EFA users are validated with Unix authentication or LDAP and managed with Role-based Access Control (RBAC).
For more information, see Assign and View EFA Roles and EFA RBAC Policy Enforcement.
Users who perform operational or maintenance tasks are propagated to SLX devices through OAuth2 and JWT access tokens. TLS is used for connections with SLX devices. The OpenStack ML2 plugin also uses TLS and OAuth2 tokens. When EFA is installed in secure mode, traffic to northbound interfaces uses TLS. For more information about secure mode, see the "EFA Installation Modes" topic in the Extreme Fabric Automation Deployment Guide, 2.4.0.
After EFA is deployed, the installing user has the SystemAdmin role and has complete access to EFA functionality. For installation on TPVM, this user has the user name 'extreme'. By default, no other host OS users can access EFA unless the SystemAdmin assigns the appropriate roles. RBAC is enforced on both EFA and the API.
Use the following logs to troubleshoot authentication, authorization, or RBAC issues.
Log source | Filepath |
---|---|
EFA server | /var/log/efa/auth/auth-server.log, /var/log/efa/rbac/rbac-server.log |
EFA TPVM | /apps/efa_logs/auth/auth-server.log, /apps/efa_logs/rbac/rbac-server.log |
SLX device | /var/log/pam-oauth2.log |