
Introduction

These release notes provide a comprehensive overview of the new features, enhanced functionalities, and resolved issues found in version 5.1 of NEMO. They also include the details of the patch versions associated with release 5.1.

What's new in NEMO 5.1

Role-Based Access Control

RBAC is a security model that grants or restricts access to resources based on a user's role within an organization. Each role is assigned specific permissions, and users inherit those permissions based on their assigned roles, ensuring that individuals can only access the data and resources necessary for their job.

Previously, users were configured with both object access scope (e.g., the types of graphs they could access) and data scope (the subset of data they were permitted to access and interact with) within their user profile. Now, object access scope is defined at the role level, while data scope remains specified within the user profile.

This change simplifies user management by centralizing the management of object access scope at the role level, making it easier to assign and update permissions for groups of users based on their roles. Administrators no longer need to configure object access individually for each user, streamlining the process. Meanwhile, data scope remains tied to the user profile, ensuring that personalized data access remains specific to each user.

Multi-Factor Authentication

TOTP-based MFA is now supported for login. MFA requirements are managed at the role level, enabling administrators to define security policies for groups of users. Available options include allowing, enforcing, or disabling MFA, providing flexibility in access management.
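
An added example (not NEMO's code) of how a role-level MFA policy can gate a TOTP check after the password step, including the case addressed by pull 856 in release 5.1.1. The policy names, the function names and the meaning given to each policy are assumptions; the TOTP computation follows RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", max(int(at), 0) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, candidate: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + i * STEP).encode(), candidate.encode())
        for i in range(-window, window + 1)
    )

def login_decision(role_policy, user_secret, code, at):
    """Outcome after a correct password: 'ok', 'denied' or 'enroll'.

    Assumed semantics (not taken from NEMO): 'disable' never checks a code,
    'allow' checks only users who enrolled, 'enforce' requires everyone to enroll.
    """
    if role_policy == "disable":
        # The role decides: a secret left on the user profile is ignored.
        return "ok"
    if role_policy not in ("allow", "enforce"):
        raise ValueError(f"unknown MFA policy: {role_policy!r}")
    if user_secret is None:
        return "enroll" if role_policy == "enforce" else "ok"
    if code and verify_totp(user_secret, code, at):
        return "ok"
    return "denied"

# Constructed sample: the RFC 6238 test secret, evaluated at t = 59 s.
SECRET = b"12345678901234567890"
if __name__ == "__main__":
    good = totp(SECRET, 59)
    for policy in ("allow", "enforce", "disable"):
        print(policy, login_decision(policy, SECRET, good, 59),
              login_decision(policy, SECRET, "000000", 59),
              login_decision(policy, None, None, 59))
```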

Password Management

User password management has been enhanced, allowing users to change their own passwords. Additionally, administrators can now enforce a password change upon a user's next login for added security.

Calls Search Access Control

Previously, the calls search feature was reserved for administrators, as it did not consider the data scope assigned to users, allowing them to view calls from any group. Now, search results are filtered based on user access rights, ensuring that users only see calls they are permitted to access. With this improvement, the calls search feature can be safely opened to all users without the risk of data leakage.

Auto-enable Stats for Broadsoft Plugin

As with other device plugins, it is now possible to configure the auto-enabling of stats for enterprises/service providers by defining regular expressions in the system settings. These expressions determine which groups should have stats enabled, providing greater flexibility and automation.

Improved Watchdog Coordination

The watchdog process has been enhanced to coordinate the startup and shutdown of various engines when NEMO is deployed across multiple servers. This improvement prevents race conditions that could arise from parallel computations on the same data, ensuring smoother and more reliable operation.

Patch Versions Release Notes

Release 5.1.1

Pull id  Fix
856      disabled MFA validation if already configured at user-level but disabled at role-level
854      fixed replica set information for page platformStatistics/status
849      fixed APIO REST API handling when callType parameter is provided; fixed APIO REST API parsing of days parameter
846      fixed list of groups linked to label missing some groups in labels list page
843      adapted capture plugin stats to ignore OPTIONS for computation of sources/destinations stats

Upgrade from 5.0

INFO

If you are coming from a release prior to 5.0, refer to the release notes for that release to perform the intermediate steps.

Both RHEL 7 and RHEL 8 versions of the RPMs are available. For instance:

  • nemo-5.1.0-1.el7.x86_64.rpm
  • nemo-5.1.0-1.el8.x86_64.rpm

As identity & access management has shifted from a user-based to a role-based access control model, a migration of user profiles is required after the software update.

Backup Users Database

Back up the users database before upgrading so that a rollback or downgrade remains possible. To do so, navigate to a suitable directory and run the following command:

mongodump -d users

This will create a backup of the users database and save it in the dump directory within the current working directory.

NEMO RPM Update

To launch the upgrade, on all servers do:

yum install /<path>/nemo-5.1.x-y.el7.x86_64.rpm

Afterwards, restart NEMO with:

systemctl restart nemo

Migrate Users

The migration tool will migrate users by performing the following tasks:

  • Listing users and their data scope.
  • Listing users and their object access scope.
  • For each unique object access scope, creating a role named role_xx and linking the corresponding users to that role.

WARNING

Over the years, repeated cloning of user profiles may lead to seemingly similar profiles resulting in different roles being created. This occurs due to subtle differences in object access scope accumulated over time. The new RBAC system simplifies user management by ensuring that users are linked to a limited set of roles.
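
An added example (not the NEMO migration tool) of the grouping described above and of the near-duplicate roles the warning refers to, so that roles differing by a single entry can be spotted when reviewing the proposed changes. The profile fields, the sample users and the role_NN numbering are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample profiles; the field names are hypothetical, not NEMO's schema.
USERS = [
    {"login": "alice", "objects": ["graphs", "calls_search", "reports"]},
    {"login": "bob", "objects": ["reports", "graphs", "calls_search"]},
    {"login": "carol", "objects": ["graphs", "calls_search"]},  # clone of alice, one entry removed
    {"login": "dave", "objects": ["labels"]},
]

def plan_roles(users):
    """Group users by identical object access scope.

    Returns {role_name: (scope, [logins])}; entry order inside a profile is ignored.
    """
    by_scope = defaultdict(list)
    for user in users:
        by_scope[frozenset(user["objects"])].append(user["login"])
    # Sort scopes so role numbering is stable from one run to the next.
    ordered = sorted(by_scope.items(), key=lambda item: sorted(item[0]))
    return {
        f"role_{n:02d}": (scope, sorted(logins))
        for n, (scope, logins) in enumerate(ordered, 1)
    }

def near_duplicates(roles, max_diff=1):
    """Pairs of roles whose scopes differ by at most `max_diff` entries."""
    pairs = []
    for (name_a, (scope_a, _)), (name_b, (scope_b, _)) in combinations(roles.items(), 2):
        diff = scope_a ^ scope_b  # entries present in only one of the two scopes
        if 0 < len(diff) <= max_diff:
            pairs.append((name_a, name_b, sorted(diff)))
    return pairs

if __name__ == "__main__":
    roles = plan_roles(USERS)
    for name, (scope, logins) in roles.items():
        print(name, sorted(scope), logins)
    for name_a, name_b, diff in near_duplicates(roles):
        print(f"{name_a} and {name_b} differ only by {diff}: candidates for merging")
```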

TIP

After the migration, you may notice that the admin account is linked to a role with certain limitations. To restore full administrative rights to the admin user, simply edit the user from the GUI and reassign the admin role.

To run the migration tool, launch the following command:

/opt/nemo/bin/nemo-admin migrate to-5.1

The tool will prompt you to review the changes and confirm the modifications before proceeding with the migration.

Downgrade from 5.1 to 5.0

In the case of a downgrade, restoring the users database is required to revert to the previous identity and access management system.

NEMO RPM Downgrade

Install the previous rpm on all servers with the command:

yum downgrade /<path>/nemo-5.0.x-y.x86_64.rpm

Restore the Users Database

Navigate to the directory where you previously ran the backup command and launch the following command:

mongorestore --drop dump/

This will remove the existing users database and replace it with the contents of the database from before the upgrade.

Patch Upgrade Path from 5.1.x

To upgrade to a target patch release, the Admin needs to check the upgrade path to know which actions to take.

INFO

It is important to highlight that an action needed at a patch level 5.1.N is also needed for direct upgrade to 5.1.N+1, 5.1.N+2, ...

Patch release  Needed actions
5.1.1          None

In addition to the listed needed actions:

On all servers, do as root:

# yum update /<path>/nemo-5.1.x-y.el7.x86_64.rpm