2.5 Prerequisites

2.5.1 Disable Pop-Up Blockers

Some features of the Ark Administrative console will not work properly when pop-up blocker (or ad blocker) software is enabled. To take full advantage of console features, you should disable pop-up blocker software from restricting pop-ups from the URL/s used by the Ark console or Ark clusters.

The /var/ppcd/ppcd.properties file and the /var/ppcd/.edb directory contain sensitive information (including plain-text connection information) that should be accessed only by the Administrative user. You should restrict access to the /var/ppcd/ppcd.properties file and the /var/ppcd/.edb directory, ensuring that only trusted individuals have access.

By default, the ppcd user has read, write and execute privileges on the directory (0700), while group and other users cannot access the directory.

By default, OpenStack Mitaka enables the Keystone identity service version 3.0 API; version 3.0 is not supported by EDB Ark. Before using EDB Ark on an OpenStack Mitaka host, you must enable the Keystone identity service version 2.0 API. Use the following process to enable the version 2.0 API for your domain:

1. Use the domain list command to find the ID of the domain that Ark will use; for example:

(openstack) domain list
| ID | Name | Enabled | Description |
| b77a32b08b2345faa81f5fa706369b1d | default | True | Default Domain |
2. Connect to the Keystone server(s) and edit the keystone.conf file; by default, the file is located in /etc/keystone/keystone.conf.
3. Modify the [identity] section of the keystone.conf file, setting the default_domain_id property to the ID of the chosen domain. For example:

If your installation requires you to restart the Keystone service directly, you can use the command:

Each time the Ark console creates a cluster, a volume is created in the OpenStack management console. Each volume will have a corresponding security group, security group rules, and (if applicable) volume snapshots.

Before using the Ark console, you should ensure that OpenStack resource limits are set to values high enough to meet the requirements of your end-users. If users attempt to exceed the resource limit, the console will display an error, prompting you to increase the resource limits (see Figure 2.6).
• If a user encounters an overLimit error, you should connect to the OpenStack management console and increase resource limits to meet user requirements.

When you terminate a cluster that has no backups (through the Ark console), the OpenStack management console will terminate the corresponding volume and free the associated resources. If a backup of the cluster exists, the volume will persist until you delete the backup. Deleting backups of obsolete clusters will free up system resources for use.

You must create a dedicated OpenStack user account for use by the EDB Ark service. EDB Ark uses the service account when performing OpenStack management functions. The service account user must be a member of, and be assigned the OpenStack admin role (which is created during OpenStack installation) for, all tenants that are allowed to run EDB Ark clusters.

For more information about creating an OpenStack administrative user, please consult your version and platform-specific OpenStack documentation.

When configuring EDB Ark, you must specify the name of the OpenStack administrative role, the EDB Ark service account user name, and the password associated with the service account in the ppcd.properties file.

Please note that all OpenStack users that are assigned the OpenStack admin role will also have access to EDB Ark administrative features. Administrative users are able to register server images and create database engines, as well as retrieve information about system resources and users. For more information about the administrative features of the Ark console, see Section 4.

Before configuring the Ark console on an Amazon host and creating users, you must create an Amazon service user and service role. Ark uses the service role when performing Ark management functions (such as console backups). The Ark console uses the service role credentials (the cross account keys) to assume the IAM roles assigned to Ark users. This enables Ark to securely manage AWS resources.

When configuring the Ark console, you are required to provide details about the AWS service user and the service role in the ppcd.properties file. Specify:
• the Amazon Role ARN (resource name) that will be used by the Ark service in the aws.service.account.rolearn property.
• the Amazon external ID that will be used by the Ark service user (ppcd) in the aws.service.account.externalid property.
• the AWS_ACCESS_KEY_ID associated with the AWS role used for account administration in the aws.cross.account.accesskey property.
• the AWS_SECRET_ACCESS_KEY associated with the AWS role used for account administration in the aws.cross.account.secretkey property.

To create the Ark console's service user account, connect to the Amazon AWS management console, and navigate to the Users dashboard; select the Add user button to open the Add user dialog (shown in Figure 2.7).

On the Add user dialog:
• Provide a name for the service user account in the User name field.
• Check the box to the left of Programmatic access.

Click Next: Permissions to continue.

When the Permissions dialog opens, click the button labeled Attach existing policies directly, then click the Create policy button. When the Create Policy dialog opens, click the button to the right of Create Your Own Policy.

On the Review Policy dialog:
• Provide a name for the policy in the Policy Name field.
• Provide a description of the policy in the Description field.
• Click Create Policy to continue.

Then, return to the Add user dialog, and click the Refresh button above the list of policies. Select the new policy from the list (see Figure 2.9), and click Next.

Confirm that the correct policy has been attached, and click Create user. The AWS console will confirm that the user has been added successfully. Click Show to display the Secret access key value (see Figure 2.10).

Copy the access key values displayed on the console; you must provide the values in the ppcd.properties file when configuring your Ark console:
• Provide the Access key id in the aws.cross.account.accesskey parameter.
• Provide the Secret access key in the aws.cross.account.secretkey parameter.

Creating the AWS Service Role

After creating the service user, you must create a service role. To define a service role, connect to the Amazon management console, and navigate to the Identity and Access Management Dashboard (see Figure 2.11).

Navigate to the Roles page, and click the Create New Role button.

When the Create Role dialog opens (shown in Figure 2.12), specify a name for the new role and click Next Step to specify a role type.

Select the AWS Service Roles radio button (shown in Figure 2.13), and then the Select button to the right of Amazon EC2 to continue to the Attach Policy dialog.

When the Attach Policy dialog (shown in Figure 2.14) opens, do not select a policy; instead, click Next Step to continue to the Review dialog.

When the Review dialog opens (see Figure 2.15), review the information displayed, and then click Create Role to instruct the AWS management console to create the described role.

The role will be displayed in the role list on the Amazon IAM Roles page (see Figure 2.16). You can click the role name to display detailed information about the role. Please note that the Summary tab will display a Role ARN, but the ARN will not be enabled until the security policy and trust policy are updated.

After completing the Create Role wizard, you must modify the inline security policy and trust relationship to allow Ark to use the role. Highlight the role name, open the Inline Policies menu, and select click here to add a new policy.

When the Set Permissions dialog opens, select the Custom Policy radio button, and then click the Select button (see Figure 2.18).

Use the fields on the Set Permissions dialog (Figure 2.19) to define the security policy:
• Provide a name for the security policy in the Policy Name field.
• Copy the security policy text into the Policy Document field. For a sample security policy that you can use when creating the service role, please see Reference – AWS Service Role Security Policy and Trust Relationship.

After providing security policy information, click Apply Policy to return to the Role information page. Then, select the Edit Trust Relationship button (located in the Trust Relationships section) to display the Policy Document (see Figure 2.20).

Replace the displayed content of the policy document with the content of the security policy included in Reference – AWS Service Role Security Policy and Trust Relationship. Click the Update Trust Policy button to finish and close the Edit Trust Relationship dialog.

The Summary dashboard will display values that you must provide in the ppcd.properties file when configuring your Ark console:
• The Role ARN associated with the service role must be provided in the aws.service.account.rolearn parameter.
• The external ID associated with the service role must be provided in the aws.service.account.externalid parameter. In the example shown, the external id is EDB-ARK-SERVICE; you can find this value under the Conditions section of the Trust Relationships tab.
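As an added example that is not part of the Ark documentation or product, this Python script checks a ppcd.properties file for the four AWS properties listed above and checks that the /var/ppcd files keep the 0700 mode described at the start of this section; the properties parser, the function names and the sample file contents are constructed here, and the placeholder values are not real credentials.

```python
import os
import re
import stat

# AWS properties the Ark console reads from ppcd.properties (names from the docs).
REQUIRED_AWS_PROPERTIES = (
    "aws.service.account.rolearn",
    "aws.service.account.externalid",
    "aws.cross.account.accesskey",
    "aws.cross.account.secretkey",
)
# An IAM role ARN looks like arn:<partition>:iam::<12-digit account>:role/<name>.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# Constructed sample of the AWS section of ppcd.properties; values are placeholders.
SAMPLE_PROPERTIES = """\
# constructed example, not a real configuration
aws.service.account.rolearn=arn:aws:iam::123456789012:role/EDB-ARK-SERVICE-ROLE
aws.service.account.externalid=EDB-ARK-SERVICE
aws.cross.account.accesskey=PLACEHOLDER_ACCESS_KEY_ID
aws.cross.account.secretkey=
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value; '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def check_aws_properties(props):
    """List problems with the AWS service-account settings; empty means OK."""
    problems = [f"missing or empty: {key}" for key in REQUIRED_AWS_PROPERTIES
                if not props.get(key)]
    arn = props.get("aws.service.account.rolearn")
    if arn and not ROLE_ARN_RE.match(arn):
        problems.append(f"not an IAM role ARN: {arn}")
    return problems

def check_mode_bits(mode):
    """The docs expect 0700: any group/other bit exposes plain-text credentials."""
    return [] if mode & 0o077 == 0 else [f"mode {mode:04o} grants group/other access"]

def check_path(path):
    """Run check_mode_bits on a real path such as /var/ppcd/.edb."""
    return check_mode_bits(stat.S_IMODE(os.stat(path).st_mode))
```

Run check_path against /var/ppcd/ppcd.properties and /var/ppcd/.edb on the console host, and check_aws_properties against the parsed file, before starting the Ark console.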