alan_oleski
1 Copper

Role based access

Is there a way to limit a user to only being able to take snapshots via REST API/PowerShell?

Or limit them to only a specific set of devices.

6 Replies
huj1
1 Copper

Re: Role based access

Unfortunately, there is no RBAC in XtremIO XMS at this moment, so we cannot restrict a user to limited permissions.

0 Kudos
ChrisPy2
1 Copper

Re: Role based access

To give a more descriptive answer: we do have role-based users, but they are very limited. There is Tech, Admin, Configuration, and Read-Only. The Read-Only is just as it sounds and Tech is for support. Admin and Configuration have few differences between the two. Basically, Configuration allows you to provision storage, whereas Admin allows you to connect hosts and other advanced options. With what you are describing above, this doesn't have the limitations you are looking for. Let me know if you would like to have an enhancement request submitted for this. I see value in having this ability. Let me know if there are any other specific roles that you would like to give/restrict access to.

- Chris P

Avi3
3 Zinc

Re: Role based access

Thanks Chris. Just to reiterate what you said - we would be very interested in understanding what customers would want to be able to do with role based access control.

0 Kudos
SW5
1 Copper

Re: Role based access

We have a similar requirement:

For an application on XIO volumes we want to create application-consistent snapshots. For this we will need to run a small workflow:

- start hotbackup mode for the application

- run xms command to create a snapshot for the consistency group

- end hotbackup mode

Simplest would be to run the "create snapshot" command from the host also running the application.

Now this will require having an account/password (or key) stored on this host. As this account must have administrative privileges not restricted to this CG only, anybody able to read this script can connect to XMS and perform any command. 😞

0 Kudos
mabela
2 Bronze

Re: Role based access

Hi,


Can you create a new user in the XMS (either plaintext password or public key; see: https://support.emc.com/kb/336153) and then encrypt the password and have your script call it? I have seen others do this for the same reason you mention above.

0 Kudos
SW5
1 Copper

Re: Role based access

Hi,

Not sure how this should help. The password/key must still be on the host running the application. Encrypting it may make it a little bit harder to get the password in clear text, but you can still do so by reading the script and running the command to decrypt.

0 Kudos
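
One way to work around the missing per-CG restriction discussed in this thread, as an added example that is not from any poster or from the vendor: keep the XMS credential on a separate broker host and let the application host's SSH key trigger only "snapshot this consistency group". The key label `apphost01`, the CG name `cg_erp_prod`, the script path and `xms_create_snapshot` are hypothetical placeholders; the actual XMS snapshot call is left for the site to fill in.

```python
import os
import re
import shlex
import sys

# Constructed policy: SSH key label -> consistency groups it may snapshot.
POLICY = {"apphost01": {"cg_erp_prod"}}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

class Denied(Exception):
    """Request rejected by broker policy."""

def authorize(key_label, original_command):
    """Return the CG name if this key may snapshot it, else raise Denied."""
    try:
        parts = shlex.split(original_command or "")
    except ValueError as exc:
        raise Denied("unparseable request") from exc
    # The only verb the broker understands is 'snapshot <cg>'.
    if len(parts) != 2 or parts[0] != "snapshot":
        raise Denied("only 'snapshot <consistency-group>' is allowed")
    cg = parts[1]
    if not NAME_RE.fullmatch(cg):
        raise Denied("invalid consistency group name")
    if cg not in POLICY.get(key_label, set()):
        raise Denied(f"{key_label} may not snapshot {cg}")
    return cg

def handle(key_label, original_command, create_snapshot):
    """Run the single permitted XMS action with the broker-held credential."""
    return create_snapshot(authorize(key_label, original_command))

def xms_create_snapshot(cg):
    # Placeholder (assumption): replace with the site's own XMS snapshot call,
    # using an XMS account whose password or key is stored only on the broker.
    raise NotImplementedError("wire up the XMS snapshot command here")

if __name__ == "__main__":
    # Intended as an OpenSSH forced command in the broker's authorized_keys:
    #   command="/usr/local/bin/snap_broker.py apphost01",restrict ssh-ed25519 AAAA...
    # sshd puts whatever the client asked to run in SSH_ORIGINAL_COMMAND.
    try:
        handle(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"), xms_create_snapshot)
    except Denied as exc:
        sys.exit(f"denied: {exc}")
```

With this layout, someone who reads the hot-backup script on the application host obtains a key that can only request a snapshot of the allowlisted CG, not an XMS login.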