Skip to main content

Manage grid federation connections

Contributors netapp-madkat netapp-perveilerk ssantho3
PDFs

Managing grid federation connections between StorageGRID systems includes editing connection details, rotating the certificates, removing tenant permissions, and removing unused connections.

Before you begin

  • You are signed in to the Grid Manager on either grid using a supported web browser.

  • You have the Root access permission for the grid you are signed in to.

Edit a grid federation connection

You can edit a grid federation connection by signing in to the primary Admin Node on either grid in the connection. After you make changes to the first grid, you must download a new verification file and upload it to the other grid.

Note While the connection is being edited, account clone or cross-grid replication requests will continue to use the existing connection settings. Any edits you make to the first grid are saved locally but aren't used until they have been uploaded to the second grid, saved, and tested.

Start editing the connection

Steps

  1. Sign in to the Grid Manager from the primary Admin Node on either grid.

  2. Select NODES and confirm that all other Admin Nodes in your system are online.

    Note When you edit a grid federation connection, StorageGRID attempts to save a “candidate configuration” file on all Admin Nodes on the first grid. If this file can't be saved to all Admin Nodes, a warning message appears when you select Save and test.

  3. Select CONFIGURATION > System > Grid federation.

  4. Edit the connection details using the Actions menu on the Grid federation page or the details page for a specific connection. See Create grid federation connections for what to enter.

    Actions menu

    1. Select the radio button for the connection.

    2. Select Actions > Edit.

    3. Enter the new information.

    Details page

    1. Select a connection name to display its details.

    2. Select Edit.

    3. Enter the new information.

  5. Enter the provisioning passphrase for the grid you are signed in to.

  6. Select Save and continue.

    The new values are saved, but they will not be applied to the connection until you have uploaded the new verification file on the other grid.

  7. Select Download verification file.

    To download this file at a later time, go to the details page for the connection.

  8. Locate the downloaded file (connection-name.grid-federation), and save it to a safe location.

    Caution The verification file contains secrets and must be securely stored and transmitted.

  9. Select Close to return to the Grid federation page.

  10. Confirm that the Connection status is Pending edit.

    Note If the connection status was something other than Connected when you started editing the connection, it will not change to Pending edit.

  11. Provide the connection-name.grid-federation file to the grid admin for the other grid.

Finish editing the connection

Finish editing the connection by uploading the verification file on the other grid.

Steps

  1. Sign in to the Grid Manager from the primary Admin Node.

  2. Select CONFIGURATION > System > Grid federation.

  3. Select Upload verification file to access the upload page.

  4. Select Upload verification file. Then, browse to and select the file that was downloaded from the first grid.

  5. Enter the provisioning passphrase for the grid you are currently signed in to.

  6. Select Save and test.

    If the connection can be established using the edited values, a success message appears. Otherwise, an error message appears. Review the message and address any issues.

  7. Close the wizard to return to the Grid federation page.

  8. Confirm that the Connection status is Connected.

  9. Go to the Grid federation page on the first grid and refresh the browser. Confirm that the Connection status is now Connected.

  10. After the connection has been established, securely delete all copies of the verification file.

Test a grid federation connection

Steps

  1. Sign in to the Grid Manager from the primary Admin Node.

  2. Select CONFIGURATION > System > Grid federation.

  3. Test the connection using the Actions menu on the Grid federation page or the details page for a specific connection.

    Actions menu

    1. Select the radio button for the connection.

    2. Select Actions > Test.

    Details page

    1. Select a connection name to display its details.

    2. Select Test connection.

  4. Review the connection status:

    Connection status Description

    Connected

    Both grids are connected and communicating normally.

    Error

    The connection is in an error state. For example, a certificate has expired or a configuration value is no longer valid.

    Pending edit

    You have edited the connection on this grid, but the connection is still using the existing configuration. To complete the edit, upload the new verification file to the other grid.

    Waiting to connect

    You have configured the connection on this grid, but the connection hasn't been completed on the other grid. Download the verification file from this grid and upload it to the other grid.

    Unknown

    The connection is in an unknown state, possibly because of a networking issue or an offline node.

  5. If the Connection status is Error, resolve any issues. Then, select Test connection again to confirm the issue has been fixed.

Rotate connection certificates

Each grid federation connection uses four automatically-generated SSL certificates to secure the connection. When the two certificates for each grid near their expiration date, the Expiration of grid federation certificate alert reminds you to rotate the certificates.

Caution If the certificates on either end of the connection expire, the connection will stop working and replications will be pending until the certificates are updated.
Steps

  1. Sign in to the Grid Manager from the primary Admin Node on either grid.

  2. Select CONFIGURATION > System > Grid federation.

  3. From either tab on the Grid federation page, select the connection name to display its details.

  4. Select the Certificates tab.

  5. Select Rotate certificates.

  6. Specify how many days the new certificates should be valid.

  7. Enter the provisioning passphrase for the grid you are signed in to.

  8. Select Rotate certificates.

  9. As required, repeat these steps on the other grid in the connection.

    In general, use the same number of days for the certificates on both sides of the connection.

Remove a grid federation connection

You can remove a grid federation connection from either grid in the connection. As shown in the figure, you must perform prerequisite steps on both grids to confirm that the connection is not being used by any tenant on either grid.

steps to remove grid federation connection

Before removing a connection, note the following:

  • Removing a connection does not delete any items that have already been copied between grids. For example, tenant users, groups, and objects that exist on both grids aren't deleted from either grid when the tenant’s permission is removed. If you want to delete these items, you must manually delete them from both grids.

  • When you remove a connection, any objects that are pending replication (ingested but not yet replicated to the other grid) will have their replication permanently failed.

Disable replication for all tenant buckets

Steps

  1. Starting from either grid, sign in to the Grid Manager from the primary Admin Node.

  2. Select CONFIGURATION > System > Grid federation.

  3. Select the connection name to display its details.

  4. On the Permitted tenants tab, determine if the connection is being used by any tenants.

  5. If any tenants are listed, instruct all tenants to disable cross-grid replication for all of their buckets on both grids in the connection.

    Tip You can't remove the Use grid federation connection permission if any tenant buckets have cross-grid replication enabled. Each tenant account must disable cross-grid replication for their buckets on both grids.

Remove permission for each tenant

After cross-grid replication has been disabled for all tenant buckets, remove the Use grid federation permission from all tenants on both grids.

Steps

  1. Select CONFIGURATION > System > Grid federation.

  2. Select the connection name to display its details.

  3. For each tenant on the Permitted tenants tab, remove the Use grid federation connection permission from each tenant. See Manage permitted tenants.

  4. Repeat these steps for the permitted tenants on the other grid.

Remove connection

Steps

  1. When no tenants on either grid are using the connection, select Remove.

  2. Review the confirmation message, and select Remove.

    • If the connection can be removed, a success message is shown. The grid federation connection is now removed from both grids.

    • If the connection can't be removed (for example, it is still in use or there is a connection error), an error message is displayed. You can do either of the following:

Remove a grid federation connection by force

If necessary, you can force the removal of a connection that does not have Connected status.

Force removal only deletes the connection from the local grid. To completely remove the connection, perform the same steps on both grids.

Steps

  1. From the confirmation dialog box, select Force remove.

    A success message appears. This grid federation connection can no longer be used. However, tenant buckets might still have cross-grid replication enabled and some object copies might have already been replicated between the grids in the connection.

  2. From the other grid in the connection, sign in to the Grid Manager from the primary Admin Node.

  3. Select CONFIGURATION > System > Grid federation.

  4. Select the connection name to display its details.

  5. Select Remove and Yes.

  6. Select Force remove to remove the connection from this grid.