Sudo on avamar

Hi community, I'm trying to use sudo to avoid granting admin and root password to operators team, they need to do some checks from SO side.
Sudo allows us flexibility like this.

avoperator@ave-04:~/#: sudo mccli client show
0,23000,CLI command completed successfully.

avoperator@ave-04:~/#: sudo mccli client delete
avoperator's password:
Sorry, user avoperator is not allowed to execute '/usr/local/avamar/bin/mccli client delete' as root on ave-04.

Now operator called "avoperator" has some new commands available after adding there lines in /etc/suders.
# Extend permissions to avoperator group
%avoperator ALL=(root) NOPASSWD: /usr/local/avamar/bin/mccli * show, /usr/local/avamar/bin/dpnctl status, /usr/local/avamar/bin/status.dpn

There are no official avamar doc related to this config. Do you know if it is a config "blessed" by support?

Responses(4)

ionthegeek

2K Posts

0

December 3rd, 2019 12:00

@calvop wrote:

seems that SUDO and privilege account management are unexplored lands in a Avamar’s landscape.

SUDO and privilege account management are forbidden lands in the Avamar landscape. Creation of additional OS-level user accounts on Avamar systems is not supported. Modification of the sudoers configuration on an Avamar system is not supported. You may be denied support if you make these sorts of changes to your system.

If your operators specifically need mccli access to the system, I recommend installing the mccli package on a virtual machine as @SteveK821 mentioned above. The mccli guide for the most recent release is available here:

https://support.emc.com/docu93977_Avamar_19_Management_Console_Command_Line_Interface_(MCCLI)_Programmer_Guide.pdf?language=en_US&source=Coveo

A better alternative would be the Avamar REST API. The REST API underpins the new AUI interface. It is powerful, flexible, and freely available for customer use. Any tasks that can be performed using the AUI interface can be performed by calling the REST API directly. There is a getting started guide here:

https://support.emc.com/docu94033_Avamar_19.1_REST_API_Getting_Started_Guide.pdf?language=en_US&source=Coveo

S

SteveK821

2 Intern

•

140 Posts

0

December 2nd, 2019 06:00

I'm honestly not sure if any of that is supported officially. Starting with creating new users on Linux OS in Avamar. AFAIK only the built-in OS accounts (root, admin, dpn) are allowed, as only they have the various keys, etc. I have no idea what would happen to those accounts after an Avamar Upgrade, or how the system would react.

Extra users are only allowed for MCGUI/AUI. MCCLI is available as a separate package for Linux, you could install that on a Linux server and use that to run various MCCLI scripts for Avamar (MCCLI package connects to Avamar using an MCGUI User).

For some reason I am having problems opening Knowledge Base articles, but try looking up KB 500235, which has information on the user accounts in Avamar.

Avamar: Avamar GSAN accounts are unrelated to Avamar Linux OS user accounts and cannot be used to manage the Avamar Server through Command Line Interface (CLI) or SSH

calvop

5 Posts

0

December 3rd, 2019 11:00

Thanks for your answer, seems that SUDO and privilege account management are unexplored lands in a Avamar’s landscape.

Your shared KB say “ if a user different from "admin" has administrator privileges to access to the system through CLI, the consequences of a mistake might be terrible as it can access to all the system information and this will put customer's data at risk …“ I can’t understand how can I put data on risk issuing a simple mccli show client command granted by my /etc/sudoers file

calvop

5 Posts

0

December 3rd, 2019 12:00

Thank you both

View All

No Events found!