StorageFabric Demo Scenario
===========================
Welcome to the StorageFabric Demo scenario!
Use this guide if you have been given access to a demo StorageFabric instance
by the Virtalica team.
This guide will help you to get started quickly with StorageFabric.
Before using this guide, ensure that you have received the following
from us:
* :ref:`glossary-configuration-manager` URL
* :ref:`glossary-proxy` URL
* Username and password for the :ref:`glossary-configuration-manager`.
Username is typically **admin**.
*****
That's it, let's get started!
In this demo scenario, we will walk through the following:
* `View Pre-Configured Providers and Data Buckets`_
* `Upload and Download Data Securely via the StorageFabric Gateway`_
* `Manage Clients Access Control`_
* `Use Key Management Integration`_
|
View Pre-Configured Providers and Data Buckets
----------------------------------------------
The StorageFabric Demo system is preconfigured with multiple cloud
storage providers, along with an AWS and a Google :ref:`glossary-data-bucket`
for your use.
To view the configuration, use the following steps.
:stepnumberonedigit:`1` :stepheading:`Log in to the configuration manager web interface.`
To log in to the Configuration Manager Web interface:
* Open a browser, and visit the ``Configuration Manager URL`` provided to you, for example,
*https://sf-demo.privatemachines.com:5600*
* On the **Login Page**, enter the ``user name`` and ``password`` provided to you.
* Click **Login**.
|
:stepnumberonedigit:`2` :stepheading:`View configured providers and data buckets.`
To see the providers configured in your demo system:
* Expand **BACKENDS** and click the **Providers** link from the left-hand-side navigation menu.
To see the |data buckets| configured in your demo system:
* Expand **STORAGE** and click the **Virtual Buckets** link from the left-hand-side navigation menu.

.. note::

   You can configure additional |data buckets| with storage providers
   of your choice as described in :doc:`../tutorials/setting-up-client-access`.

*****
Upload and Download Data Securely via the StorageFabric Gateway
---------------------------------------------------------------
In this section, we will use a standard off-the-shelf S3 client
and upload/download data securely to both Amazon and Google
:ref:`glossary-data-bucket`.
:stepnumberonedigit:`1` :stepheading:`Create a Client Access Key.`
To create a :ref:`Client Access Key `:
* Log in to the Configuration Manager Web interface.
* From the left navigation menu, expand **IDENTITY** and click **Client Access Keys**.
* Select the tab **Create Client Access Key**.
* Click on the button **Create Client Access Key**.
A new client access and secret key will be displayed at the top.
Note down the **ClientAccessKeyID** and **ClientSecretAccessKey**
displayed. We will use these later in **Step 3**.
|
:stepnumberonedigit:`2` :stepheading:`Download and install an S3 client.`
In this demo, we will use the **S3 Browser** tool. Any other S3-compatible
client tool can also be used with StorageFabric.
For more advanced users, CLIs and the Python and Java SDKs are also supported
as described in :doc:`../tutorials/using-client-tools-and-sdks`.
Other off-the-shelf tools, such as `CloudBerry Explorer `_ can also be used.
For this demo:
* Download, install, and run the **S3 Browser** tool from the
`S3 Browser download page `_
|
:stepnumberonedigit:`3` :stepheading:`Configure S3 client.`
Next, configure the S3 Browser client for StorageFabric:
* From the top menu, select **Accounts->Add new account**.
In the **Add New Account** dialog:
* Enter **StorageFabric Demo** for the account name.
* Select **S3 Compatible Storage** for the **Account Type**.
* Enter the ``StorageFabric Gateway URL`` provided to you
for the **REST Endpoint**. For example, *sf-demo.privatemachines.com:8000*.
**Note:** Do not enter the **https://** prefix.
* For **Access Key ID**, enter the **ClientAccessKeyID**
generated in **Step 1** above.
* For **Secret Access Key**, enter the **ClientSecretAccessKey**
generated in **Step 1** above.
* Check the box **Use secure transfer (SSL/TLS)**.
* Click the button **Add new account**.
* Then, click on **Save Changes**.
Once the new account is added, you should see **virtual-bucket-1**
and **virtual-bucket-2** in the client.
|
:stepnumberonedigit:`4` :stepheading:`Upload/Download files securely.`
To upload files to any of the |data buckets|, simply drag and
drop files into the desired bucket.
To download a file, right click on the file name and select **Download**.
You are now simultaneously accessing both Amazon and Google
over a single interface.
The :ref:`glossary-proxy` is transparently taking care of
all the data encryption and decryption, cloud-compatibility, etc.
*****
Manage Clients Access Control
-----------------------------
To briefly showcase access control, we will limit
our client from the previous section to **read-only** access to
the :ref:`Data Buckets `.
:stepnumberonedigit:`1` :stepheading:`Assign readonly role to client access key.`
* Log in to the Configuration Manager Web interface.
* From the left navigation menu, expand **ACCESS CONTROL** and click **Client Access Key Roles**.
* Select the tab **Add Role to Client Access Key**.
* For **Access Key ID**, enter the **ClientAccessKeyID** generated
in the previous section.
* For **Role Name**, enter **readonly**.
* For **Context**, enter **{ "providers" : "^.*$", "buckets" : "^.*$", "paths" : "^.*$" }**
* Click **Add Role**.
|
:stepnumberonedigit:`2` :stepheading:`Remove admin role from client access key.`
* From the left navigation menu, expand **ACCESS CONTROL** and click **Client Access Key Roles**.
* Locate the row with your **ClientAccessKeyID** and the **admin** role.
* Click on the **Trash** icon in the same row. You will be taken to the
**Remove a role from a Client Access Key** tab.
* Click **Remove Role**.
|
:stepnumberonedigit:`3` :stepheading:`Check client permissions.`
To check new client permissions:
* Move to your **S3 Browser** client window.
* Try to upload a file into one of your buckets.
You will see an **Access Denied** error.
Note that it may take a minute for permissions to propagate.
|
:stepnumberonedigit:`4` :stepheading:`Restore read-write permissions.`
To restore read and write client permissions:
* From the left navigation menu, expand **ACCESS CONTROL** and click **Client Access Key Roles**.
* Select the tab **Add Role to Client Access Key**.
* For **Access Key ID**, enter the **ClientAccessKeyID** generated
in the previous section.
* For **Role Name**, enter **admin**.
* For **Context**, enter **{ "providers" : "^.*$", "buckets" : "^.*$", "paths" : "^.*$" }**
* Click **Add Role**.
You can upload files again via your S3 browser client app.
Note that it may take a minute for permissions to propagate.

.. note::

   In StorageFabric deployments, clients' access control can also be fully managed
   via your Active Directory and ADFS setup as described in
   :doc:`../tutorials/identity/setting-up-single-signon`.

*****
Use Key Management Integration
------------------------------
StorageFabric uses a multi-level key hierarchy to protect data.
For details, see :ref:`about-key-management`.
Although StorageFabric has built-in key management, integration
with on-prem, custom key management solutions is easy.
In this section, we will see how to use your custom keys
for data encryption.
In this guide, we will use the :doc:`Configuration Management REST API <../../reference/api/configuration-manager-and-setup-rest-api>` to add a custom :ref:`glossary-bucket-encryption-key`.
You can also add encryption keys via the web interface.
:stepnumberonedigit:`1` :stepheading:`Generate an Encryption Key.`
Use the following command to generate a new :ref:`glossary-bucket-encryption-key`:

.. parsed-literal::

   openssl enc -salt -aes-256-cbc -k $(openssl rand -base64 32) \\
       -P -md sha256 | grep key= | cut -d'=' -f 2

A new :ref:`glossary-bucket-encryption-key` will be generated and displayed,
similar to the following:

.. parsed-literal::

   444E5DD41F7F168B4AB4675C5D73F903F9899276574D4C397BB83D57F22F55DC

Alternatively, follow the instructions for your key management solution to
generate an AES-256 :ref:`glossary-bucket-encryption-key`.
Convert your key, if required, to a 64-character hex string
as shown in the example above.
|
:stepnumberonedigit:`2` :stepheading:`Create a Client Access Key for API access.`
To create a :ref:`Client Access Key `:
* Log in to the Configuration Manager Web interface as the **admin** user.
* From the left navigation menu, expand **IDENTITY** and click **Client Access Keys**.
* Select the tab **Create Client Access Key**.
* Click on the button **Create Client Access Key**.
A new client access and secret key will be displayed at the top.
Note down the **ClientAccessKeyID** and **ClientSecretAccessKey**
displayed.
|
:stepnumberonedigit:`3` :stepheading:`Add Encryption Key to StorageFabric.`
Use the following curl command to add the custom encryption key
for the :ref:`glossary-data-bucket` **virtual-bucket-1**:

.. parsed-literal::

   curl -X PATCH \\
       https://sf-demo.privatemachines.com:5600/api/buckets/virtual-bucket-1 \\
       -u CLIENTACCESSKEYID:CLIENTSECRETACCESSKEY \\
       --data add-encryption-key="444E5DD41F7F168B4AB4675C5D73F903F9899276574D4C397BB83D57F22F55DC"

In the above command replace:
* **sf-demo.privatemachines.com:5600** with your :ref:`glossary-configuration-manager` URL.
* **CLIENTACCESSKEYID** and **CLIENTSECRETACCESSKEY** with the *ClientAccessKeyID*
and *ClientSecretAccessKey* from **Step 2**.
* **virtual-bucket-1** with your desired :ref:`glossary-virtual-bucket-name`.
* The **add-encryption-key** value with your custom encryption key in hex format.
Once your new encryption key is added, it will be used henceforth for data
encryption. Note that it may take a minute for key changes to propagate.
To view your newly added encryption key, use:

.. parsed-literal::

   curl -X GET https://storagefabric-configuration.com:5600/api/buckets/ \\
       -u CLIENTACCESSKEYID:CLIENTSECRETACCESSKEY

Again, replace **CLIENTACCESSKEYID** and **CLIENTSECRETACCESSKEY** with the *ClientAccessKeyID*
and *ClientSecretAccessKey* from **Step 2**.
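
The shell functions below are an added example, not StorageFabric code. They cover Steps 1 to 3: converting a base64 key exported from a KMS to the 64-character hex form, validating it, and sending the same PATCH request with the credentials and key read by curl from standard input instead of the command line. The function names and the ``SF_URL``, ``SF_KEY_ID`` and ``SF_SECRET`` variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not StorageFabric code. Function names and the SF_URL,
# SF_KEY_ID and SF_SECRET variables are assumptions of this sketch.

# Succeed only for exactly 64 hex characters (one AES-256 key).
is_valid_bucket_key() {
  case "$1" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Convert a base64-encoded 32-byte key (a common KMS export format)
# into the upper-case hex form used in Step 1; reject other lengths.
b64_key_to_hex() {
  sf_hex=$(printf '%s' "$1" | base64 -d 2>/dev/null |
    od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
  is_valid_bucket_key "$sf_hex" || return 1
  printf '%s\n' "$sf_hex"
}

# Print a curl config for the Step 3 PATCH request.
# Args: base URL, bucket name, access key ID, secret key, hex key.
# Assumes the credentials contain no '"' or '\' characters.
build_add_key_config() {
  is_valid_bucket_key "$5" || { echo "key must be 64 hex chars" >&2; return 1; }
  printf 'request = "PATCH"\n'
  printf 'url = "%s/api/buckets/%s"\n' "$1" "$2"
  printf 'user = "%s:%s"\n' "$3" "$4"
  printf 'data = "add-encryption-key=%s"\n' "$5"
}

# Send the request. curl reads its options from stdin, so the secret
# and the key are not curl arguments visible in the process list.
# Args: bucket name, hex key. Uses SF_URL, SF_KEY_ID and SF_SECRET.
add_bucket_key() {
  sf_cfg=$(build_add_key_config "$SF_URL" "$1" "$SF_KEY_ID" "$SF_SECRET" "$2") || return 1
  printf '%s\n' "$sf_cfg" | curl --silent --show-error --fail --config -
}
```

Set ``SF_URL`` to your Configuration Manager URL (including ``https://``) and call ``add_bucket_key virtual-bucket-1 "$(b64_key_to_hex "$KEY_B64")"``, where ``KEY_B64`` is a hypothetical variable holding the exported key.
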

.. seealso::

   For using a custom :ref:`glossary-master-encryption-key` from your KMS,
   see :doc:`../tutorials/integrating-key-management-using-kmip`. For security, KMS integration for |master encryption key|
   is not exposed via APIs.

*****
Exploring Further
-----------------
This demo guide showcases a very small subset of StorageFabric features.
To explore further, you may be interested to learn :doc:`../../about/howitworks`
and utilize the online :doc:`../quickstart` and :doc:`../tutorials`.
Further links:
* :doc:`../installation`
* :doc:`../configuration`
* :doc:`../access-control`