306 Posts
0
5836
How do I grant permission to a local user to run certain commands?
I have a production cluster (7.1.0.3) that needs to be monitored by Microsoft System Center Operations Manager (aka SCOM).
Via the GUI I created a user in SYSTEM (which is joined to our domain), LOCAL provider.
isi-scnode-1# isi auth users view scom
Name: scom
DN: CN=scom,CN=Users,DC=ISI-SCNODE
DNS Domain: -
Domain: ISI-SCNODE
Provider: lsa-local-provider:System
Sam Account Name: scom
UID: 2002
SID: S-1-5-OICU812-1002
Enabled: Yes
Expired: No
Expiry: -
Locked: No
Email: -
GECOS: -
Generated GID: No
Generated UID: No
Generated UPN: Yes
Primary Group
    ID : GID:1544
    Name : Administrators
Home Directory: /ifs/home/scom
Max Password Age: 4W
Password Expired: No
Password Expiry: 2014-11-20T14:53:09
Password Last Set: 2014-11-06T10:20:37
Password Expires: No
Shell: /bin/zsh
UPN: scom@ISI-SCNODE
User Can Change Password: Yes
Via the CLI I ran these commands so that the account can log in via SSH:
isi auth roles create scomssh
isi auth roles modify scomssh --add-priv ISI_PRIV_LOGIN_SSH
isi auth roles modify scomssh --add-group Administrators
isi auth roles members list --role=scomssh
isi-scnode-1# isi auth roles members list --role=scomssh
Type Name
--------------------
group Administrators
--------------------
Total: 1
isi-scnode-1# isi auth roles privileges list scomssh
ID
-------------------
ISI_PRIV_LOGIN_SSH
-------------------
Total: 1
isi-scnode-1# isi auth roles list
Name
-------------
SecurityAdmin
SystemAdmin
AuditAdmin
VMwareAdmin
scomssh
-------------
Total: 5
isi-scnode-1#
Now that the user account can log in via SSH, I'm being asked to ensure they can run these commands.
- isi_hw_status
- isi_drivenum
- isi devices
- isi statistics system
- isi status
- isi statistics drive
- isi events list
- isi job events list
I am NOT a CLI guru, so I'm struggling a bit.
Thanks in advance.
AdamFox
254 Posts
0
November 20th, 2014 12:00
I think I have most of the needed privileges.
ISI_PRIV_DEVICES
ISI_PRIV_SYS_SUPPORT
ISI_PRIV_STATISTICS
ISI_PRIV_EVENT
That should get you everything except possibly isi job events list. I’m not sure there is one for that. You may need to file a feature request with support for that.
— Adam Fox
Advisory SE, Emerging Technology Division
adam.fox@emc.com // 919-606-0911
mhiers
10 Posts
0
November 20th, 2014 12:00
Couldn't you add the user to the AuditAdmin role? I think it covers most, if not all of these commands.
mhiers
10 Posts
0
November 20th, 2014 12:00
ISI_PRIV_JOB_ENGINE ?
mhiers
10 Posts
1
November 20th, 2014 12:00
Add the privilege with read-only rights; [--add-priv-ro] should fix that, I think.
See the CLI Administration guide for details.
https://support.emc.com/docu54199_OneFS_7.1.1_CLI_Administration_Guide.pdf?language=en_US
AdamFox
254 Posts
1
November 20th, 2014 12:00
The user needs to run sudo to run the commands, even with privileges.
As for ISI_PRIV_JOB_ENGINE, that may do it. You may just want to give them ro access only.
— Adam Fox
Advisory SE, Emerging Technology Division
adam.fox@emc.com // 919-606-0911
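A least-privilege version of the role build discussed in the posts above, as an added example (not code from the thread or from EMC). It assumes the --add-user and --add-priv-ro options of isi auth roles modify described in the 7.1.x CLI guide mhiers links, and the table layout of isi auth roles privileges list shown in the thread; the role and account names are the thread's, and ISI/ROLE/ACCOUNT are illustrative knobs. Two things differ from the commands posted above: the member is the scom account itself rather than the Administrators group (adding the group hands the role, and with it SSH login, to every member of Administrators, which is also the scom user's primary group), and every privilege except ISI_PRIV_LOGIN_SSH is added read-only. Whether read-only is enough for each command still has to be verified on the cluster. Set ISI=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: build a least-privilege OneFS role for a monitoring account
# and read it back. Assumes 'isi auth roles modify --add-user/--add-priv-ro'
# (OneFS 7.1.x CLI guide) and the privilege table layout shown in the thread.
# ISI=echo prints the commands instead of running them.

ISI="${ISI:-isi}"
ROLE="${ROLE:-scomssh}"
ACCOUNT="${ACCOUNT:-scom}"

# The login right stays read-write (there is no read-only login); the rest
# are added with --add-priv-ro. Confirm on the cluster that read-only suffices.
LOGIN_PRIV="ISI_PRIV_LOGIN_SSH"
RO_PRIVS="ISI_PRIV_DEVICES ISI_PRIV_SYS_SUPPORT ISI_PRIV_STATISTICS ISI_PRIV_EVENT ISI_PRIV_JOB_ENGINE"

build_role() {
    $ISI auth roles create "$ROLE" || return 1
    # The single account is the member, not the Administrators group:
    # --add-group Administrators would hand the role (and SSH login) to
    # every member of that group.
    $ISI auth roles modify "$ROLE" --add-user "$ACCOUNT" || return 1
    $ISI auth roles modify "$ROLE" --add-priv "$LOGIN_PRIV" || return 1
    for p in $RO_PRIVS; do
        $ISI auth roles modify "$ROLE" --add-priv-ro "$p" || return 1
    done
}

# Turn the 'isi auth roles privileges list' table (ID header, dashed rules,
# "Total: N" footer) on stdin into one privilege ID per line.
parse_priv_table() {
    awk '/^[[:space:]]*-+[[:space:]]*$/ { next }
         $1 == "ID" || $1 == "Total:" { next }
         NF { print $1 }'
}

# Print each required privilege the role lacks; exit status 0 only if none.
missing_privs() {
    have=$($ISI auth roles privileges list "$ROLE" | parse_priv_table) || return 1
    rc=0
    for p in $LOGIN_PRIV $RO_PRIVS; do
        case " $(printf '%s ' $have)" in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run build_role once on a fresh role name (isi auth roles create fails if the role exists), then missing_privs to confirm the read-back: no output and exit status 0 means the role carries everything the thread asked for. The check the thread itself ends with still applies afterwards: log in as scom and run each command.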
DHoffman2
306 Posts
0
November 20th, 2014 12:00
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_DEVICES
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_SYS_SUPPORT
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_STATISTICS
isi-scnode-1# isi auth roles modify scomssh --add-priv ISI_PRIV_EVENT
isi-scnode-1# isi auth roles privileges list scomssh
ID
--------------------
ISI_PRIV_LOGIN_SSH
ISI_PRIV_SYS_SUPPORT
ISI_PRIV_DEVICES
ISI_PRIV_EVENT
ISI_PRIV_STATISTICS
--------------------
Total: 5
isi-scnode-1#
When I log on as scom and execute any of the commands I get this.
isi-scnode-1% isi devices
Commands not enabled for role-based administration require root user access.
isi-scnode-1% isi events list
Commands not enabled for role-based administration require root user access.
I'm trying my hardest to NOT allow any kind of ROOT access, but if it has to be, so be it.
mhiers
10 Posts
0
November 20th, 2014 13:00
That's unfortunate. Well, unfortunate because adding sudo to the command was still a fail for me, even though I am a member of the Audit Admin role:
The711-1$ isi status
Commands not enabled for role-based administration require root user access.
The711-1$ sudo isi status
Password:
mhiers is not in the sudoers file. This incident will be reported.
The CLI reference says:
Some OneFS commands require root access; however, if you do not have root access,
most of the commands associated with a privilege can be performed through the sudo
program. The system automatically generates a sudoers file of users based on existing
roles.
Maybe I did something wrong.
AdamFox
254 Posts
0
November 20th, 2014 13:00
The sudo command via RBAC typically does not need a password so you can just prepend it onto whatever command you want to run.
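A wrapper for the monitoring account that applies the advice in the two posts above, as an added example (not from the thread). It runs each command through sudo -n, so a missing sudoers entry fails immediately instead of hanging on a password prompt, and it turns the "Commands not enabled for role-based administration" message, whose exit status the thread does not show, into a distinct exit code so SCOM records a configuration problem rather than an empty sample. The message texts are the ones quoted in the thread plus sudo's own "a password is required"; the command list and the SUDO/CMDS variables are illustrative assumptions.

```shell
#!/bin/sh
# Added example: run cluster commands from the non-root monitoring account
# through the role-generated sudoers entry, and report RBAC/sudo refusals
# as distinct exit codes. Assumes 'sudo -n' and the message texts quoted in
# the thread; SUDO and CMDS are illustrative knobs (SUDO='' runs directly).

SUDO="${SUDO-sudo -n}"
CMDS="${CMDS:-isi devices;isi status;isi statistics system;isi statistics drive;isi events list;isi job events list;isi_hw_status;isi_drivenum}"
RBAC_MSG="Commands not enabled for role-based administration require root user access."

# rbac_run COMMAND [ARGS...]
# Exit status: 0 ok; 2 the command is not RBAC-enabled and ran without root
# (the thread's message: put it through sudo, check the role); 3 sudo itself
# refused (no sudoers entry for this user, or a password would be needed);
# anything else is the command's own status. Output is passed through.
rbac_run() {
    rc=0
    out=$($SUDO "$@" 2>&1) || rc=$?
    case "$out" in
        *"$RBAC_MSG"*)
            echo "rbac-blocked: $*" >&2; return 2 ;;
        *"is not in the sudoers file"*|*"a password is required"*)
            echo "sudo-refused: $*" >&2; return 3 ;;
    esac
    printf '%s\n' "$out"
    return $rc
}

# Run every command in CMDS (';'-separated) and print one status line each;
# exit status 1 if any failed, so the monitor can alert on the wrapper itself.
collect() {
    status=0
    oldifs=$IFS
    IFS=';'
    for cmd in $CMDS; do
        IFS=$oldifs            # back to whitespace so $cmd splits into words
        if rbac_run $cmd >/dev/null; then
            echo "OK   $cmd"
        else
            echo "FAIL $cmd"
            status=1
        fi
    done
    IFS=$oldifs
    return $status
}
```

Point the SCOM agent's command at the wrapper, e.g. rbac_run isi statistics system. Exit 2 means the command still needs the sudo path or the role lacks the privilege for it; exit 3 means the sudoers entry OneFS generates from the roles is not there for this user, which is the "not in the sudoers file" failure mhiers reports above.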
Prathi1234
3 Posts
0
April 19th, 2016 08:00
Hello,
I am wondering how it went for you with the error "Commands not enabled for role-based administration....." I have the same error. I am trying to create an account for scripting purposes; I created a role AdminScirpts, added myself to the group, and gave it all the privileges to run a few commands, log in to SSH, etc.
It would be helpful to know if you have fixed your issue and, if so, how. Thanks.
Prathi