
November 20th, 2014 12:00

How do I grant permission to a local user to run certain commands?

I have a production cluster (7.1.0.3) that needs to be monitored by Microsoft System Center Operations Manager (aka SCOM).

Via the GUI I created a user in SYSTEM (which is joined to our domain), LOCAL provider.

isi-scnode-1# isi auth users view scom
                    Name: scom
                      DN: CN=scom,CN=Users,DC=ISI-SCNODE
              DNS Domain: -
                  Domain: ISI-SCNODE
                Provider: lsa-local-provider:System
        Sam Account Name: scom
                     UID: 2002
                     SID: S-1-5-OICU812-1002
                 Enabled: Yes
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID : GID:1544
                        Name : Administrators
          Home Directory: /ifs/home/scom
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2014-11-20T14:53:09
       Password Last Set: 2014-11-06T10:20:37
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: scom@ISI-SCNODE
User Can Change Password: Yes

Via the CLI I ran these commands so that the account can log in via SSH:

isi auth roles create scomssh
isi auth roles modify scomssh --add-priv ISI_PRIV_LOGIN_SSH
isi auth roles modify scomssh --add-group Administrators
isi auth roles members list --role=scomssh

isi-scnode-1# isi auth roles members list --role=scomssh
Type  Name
--------------------
group Administrators
--------------------
Total: 1

isi-scnode-1# isi auth roles privileges list scomssh
ID
-------------------
ISI_PRIV_LOGIN_SSH
-------------------
Total: 1

isi-scnode-1# isi auth roles list
Name
-------------
SecurityAdmin
SystemAdmin
AuditAdmin
VMwareAdmin
scomssh
-------------
Total: 5

isi-scnode-1#

Now that the user account can log in via SSH, I'm being asked to ensure it can run these commands.

  • isi_hw_status
  • isi_drivenum
  • isi devices
  • isi statistics system
  • isi status
  • isi statistics drive
  • isi events list
  • isi job events list


I am NOT a CLI guru, so I'm struggling a bit.


Thanks in advance.

254 Posts

November 20th, 2014 12:00

I think I have most of the needed privileges.

ISI_PRIV_DEVICES

ISI_PRIV_SYS_SUPPORT

ISI_PRIV_STATISTICS

ISI_PRIV_EVENT

That should get you everything except possibly isi job events list. I’m not sure there is one for that. You may need to file a feature request with support for that.

— Adam Fox

Advisory SE, Emerging Technology Division

adam.fox@emc.com // 919-606-0911

10 Posts

November 20th, 2014 12:00

Couldn't you add the user to the AuditAdmin role? I think it covers most, if not all of these commands.

10 Posts

November 20th, 2014 12:00

ISI_PRIV_JOB_ENGINE?

10 Posts

November 20th, 2014 12:00

Add the privilege with read-only rights; [--add-priv-ro] should fix that, I think.

See the CLI Administration guide for details.

https://support.emc.com/docu54199_OneFS_7.1.1_CLI_Administration_Guide.pdf?language=en_US

254 Posts

November 20th, 2014 12:00

The user needs to run sudo to run the commands, even with privileges.

As for ISI_PRIV_JOB_ENGINE, that may do it. You may just want to give them ro access only.

— Adam Fox

Advisory SE, Emerging Technology Division

adam.fox@emc.com // 919-606-0911

306 Posts

November 20th, 2014 12:00

isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_DEVICES
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_SYS_SUPPORT
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_STATISTICS
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_EVENT
isi-scnode-1# isi auth roles privileges list scomssh
ID
--------------------
ISI_PRIV_LOGIN_SSH
ISI_PRIV_SYS_SUPPORT
ISI_PRIV_DEVICES
ISI_PRIV_EVENT
ISI_PRIV_STATISTICS
--------------------
Total: 5

isi-scnode-1#

When I log on as scom and execute any of the commands, I get this.

isi-scnode-1% isi devices
Commands not enabled for role-based administration require root user access.

isi-scnode-1% isi events list
Commands not enabled for role-based administration require root user access.

I'm trying my hardest to NOT allow any kind of ROOT access, but if it has to be, so be it.

10 Posts

November 20th, 2014 13:00

That's unfortunate. Well, unfortunate because adding sudo to the command was still a fail for me, even though I am a member of the AuditAdmin role:

The711-1$ isi status
Commands not enabled for role-based administration require root user access.

The711-1$ sudo isi status
Password:
mhiers is not in the sudoers file.  This incident will be reported.

The CLI reference says:

Some OneFS commands require root access; however, if you do not have root access, most of the commands associated with a privilege can be performed through the sudo program. The system automatically generates a sudoers file of users based on existing roles.

Maybe I did something wrong.

254 Posts

November 20th, 2014 13:00

The sudo command via RBAC typically does not need a password so you can just prepend it onto whatever command you want to run.
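An added example (not from this thread or from OneFS itself) that applies the advice above: parse the privilege listing the original poster pasted, compare it with the privilege each monitoring command is assumed to need, and emit read-only grants (--add-priv-ro) for whatever is missing. The command-to-privilege mapping and the role-name check are assumptions drawn from the replies here, not from OneFS documentation.

```python
import re

# Privilege each monitoring command is assumed to need. The mapping follows the
# replies in this thread, not OneFS documentation; ISI_PRIV_JOB_ENGINE for
# "isi job events list" was only a guess in the thread.
COMMAND_PRIVILEGES = {
    "isi_hw_status": "ISI_PRIV_SYS_SUPPORT",
    "isi_drivenum": "ISI_PRIV_SYS_SUPPORT",
    "isi devices": "ISI_PRIV_DEVICES",
    "isi statistics system": "ISI_PRIV_STATISTICS",
    "isi statistics drive": "ISI_PRIV_STATISTICS",
    "isi status": "ISI_PRIV_STATISTICS",
    "isi events list": "ISI_PRIV_EVENT",
    "isi job events list": "ISI_PRIV_JOB_ENGINE",
}

# "isi auth roles privileges list scomssh" output as pasted earlier in the thread.
SAMPLE_OUTPUT = """\
ID
--------------------
ISI_PRIV_LOGIN_SSH
ISI_PRIV_SYS_SUPPORT
ISI_PRIV_DEVICES
ISI_PRIV_EVENT
ISI_PRIV_STATISTICS
--------------------
Total: 5
"""

PRIV_LINE = re.compile(r"^(ISI_PRIV_[A-Z0-9_]+)$")   # one privilege ID per table row
ROLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")         # refuse shell metacharacters

def parse_privileges(listing: str) -> set[str]:
    """Collect the privilege IDs from 'isi auth roles privileges list' output."""
    return {m.group(1) for line in listing.splitlines()
            if (m := PRIV_LINE.match(line.strip()))}

def missing_privileges(listing: str, wanted: dict[str, str]) -> dict[str, str]:
    """Map each command whose privilege the role lacks to that privilege."""
    have = parse_privileges(listing)
    return {cmd: priv for cmd, priv in wanted.items() if priv not in have}

def remediation(role: str, missing: dict[str, str]) -> list[str]:
    """Read-only grants (--add-priv-ro, as suggested above) for each missing privilege."""
    if not ROLE_NAME.match(role):
        raise ValueError(f"unsafe role name: {role!r}")
    return [f"isi auth roles modify {role} --add-priv-ro {priv}"
            for priv in sorted(set(missing.values()))]
```

Adam's point still applies once the role carries the privileges: the monitoring account prefixes each command with sudo.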

3 Posts

April 19th, 2016 08:00

Hello,

I am wondering how it went for you with the error "Commands not enabled for role-based administration....." I have the same error. I am trying to create an account for scripting purposes; I created a role AdminScirpts, added myself to the group, and gave all privileges to run a few commands and log in to SSH, etc.

It would be helpful to know if you have fixed your issue and, if so, how. Thanks.

Prathi
