The Break Glass Mechanism feature on the Mavis platform is designed to enhance system reliability and availability. This functionality automatically backs up the connection information of devices on Mavis to the S3 or Blob storage space. In the event of a Mavis platform failure, these backup data become critical information for accessing emergency servers, enabling you to quickly obtain server login information for emergency access and restoration of normal operations.
The primary objectives of Mavis's Break Glass mechanism are to enable you to:

- Access Confidential Cloud Provider Account Information: Obtain sensitive data from your hosted systems/resources, including crucial login details such as SSH, RDP, and VNC credentials. This ensures swift access to vital account information during emergency scenarios.
- Retrieve Essential Remote Access Details: Acquire the necessary connection information and login credentials for remote access. This includes details like the host's IP address and service names, facilitating secure access to your system remotely. This capability is crucial for addressing emergencies and ensuring quick and efficient access.

To ensure the Break Glass mechanism's security, we've considered key design factors. Please also be mindful of the following:

- Break Glass Account Management: Preconfigure a dedicated "Break Glass Account" with limited permissions for listing and reading sensitive archives, intended solely for emergency use.
- Secure Communication: Employ HTTPS communication between Mavis and the "Sensitive Archive", guaranteeing end-to-end encryption during data transmission. Additionally, use certificates for server authentication.
- Permission Control: Restrict Mavis system permissions to file creation within the "Sensitive Archive", excluding deletion or reading operations.
- Access Record Management: Delegate access record logging for the "Sensitive Archive" to the "Archive Space" system, ensuring proper tracking of access activities.
- Operator Responsibility for Access Records: Human operators are responsible for manually managing access records for the managed system, assuring the integrity and traceability of recorded information.

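The Permission Control and Break Glass Account Management points above split the archive between a write-only identity (Mavis) and a list/read-only identity (the emergency account). As an added example that is not Mavis code, the two policies side by side with a check that flags any grant outside each role; AWS S3 IAM policy syntax and the bucket ARN are assumed, since the page only names "S3".

```python
from fnmatch import fnmatchcase

# Constructed placeholder; the page does not name the archive bucket.
ARCHIVE_ARN = "arn:aws:s3:::EXAMPLE-breakglass-archive"

# Identity Mavis exports with: object creation only. PutObject overwrites the
# previous export under the same key, so "only the latest file is retained"
# needs no DeleteObject grant.
MAVIS_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{ARCHIVE_ARN}/*"},
    ],
}

# The dedicated Break Glass account: list and read the archive, nothing else.
BREAK_GLASS_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ARCHIVE_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{ARCHIVE_ARN}/*"},
    ],
}

# Action patterns each role must never be allowed. A leaked Mavis credential
# must not be able to read the exported passwords back or destroy exports;
# a leaked Break Glass credential must not be able to plant or wipe them.
FORBIDDEN = {
    "writer": ["s3:GetObject*", "s3:DeleteObject*", "s3:ListBucket*"],
    "reader": ["s3:PutObject*", "s3:DeleteObject*"],
}


def excess_actions(policy: dict, role: str) -> list:
    """Return every Allow action that collides with a forbidden pattern.

    Matching runs in both directions, so a policy wildcard such as "s3:*"
    or "s3:Get*" is flagged as well as a literal action name. An empty
    list means the policy stays inside its role.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for action in actions:
            if any(fnmatchcase(action, p) or fnmatchcase(p, action)
                   for p in FORBIDDEN[role]):
                found.append(action)
    return found
```

Run the check against the policy actually attached to each identity before the first scheduled export; a non-empty list for either role means one compromised credential can both write and read the archive.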
Important Reminder:
- Authorize access to Break Glass files only for designated personnel. These files contain vital account and connection details, requiring careful handling. Strictly manage permissions for individuals accessing these files to safeguard sensitive information.
Frequently Asked Questions:
- What is the Mavis Break Glass Mechanism?
  The Mavis platform's Break Glass Mechanism is an emergency access feature designed to provide login information in the event of system failure, allowing users to quickly restore system operation.
- How can I access the login information provided by the Break Glass Mechanism?
  Users can access server login information quickly through pre-configured accounts. This information includes SSH, RDP, VNC account credentials, and more.
- When might I need to use the Break Glass Mechanism?
  The Break Glass Mechanism may be needed when the Mavis platform experiences a failure or requires maintenance.

Mavis Break Glass Configuration:

Option 1: Administrators can set up Break Glass information using commands, and this data will be written into a Config file.

Config File Format:
- The Config file is written as a K3s secret file.
- Accessed via mount within the container.
- Read during execution in a key: value format.

Configuration Information should include:
- S3 bucket: Targeted setting should be an S3 bucket.
- Access key ID: Generated or provided key ID by the system.
- Access secret key: Generated or provided key by the system.
- Bucket name: S3 space name used for backup storage.
- URL: Path to access the backups.

Option 2: You can configure Break Glass information in System Management > Break Glass Backup.
If your "Remote storage provider" is "S3", please refer to the following table:

Item | Description
---|---
*Execute time | The system performs backups daily at a specific time, format: HH:mm
*Access key ID | Fill in the key ID generated or provided by the system
*Access secret key | When Access key ID is empty, this field will be empty; if there is a value, it will display a fixed value
*Bucket name | Fill in the S3 space name used for storing backups
*Protocol | HTTP, HTTPS
*URL | Fill in the path for accessing backups
Region | Optional field; you can specify the storage area's regional information

If your "Remote storage provider" is "Blob", please refer to the following table (Azure Blob as an example).

Within the Azure console, you can set and get the connection string as follows:

DefaultEndpointsProtocol=https; AccountName=azuredemoaccount; AccountKey=b+I9M3OMegXlFeutCyT4ABnBomOSvDz0d/YPyh1NohN6dLJcFytMPVL9WKXMcfX7ffyuuiZkpaRR+ASt32keUz==; EndpointSuffix=core.windows.net

You need to fill in the following fields from the information presented in the connection string.

Item | Description and example
---|---
*Storage account name | Storage account name. Example: azuredemoaccount
*Key | Example: b+I9M3OMegXlFeutCyT4ABnBomOSvDz0d/YPyh1NohN6dLJcFytMPVL9WKXMcfX7ffyuuiZkpaRR+ASt32keUz==
Container name | Azure container name
*Protocol | HTTP, HTTPS
*Endpoint suffix | https://core.windows.net/
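The mapping from connection string to the Blob fields above, as an added example that is not Mavis code: a helper that parses the `Key=Value;` segments, fills the five form items, refuses a non-HTTPS `DefaultEndpointsProtocol` (per the Secure Communication requirement), and masks the key for logging. The sample connection string is constructed with a made-up AccountKey, and the container name is passed in separately because it is not part of the connection string; the endpoint suffix is returned exactly as the string carries it.

```python
# Constructed sample: same shape as the connection string shown above, with a
# made-up AccountKey (the '+', '/' and '==' padding exercise the parser).
SAMPLE_CONNECTION_STRING = (
    "DefaultEndpointsProtocol=https; AccountName=azuredemoaccount; "
    "AccountKey=CONSTRUCTED+EXAMPLE/KEY0123456789==; "
    "EndpointSuffix=core.windows.net"
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value; Key=Value' segments into a dict.

    Only the first '=' separates key from value: the base64 AccountKey
    itself ends in '=' padding and must survive intact.
    """
    fields = {}
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment: {segment!r}")
        fields[key.strip()] = value.strip()
    return fields


def break_glass_blob_fields(conn: str, container: str) -> dict:
    """Return the values for the Blob form, keyed by the table's item names."""
    f = parse_connection_string(conn)
    missing = {"AccountName", "AccountKey", "EndpointSuffix"} - set(f)
    if missing:
        raise ValueError(f"connection string lacks {sorted(missing)}")
    protocol = f.get("DefaultEndpointsProtocol", "https").lower()
    if protocol != "https":
        # The archive holds server credentials; refuse a plaintext transport.
        raise ValueError("refusing non-HTTPS endpoint protocol")
    return {
        "Storage account name": f["AccountName"],
        "Key": f["AccountKey"],
        "Container name": container,
        "Protocol": protocol.upper(),
        "Endpoint suffix": f["EndpointSuffix"],
    }


def masked(fields: dict) -> dict:
    """Copy safe to paste into a ticket: the key is reduced to its last 4 chars."""
    safe = dict(fields)
    safe["Key"] = "****" + safe["Key"][-4:]
    return safe
```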
Mavis Break Glass Execution Process:

Once the Break Glass configuration is set up, the system will automatically export the server connection information file to the designated S3 Bucket or Blob container at the scheduled execution time. Only the latest file will be retained. Upon initial setup, ensure proper access to the configured S3 bucket.

Connection Information: The connection details are segmented based on the "Project name" and recorded in their respective Tabs. Each tab records the following columns:

- Provider
- Device name (default sort)
- Protocol
- Public IP address
- Private IP address
- URL
- Port
- Access type
- Account
- Password
- PEM file name
- Extra credential

Troubleshooting:

You can test the current remote settings on the settings page. When you press the "Test" button, the system uses the information you have currently filled in to upload data and test the following items. The result of each stage is written on the page:

- Container or bucket exists: success
- Authentication test: authentication success
- Connection test: connection success

If access to the bucket fails, check the connection information, key permissions, and other factors that may cause the access failure. Make sure to follow the specified folder structure when uploading files, and make sure the key you authorized has the correct permissions.