October 10th, 2013 04:00

Admins privileges such as Root

Hi,

Here is a request that many customers make to me and for which I know there is "officially" no real answer, only perhaps the beginning of a lead. I hope to spark in some of you the desire to find a reliable and functional solution and thus satisfy a large part of Isilon's customers.

I created a role called "IGRadmin" to which I added the group "Administrators", which includes "Domain Admins".

The following privileges are granted:

--------------------------------------------------------------------------------

Name: IGRAdmin

Description: -

Members: Administrators

Privileges:

ID : ISI_PRIV_LOGIN_CONSOLE

    Read Only : True

ID : ISI_PRIV_LOGIN_PAPI

    Read Only : True

ID : ISI_PRIV_LOGIN_SSH

    Read Only : True

ID : ISI_PRIV_AUTH

    Read Only : False

ID : ISI_PRIV_ROLE

    Read Only : False

ID : ISI_PRIV_EVENT

    Read Only : False

ID : ISI_PRIV_NFS

    Read Only : False

ID : ISI_PRIV_QUOTA

    Read Only : False

ID : ISI_PRIV_SMB

    Read Only : False

ID : ISI_PRIV_SNAPSHOT

    Read Only : False

ID : ISI_PRIV_SYNCIQ

    Read Only : False

ID : ISI_PRIV_NS_TRAVERSE

    Read Only : True

ID : ISI_PRIV_NS_IFS_ACCESS

    Read Only : True

When I connect to the web interface, I get into OneFS but with reduced rights, as with SSH.

Below are the menus and submenus for which no privileges are granted:

DASHBOARD

  • all submenu

CLUSTER MGMT

  • General Settings
  • Network Configuration
  • Hardware Configuration
  • Operations

FILE SYS MGMT

  • SmartPools
  • iSCSI
  • File System Explorer
  • File System Settings

DATA PROTECTION PROTOCOLS

  • SyncIQ
  • Backup
  • Antivirus

PROTOCOLS

  • FTP Settings
  • HTTP Settings
  • ACLs

HELP

  • Diagnostics
  • About this cluster

I'm surprised about SyncIQ because the privilege is supposed to be granted.

Is there another privilege that must be granted to allow the activation of SyncIQ? Why can we not have visibility of the Dashboard, which is an information page?

The goal is to get as close as possible to the root account in terms of privileges, and also to avoid using the root account by default and having to change its password at each departure of an employee or a service.

Thank you in advance for your help.

Additional information:

-Isilon OneFS v7.0.1.5 B_7_0_1_165(RELEASE) installed on all nodes

-Model:

    -Isilon NL400-4U-Dual-12GB-2x1GE-2x10GE SFP+-36TB

    -Isilon X200-2U-Single-12GB-2x1GE-2x10GE SFP+-24TB
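
An added example, not part of the original post and not OneFS code: a small Python parser for a role listing in the format shown above, which separates read-only from writable privileges and flags writable ISI_PRIV_ROLE and ISI_PRIV_AUTH for review. The function names, the shortened sample and the choice of those two privileges as the ones to review first are assumptions of this example.

```python
import re

# Constructed sample: a shortened copy of the role listing in the post above.
SAMPLE = """\
Name: IGRAdmin
Description: -
Members: Administrators
Privileges:
ID : ISI_PRIV_LOGIN_SSH
    Read Only : True
ID : ISI_PRIV_AUTH
    Read Only : False
ID : ISI_PRIV_ROLE
    Read Only : False
ID : ISI_PRIV_SYNCIQ
    Read Only : False
ID : ISI_PRIV_NS_IFS_ACCESS
    Read Only : True
"""

# Assumption of this example: writable access to these two privileges lets a
# role member change roles or authentication settings, so review them first.
ESCALATION_PRIVS = {"ISI_PRIV_ROLE", "ISI_PRIV_AUTH"}

def parse_role(text):
    """Return (role_name, {privilege_id: read_only}) from a role listing."""
    name, privs, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()  # blank lines between entries simply match nothing
        if m := re.fullmatch(r"Name\s*:\s*(\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"ID\s*:\s*(ISI_PRIV_\w+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"Read Only\s*:\s*(True|False)", line)) and current:
            privs[current] = m.group(1) == "True"
            current = None
    return name, privs

def audit(text):
    """Summarise a role: writable privileges, login paths, escalation risks."""
    name, privs = parse_role(text)
    writable = sorted(p for p, read_only in privs.items() if not read_only)
    logins = sorted(p for p in privs if p.startswith("ISI_PRIV_LOGIN_"))
    risky = sorted(ESCALATION_PRIVS.intersection(writable))
    return {"role": name, "writable": writable, "logins": logins, "escalation": risky}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
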

26 Posts

October 10th, 2013 15:00

Jerome:

The RBAC feature in OneFS isn't fully featured yet; among the privileges you have highlighted above, SyncIQ, SmartPools, and the Job Engine (Operations) are added natively to RBAC and the PlatformAPI in OneFS 7.1.

Additionally, it is possible in OneFS 7.0.2.4 and later (including OneFS 7.1) to use an expanded RBAC to grant permissions to most of the above options; in some cases this is done via an automatically generated sudoers file, but it should look and feel similar to "native" RBAC. OneFS 7.0.2.4 was released yesterday, so you should be able to grab it now!

Jim

10 Posts

October 18th, 2013 02:00

Hi Jim,

Thank you. The new release of OneFS includes a lot of new privileges.

It's good news.

Jérôme (From France)

31 Posts

November 19th, 2013 10:00

It appears that File System Explorer is only available to root now in 7.0.2.3 and above. Is that right, or am I missing something?

26 Posts

November 19th, 2013 10:00

Scott:

You're right -- this change was not well communicated, but it is true that only root has access to the File System Explorer in 7.0.2.2 and above (including all 7.1.x versions as well.) This change was made on purpose, to address security concerns, but we did not adequately warn about it in documentation or release notes.

We are working to update release notes for these versions to include this.

Jim
