Identity and Access Management
AIStor Key Manager uses a Policy-Based Access Control (PBAC) system where each user ‘identity’ has a corresponding attached ‘policy’. A policy controls what operations the identity can perform within a given enclave.
Identities
Key Manager provides three classes of user privilege by default:
root or superadmin: full access to all operations (read, write, delete) within all enclaves, plus cluster management.
admin: full access to all operations (read, write, delete) within an enclave.
user: limited, policy-controlled access to operations (read) within an enclave. Users with no policy attached cannot perform any operations.
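The three privilege classes above amount to a default-deny authorization check scoped by enclave. The following is an added illustration of that model, not Key Manager's own code or policy format: the role names, the Op enum, and the representation of a user policy as a set of permitted operations are simplifying assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Op(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    CLUSTER_ADMIN = "cluster-admin"  # cluster management, reserved for root


# Operations that happen inside an enclave (as opposed to cluster management)
ENCLAVE_OPS = {Op.READ, Op.WRITE, Op.DELETE}


@dataclass(frozen=True)
class Identity:
    name: str
    role: str                        # "root", "admin" or "user" (assumed labels)
    enclave: Optional[str] = None    # the enclave an admin or user belongs to
    # Hypothetical simplified policy: the set of operations a user may perform.
    # An empty set models a user with no policy attached.
    policy: FrozenSet[Op] = frozenset()


def authorize(identity: Identity, op: Op, enclave: Optional[str] = None) -> bool:
    """Default-deny check modelled on the three privilege classes."""
    if identity.role == "root":
        # root/superadmin: every operation in every enclave, plus cluster management
        return True
    if op not in ENCLAVE_OPS:
        return False  # only root performs cluster management
    if enclave is None or enclave != identity.enclave:
        return False  # admin and user are confined to their own enclave
    if identity.role == "admin":
        return True   # full read/write/delete within that enclave
    if identity.role == "user":
        return op in identity.policy  # no policy -> nothing is permitted
    return False      # unknown role: deny


# Constructed sample identities
ROOT = Identity("root", "root")
ADMIN = Identity("alice", "admin", enclave="prod")
READER = Identity("bob", "user", enclave="prod", policy=frozenset({Op.READ}))
NO_POLICY = Identity("carol", "user", enclave="prod")
```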
Root or superadmin access
Without an explicit root or superadmin identity, the Key Manager uses the configured HSM to generate an API key for the purpose of performing client operations against the cluster.
Key Manager prints the superadmin API key to the system log at startup.
You can retrieve the key by reviewing the system logs with the journalctl utility:
journalctl -u minkms -g "API Key" -o cat --output-fields "MESSAGE"
The k1:-prefixed value is the API key to use when performing client operations.