2 EDB Ark - Overview : 2.5 Prerequisites

The /var/ppcd/ppcd.properties file and the /var/ppcd/.edb directory contain sensitive information (including plain-text connection information) that should be accessed only by the Administrative user. You should restrict access to the /var/ppcd/ppcd.properties file and the /var/ppcd/.edb directory, ensuring that only trusted individuals have access.
By default, the ppcd user has read, write and execute privileges on the directory (0700), while group and other users cannot access the directory.
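The access restriction described above can be checked with a short script. This is an added example, not part of the EDB documentation; the two paths, the ppcd owner and the 0700 expectation come from the text, and the function names are hypothetical.

```python
import os
import pwd
import stat

# Paths and the ppcd service user are taken from the page; adjust if relocated.
SENSITIVE_PATHS = ["/var/ppcd/ppcd.properties", "/var/ppcd/.edb"]
EXPECTED_OWNER = "ppcd"


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number itself."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_path(path, expected_owner=EXPECTED_OWNER):
    """Return a list of findings for one path; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit set
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    return findings


def audit_all(paths=SENSITIVE_PATHS, expected_owner=EXPECTED_OWNER):
    """Audit every path and return the combined findings."""
    return [f for p in paths for f in audit_path(p, expected_owner)]


if __name__ == "__main__":
    for finding in audit_all() or ["ok: no findings"]:
        print(finding)
```

Run it as a user that can read /var/ppcd (for example root) on the Ark console host.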
2. Connect to the Keystone server(s) and edit the keystone.conf file; by default, the file is located in /etc/keystone/keystone.conf.
3. Modify the [identity] section of the keystone.conf file, setting the default_domain_id property to the ID of the chosen domain. For example:
If a user encounters an overLimit error, you should connect to the OpenStack management console and increase resource limits to meet user requirements.
Please note that all OpenStack users that are assigned the OpenStack admin role will also have access to EDB Ark administrative features. Administrative users are able to register server images and create database engines, as well as retrieve information about system resources and users. For more information about the administrative features of the Ark console, see Section 4.
the Amazon external ID that will be used by the Ark service user (ppcd) in the aws.service.account.externalid property.
the AWS_ACCESS_KEY_ID associated with the AWS role used for account administration in the aws.cross.account.accesskey property.
the AWS_SECRET_ACCESS_KEY associated with the AWS role used for account administration in the aws.cross.account.secretkey property.
To create the Ark console's service user account, connect to the Amazon AWS management console, and navigate to the Users dashboard; select the Add user button to open the Add user dialog (shown in Figure 2.7).
On the Add user dialog:
Check the box to the left of Programmatic access.
Click Next: Permissions to continue.
When the Permissions dialog opens, click the button labeled Attach existing policies directly, then click the Create policy button. When the Create Policy dialog opens, click the button to the right of Create Your Own Policy.
On the Review Policy dialog:
Click Create Policy to continue.
Then, return to the Add user dialog, and click the Refresh button above the list of policies. Select the new policy from the list (see Figure 2.9), and click Next.
Confirm that the correct policy has been attached, and click Create user. The AWS console will confirm that the user has been added successfully. Click Show to display the Secret access key value (see Figure 2.10).
Provide the Access key ID in the aws.cross.account.accesskey parameter.
Provide the Secret access key in the aws.cross.account.secretkey parameter.
Navigate to the Roles page, and click the Create New Role button.
When the Create Role dialog opens (shown in Figure 2.12), specify a name for the new role and click Next Step to specify a role type.
Select the AWS Service Roles radio button (shown in Figure 2.13), and then the Select button to the right of Amazon EC2 to continue to the Attach Policy dialog.
When the Attach Policy dialog (shown in Figure 2.14) opens, do not select a policy; instead, click Next Step to continue to the Review dialog.
When the Review dialog opens (see Figure 2.15), review the information displayed, and then click Create Role to instruct the AWS management console to create the described role.
The role will be displayed in the role list on the Amazon IAM Roles page (see Figure 2.16). You can click the role name to display detailed information about the role. Please note that the Summary tab will display a Role ARN, but the ARN will not be enabled until the security policy and trust policy are updated.
After completing the Create Role wizard, you must modify the inline security policy and trust relationship to allow Ark to use the role. Highlight the role name, open the Inline Policies menu, and select click here to add a new policy.
When the Set Permissions dialog opens, select the Custom Policy radio button, and then click the Select button (see Figure 2.18).
Use the fields on the Set Permissions dialog (Figure 2.19) to define the security policy:
Copy the security policy text into the Policy Document field. For a sample security policy that you can use when creating the service role, please see Reference – AWS Service Role Security Policy and Trust Relationship.
After providing security policy information, click Apply Policy to return to the Role information page. Then, select the Edit Trust Relationship button (located in the Trust Relationships section) to display the Policy Document (see Figure 2.20).
The Summary dashboard will display values that you must provide in the ppcd.properties file when configuring your Ark console:
The Role ARN associated with the service role must be provided in the aws.service.account.rolearn parameter.
The external ID associated with the service role must be provided in the aws.service.account.externalid parameter. In the example shown, the external ID is EDB-ARK-SERVICE; you can find this value under the Conditions section of the Trust Relationships tab.
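The following added example (not EDB's code, and not the reference policy the guide points to) checks that the external ID in ppcd.properties is the one the role's trust relationship actually requires. The trust policy, account ID and principal name are constructed placeholders, and the function names are hypothetical; only the property name and the EDB-ARK-SERVICE value come from the page.

```python
import json

# Constructed sample inputs, not EDB's reference policy: the account id and
# user name are placeholders. EDB-ARK-SERVICE is the page's example value.
SAMPLE_PROPERTIES = "aws.service.account.externalid=EDB-ARK-SERVICE\n"
SAMPLE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-ark-user"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EDB-ARK-SERVICE"}}
  }]
}"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def as_list(value):
    """IAM policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]

def check_trust(properties_text, trust_policy_text):
    """Return findings where the trust policy and ppcd.properties disagree."""
    external_id = parse_properties(properties_text).get("aws.service.account.externalid")
    if not external_id:
        return ["aws.service.account.externalid is not set"]
    findings = []
    for i, stmt in enumerate(as_list(json.loads(trust_policy_text).get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        if isinstance(principal, dict) and "AWS" not in principal:
            continue  # service or federated principal: external ID does not apply
        # Assumes the exact key casing used in the constructed sample above.
        wanted = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not wanted:
            findings.append(f"statement {i}: role can be assumed without an external ID")
        elif external_id not in wanted:
            findings.append(f"statement {i}: external ID differs from ppcd.properties")
    return findings

if __name__ == "__main__":
    print(check_trust(SAMPLE_PROPERTIES, SAMPLE_TRUST_POLICY) or "ok: external ID enforced")
```

To use it on a real deployment, pass the contents of /var/ppcd/ppcd.properties and the Policy Document text copied from the Edit Trust Relationship dialog.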
