Quorum Control
CTE supports the quorum feature of the CipherTrust Manager. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations. After the quorum policy is configured for an operation, all the approvers need to approve the operation before it can be successfully executed.
Refer to Quorums for details on the quorum feature of the CipherTrust Manager.
Supported Operations
Operation | Authorized Group for Approval |
---|---|
DeleteClientCTE | CTE Admins |
DeleteClientGroupCTE | CTE Admins |
UpdateClientGroupCTE | CTE Admins |
DeleteGuardPointCTE | CTE Admins |
UpdatePolicyCTE | CTE Admins |
Note
CTE for Kubernetes clients with healthy status cannot be deleted by the CipherTrust Administrator. Only the CTE Agent can trigger their deletion. So, quorum is not supported for CTE for Kubernetes clients.
Supported APIs and Resources
Operation | APIs | Applicable to | Remarks |
---|---|---|---|
Delete clients (DeleteClientCTE) | • Single client deletion • Bulk client deletion | • FS (CTE) clients • CTE-U (CTE UserSpace) clients | Bulk client deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. |
Delete client groups (DeleteClientGroupCTE) | Delete client groups | • NON-CLUSTER groups • HDFS groups | - |
Update client groups (UpdateClientGroupCTE) | • Update client groups • Send LDT suspend/resume request to the CTE client groups | • NON-CLUSTER groups • HDFS groups | - |
Delete client GuardPoints (DeleteGuardPointCTE) | • Single GuardPoint deletion • Bulk GuardPoint deletion | • FS (CTE) GuardPoints • CTE-U (CTE UserSpace) GuardPoints | Bulk GuardPoint deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. |
Delete client group GuardPoints (DeleteGuardPointCTE) | • Single GuardPoint deletion • Bulk GuardPoint deletion | • NON-CLUSTER groups • HDFS groups | Bulk client group GuardPoint deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. |
Delete Kubernetes storage group GuardPolicies (DeleteGuardPointCTE) | Delete GuardPolicies from Kubernetes storage groups | Kubernetes clients | - |
Update policy (UpdatePolicyCTE) | • Update policy • Add, update, delete key rules • Add, update, delete security rules • Add, update, delete data transformation rules • Add, update, delete LDT rules • Update IDT rules | • LDT policies • IDT policies • COS policies • CTE for Kubernetes policies • STANDARD policies | - |
Workflow
This section provides the basic flow of the quorum process for the DeleteClientCTE operation. The process is similar for all the supported operations. This section assumes that a quorum policy, which requires two approvals for the DeleteClientCTE operation, is activated on the CipherTrust Manager.
Attempt to delete a client:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the overflow icon corresponding to the client you want to delete.
Click Delete. A dialog box appears prompting you to confirm the action.
Click Delete.
A dialog box appears stating that a quorum is created, and needs to be activated.
Activate the quorum.
On the Quorum/Delete dialog box, click the Click here link to view the quorum.
Alternatively, click OK on the Quorum/Delete dialog box and navigate to the Quorums page of the CipherTrust Manager GUI.
The Active Quorums tab of the Quorums page is displayed.
Approve the quorum. You, another CTE administrator, or a CipherTrust Manager Administrator can approve the quorum.
To approve the quorum:
Under Actions, click the Approve Quorum icon next to the desired DeleteClientCTE: <client-name> operation. The Approve Quorum dialog box is displayed.
(Optional) Specify a Reason for the approval.
Click Confirm to approve the quorum. A message stating that the quorum is successfully approved is displayed.
Similarly, all the approvers need to approve the quorum for successful execution of the operation. The number of approvers is configured under Approvals Needed on the Quorum Policy page.
After all the approvers have approved the quorum, the client can be deleted from either the Active Quorums tab or the Clients page. The last approver can delete the client from the Active Quorums tab, as described below.
Expand the DeleteClientCTE: <client-name> operation. Information about the client to be deleted and approvers is displayed. Now, the Delete Client button is enabled.
Note
In this release, buttons such as Delete Client are enabled for DeleteClientCTE and DeleteClientGroupCTE operations only. For UpdateClientGroupCTE, DeleteGuardPointCTE, and UpdatePolicyCTE operations, you need to return to the source pages, where you can perform the final action.
Click Delete Client in the operation details. A message stating that the quorum client is deleted successfully is displayed.
Verify the client deletion.
Open the Transparent Encryption application.
Click Clients > Clients.
The client is deleted successfully and its entry is removed from the Clients page after the quorum is deleted.
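The workflow above can be read as a small state machine: a request creates a quorum, the quorum is activated, approvals accumulate, and the final action is allowed only once the configured count is reached. The following Python model is an added illustration, not CipherTrust Manager code or its API. The state names, the `request` helper, the role strings, and the rule that each approver counts once are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Operation names from the "Supported Operations" table on this page.
SUPPORTED_OPS = {"DeleteClientCTE", "DeleteClientGroupCTE", "UpdateClientGroupCTE",
                 "DeleteGuardPointCTE", "UpdatePolicyCTE"}
# Role labels from the workflow text (descriptive strings, not product group IDs).
APPROVER_ROLES = {"CTE administrator", "CipherTrust Manager Administrator"}


@dataclass
class Quorum:
    operation: str
    resource: str
    approvals_needed: int                 # "Approvals Needed" in the quorum policy
    state: str = "created"                # created -> active -> approved -> executed
    approvers: set = field(default_factory=set)

    def activate(self):
        if self.state != "created":
            raise ValueError(f"cannot activate a quorum in state {self.state}")
        self.state = "active"

    def approve(self, user, role):
        if self.state != "active":
            raise ValueError(f"cannot approve a quorum in state {self.state}")
        if role not in APPROVER_ROLES:
            raise PermissionError(f"{role} may not approve {self.operation}")
        self.approvers.add(user)          # assumption: each approver counts once
        if len(self.approvers) >= self.approvals_needed:
            self.state = "approved"

    def execute(self):
        # The final action (for example Delete Client) stays blocked until approved.
        if self.state != "approved":
            raise PermissionError(f"{len(self.approvers)}/{self.approvals_needed} approvals")
        self.state = "executed"


def request(operation, resources, approvals_needed, kubernetes_client=False):
    """Create one quorum per resource, as the page describes for bulk deletion."""
    if operation not in SUPPORTED_OPS:
        raise ValueError(f"{operation} is not a quorum-controlled CTE operation")
    if operation == "DeleteClientCTE" and kubernetes_client:
        raise ValueError("quorum is not supported for CTE for Kubernetes clients")
    return [Quorum(operation, r, approvals_needed) for r in resources]
```

With `approvals_needed=2`, a bulk request for two clients yields two independent quorums, and each one must be activated and approved by two different approvers before its deletion can run.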