Quorum Control
CTE supports the quorum feature of the CipherTrust Manager. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations. After the quorum policy is configured for an operation, all the approvers need to approve the operation before it can be successfully executed.
Refer to Quorums for details on the quorum feature of the CipherTrust Manager.
Supported Operations
Operation | Authorized Group for Approval |
---|---|
DeleteClientCTE | CTE Admins |
DeleteClientGroupCTE | CTE Admins |
DeleteCSIStorageGroupCTE | CTE Admins |
DeleteGuardPointCTE | CTE Admins |
DeletePolicyCTE | CTE Admins |
DeletePolicyElementsCTE | CTE Admins |
DeleteProfileCTE | CTE Admins |
UpdateClientGroupCTE | CTE Admins |
UpdateCSIStorageGroupCTE | CTE Admins |
UpdateGuardPointCTE | CTE Admins |
UpdatePolicyCTE | CTE Admins |
UpdatePolicyElementsCTE | CTE Admins |
UpdateProfileCTE | CTE Admins |
Note
CTE for Kubernetes clients with healthy status cannot be deleted by the CipherTrust Administrator. Only the CTE Agent can trigger their deletion. So, quorum is not supported for CTE for Kubernetes clients.
Supported APIs and Resources
Operation | APIs | Applicable to | Remarks |
---|---|---|---|
Delete clients (DeleteClientCTE) | • Single client deletion • Bulk client deletion | • FS (CTE and RWP) clients • CTE-U (CTE UserSpace) clients | Bulk client deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. Do not modify/delete the requested clients after a quorum request is created for bulk deletion. To make any changes, ensure that the quorum request is deleted. |
Delete client groups (DeleteClientGroupCTE) | Delete client groups | • NON-CLUSTER groups • HDFS groups | - |
Update client groups (UpdateClientGroupCTE) | • Update client groups • Send LDT suspend/resume request to the CTE client groups | • NON- CLUSTER groups • HDFS groups | - |
Delete client GuardPoints (DeleteGuardPointCTE) | • Single GuardPoint deletion • Bulk GuardPoint deletion | • FS (CTE and RWP) GuardPoints • CTE-U (CTE UserSpace) GuardPoints | Bulk GuardPoint deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. Do not modify/delete the requested GuardPoints after a quorum request is created for bulk deletion. To make any changes, ensure that the quorum request is deleted. |
Delete client group GuardPoints (DeleteGuardPointCTE) | • Single GuardPoint deletion • Bulk GuardPoint deletion | • NON- CLUSTER groups • HDFS groups | Bulk client group GuardPoint deletion behavior: Quorums are created for all resources. The administrators (approvers) need to approve quorum for all resources. Do not modify/delete the requested GuardPoints after a quorum request is created for bulk deletion. To make any changes, ensure that the quorum request is deleted. |
Update client GuardPoints (UpdateGuardPointCTE) | Single GuardPoint update | • FS (CTE and RWP) GuardPoints • CTE-U (CTE UserSpace) GuardPoints | Bulk update is not supported. |
Update client group GuardPoints (UpdateGuardPointCTE) | Single GuardPoint update | • NON- CLUSTER groups • HDFS groups | Bulk update is not supported. |
Delete Kubernetes storage group GuardPolicies (DeleteGuardPointCTE) | Delete GuardPolicies from Kubernetes storage groups | Kubernetes clients | - |
Update Kubernetes storage group GuardPolicies (UpdateGuardPointCTE) | Single Kubernetes storage group GuardPolicy update | Kubernetes clients | - |
Delete Kubernetes storage groups (DeleteCSIStorageGroupCTE) | Single Kubernetes storage group deletion from Kubernetes clients | Kubernetes clients | - |
Update policy (UpdatePolicyCTE) | • Update a policy • Add, update, delete key rules • Add, update, delete security rules • Add, update, delete data transformation rules • Add, update, delete LDT rules • Update IDT rules • Add, update, and delete signature rules | • LDT policies • IDT policies • COS policies • CTE for Kubernetes policies • STANDARD policies | - |
Delete policy elements (DeletePolicyElementsCTE) | Delete policy elements • Delete a resource set • Delete a user set • Delete a process set • Delete a signature set | Delete an element | Bulk deletion is not supported. |
Update policy elements (UpdatePolicyElementsCTE) | Update policy elements • Update a resource set • Update a user set • Update a process set • Update a signature set • Add or remove a resource from a resource set • Add or remove a user from a user set • Add or remove a process from a process set • Add or remove a signature from a signature set | Single element update | Bulk update is not supported. |
Delete profiles (DeleteProfileCTE) | Delete a profile | - | Bulk deletion is not supported. |
Update profiles (UpdateProfileCTE) | Update a profile | - | Bulk update is not supported. |
Workflow
This section provides the basic flow of the quorum process for the DeleteClientCTE operation. The process is similar for all the supported operations. This section assumes that a quorum policy, which requires two approvals for the DeleteClientCTE operation, is activated on the CipherTrust Manager.
Attempt to delete a client:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the overflow icon () corresponding to the client you want to delete.
Click Delete. A dialog box appears prompting to confirm the action.
Click Delete.
A dialog box appears stating that a quorum request has been made, and you need to get approval for this action.
The Quorum ID is displayed on the dialog box.
View details of the quorum.
On the Requesting
dialog box, click the Go to Quorums Screen link. Alternatively, click OK on the Requesting
dialog box and navigate to the Quorums page of the CipherTrust Manager GUI. The Quorums page contains the Active Quorums and Inactive Quorums tabs. These tabs show quorum details such as the operation name, the requester who initiated the quorum, status and state of the quorum, and the quorum actions.
Under the Operation column, expand DeleteClientCTE: <client-name>.
Information about the client to be deleted and the quorum approvers is displayed on the Quorum Client Info and Quorum Approvers tabs respectively.
Click the Quorum Approvers tab to view details about the quorum approvers.
Approve the quorum. You, another CTE administrator, or a CipherTrust Manager Administrator can approve the quorum.
To approve the quorum:
Under Actions, click the Approve Quorum icon () next to the desired DeleteClientCTE: <client-name> operation. The Approve Quorum dialog box is displayed.
If you are the last approver, the dialog box displays the message, "This is the final approval. If you approve the quorum, the operation will be executed automatically."
(Optional) Specify a Reason for the approval.
Click Confirm to approve the quorum. A message stating that the quorum is successfully approved is displayed.
Similarly, all the approvers need to approve the quorum for successful execution of the operation. The number of approvers is configured under Approvals Needed on the Admin Settings > Quorum Policy page.
When the last approver approves the quorum, the operation is removed from the Active Quorums tab and the client is deleted from the Clients page. The executed operation is displayed on the Inactive Quorums tab of the Quorums page with the
executed
state.The logs of the operation are available on the Records > Server Records page.
Verify the client deletion.
Open the Transparent Encryption application.
Click Clients > Clients.
Notice that the client is no longer listed on the Clients page. This indicates successful deletion of the client.