EFA User Authentication and Authorization

EFA users are validated with Unix authentication or LDAP and managed with Role-based Access Control (RBAC).

In addition, at installation time, starting with EFA 2.5.0, all EFA users of services such as MySQL and RabbitMQ are assigned random passwords that are stored in EFA configuration files. This satisfies the requirement to enforce the change of default passwords, and no two EFA installations share identical passwords.

For more information, see EFA RBAC Policy Enforcement and Assign and View EFA Roles.

Authentication

EFA validates users and their credentials with the following mechanisms:
  • Unix authentication (local and remote) on the host where EFA is installed. Host credentials are the default validation method if LDAP validation fails.
  • External LDAP server. Users configured in LDAP use their LDAP credentials to log in to EFA.
Click to expand in new window
LDAP authentication example
sample

Operational or maintenance tasks are propagated to SLX devices through OAuth2 and JWT access tokens. TLS is used for connections with SLX devices. The OpenStack ML2 plugin also uses TLS and OAuth2 tokens. When EFA is installed in secure mode, traffic to northbound interfaces uses TLS. For more information about secure mode, see the "EFA Installation Modes" topic in the Extreme Fabric Automation Deployment Guide, 2.7.0 .

Authorization

After EFA is deployed, the installing user has the role of SystemAdmin and has complete access to EFA functionality. For installation on TPVM, this user has the user name of ‘extreme.‘ By default, no other host OS users can access EFA unless the SystemAdmin assigns the appropriate roles. RBAC occurs on EFA and API.

LDAP supports three modes for fetching the roles assigned to a user.
  • The role is available as an attribute in the user Distinguished Name (DN) entry. Group attribute definition is not needed.
  • The user has a "memberOf" attribute or any appropriate group DN attribute to identify the groups assigned to the user. Assign the corresponding LDAP group to a role in EFA.
  • LDAP groups have user entries in their group definitions. Assign the LDAP groups to roles in EFA.

Security troubleshooting

Use the following logs to troubleshoot authentication, authorization, or RBAC issues.

Table 1. Security log locations
Log source Filepath

EFA server

/var/log/efa/auth/auth-server.log

/var/log/efa/rbac/rbac-server.log

EFA TPVM

/apps/efa_logs/auth/auth-server.log

/apps/efa_logs/rbac/rbac-server.log

SLX device

/var/log/pam-oauth2.log

Use the following commands to see lists of commands that were run during a specified time, such as when an RBAC error occurred. This sort of information can help you identify potential causes.
  • efa auth execution show
  • efa rbac execution show
  • efa inventory execution show