
OceanStor 9000 V300R006C00 Object Storage Service (Compatible with OpenStack Swift APIs) Administrator Guide 07

Configuring Access Security Policies

Access security policies of the object storage service include the IP Account policy, the Account policy, and the IP access policy.

Context

  • An Object Storage Controller (OSC) is an access point for object storage service. It provides an object storage service API. The OSC processes requests initiated by clients and sets up object transmission channels to implement access control over requests initiated by the clients. In addition, it manages metadata, collects information about user traffic and operations, and provides functions such as data routing, striping, and slicing.
  • A Provisioning Orchestration Engine (POE) implements user management, including subscriber creation, subscribers' service suspension and resumption, subscriber deletion, and service subscription.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Object Storage Settings > Secure Access Policy.
  3. Choose the secure access policies you want to enable and set the parameters as shown in Figure 12-1.

    Figure 12-1  Secure Access Policy
    • To implement suspension for a specific account and a specific IP address, select Enable the IP Account Policy.

      Within a statistical period, if the number of access failures for an account from a specific IP address is greater than the threshold for access failures, and the percentage of access failures out of the total number of access attempts is greater than the threshold for the access failure rate, service is denied for that account and IP address.

    • To implement suspension for a specific Account, select Enable the Account Policy.

      Within a statistical period, if the number of access failures for an account is greater than the threshold for access failures, and the percentage of access failures out of the total number of access attempts is greater than the threshold for the access failure rate, service is denied for the account. If the account is shared by multiple users, the suspension is still triggered, and the other users of the account cannot access the service during the suspension.

    • To implement suspension for a specific IP address, select Enable the IP Access Policy.

      Within a statistical period, if the number of access failures related to an IP address is greater than or equal to the threshold for access failures, and the percentage of the number of access failures to the total number of access attempts is greater than or equal to the threshold for the access failure rate, service denial is implemented for the IP address.

    NOTE:

    When IP Account Policy, Account Policy, and IP Access Policy are all selected, the policies are independent of each other.

    Table 12-4 describes the parameters.

    Table 12-4  Parameters for secure access policies

    Policy: IP Account Policy, Account Policy, IP Access Policy

    | Parameter | Description | Value range | Default value |
    | --- | --- | --- | --- |
    | Statistical Time Interval (seconds) | Interval for counting the number of system access failures for users based on the Account, the user access IP address, or a combination of the Account and user access IP address. See the conditions and the duration formula below the table. | 1-300 | 1 |
    | Service Denial Time Baseline (minutes) | Time baseline for OceanStor 9000 to deny services. | 1-30 | 1 |
    | Threshold for Access Failures | Maximum allowed number of a user's access failures. | 1-999999999 | 10 |
    | Threshold for Access Failure Rate (%) | Maximum allowed percentage of the number of access failures to the total number of access attempts by a user. | 1-99 | 90 |

    Description of Statistical Time Interval, continued:

    • Services for an Account and IP address will be denied simultaneously if the number of access failures for both the Account and the IP address is greater than or equal to the threshold and the rate of access failures to the total number of access attempts is greater than or equal to the threshold in the statistical period.
    • Services for an Account will be denied if the number of Account access failures is greater than or equal to the threshold and the rate of access failures to the total number of access attempts is greater than or equal to the threshold in the statistical period.
    • Services for an IP address will be denied if the number of IP address access failures is greater than or equal to the threshold and the rate of access failures to the total number of access attempts is greater than or equal to the threshold in the statistical period.

    Service denial duration = (Number of access failures/Threshold) × (Service denial time baseline). The service denial duration must not exceed 30 minutes. The value of Number of access failures/Threshold is rounded down.

  4. Click Save and then click OK.
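
The following model is an added example, not Huawei code, for checking candidate parameter values before saving them: it applies the failure-count and failure-rate conditions and the denial-duration formula from Table 12-4 to the access records of one statistical period. The record format, the names and the sample data are constructed for illustration, and the comparison is assumed to be "greater than or equal to", as the table words it.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DENIAL_MINUTES = 30  # the page caps service denial at 30 minutes


@dataclass
class PolicyParams:
    # Defaults are the default values listed in Table 12-4.
    baseline_min: int = 1      # Service Denial Time Baseline (minutes)
    fail_threshold: int = 10   # Threshold for Access Failures
    fail_rate_pct: int = 90    # Threshold for Access Failure Rate (%)


def denial_minutes(failures, total, p):
    """Denial duration in minutes for one counter, or 0 if not triggered."""
    # Both conditions must hold (assumption: >=, as worded in Table 12-4).
    if failures < p.fail_threshold or failures * 100 < p.fail_rate_pct * total:
        return 0
    # floor(failures / threshold) x baseline, capped at 30 minutes.
    return min((failures // p.fail_threshold) * p.baseline_min, MAX_DENIAL_MINUTES)


def evaluate(records, p):
    """records: (account, ip, succeeded) tuples from ONE statistical period.
    Returns {policy: {key: minutes}} for the keys that would be denied."""
    counters = {n: defaultdict(lambda: [0, 0]) for n in ("ip_account", "account", "ip")}
    for account, ip, ok in records:
        keys = {"ip_account": (account, ip), "account": account, "ip": ip}
        for name, key in keys.items():
            counters[name][key][0] += 0 if ok else 1   # failures
            counters[name][key][1] += 1                # total attempts
    denied = {}
    for name, table in counters.items():  # each policy is judged independently
        denied[name] = {}
        for key, (failures, total) in table.items():
            minutes = denial_minutes(failures, total, p)
            if minutes:
                denied[name][key] = minutes
    return denied


# Constructed sample: one client keeps failing on a shared account.
SAMPLE = (
    [("acct-a", "192.0.2.10", False)] * 25   # misconfigured client, all failures
    + [("acct-a", "192.0.2.20", True)] * 2   # second user of the same account
    + [("acct-b", "192.0.2.10", True)] * 5   # other account behind the same IP
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, PolicyParams()))
```

With the default values, the account/IP pair and the whole account `acct-a` are each denied for 2 minutes, so the second user of the shared account is locked out as well. The IP address alone is not denied, because its failure rate (25 of 30 attempts) stays below 90%.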
Updated: 2019-04-28

Document ID: EDOC1000122524
