What privilege does a custom RBAC role need to run isi_for_array?
In the example below I am logged in as a user that is a member of a group named SSH Access. SSH Access is a member of custom role SSHAccess. Sorry for the close naming convention. I tried running with and without sudo and I am denied.
Isilon OneFS v7.1.0.0
Demo7-1-1% isi_for_array -s isi devices
zsh: permission denied: isi_for_array
Demo7-1-1% sudo isi_for_array -s sudo isi devices
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
Sorry, user stati-user is not allowed to execute '/usr/bin/isi_for_array -s sudo isi devices' as root on Demo7-1-1.
Demo7-1-1% sudo isi_for_array sudo isi devices
Password:
Sorry, user stati-user is not allowed to execute '/usr/bin/isi_for_array sudo isi devices' as root on Demo7-1-1.
Privileges assigned to SSHAccess role
Demo7-1-1% isi auth roles view --role=SSHAccess
Name: SSHAccess
Description: -
Members: SSH access
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_AUTH
Read Only : False
ID : ISI_PRIV_ROLE
Read Only : False
ID : ISI_PRIV_AUDIT
Read Only : False
ID : ISI_PRIV_DEVICES
Read Only : False
ID : ISI_PRIV_STATISTICS
Read Only : False
chughh, December 21st, 2013 23:00
Please specify if you are using a Domain User or a local user. For a local user isi_for_array works with the details below:
jupiter-1# isi auth roles view --role=ssh
Name: ssh
Description: windowsuseraccess
Members: bb
SID:S-1-5-21-3151778889-3324430592-1679115712-1118
Privileges
ID : ISI_PRIV_AUTH
Read Only : False
ID : ISI_PRIV_ROLE
Read Only : False
ID : ISI_PRIV_EVENT
Read Only : False
ID : ISI_PRIV_LICENSE
Read Only : False
ID : ISI_PRIV_NFS
Read Only : False
ID : ISI_PRIV_QUOTA
Read Only : False
ID : ISI_PRIV_SMB
Read Only : False
ID : ISI_PRIV_SNAPSHOT
Read Only : False
ID : ISI_PRIV_STATISTICS
Read Only : False
jupiter-1$ whoami
bb
Isilon OneFS v7.1.0.0
jupiter-1$ isi status
Commands not enabled for role-based administration require root user access.
jupiter-1$ sudo isi status
Cluster Name: jupiter
Cluster Health: [ ATTN]
Cluster Storage: HDD SSD
Size: 6.6G (13G Raw) 0 (0 Raw)
VHS Size: 6.6G
Used: 498M (7%) 0 (n/a)
Avail: 6.1G (93%) 0 (n/a)
Health Throughput (bps) HDD Storage SSD Storage
ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
-------------------+-----+-----+-----+-----+-----------------+-----------------
1|192.168.25.71 |-A-- | 197K| 1.1M| 1.3M| 498M/ 6.6G( 7%)| (No SSDs)
-------------------+-----+-----+-----+-----+-----------------+-----------------
Cluster Totals: | 197K| 1.1M| 1.3M| 498M/ 6.6G( 7%)| (No SSDs)
Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
Critical Events:
10/22 16:43 1 One or more drives (bay(s) 5, 6, 7, 8, 9, 10, 11, 12, 13, 1...
12/19 19:02 1 External network link ext-1 (em1) down
Cluster Job Status:
No running jobs.
No paused or waiting jobs.
No failed jobs.
Recent job results:
Time Job Event
--------------- -------------------------- ------------------------------
12/19 09:42:45 FSAnalyze[147] Succeeded (LOW)
12/18 12:03:15 MultiScan[146] Succeeded (LOW)
12/18 10:31:32 FSAnalyze[144] Succeeded (LOW)
12/18 10:30:53 ShadowStoreDelete[145] Succeeded (LOW)
12/11 22:00:32 FSAnalyze[143] Succeeded (LOW)
12/11 11:36:02 MediaScan[141] Succeeded (LOW)
12/11 11:35:42 FSAnalyze[140] Succeeded (LOW)
12/11 11:35:18 ShadowStoreDelete[142] Succeeded (LOW)
jupiter-1$ sudo isi_for_array isi status
Password:
jupiter-1: Cluster Name: jupiter
jupiter-1: Cluster Health: [ ATTN]
jupiter-1: Cluster Storage: HDD SSD
jupiter-1: Size: 6.6G (13G Raw) 0 (0 Raw)
jupiter-1: VHS Size: 6.6G
jupiter-1: Used: 498M (7%) 0 (n/a)
jupiter-1: Avail: 6.1G (93%) 0 (n/a)
jupiter-1:
jupiter-1: Health Throughput (bps) HDD Storage SSD Storage
jupiter-1: ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
jupiter-1: -------------------+-----+-----+-----+-----+-----------------+-----------------
jupiter-1: 1|192.168.25.71 |-A-- | 32| 918K| 918K| 498M/ 6.6G( 7%)| (No SSDs)
jupiter-1: -------------------+-----+-----+-----+-----+-----------------+-----------------
jupiter-1: Cluster Totals: | 32| 918K| 918K| 498M/ 6.6G( 7%)| (No SSDs)
jupiter-1:
jupiter-1: Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
jupiter-1:
jupiter-1: Critical Events:
jupiter-1:
jupiter-1: 10/22 16:43 1 One or more drives (bay(s) 5, 6, 7, 8, 9, 10, 11, 12, 13, 1...
jupiter-1: 12/19 19:02 1 External network link ext-1 (em1) down
jupiter-1:
jupiter-1: Cluster Job Status:
jupiter-1:
jupiter-1: No running jobs.
jupiter-1:
jupiter-1: No paused or waiting jobs.
jupiter-1:
jupiter-1: No failed jobs.
jupiter-1:
jupiter-1: Recent job results:
jupiter-1: Time Job Event
jupiter-1: --------------- -------------------------- ------------------------------
jupiter-1: 12/19 09:42:45 FSAnalyze[147] Succeeded (LOW)
jupiter-1: 12/18 12:03:15 MultiScan[146] Succeeded (LOW)
jupiter-1: 12/18 10:31:32 FSAnalyze[144] Succeeded (LOW)
jupiter-1: 12/18 10:30:53 ShadowStoreDelete[145] Succeeded (LOW)
jupiter-1: 12/11 22:00:32 FSAnalyze[143] Succeeded (LOW)
jupiter-1: 12/11 11:36:02 MediaScan[141] Succeeded (LOW)
jupiter-1: 12/11 11:35:42 FSAnalyze[140] Succeeded (LOW)
jupiter-1: 12/11 11:35:18 ShadowStoreDelete[142] Succeeded (LOW)
jupiter-1:
jupiter-1$ sudo isi_for_array isi devices
jupiter-1: Node 1, [ATTN]
jupiter-1: Bay 1 Lnum 3 [HEALTHY] SN:N/A /dev/da1
jupiter-1: Bay 2 Lnum 2 [HEALTHY] SN:N/A /dev/da2
jupiter-1: Bay 3 Lnum 1 [HEALTHY] SN:N/A /dev/da3
jupiter-1: Bay 4 Lnum 0 [HEALTHY] SN:N/A /dev/da4
jupiter-1: Bay 5 Lnum N/A [EMPTY] SN:N/A N/A
jupiter-1: Bay 6 Lnum N/A [EMPTY] SN:N/A N/A
Narahari1, December 19th, 2013 12:00
Add it to "SystemAdmin" default role or use "ISI_PRIV_SUPPORT" privileges.
Anonymous, December 19th, 2013 14:00
Though isi devices can only be run as root or via sudo, the isi_for_array command is owned by root, though this is not shown in the 7.1 CLI Admin guide. You can see this by running this command:
ls -land /usr/bin/isi_for_array
chughh, December 26th, 2013 08:00
Dragon-1# isi_visudo
## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##
bb ALL=(ALL) ALL
/etc/mcp/override/sudoers.tmp: unmodified: line 1
The entry which I created in the isi_visudo file is above.
Anonymous, December 26th, 2013 08:00
chughh,
I tried that and even changed the sudo password, and I keep getting the following message:
"Sorry, user bb is not allowed to execute '/usr/bin/isi_for_array isi status' as root on tank-4."
How are you changing the bits on the command to get sudo to accept it?
sfallon, December 26th, 2013 12:00
Thanks. This works. Any caveats you can think of by doing this? I have never played with the sudoers file before so I am not sure of any issues with doing this.
Thanks again.
TanyaLB, December 18th, 2014 11:00
How would this look for a domain user?
scott_owens, December 18th, 2014 14:00
Following the example above, here is a similar isi_visudo entry for a domain user, for my domain "Example" and user "test":
## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##
EXAMPLE\\test ALL=(ALL) ALL
Afterward, here is a sample of it working:
tmelab-1% whoami
EXAMPLE\test
tmelab-1% sudo isi_for_array -n 2 isi status
tmelab-2: Cluster Name: tmelab
tmelab-2: Cluster Health: [ ATTN]
tmelab-2: Cluster Storage: HDD SSD Storage
tmelab-2: Size: 13G (26G Raw) 0 (0 Raw)
tmelab-2: VHS Size: 13G
tmelab-2: Used: 8.5G (64%) 0 (n/a)
tmelab-2: Avail: 4.7G (36%) 0 (n/a)
tmelab-2:
tmelab-2: Health Throughput (bps) HDD Storage SSD Storage
tmelab-2: ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
tmelab-2: -------------------+-----+-----+-----+-----+-----------------+-----------------
tmelab-2: 1|10.245.109.170 | OK | 0| 24| 24| 4.3G/ 6.6G( 64%)|(No Storage SSDs)
tmelab-2: 2|10.245.109.171 | OK | 118K| 84| 118K| 4.3G/ 6.6G( 64%)|(No Storage SSDs)
tmelab-2: -------------------+-----+-----+-----+-----+-----------------+-----------------
tmelab-2: Cluster Totals: | 118K| 108| 118K| 8.5G/ 13G( 64%)|(No Storage SSDs)
tmelab-2:
tmelab-2: Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
tmelab-2:
tmelab-2: Critical Events:
tmelab-2:
tmelab-2: 11/26 11:00 C Error on machine account TMELAB$ with domain EXAMPLE.COM: T...
tmelab-2:
tmelab-2: Cluster Job Status:
tmelab-2:
tmelab-2: No running jobs.
tmelab-2:
tmelab-2: No paused or waiting jobs.
tmelab-2:
tmelab-2: Failed jobs:
tmelab-2: Job Errors Run Time End Time Retries Left
tmelab-2: -------------------------- ------ ---------- --------------- ------------
tmelab-2: ChangelistCreate[96] 1 0:00:00 07/01 08:51:04 0
tmelab-2:
tmelab-2: Recent job results:
tmelab-2: Time Job Event
tmelab-2: --------------- -------------------------- ------------------------------
tmelab-2: 12/18 04:00:20 ShadowStoreProtect[819] Succeeded (LOW)
tmelab-2: 12/18 02:00:09 WormQueue[818] Succeeded (LOW)
tmelab-2: 12/17 22:02:41 SmartPools[816] Succeeded (LOW)
tmelab-2: 12/17 22:01:33 FSAnalyze[817] Succeeded (LOW)
tmelab-2: 12/17 20:00:30 ShadowStoreProtect[815] Succeeded (LOW)
tmelab-2: 12/17 04:00:18 ShadowStoreProtect[814] Succeeded (LOW)
tmelab-2: 12/17 02:00:07 WormQueue[813] Succeeded (LOW)
tmelab-2: 12/16 22:02:40 SmartPools[811] Succeeded (LOW)
tmelab-2:
dsteinke, May 29th, 2015 07:00
This can be accomplished by modifying the sudoers file to lock down the specific command that needs to be run using the isi_for_array command without opening up the entire capability of that command:
My customer had the need for a junior-level admin to be able to search for open files and remove a lock without giving full root access to the junior admin. This is what we did:
At the CLI, perform the following:
SSH into the cluster with the root account
isi auth users create --name=INSERT_USERNAME_HERE --enabled=yes --password=INSERT_PASSWORD_HERE
isi auth roles create jradmin --description junior_admin_group
isi auth roles modify jradmin --add-priv ISI_PRIV_LOGIN_SSH
isi auth roles modify jradmin --add-priv ISI_PRIV_SMB
isi auth roles modify jradmin --add-user=INSERT_USERNAME_HERE
isi_visudo
Add the following line to the bottom of the sudoers file, make sure to save on exit:
INSERT_USERNAME_HERE ALL=(root) NOPASSWD: /usr/bin/isi_for_array isi smb*
The results:
demo-1% sudo isi_for_array isi smb openfile list
demo-1: ID Path
demo-1: -------
demo-1: -------
demo-1: Total: 0
demo-2: ID Path
demo-2: -------
demo-2: -------
demo-2: Total: 0
demo-3: ID Path
demo-3: -------
demo-3: -------
demo-3: Total: 0
The check to make sure other commands do not work:
demo-1% sudo isi_for_array isi status
Password:
Sorry, user myuser is not allowed to execute '/usr/bin/isi_for_array isi status' as root on demo-1.
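As an added example (not code from this thread or from Isilon), here is a small Python model of how sudo evaluates the override entries posted above (the bb and EXAMPLE\\test lines and the jradmin "isi smb*" line) against the commands the posters ran; the host names, user names and the allowed() helper are assumptions, and the matcher deliberately covers only plain user specs, not aliases or negations.

```python
# Added example (not from the thread): a simplified model of how sudo matches a
# sudoers entry against a requested command, fed with the override lines posted
# above.  Assumptions: no aliases, Defaults or negation ("!") entries; argument
# wildcards use fnmatch, which like sudoers lets "*" match across whitespace.
import fnmatch
from collections import namedtuple

# command is "ALL", or an absolute path optionally followed by argument globs
Rule = namedtuple("Rule", "user host runas nopasswd command")

def parse_rule(line):
    """Parse one 'user host=(runas) [NOPASSWD:] command [args]' specification."""
    user, rest = line.split(None, 1)
    host, rest = rest.split("=", 1)
    rest, runas = rest.lstrip(), "ALL"
    if rest.startswith("("):
        runas, rest = rest[1:].split(")", 1)
    rest = rest.lstrip()
    nopasswd = rest.startswith("NOPASSWD:")
    if nopasswd:
        rest = rest[len("NOPASSWD:"):].lstrip()
    # sudoers needs the domain user's backslash escaped ("EXAMPLE\\test"); whoami prints one
    return Rule(user.replace("\\\\", "\\"), host.strip(), runas.strip(), nopasswd, rest.strip())

def matching_rule(rules, user, host, runas, command, args):
    """Return the first rule that permits `command args` for user, or None (deny)."""
    requested = " ".join([command, *args])
    for r in rules:
        if r.user not in ("ALL", user) or r.host not in ("ALL", host) or r.runas not in ("ALL", runas):
            continue
        if r.command == "ALL":
            return r
        if " " in r.command:  # argument pattern present: match the whole command line
            if fnmatch.fnmatchcase(requested, r.command):
                return r
        elif fnmatch.fnmatchcase(command, r.command):  # bare path: any arguments allowed
            return r
    return None

# Constructed override file mirroring the three entries posted in this thread.
SUDOERS_OVERRIDE = r"""bb ALL=(ALL) ALL
EXAMPLE\\test ALL=(ALL) ALL
myuser ALL=(root) NOPASSWD: /usr/bin/isi_for_array isi smb*
"""
RULES = [parse_rule(l) for l in SUDOERS_OVERRIDE.splitlines() if l.strip() and not l.startswith("#")]
IFA = "/usr/bin/isi_for_array"  # the path sudo resolves isi_for_array to (see the denials above)

def allowed(user, args, host="demo-1"):
    # True if `sudo isi_for_array <args>` would be permitted for user on host (assumed helper)
    return matching_rule(RULES, user, host, "root", IFA, args) is not None
```

Because "*" matches across whitespace, "isi smb*" permits every argument string that begins with "isi smb", so review such globs against the subcommands you actually intend to delegate. On the cluster itself, running sudo -l as the restricted user shows the rules sudo really applies rather than this model's approximation.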
bellonia, June 19th, 2017 00:00
This is working as expected, but for a domain user there is no tab completion of commands. I suppose that a domain user does not have a home folder and profile variables set; is that the problem?
bellonia, June 19th, 2017 05:00
I don't think this is caused by a different shell; is this solvable in some way?
sluetze, June 19th, 2017 05:00
Depends on your settings. Another reason for non-working tab completion could be another shell (/bin/bash instead of /bin/zsh).
bellonia, December 11th, 2017 06:00
This is working as expected, but for a domain user there is no tab completion of commands. I suppose that a domain user does not have a home folder and profile variables set; is that the problem?
How can we solve it?