Kiosk Users: Observability for Everyone

While the Fishworks team was developing our new storage server, we enlisted the help of several dozen experts in the enterprise storage field to help us define useful and necessary features. In addition to meeting the basic needs of storage administrators, we also wanted to provide additional features which administrators would find convenient. Across many enterprise domains, we continually heard one common complaint: storage servers were being blamed for performance problems, when the real performance problem lay somewhere else in the IT infrastructure.

At large companies, the storage infrastructure is consolidated into a single team of administrators who manage storage for the entire company. This team of administrators has service agreements which stipulate certain capacity, performance, and uptime requirements for other groups, and they must address problems if those service levels are not maintained. Storage administrators complained that they often spent time debugging performance problems with a particular group's application, only to find the storage was performing exactly as prescribed. Storage administrators could not gain any insight into a particular server's operation; instead, they wasted hours proving to application developers that the storage was not the source of the problem.

Our revolutionary analytics interface helps storage administrators understand how the box is performing. The dashboard page provides a summary view of key metrics, including a weather metaphor for each statistic. While this information is useful to storage administrators, it can also be useful to application developers who are actually using the storage. With this idea in mind, we created a new kind of administrator: a kiosk user. Kiosk users are created using the normal user dialog.

Storage administrators can add the application developers as kiosk users, or create a kiosk account for an entire team. By setting the screen to which kiosk users are restricted, administrators control the level of access application developers have to analytics data. For example, a kiosk user may be able to only view the dashboard, but not more specific worksheets. Likewise, a different kiosk user may be restricted to a worksheet for a particular project instead of having access to analytics data across all projects.

We anticipate that our customers will find this kiosk feature most useful for granting access to the dashboard and analytics data, though there are many other useful scenarios:

  • Clients who have connectivity problems can use the services pages to check the state of system and data services.
  • By viewing the audit logs, auditors can understand who accessed the appliance and what changes those users have made.
  • Network administrators can inspect the networking and routing configuration to understand and troubleshoot any problems.

One important note about kiosk users: even though they are restricted to viewing a certain screen, a malicious JavaScript client can still make XML-RPC calls. The restriction governs navigation in the UI: a kiosk user cannot navigate to any other screen, but that user can see the results of raw XML-RPC calls that are not associated with the kiosk screen. Because of the appliance's fine-grained access control, a kiosk user with no roles or authorizations will not be able to change any configuration. Do not, however, assume that a kiosk user cannot view the current shares, users, or other configuration parameters just because the kiosk screen would not normally expose that data.
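The distinction above can be modelled in a few lines. This is an added example, not the appliance's code: the method names, screens and authorization strings are hypothetical, and the second dispatcher is a stricter design shown only for comparison.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample table (hypothetical names, not the real XML-RPC interface):
# method -> (UI screen that displays it, authorization required; None = read-only)
METHODS = {
    "dashboard.summary": ("dashboard", None),
    "shares.list": ("shares", None),
    "users.list": ("users", None),
    "shares.create": ("shares", "shares.modify"),
}

class Denied(Exception):
    """Raised when the server refuses a call."""

@dataclass
class User:
    name: str
    kiosk_screen: Optional[str] = None       # None means a regular user
    authorizations: frozenset = frozenset()  # a bare kiosk user has none

def dispatch_as_described(user, method):
    """Model of the behaviour in the post: changes need an authorization,
    but reads are not tied to the screen the kiosk user is pinned to."""
    _screen, needed = METHODS[method]
    if needed is not None and needed not in user.authorizations:
        raise Denied(f"{user.name} lacks {needed}")
    return f"result of {method}"

def dispatch_screen_scoped(user, method):
    """Hypothetical stricter server: the kiosk screen is also enforced
    at the RPC layer, so out-of-screen reads are refused."""
    screen, _needed = METHODS[method]
    if user.kiosk_screen is not None and screen != user.kiosk_screen:
        raise Denied(f"{method} is outside the {user.kiosk_screen} screen")
    return dispatch_as_described(user, method)

def exposure(user, dispatcher):
    """List every method the user can call successfully, whatever the UI shows.
    Review this list, not the kiosk screen, before creating the account."""
    allowed = []
    for method in sorted(METHODS):
        try:
            dispatcher(user, method)
            allowed.append(method)
        except Denied:
            pass
    return allowed

if __name__ == "__main__":
    kiosk = User("dev-team", kiosk_screen="dashboard")
    print("as described: ", exposure(kiosk, dispatch_as_described))
    print("screen-scoped:", exposure(kiosk, dispatch_screen_scoped))
```
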

I hope our customers are able to find many and varied uses for kiosk users; please share your experiences with them in the comments.

About

The blog of Bill Pijewski, a member of the Fishworks engineering team.
