount of written data in the account |
| Policies | Show statistics per each policy (e.g. 2-way protection) used by this account. Details include: Containers: Number of containers this account keeps in this policy; Objects: Number of objects this account keeps in this policy; Used Capacity: Capacity consumed by this account, kept in this policy |
Permissions - account permissions are displayed in the details pane, permission tab in the Account Management > Account view. For more information on account permissions, see Setting Account Permissions.
Users - lists of users per account are displayed in the users pane in the Account Management > Users view, and in the Users tab in the Account Management > Account view.
Capacity Metering - provides live metering of the capacity usage associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.
The following charts are displayed:
| Chart | Description |
|---|---|
| Used Capacity | Total storage capacity consumed in the selected account |
| Containers | Total number of containers belonging to the selected account, by storage policy |
| Objects | Total number of objects belonging to the selected account, by storage policy |
Frontend Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.
The following charts are displayed:
| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Bandwidth (MB/s) | Total throughput (in MB) of read and write commands issued to the proxy for the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Account Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.
The following charts are displayed:
| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Container Metering - provides live metering of the IO workload at the Object Storage frontend associated with the selected account.
The charts display the metering data as it was captured in the past 20 intervals. An interval length can be one of the following: 10 seconds, 1 minute, 10 minutes, 1 hour, 1 day, or 1 week. The Refresh button forces a refresh of the data displayed in the graphs. The Auto button lets you see continuously updating live metering information.
The following charts are displayed:
| Chart | Description |
|---|---|
| Throughput (OP/s) | The number of operations (PUT/GET/DELETE) issued to objects that belong to the selected account. |
| Latency (ms) | Average response time of all operations (PUT/GET/DELETE) issued to objects of the selected account per selected interval. |
Account Quota Management¶
Version: 23.09
Scope: Object Storage Administrator, Account Administrator
Quotas are a useful way to control capacity consumption on a specific account or container.
Capacity quotas can be set:
Per container by the Account Administrator
Globally per account by the Object Storage Administrator
Note
The sum of the actual usage capacities of all the containers in an account is tracked, so that cumulatively they do not exceed the account’s quota.
For purposes such as future planning, it is also possible to specify container quotas such that their sum or even an individual container’s quota can be higher than the account quota. Although it is possible to specify higher quotas at container level, the system will prevent consumption of extra storage when the account quota has been reached.
Configurations are available for alert notifications when the quota’s warning, emergency and 100% utilization thresholds are reached:
Quota alerts to Object Storage Administrator: see Quota Alerts on the Settings page.
Quota alerts to Account Administrator: see Account Administrator Quota Alerts.
Note
Once enabled, it will take up to 10 minutes for the quota management to be activated.
Account Level Quota Management¶
Scope: Object Storage Administrator
Navigate to Account Management > Accounts.
In the top pane select the desired account, and open the Quotas tab in the bottom Details pane.
Mark the Enable capacity quota checkbox.
Enter the Capacity (GiB) quota. The minimum is 1 GiB.
Click Update.
Note
When the quota is enabled, the actual Used capacity (GiB) also displays in the same tab.
In the Account Management > Accounts > Quotas tab, an Account Administrator cannot configure the account’s capacity quota, but can view:
Whether the capacity quota feature is enabled or disabled for the account.
If enabled, the capacity quota and used capacity amounts.
Account Administrator Quota Alerts¶
Scope: Account Administrator
Quota alerts to the Object Storage Administrator are configured in the account’s Settings. See Quota Alerts on the Settings page.
By default, alert notifications are not sent to the Account Administrator.
To configure the system to issue alert notifications to the Account Administrator when the quota’s warning, emergency and 100% utilization thresholds are reached:
Navigate to Account Management > Accounts.
In the bottom account details pane, open the Quota Alerts tab.
Mark the Notify the account administrator(s) with quota alerts checkbox.
Select the Alert frequency option to determine notification repetition on reaching a quota alert threshold:
Single alert (default): a single notification, without further repetition, when the usage capacity reaches the threshold.
Once a day: repeat the notification alert once a day, for as long as the usage capacity reaches the threshold.
Click Update.
Deleting an account¶
Scope: Object Storage Administrator
To delete an account, navigate to Account Management > Account, select the account to be deleted, and click Delete in the top toolbar.
Note
Deleting an account is an irreversible operation, and requires double confirmation.
Once an account is deleted, all account user data is removed. However, account billing information still exists in the system for usage report generation. Click Cleanup in the top toolbar to completely remove it from the system.
Disabling an account¶
Scope: Object Storage Administrator
To disable an account, navigate to Account Management > Account, select the account to be disabled, and click Disable in the top toolbar.
Note
Once an account is disabled, the account is no longer available for read or write operations. However, Object Storage maintains the account entities (users, access rights, etc.), as well as all the containers and objects.
Self Service Account Creation¶
Scope: Account Administrator
In addition to the creation of a new account by the Object Storage administrator as described in Creating an account, a user can be given permission to create their own account. In this case, the user requests creation of a new account via a provided URL. The Object Storage Admin receives the request and must then approve it. The account is then created, and the user who initiated the request is set as the Account Administrator.
The detailed procedure for account self-creation is as follows:
Use the GUI URL received from Object Storage Admin to access the login screen.
On the login screen, click Create new account. In the overlay that displays, enter the following information:
Name for the new account
Your username as the Account Admin
Your email address
Select a password
Note
While the account name and the username for a given user are unique across the Object Storage, the same email address can be used for multiple users. This is useful in cases where the same entity needs visibility into more than a single account.
Click Create Account. This will create an account creation request that will go to the Object Storage Admin for approval. Once approved, you will automatically become the Account Admin of your new account.
The user initiating the request will receive an automated email response confirming the request.
The Object Storage Admin will receive an email informing about the pending request.
The Object Storage Admin should open the GUI, select Users in the Main Navigation Panel (Left Panel) under Account Management, select the pending account request, and either Approve or Deny it.
Upon approval, the new account will be created, the account admin will be defined with the given credentials, and receive an email notification with the following information:
Object Storage Account Management & Console URL
Object Storage API Endpoint URL
Account Name
User Name
Managing Users¶
Understanding User Roles¶
The Object Storage supports the following roles:
Object Storage Admin - responsible for the administration of the Object Storage. This is the user that created the VPSA Object in the Zadara Provisioning Portal.
Object Storage Admin - Read Only - dedicated read-only role for cross-account monitoring and reporting purposes. The Read-Only role is available for the zios_admin account only. Read-Only users will have access to the Object Storage REST API; however, they will not have data access. The user role is designated for monitoring and reporting purposes, such as:
Performance monitoring
Capacity monitoring
Usage reports and billing automation
Account Administrators - responsible for the administration of their accounts.
Account Member - can perform Object Storage operations according to the given permissions within the limits of that account.
User Information¶
Information about the logged-in user of the current session is displayed by clicking the user name in the upper right corner of the GUI.
Some of the displayed properties have optional actions associated with them, such as viewing, copying and resetting passwords.
The following user properties are displayed:
| Property | Description |
|---|---|
| Account Information | |
| Username | The login ID of the User |
| User’s email address | |
| Account | The account where the user belongs |
| User ID | An internally assigned unique ID |
| Account ID | An internally assigned unique ID |
| Dual Factor Authentication | Indicates if this user has dual factor authentication activated. Option to activate/deactivate dual factor authentication. |
| Authentication | |
| S3 Access Key | To be used by client using the S3 interface. Option to copy the access key to the clipboard. |
| S3 Secret Key | To be used by client using the S3 interface. Options to view the key, copy it to the clipboard, or reset it. |
| Region | Region name |
| API Token | Token to be used for authentication by the REST API. The token expires in 24 hours. Good practice is for every script to start with a new token (see the API guide: http://zios-api.zadarastorage.com). Options to view the token, copy it to the clipboard, or reset it. |
| Connectivity - Front End Network | |
| API Endpoint | The effective Front End private address for REST API for all IO requests |
| V3 Auth Endpoint | The effective Front End private address for REST API auth requests |
| Account URL | The Front End private network URL that identifies this user’s account. To be used by the REST API. |
| Connectivity - Public Network | |
| Public IP | Public IP of the Object Storage (see: Assigning Public IPs) |
| Public API endpoint | The public address for REST API for all IO requests |
| Public V3 Auth Endpoint | The public address for REST API auth requests |
| Public Account URL | The public network URL that identifies this user’s account. To be used by the REST API |
Note
Connected users can reset their Object Storage Access/Secret keys. The existing access and secret keys will be revoked.
Creating a User¶
Scope: Object Storage Administrator, Account Administrator
To create a new user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the top toolbar on the Users pane, click Create.
In the Add User dialog which opens, enter the following:
Username
A Username can comprise only the following characters, or any combination of them up to a maximum of 128 characters in length:
Uppercase and lowercase English letters (A-Z, a-z)
Numbers (0-9)
Period (.), underscore (_), plus (+), dash/minus (-), at (@)
A Username cannot contain spaces, other special characters, or letters from other languages.
Email
Role
Note
Everything an Account Admin does is within the context of that Account. So, when an Account Admin creates users, there is no need to select an Account.
Note
Users with Object Storage Admin role can only be created in the zios_admin account.
Selecting the admin role displays the Notify on Events checkbox. When the Notify on Events checkbox is marked, the Minimum Severity Level dropdown displays. Object Storage Administrators will receive notifications on tickets generated by system events, at the specified severity level or higher. Ticket severity levels are not related to Events Log severity levels.
Click Add User. The new user will receive an email with the following information:
Object Storage Account Management & Console URL
Object Storage API Endpoint URL
Account Name
User Name
Assigned User Role
Temporary Password
Note
The new user should use the temporary password for the first login, and then change the password after logging on.
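The naming rule given above for account names (Creating an account) and for usernames can be checked before a name is submitted, for example when screening a provisioning list. The following is an added example, not Zadara code; the function names are hypothetical, the sample names are constructed, and rejecting an empty name is an assumption because the page states no minimum length.

```python
import unicodedata

MAX_LEN = 128                          # maximum length stated in the naming rule
ALLOWED_SYMBOLS = frozenset("._+-@")   # period, underscore, plus, dash/minus, at


def name_problems(name):
    """Return the reasons why `name` breaks the naming rule (empty list = OK)."""
    problems = []
    if not name:
        # Assumption: an empty name is rejected; the page gives no minimum length.
        problems.append("name is empty")
    if len(name) > MAX_LEN:
        problems.append(f"length {len(name)} exceeds {MAX_LEN} characters")
    for pos, ch in enumerate(name):
        if (ch.isascii() and ch.isalnum()) or ch in ALLOWED_SYMBOLS:
            continue
        if ch.isspace():
            kind = "whitespace"
        elif ch.isalpha() or ch.isnumeric():
            # Letters or digits outside A-Z, a-z, 0-9, including look-alikes
            kind = "non-English letter or digit"
        elif unicodedata.category(ch).startswith("C"):
            kind = "control or invisible character"
        else:
            kind = "special character"
        label = unicodedata.name(ch, "unnamed")
        problems.append(f"position {pos}: {kind} U+{ord(ch):04X} ({label})")
    return problems


def screen(names):
    """Split candidates into accepted names and {rejected name: problems}."""
    accepted, rejected = [], {}
    for name in names:
        problems = name_problems(name)
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed candidate names for illustration.
    candidates = [
        "backup-svc_01@example.com",   # valid
        "j doe",                       # contains a space
        "\u0430dmin",                  # first letter is Cyrillic, not Latin "a"
        "ops/team",                    # "/" is not in the allowed set
        "team\u200bA",                 # contains a zero-width space
        "x" * 129,                     # one character too long
    ]
    ok, bad = screen(candidates)
    print("accepted:", ok)
    for name, problems in bad.items():
        print(f"rejected {name!r}:")
        for problem in problems:
            print("   ", problem)
```

Reporting the code point and Unicode name makes look-alike characters visible, which a plain pass/fail check would hide.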
Viewing Users Properties¶
Scope: Object Storage Administrator, Account Administrator
To view user properties in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users. User properties are displayed in the top pane of the console.
To view additional properties in the lower details pane, select a single user from the displayed list in the top pane.
The following user properties are displayed:
| Property | Description |
|---|---|
| Name | The login ID of the User |
| User’s email address | |
| ID | An internally assigned unique ID |
| Account Name | The account where the user belongs |
| Account ID | An internally assigned unique ID |
| Role | Object Storage Admin, Account Admin, Member |
| Locked | Indicates if the user is locked and blocked from access |
| Notify on Events | Object Storage Administrator can activate or deactivate notifications to themselves on tickets generated by system events at a specified severity level or higher. Ticket severity levels are not related to Events Log severity levels. |
| Dual Factor Authentication | Indication if this user has dual factor authentication activated |
| Enabled | User is active or not. A disabled user can’t login and can’t perform any operation. |
Deleting users¶
Scope: Object Storage Administrator, Account Administrator
To delete a user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be deleted and click Delete from the top toolbar.
In the Confirm Deletion dialog which opens, click Yes. Note that the deletion process may take a few minutes.
Disabling/Enabling users¶
Scope: Object Storage Administrator, Account Administrator
A disabled user cannot log in to the GUI or perform any operation via the REST API. However, the system remembers the user with all the properties and permissions. Once users are enabled, they can resume operations as before.
To disable a user in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user to be disabled and click Disable from the top toolbar.
In the Confirm Action dialog which opens, click Yes. Note that the process may take a few minutes.
Note
To enable a user who has been disabled, repeat the process above and select Enable from the toolbar instead of Disable.
Reset password¶
Scope: Object Storage Administrator, Account Administrator
Object Storage Admins and Account Admins can reset users’ passwords. When resetting a password, the user will receive an email with a temporary password that they will have to change at the next login.
To reset a user password in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose password is to be reset and click Reset Password from the top toolbar.
In the Confirm Password Reset dialog which opens, click Yes.
The user will receive an email with a temporary password.
Note
Users who have forgotten their password do not need to refer to the admin to reset their password. They can click the Forgot Password link on the login screen.
Change Role¶
Scope: Object Storage Administrator, Account Administrator
An Account Member can be changed to an Account Admin, and vice versa. Users that are members of the system zios_admin account can be promoted to Object Storage Admin only by someone who currently has the Object Storage Admin role.
To change a user role in an Object Storage account:
In the Object Storage console, navigate to Account Management > Users.
From the displayed list, select the user whose role is to be changed, and click Change Role from the top toolbar.
In the Change Role dialog which opens, enter the new user role and click Change Roles.
Dual Factor Authentication¶
It is a common practice to protect access in cases of compromised passwords. For this purpose, the Object Storage supports Dual Factor Authentication using a mobile Authenticator application. Each user can turn Dual Factor Authentication on or off. The Object Storage Admin can force Dual Factor Authentication on all users.
To use Dual Factor Authentication, install a mobile Authenticator app (e.g. Google Authenticator) from Google Play or the Apple App Store on your mobile device.
Important
If the Object Storage administrator requires Dual Factor Authentication to be set for all Object Storage accounts, all system users must enable Dual Factor Authentication for their account in the next login. This setting cannot be disabled for a specific user.
Enabling Dual Factor Authentication¶
In the Object Storage console, click the user name in the top right corner of the screen. The current user’s property details are displayed.
For Dual Factor Authentication, click Activate or Deactivate. Close the properties dialog, and log out.
The next time you log in, a confirmation screen opens with a QR code. Scan the code with your mobile device, and enter the token.
From now on, during every login, you will be asked to enter the Dual Factor Authentication token from the Authenticator app on your mobile device.
Important
The mobile device that runs the Authenticator app is needed for login. If the device is lost or replaced, the user must ask the Object Storage Admin to reset their Dual Factor Authentication settings. The Object Storage Admin must contact Zadara support to reset the Dual Factor Authentication.
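Authenticator apps such as Google Authenticator generate time-based one-time passwords (TOTP, RFC 6238) from a secret delivered in the enrollment QR code, which is why the enrolled device is needed at every login. The following is an added example, not Zadara code, of how a verifier derives and checks such a code. It assumes the standard otpauth:// URI format with default parameters (HMAC-SHA1, 6 digits, 30-second step); the URI, issuer and user label are constructed, and the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed enrollment URI of the kind an authenticator QR code encodes.
# The secret is the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_URI = (
    "otpauth://totp/ObjectStorage:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ObjectStorage"
)

_HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_enrollment(uri):
    """Extract the TOTP parameters from an otpauth:// enrollment URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].replace(" ", "").upper()
    # Authenticator secrets are usually shown without Base32 padding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226 one-time password for a single counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 code for the time step that contains Unix time `at`."""
    return hotp(key, int(at) // period, digits, algorithm)


def verify(key, code, at, window=1, last_counter=None, period=30, digits=6):
    """Return the time-step counter that `code` matches, or None.

    `window` tolerates clock drift of +/- that many steps. `last_counter` is
    the step of the last accepted code, so a captured code cannot be replayed.
    """
    current = int(at) // period
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(key, counter, digits).encode()
        # compare_digest does not leak how many digits matched through timing
        if hmac.compare_digest(expected, str(code).encode()):
            matched = counter
    if matched is None:
        return None
    if last_counter is not None and matched <= last_counter:
        return None  # same or older step than one already used: replay
    return matched


if __name__ == "__main__":
    params = parse_enrollment(SAMPLE_URI)
    now = time.time()
    code = totp(params["key"], now, params["period"], params["digits"])
    print("enrolled:", params["label"])
    print("current code:", code)
    step = verify(params["key"], code, now)
    print("accepted at step:", step)
    print("replay accepted:", verify(params["key"], code, now, last_counter=step))
```

Because the code is derived only from the shared secret and the clock, anyone holding the QR code contents can generate valid tokens, so the enrollment screen should be treated like a password.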
Enforcing Dual Factor Authentication¶
The Object Storage Admin can force Dual Factor Authentication for all users. In Settings > Security, click Edit on Dual Factor Authentication, select the checkbox and click Save. This setting change does not take effect immediately. The next time each user logs in, the Dual Factor Authentication token from the mobile device’s Authenticator app will be required.
Note
When MFA enforcement is removed, the users with Dual Factor Authentication configured are still required to use the temporary code when logging in. However, each user can change their settings in the user properties as described above.
Unified Identity¶
Version: 25.07
Scope: Object Storage Administrator
Managing separate identities across multiple Object Storage instances can lead to fragmented access control and operational complexity.
Zadara Object Storage’s Unified Identity consolidates multiple identities, authentication and user access into a single, cohesive system across multiple Object Storage instances. By implementing Unified Identity, organizations can reduce the complexity of managing multiple accounts and passwords, while also improving security and the user sign-on experience.
Unified Identity addresses this by enabling identity replication between instances, allowing users to access all linked Object Storage instances with a single set of credentials.
Unified Identity operates on an Active instance that replicates identity data such as accounts, users and credentials, to one or more Standby instances.
A Unified Identity Object Storage instance must be configured to fulfil one role:
Active Instance: An Object Storage instance that acts as the identity authority, managing automatic replication and propagation of identity data changes such as additions, modifications and deletions, to Standby instances.
Standby Instance: An Object Storage instance enabling seamless user access, based on identity data synchronized from the Active instance.
Note
A Standby instance is a regular instance for all Object Storage purposes and functionality, except for the identity data which is managed solely on the Active instance.
Unified Identity constitutes a centralized identity management system while maintaining flexibility for distributed deployments.
Note
The initial Version: 25.07 Unified Identity implementation limits the configuration to a single Standby instance per Active instance.
Replication is unidirectional, from the Active instance to the Standby instance.
Although Unified Identity replicates accounts and users from the Active NGOS to the Standby NGOS, it does not replicate the account level ACLs.
Transitioning an Object Storage’s role from Standby to Active requires manual intervention.
During activation of the Unified Identity feature on Active and Standby instances, the Object Storage UI is not accessible for a few minutes.
To facilitate communication between the Active and Standby Object Storage instances during scenarios like registration, promotion, upgrade and reboot, a Witness service runs on an Identity Witness Server. The Witness service cannot run on the same server as either the Active or Standby Object Storage instances. The Identity Witness Server is an external, lightweight server used for quorum detection to help prevent split-brain scenarios when the Active and Standby Object Storage instances lose connectivity.
Caution
Unified Identity can be implemented on all existing Object Storage instances, after they are upgraded to a version supporting this feature.
Any Object Storage instance can be configured as an Active instance, and it will retain its identity data.
However, it should also be taken into consideration that configuring an existing instance as a Standby instance will cause it to inherit the identity data from its Active instance, resulting in the loss of all of its own original account and container information.
It is recommended to use a new Object Storage instance for Standby.
Enabling Unified Identity¶
Since user sign-on is at Object Storage instance level, the Unified Identity feature is also configured at Object Storage instance level.
By default, Unified Identity is disabled.
Unified Identity must be enabled separately on both the Active and Standby instances.
Prerequisites for Unified Identity¶
A Zadara Object Storage instance designated as the Active Instance, with administrator access to the instance’s UI.
A Zadara Object Storage instance designated as the Standby Instance, with administrator access to the instance’s UI.
Network connectivity between the Active and Standby instances, via FQDN.
An Identity Witness Server: A lightweight server that is external to both the Active and Standby instances.
Contact Zadara Support for the Identity Witness Server details.
Configuring a Unified Identity Active Instance¶
A Unified Identity Active Instance is an Object Storage instance that is configured to act as the identity authority, managing automatic replication and propagation of identity data changes to any instance registered to it as a Standby instance.
To configure an Object Storage instance as a Unified Identity Active Instance:
In the Object Storage UI’s left navigation tree, go to Settings, and open the Security tab.
Configure the Identity Witness Server:
On Identity Witness Server, click Edit.
The Identity Witness Server section expands, displaying its configuration.
Enter the Identity Witness Server parameters, as supplied by Zadara Support:
IP/DNS Name: The Identity Witness Server’s IP address or DNS Name.
Connect via:
From the dropdown, select the relevant network option:
Front End
Outnet
Click Save.
Connectivity to the Identity Witness Server is checked and verified.
Failure to connect to the Identity Witness Server must be resolved in order to enable Unified Identity on the Object Storage instance.
Configure the Active instance:
On Unified Identity, click Edit.
The Unified Identity section expands, displaying its configuration.
Click the Unified Identity toggle to On.
Select Active to designate this Object Storage instance as the primary identity source.
Changes to identity data in this instance are propagated to the Standby instance.
Add connectivity details of the Standby instance that is synchronized with identity data from this Active instance.
Note
The initial Version: 25.07 Unified Identity implementation limits the configuration to a single Standby instance per Active instance.
In the Members Table:
Add Member: Enter the FQDN of the Standby instance, and click Add.
The Standby instance is added to the Members Table, with its initial State set at Pending Registration. During the registration process, a connectivity test checks that the new Standby member is reachable.
Note
Failure to connect to the new Standby instance displays the error message Add USO Standby Node Failed. Retry later.
A Standby instance entry in the Members table can be deleted while its State value is Pending Registration.
Click Show Credentials to display the Unified Access credentials.
Take a note of these credentials. They will be required for Registering a Unified Identity Standby Instance.
Click Save.
Deleting a Unified Identity Standby instance from the Members Table¶
A Standby instance entry can be deleted from the Active instance’s Members Table only when its status in the Members Table is Pending.
The Pending status indicates that the Standby instance has been entered in the Members Table, but on its own Object Storage instance, the Unified Identity configurations have not yet been set, and it is not yet being synchronized with identity data from the Active instance.
To delete a Standby instance from the Active instance’s Members Table:
In the Active instance’s UI left navigation tree, go to Settings, and open the Security tab.
On Unified Identity, click Edit.
The Unified Identity section expands, displaying its configuration.
In the Members Table, click Delete on the Standby instance’s entry.
Click Save.
Registering a Unified Identity Standby Instance¶
A Standby instance hosts a replica of the Active instance’s identity data, that is synchronized with changes in the Active instance’s identity data.
To configure an Object Storage instance as a Unified Identity Standby Instance:
In the Object Storage UI’s left navigation tree, go to Settings, and open the Security tab.
Configure the Identity Witness Server:
On Identity Witness Server, click Edit.
The Identity Witness Server section expands, displaying its configuration.
Enter the Identity Witness Server parameters, as supplied by Zadara Support:
IP/DNS Name: The Identity Witness Server’s IP address or DNS Name.
Click Save.
Connectivity to the Identity Witness Server is checked and verified.
Failure to connect to the Identity Witness Server must be resolved in order to enable Unified Identity on the Object Storage instance.
Configure the Standby instance:
On Unified Identity, click Edit.
The Unified Identity section expands, displaying its configuration.
Click the Unified Identity toggle to On.
Select Standby to designate this Object Storage instance as an instance that hosts a synchronized replica of the Active instance’s identity data.
Enter the connectivity details of the Active Object Storage instance, that manages the source identity data synchronized to this Standby instance:
FQDN of Remote Object Storage: The Active Object Storage instance’s FQDN.
Active node Access Key: The Access Key displayed in Settings > Security > Unified Identity > Show Credentials of the associated Active instance.
Active node Secret Key: The Secret Key displayed in Settings > Security > Unified Identity > Show Credentials of the associated Active instance.
Connect via:
From the dropdown, select the relevant network option:
Front End
Outnet
Click Test connection to confirm connectivity to the Active instance with the configured settings.
Click Save.
In the Active instance’s Unified Identity Members Table, the Standby instance’s State transitions from Pending Registration to Normal.
On later sign-ons to the Standby instance’s UI, a red top banner indicates that the instance is a Standby instance, and that account and user management operations are permitted only on the Active instance.
Viewing the Unified Identity Status¶
The configurations in both the Active and Standby Object Storage instances indicate whether Unified Identity is functioning correctly:
In the Object Storage UI’s left navigation tree of both the Active and Standby Object Storage instances, go to Settings, and open the Security tab.
Identity Witness Server: In the contracted view, the display shows:
Witness Server address
Witness Server Status and Last sync date and time.
Unified Identity: In the contracted view, the display shows:
Enabled or Disabled.
When Enabled, the following information is also displayed:
Active or Standby, indicating the instance’s role.
State: Normal indicates correct functioning.
For any other State value that persists, contact Zadara Support.
The Standby instance also displays the Replication lag in seconds.
This indicates the delay between when an identity data change is made on the Active instance and when that change is reflected on the Standby instance.
Disabling Unified Identity¶
Disabling Unified Identity in an orderly manner involves the following flow:
Disabling Unified Identity on a Standby instance¶
Caution
After disabling Unified Identity on a Standby instance, that Object Storage instance cannot be registered again as a Standby instance for Unified Identity, either on the original Active instance or on a new Active instance.
To disable Unified Identity on a Standby instance:
In the Standby instance’s UI left navigation tree, go to Settings, and open the Security tab.
On Unified Identity, click Edit.
The Unified Identity section expands, displaying its configuration.
Click the Unified Identity toggle to Off.
Click Save.
Click Close on the expanded Unified Identity section.
The status should appear as Disabled.
The Events Log should have an entry stating “Successfully detached the local node from the USO cluster.”
In the Active instance’s Members Table, the disabled Standby instance’s State will change to detached. After a few minutes, the detached Standby instance will automatically be removed from the Active instance’s Unified Identity Members Table.
Disabling Unified Identity on an Active instance¶
Note
Unified Identity can be disabled on an Active instance when there are no Standby members in its Members Table, or if all Standby members are in the detached State.
To disable Unified Identity on an Active instance:
In the Active instance’s UI left navigation tree, go to Settings, and open the Security tab.
On Unified Identity, click Edit.
The Unified Identity section expands, displaying its configuration.
Click the Unified Identity toggle to Off.
Click Save.
Click Close on the expanded Unified Identity section.
The status should appear as Disabled.
The Events Log should have an entry stating “Successfully detached the local node from the USO cluster.”