This post is more than 5 years old
Sudoers File on Cluster
Community,
I am trying to configure the cluster to allow our storage admins, like myself, to be able to use commands that require sudo from the CLI. I was able to configure my other clusters running both OneFS 7.0.1.4 and 7.0.2.1 by editing the sudoers file found under /usr/local/etc. I just added the Administrators local group to the file like so:
# Defaults!/sbin/reboot !log_output
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
%Administrators ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
Well after installing 7.1.0.5 on this new cluster we just received:
- The sudoers file found under /usr/local/etc has a totally different layout.
- It appears that the cluster syncs or replaces the sudoers file... the reason I say this is because yesterday I made changes to the sudoers file on node 8 and added the entry for %Administrators. When I came in this morning to try and test against the node to make sure that I could perform a sudo using my network admin account, I was denied. So I ran cat on the sudoers file and noticed there was no longer an entry in the sudoers file for Administrators.
Question:
- I am having a lapse in memory... Does the sudoers file replicate between all nodes? If so, where can I make changes to the sudoers file where the changes are permanent or where they will properly replicate? I don't remember having this issue on 7.0.1.4 and 7.0.2.1.
- I noticed that the sudoers file had a change date on it for this morning. I don't remember making changes to the sudoers file, which leads me to believe that this does somehow replicate between nodes. Do I have this assumption right?
-r--r-----  1 root  wheel  5887 Oct 29 06:07 sudoers
Yan_Faubert
October 29th, 2014 08:00
You should first investigate if you can use RBAC to accomplish what you want. If you can't, you use isi_visudo. There's a background process that will detect that you've made custom changes (via isi_visudo) and will automatically re-merge your custom content with the auto-generated content based on your RBAC configuration.
Your custom content is stored in /etc/mcp/override/sudoers (but use isi_visudo, don't edit this file by hand). The system content is stored in /etc/mcp/templates/sudoers. These 2 files along with your RBAC configuration are merged to create the final config that's stored in /usr/local/etc/sudoers; this is the file used by sudo to evaluate if you have permissions to run a given command.
Yan_Faubert
October 29th, 2014 06:00
Yes the sudoers configuration mechanism has changed as of 7.0.2.4 if I remember correctly.
Use the 'isi_visudo' command to populate your custom sudoers configuration and those changes will be synchronized across all nodes in the cluster (and won't be overwritten).
chjatwork
October 29th, 2014 08:00
OK, I have another question.
Which sudoers file is the cluster working from? I am confused, as I have added the AD group to the existing roles, and if you cat the sudoers file in this location (/usr/local/etc/) it shows the default roles having limitations set within the sudoers file.
## begin auto-generated RBAC entries
User_Alias SECURITYADMIN = #10
User_Alias SYSTEMADMIN = #10, %#1000002
User_Alias VMWAREADMIN = %#1000002
SECURITYADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_AUTH, ISI_PRIV_ROLE
SYSTEMADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_ANTIVIRUS, ISI_PRIV_AUDIT, ISI_PRIV_CLUSTER, ISI_PRIV_DEVICES, ISI_PRIV_EVENT, ISI_PRIV_FTP, ISI_PRIV_HTTP, ISI_PRIV_ISCSI, ISI_PRIV_JOB_ENGINE, ISI_PRIV_LICENSE, ISI_PRIV_NDMP, ISI_PRIV_NETWORK, ISI_PRIV_NFS, ISI_PRIV_NTP, ISI_PRIV_QUOTA, ISI_PRIV_REMOTE_SUPPORT, ISI_PRIV_SMARTPOOLS, ISI_PRIV_SMB, ISI_PRIV_SNAPSHOT, ISI_PRIV_SNMP, ISI_PRIV_STATISTICS, ISI_PRIV_SYNCIQ, ISI_PRIV_VCENTER
VMWAREADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_ISCSI, ISI_PRIV_NETWORK, ISI_PRIV_SMARTPOOLS, ISI_PRIV_SNAPSHOT, ISI_PRIV_SYNCIQ, ISI_PRIV_VCENTER
## end auto-generated RBAC entries
But when I run isi_visudo there are no entries. So I am totally confused. What sudoers file is the cluster running on?
Thank you,
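Added example, not part of the thread and not Isilon's own tooling: a Python audit of the merged file Yan_Faubert describes. It decodes the auto-generated RBAC block quoted above (in sudoers syntax `#N` is a UID and `%#N` a GID) and reports custom override rules that are absent from the merged file. It assumes override rules are copied into the merged file verbatim apart from whitespace; the sample text and function names are constructed for illustration.

```python
import re

BEGIN = "## begin auto-generated RBAC entries"
END = "## end auto-generated RBAC entries"
# Constructed sample modelled on the merged file quoted in the thread.
SAMPLE_MERGED = """\
%Administrators ALL=(ALL) ALL
## begin auto-generated RBAC entries
User_Alias SYSTEMADMIN = #10, %#1000002
SYSTEMADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_CLUSTER, ISI_PRIV_SMB
## end auto-generated RBAC entries
"""

def split_merged(text):
    """Return (rules outside the RBAC block, rules inside it); comments dropped."""
    outside, inside = [], []
    target = outside
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line in (BEGIN, END):
            target = inside if line == BEGIN else outside
        elif line and not line.startswith("#"):
            target.append(line)
    return outside, inside

def member(tok):
    """Decode a sudoers user token: #uid, %#gid, %group or a plain user name."""
    for prefix, kind in (("%#", "gid"), ("#", "uid"), ("%", "group")):
        if tok.startswith(prefix):
            val = tok[len(prefix):]
            return (kind, int(val) if kind != "group" else val)
    return ("user", tok)

def rbac_grants(text):
    """Map each role alias to its members, privileges and NOPASSWD flag."""
    roles = {}
    new = lambda: {"members": [], "privs": [], "nopasswd": False}
    for line in split_merged(text)[1]:
        if m := re.match(r"User_Alias (\w+) ?= ?(.+)$", line):
            roles.setdefault(m[1], new())["members"] = [
                member(t) for t in re.split(r", ?", m[2])]
        elif m := re.match(r"(\w+) \S+ (NOPASSWD: ?)?(.+)$", line):
            roles.setdefault(m[1], new()).update(
                nopasswd=bool(m[2]), privs=re.split(r", ?", m[3]))
    return roles

def missing_overrides(override_text, merged_text):
    """Custom rules from the override file that are absent from the merged file."""
    merged = set(split_merged(merged_text)[0])
    return [r for r in split_merged(override_text)[0] if r not in merged]
```

On a node, the inputs would be the contents of /usr/local/etc/sudoers (merged) and /etc/mcp/override/sudoers (custom); a non-empty result from `missing_overrides` is the symptom described in the first post.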
vijayscsa1
June 5th, 2015 03:00
Hi..
I have an Isilon cluster local user account that I want to execute a set of commands. I tried editing isi_visudo.
Can any of you show what lines I have to add?
example:
user1 ALL=(ALL) !/usr/bin/isi sync*
here user1 is the user name
need your suggestions
chjatwork
June 5th, 2015 05:00
What version of OneFS?