By default, nodes do not have any roles assigned to them. The only exception is the Central management node, which you specifically promoted to fulfill that role. To assign a role to a node in the cluster, complete the following steps.
To assign roles to nodes in your cluster
On the web interface of your Central management node, navigate to Basic Settings > Cluster management. This page displays all nodes in the cluster.
Click at the right side of the row of the node that node that you want to update. The node row is expanded, showing the node address and the available roles.
Select the role that you want to assign to the node. For details on what each role means, see Cluster roles.
|
Caution:
Configuration options that you set on a node before joining it to the cluster will be overwritten by the configuration of the Central management node. For example, policies and protocol-specific settings will be overwritten once you assign the Managed host role to the node. Managed host roles periodically fetch the configuration of the Central management node and merge it into their own. This is called configuration synchronization. To avoid the loss of policies and settings that are specific to your Managed host node, use a configuration synchronization plugin. Such plugins enable you to limit the scope of configuration synchronization. For more information, see Configuration synchronization across nodes in a cluster. |
NOTE: When assigning search roles, consider the following:
Figure 115: Basic Settings > Cluster management — Assigning the Search local role to the selected node
Click Update to apply the selected roles. The role you assigned (in this case, the Search local role) is then displayed next to the node, under the Roles column.
Figure 116: Basic Settings > Cluster management — Search local role is assigned to node
You can assign roles to your nodes through the REST API, too. For details, see "Assign a role to a node" in the REST API Reference Guide.
Nodes fetch their configuration from the Central management node, and merge it into their own configuration. Depending on their role, nodes may merge the whole configuration into their own (Managed host nodes), or only the cluster-specific parts (nodes with no roles assigned). Whenever a configuration change is made on the Central management node and the change is committed, it is synchronized to all nodes in the cluster as soon as the nodes fetch the latest configuration from the Central management node.
Configuration synchronization in Safeguard for Privileged Sessions (SPS) has some implications for the SSH keys (if any) that have been recorded on your nodes before they were joined to the cluster. For details, see Configuration synchronization and SSH keys.
In some cases, you may want to keep certain parts of the configuration on your nodes outside the scope of configuration synchronization. In that case, use a configuration synchronization plugin. For more information, see Using a configuration synchronization plugin.
The following configuration settings are never overwritten by configuration synchronization, even when not using a configuration synchronization plugin:
For more information, see the following resources:
The only SSH keys present on Managed host nodes will always be the ones that have been recorded by the Central management node. This is because the SSH keys stored on the Central management node get synced to the Managed host nodes during configuration synchronization. This means that the SSH keys recorded on the Managed host nodes before they were joined to the cluster are overwritten by the keys stored on the Central management node.
The Central management node records new SSH keys in the following cases:
These are the keys that get synced to your Managed host nodes.
When synchronizing the central configuration across nodes, you may want to:
Keep certain parts in the configuration of individual nodes unchanged.
Customize certain parts of the central configuration to specific needs of individual nodes in the cluster (for example, your nodes may access external services through different network addresses).
You can achieve all of these by using a configuration synchronization plugin that contains transformations for the problematic parts. The plugin only runs on nodes that have the Managed host role.
Customizing certain parts or features of a node using a configuration synchronization plugin has the same limitations as configuring Safeguard for Privileged Sessions (SPS) through the REST API. In other words, whatever you can configure through the REST API, you can configure the exact same settings using the plugin. One notable difference between the REST API and the plugin is that using the REST API, you can only read certain types of data (such as keys and passwords), while using the configuration synchronization plugin, you can write these types of data as well.
For details on how to configure SPS using the REST API, see REST API Reference Guide.
Data structures in the plugin are represented as nested JSON objects. For object references, the plugin uses keys.
The plugin works with the following key parameters:
For example, an RDP connection policy on a Managed host node specifies the following client and target addresses:
$ curl ... https://<url-of-Central-Management-node>/api/configuration/rdp/connections/<id-of-the-connection-policy>
{ "body": { "network": { "clients": [ "0.0.0.0/0" ], "ports": [ 3389 ], "targets": [ "10.30.255.28/24" ] }, }, ... }
In the following example, an RDP connection policy is configured with the following details on the Central management node:
$ curl ... https://<url-of-Managed-Node>/api/configuration/rdp/connections/<id-of-the-connection-policy>
{ "body": { "network": { "clients": [ "0.0.0.0/0" ], "ports": [ 3389 ], "targets": [ "10.30.255.8/24" ] }, }, ... }
To ensure that the details of the connection policy on the Managed host node are kept as-is after configuration synchronization, add the following lines to the plugin main.py file:
$ cat main.py def merge(local_config: dict, merged_config: dict, node_id: str, plugin_config: str, **kwargs): merged_config['rdp']['connections'][<id-of-the-connection-policy>]['network']['targets'][0] = "10.30.255.8/24" return merged_config
Due to possible new (as yet undefined) parameters, it is good practice to close the parameter list of the merge function with **kwargs.
In case you need assistance with writing customized transformations, contact our Professional Services Team, and a One Identity Service Delivery Engineer will be able to help you.
NOTE: Configuration settings related to networking (Basic Settings > Network), local services (Basic Settings > Local Services), and the license of SPS (Basic Settings > System > License) are not overwritten on the nodes by configuration synchronization even if you are not using a plugin.
For the management of SPS (Basic Settings > Management), the following configuration settings are not overwritten:
To use a configuration synchronization plugin
Upload a configuration synchronization plugin:
Navigate to Basic Settings > Plugins.
Browse for the file, and click Upload plugin.
NOTE: It is not possible to upload or delete plugins if SPS is in Sealed mode.
Enable the plugin:
Navigate to Basic Settings > Cluster management > Configuration synchronization.
Select the plugin you have uploaded.
Figure 117: Basic Settings > Cluster management — Select configuration synchronization plugin
(Optional) Once you selected the plugin, click Configure next to the plugin drop-down box to open the Plugin Configuration dialog.
Enter the configuration of the plugin in the Configuration field. Specifying the configuration of the plugin enables you to run configuration synchronization on each cluster with different parameters if you have multiple clusters. Click Save to save your changes and return to the Cluster management window.
You can also upload and enable the configuration synchronization plugin through the REST API. For details, see "Upload and enable a configuration synchronization plugin" in the REST API Reference Guide.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center