EFA users are validated with Unix authentication or LDAP and managed with Role-based Access Control (RBAC).
In addition, at installation time, starting with EFA 2.5.0, all EFA users of services such as MySQL and RabbitMQ are assigned random passwords that are stored in EFA configuration files. This satisfies the requirement to enforce the change of default passwords, and no two EFA installations share identical passwords.
For more information, see EFA RBAC Policy Enforcement and Assign and View EFA Roles.
Operational or maintenance tasks are propagated to SLX devices through OAuth2 and JWT access tokens. TLS is used for connections with SLX devices. The OpenStack ML2 plugin also uses TLS and OAuth2 tokens. When EFA is installed in secure mode, traffic to northbound interfaces uses TLS. For more information about secure mode, see the "EFA Installation Modes" topic in the Extreme Fabric Automation Deployment Guide, 2.7.0.
After EFA is deployed, the installing user has the SystemAdmin role and has complete access to EFA functionality. For installation on TPVM, this user has the user name 'extreme'. By default, no other host OS users can access EFA unless the SystemAdmin assigns them the appropriate roles. RBAC is enforced on EFA and its API.
Use the following logs to troubleshoot authentication, authorization, or RBAC issues.
| Log source | Filepath |
|---|---|
| EFA server | /var/log/efa/auth/auth-server.log, /var/log/efa/rbac/rbac-server.log |
| EFA TPVM | /apps/efa_logs/auth/auth-server.log, /apps/efa_logs/rbac/rbac-server.log |
| SLX device | /var/log/pam-oauth2.log |