Nexfs Identity Management System (Users and Accounts)
Nexfs-enabled accounts are required to access the Nexfs management console, the Nexfs Management API and the Nexfs Content Server (S3 API).
The system default account "nexfsadmin" with the password "nexfsadminsecret" is created after a fresh install or when starting Nexfs without existing Nexfs accounts. The default "nexfsadmin" account is configured with administration-level access to the management console and API.
No accounts with content server (S3 API) access are created by default. Content Server access can be granted to the "nexfsadmin" account, or new accounts can be created.
The default "nexfsadmin" account may be removed, but note that if the Nexfs server is restarted without any stored accounts, Nexfs will automatically recreate the "nexfsadmin" account with default settings.
Nexfs accounts can have management rights, content-server rights or both management and content-server rights assigned.
Nexfs accounts require separate secrets (passwords) for authentication to management services and the content server. An account can use the same phrase for both services, but it must be set for each. Updating the secret for one service does not automatically update the secret for the other service.
Accounts are assigned "User Content Roles" and "Management Roles" that restrict and allow the operations an account can perform. An account can be assigned a maximum of 16 content and 16 management roles. Each role can allow or deny anywhere from none to all of the actions specific to the relevant service. Note: If an action is explicitly denied through any assigned role, then that action cannot be used by the user even if the action is allowed through another assigned role.
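The deny-overrides rule and the 16-role limit described above, modelled in Python as an added example (this is not Nexfs code). The role and action names are constructed for illustration, and an action that no assigned role mentions is reported as "unspecified" because this page does not say how Nexfs treats it.

```python
# Added illustration of the role semantics described above; not Nexfs code.
# Role names and action names are constructed (hypothetical) sample values.
from dataclasses import dataclass, field

MAX_ROLES = 16  # per-service limit stated on this page


@dataclass(frozen=True)
class Role:
    name: str
    allow: frozenset = field(default_factory=frozenset)
    deny: frozenset = field(default_factory=frozenset)


def evaluate(roles, action):
    """Return 'deny', 'allow' or 'unspecified' for one action.

    An explicit deny in any assigned role overrides an allow in any other.
    'unspecified' means no role mentions the action; the page does not say
    how Nexfs treats that case, so it is reported rather than guessed.
    """
    if len(roles) > MAX_ROLES:
        raise ValueError(f"{len(roles)} roles assigned, maximum is {MAX_ROLES}")
    if any(action in r.deny for r in roles):
        return "deny"
    if any(action in r.allow for r in roles):
        return "allow"
    return "unspecified"


def shadowed_allows(roles):
    """Map each action allowed by one role but denied by another to
    (allowing role names, denying role names), for assignment review."""
    report = {}
    for action in sorted(set().union(*(r.allow for r in roles))):
        deniers = sorted(r.name for r in roles if action in r.deny)
        if deniers:
            allowers = sorted(r.name for r in roles if action in r.allow)
            report[action] = (allowers, deniers)
    return report


# Constructed sample assignment for one account's content roles.
SAMPLE_ROLES = [
    Role("bucket-reader", allow=frozenset({"GetObject", "ListBucket"})),
    Role("bucket-writer", allow=frozenset({"PutObject", "DeleteObject"})),
    Role("no-delete", deny=frozenset({"DeleteObject"})),
]
```

Running `shadowed_allows` over an account's assigned roles shows which grants are silently overridden, which helps when a user reports that an action allowed by one role is still refused.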
Accounts can be configured with POSIX UIDs and GIDs. When configured, the account assumes the POSIX account with the same UID, or the primary group matching the POSIX GID, when using the S3 API to access buckets, files and so on in the Nexfs filesystem. When no UID or GID is set, the account assumes the default configured UID and GID.
If an email address is configured on an account, that email address can be matched in S3-style policy statements.