Admins privileges such as Root
Hi,
Here is a request that a lot of customers make to me and for which I know that "officially" there really is no answer, but perhaps, with only the beginning of a lead, I could raise in some people the desire to find a reliable and functional solution and thus satisfy a large part of Isilon customers.
I created a role called "IGRadmin" to which I added the group "Administrators", which includes "Domain Admins".
The following privileges are granted:
--------------------------------------------------------------------------------
Name: IGRAdmin
Description: -
Members: Administrators
Privileges:
ID : ISI_PRIV_LOGIN_CONSOLE
Read Only : True
ID : ISI_PRIV_LOGIN_PAPI
Read Only : True
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_AUTH
Read Only : False
ID : ISI_PRIV_ROLE
Read Only : False
ID : ISI_PRIV_EVENT
Read Only : False
ID : ISI_PRIV_NFS
Read Only : False
ID : ISI_PRIV_QUOTA
Read Only : False
ID : ISI_PRIV_SMB
Read Only : False
ID : ISI_PRIV_SNAPSHOT
Read Only : False
ID : ISI_PRIV_SYNCIQ
Read Only : False
ID : ISI_PRIV_NS_TRAVERSE
Read Only : True
ID : ISI_PRIV_NS_IFS_ACCESS
Read Only : True
When I connect to the web interface, I get to OneFS but with reduced rights, as with SSH.
Below are the menus and submenus for which no privileges are granted:
DASHBOARD
- all submenus
CLUSTER MGMT
- General Settings
- Network Configuration
- Hardware Configuration
- Operations
FILE SYS MGMT
- SmartPools
- iSCSI
- File System Explorer
- File System Settings
DATA PROTECTION PROTOCOLS
- SyncIQ
- Backup
- Antivirus
PROTOCOLS
- FTP Settings
- HTTP Settings
- ACLs
HELP
- Diagnostics
- About this cluster
I'm surprised about SyncIQ because the privilege is supposed to be granted.
Is there another privilege that must be granted to allow the activation of SyncIQ? Why can we not have visibility of the Dashboard, which is an information page?
The goal is to get as close as possible to the root account in terms of privileges, and also to avoid using the root account, which is the default, and needing to change the password at each departure of an employee or a service.
Thank you in advance for your help.
Additional information:
-Isilon OneFS v7.0.1.5 B_7_0_1_165(RELEASE) installed on all nodes
-Model:
-Isilon NL400-4U-Dual-12GB-2x1GE-2x10GE SFP+-36TB
-Isilon X200-2U-Single-12GB-2x1GE-2x10GE SFP+-24TB
jimgossett
26 Posts
2
October 10th, 2013 15:00
Jerome:
The RBAC feature in OneFS isn't fully featured yet; among the privileges you have highlighted above, SyncIQ, SmartPools, and the Job Engine (Operations) are added natively to RBAC and the PlatformAPI in OneFS 7.1.
Additionally, it is possible in OneFS 7.0.2.4 and later (including OneFS 7.1) to use an expanded RBAC to grant permissions to most of the above options; in some cases this is done via an automatically generated sudoers file, but it should look and feel similar to "native" RBAC. OneFS 7.0.2.4 was released yesterday, so you should be able to grab it now!
Jim
emc402606
10 Posts
0
October 18th, 2013 02:00
Hi Jim,
Thank you. The new release of OneFS includes a lot of new privileges.
It's good news.
Jérôme (From France)
ScottPhelps
31 Posts
0
November 19th, 2013 10:00
It appears that File System Explorer is only available to root now in 7.0.2.3 and above. Is that right or am I missing something?
jimgossett
26 Posts
0
November 19th, 2013 10:00
Scott:
You're right -- this change was not well communicated, but it is true that only root has access to the File System Explorer in 7.0.2.2 and above (including all 7.1.x versions as well.) This change was made on purpose, to address security concerns, but we did not adequately warn about it in documentation or release notes.
We are working to update release notes for these versions to include this.
Jim