{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"d3902611-f932-4f43-9122-7c8b179a407b"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"86a6f59b-76e1-4545-9f65-86eb45229b1f"}},{"type":"paragraph","content":[{"text":"This page describes how a system administrator can configure a SciDB cluster for secure operation. After security mode is enabled, users must take additional steps to authenticate themselves. See ","type":"text"},{"text":"Using iquery in Security Mode","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395882782"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Supported Security Modes","type":"text"}]},{"type":"paragraph","content":[{"text":"SciDB supports three security modes:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"trust ","type":"text","marks":[{"type":"em"}]},{"text":"mode means that security features are disabled. This is the default mode.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"password ","type":"text","marks":[{"type":"em"}]},{"text":"mode enables security features, including user accounts. User account and password information is stored in the SciDB-internal metadata catalogue.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"pam ","type":"text","marks":[{"type":"em"}]},{"text":"mode enables security features, including user accounts. SciDB accesses user account and password information via the pluggable authentication modules (","type":"text"},{"text":"PAM","type":"text","marks":[{"type":"link","attrs":{"href":"http://linux-pam.org/"}}]},{"text":") client library.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"SEO: namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ffffff"}}]}]},{"type":"paragraph","content":[{"text":"Collectively, ","type":"text"},{"text":"password ","type":"text","marks":[{"type":"em"}]},{"text":"and ","type":"text"},{"text":"pam ","type":"text","marks":[{"type":"em"}]},{"text":"modes are sometimes referred to as ","type":"text"},{"text":"namespaces mode","type":"text","marks":[{"type":"em"}]},{"text":", because the namespace protection domains can only be used in these modes.","type":"text"}]},{"type":"paragraph","content":[{"text":"SEO: namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces namespaces ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ffffff"}}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Configuring SciDB as a PAM Client","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395883017"}}]},{"text":" covers additional configuration steps for using SciDB with external authentication services. These steps are only needed if you select ","type":"text"},{"text":"pam ","type":"text","marks":[{"type":"em"}]},{"text":"mode.","type":"text"}]}]},{"type":"paragraph"},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"In release 19 and earlier, ","type":"text"},{"text":"password ","type":"text","marks":[{"type":"em"}]},{"text":"mode stores unsalted password hashes. This issue will be addressed in a future release. If this is a problem see ","type":"text"},{"text":"Configuring SciDB as a PAM Client","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395883017"}}]},{"text":".","type":"text"}]}]},{"type":"paragraph"},{"type":"panel","attrs":{"panelType":"error"},"content":[{"type":"paragraph","content":[{"text":"This assumes you have scidb running as a service. See ","type":"text"},{"text":"Running SciDB","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395882682"}}]},{"text":".","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Entering ","type":"text"},{"text":"password ","type":"text","marks":[{"type":"em"}]},{"text":"Or ","type":"text"},{"text":"pam ","type":"text","marks":[{"type":"em"}]},{"text":"Mode","type":"text"}]},{"type":"paragraph","content":[{"text":"To enable namespaces mode, do the following:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Load the namespaces library.","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ iquery -aq \"load_library('namespaces')\"","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Stop the SciDB cluster.","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config stop-server ","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Edit the cluster configuration file and set the ","type":"text"},{"text":"security","type":"text","marks":[{"type":"strong"}]},{"text":" parameter to either ","type":"text"},{"text":"password","type":"text","marks":[{"type":"strong"}]},{"text":" or ","type":"text"},{"text":"pam","type":"text","marks":[{"type":"strong"}]},{"text":". See ","type":"text"},{"text":"Configuring SciDB","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395882557"}}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Unregister the cluster by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config unregister-service ","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Reregister the cluster by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config register-service ","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set up the initial authentication credentials. (This step should only be needed if ","type":"text"},{"text":"$HOME/.config/scidb/iquery.auth","type":"text","marks":[{"type":"code"}]},{"text":" does not yet exist. See ","type":"text"},{"text":"Using iquery in Security Mode","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395882782"}}]},{"text":".)","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ echo '{\"user-name\": \"scidbadmin\", \"user-password\": \"Paradigm4\"}' > $HOME/.config/scidb/iquery.auth\n$ chmod 600 $HOME/.config/scidb/iquery.auth","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart SciDB by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config start-server ","type":"text"}]},{"type":"paragraph"}]}]},{"type":"paragraph","content":[{"text":"This process enables the chosen security mode on all servers in the cluster. You can now create and manage user accounts in the SciDB cluster.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you set ","type":"text"},{"text":"security=pam","type":"text","marks":[{"type":"strong"}]},{"text":" in the ","type":"text"},{"text":"config.ini ","type":"text","marks":[{"type":"em"}]},{"text":"file, read ","type":"text"},{"text":"Configuring SciDB as a PAM Client","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395883017"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Reverting To ","type":"text"},{"text":"trust ","type":"text","marks":[{"type":"em"}]},{"text":"Mode","type":"text"}]},{"type":"paragraph","content":[{"text":"In rare circumstances you may wish to revert a SciDB cluster back to ","type":"text"},{"text":"trust ","type":"text","marks":[{"type":"em"}]},{"text":"mode from one of the namespace modes.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"When a cluster reverts to ","type":"text"},{"text":"trust ","type":"text","marks":[{"type":"em"}]},{"text":"mode, array data stored in non-public namespaces is no longer accessible but still occupies storage space. Before reverting to ","type":"text"},{"text":"trust ","type":"text","marks":[{"type":"em"}]},{"text":"mode, move any array data you wish to save to the public namespace, and remove any remaining arrays in private namespaces.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you revert to ","type":"text"},{"text":"trust","type":"text","marks":[{"type":"em"}]},{"text":" mode and then return to either ","type":"text"},{"text":"password ","type":"text","marks":[{"type":"em"}]},{"text":"or ","type":"text"},{"text":"pam ","type":"text","marks":[{"type":"em"}]},{"text":"mode, array data in private non-public namespaces will become accessible again. However, this procedure is ","type":"text"},{"text":"not ","type":"text","marks":[{"type":"em"}]},{"text":"recommended.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"If you want to switch back to ","type":"text"},{"text":"trust","type":"text","marks":[{"type":"em"}]},{"text":" mode, do the following:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Unload the namespaces library by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ iquery -aq \"unload_library('namespaces')\" ","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Stop the SciDB cluster by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config stop-server ","type":"text"}]},{"type":"paragraph"}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Edit the cluster configuration file and set the parameter ","type":"text"},{"text":"security=trust","type":"text","marks":[{"type":"strong"}]},{"text":". See ","type":"text"},{"text":"Configuring SciDB","type":"text","marks":[{"type":"link","attrs":{"href":"https://paradigm4.atlassian.net/wiki/spaces/scidb/pages/3395882557"}}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Unregister the cluster by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config unregister-service ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Reregister the cluster by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config register-service ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":".Restart SciDB by running:","type":"text"}]},{"type":"codeBlock","content":[{"text":"$ scidbctl.py --config start-server ","type":"text"}]},{"type":"paragraph","content":[{"text":"SciDB is now back in ","type":"text"},{"text":"trust","type":"text","marks":[{"type":"em"}]},{"text":" mode.","type":"text"}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported