
September 16th, 2015 05:00

ISILON: Delegation of isi_for_array command lines to 1st level support

Dear EMC community,

I've been working with ISILON for more than 1 year now, and even if it helped us consolidate our DFS, it also brought some complexity to the management.

And actually, one of the big pain points is the delegation to 1st level support.

As you may know, seeing open files in the MMC console is a mess. You can only see one node and not all the nodes.

But with some command lines like isi_for_array "isi smb openfiles list" you can see all the open files on all the nodes.

So my goal is to put the 1st level support in a group/role that allows them to run this command and close an open file when needed.

I've tried to put them in SystemAdmin but it didn't work in the SSH console. I got an access denied error.

It's like only the root account can run such "isi_for_array" command line.

I'm not a Linux expert and I just know how to manage permissions for files and folders.

How could I delegate a command line to another group of users?

Thank you very much in advance for your help.

Best Regards

Patrick


September 16th, 2015 11:00

One solution is to give those users sudo access to just the 'isi_for_array isi smb openfiles*' command.  There is an isi_visudo command that will allow you to integrate your entries with the standard sudo.  I did a quick try in the lab and created a local user called "smb_support" and created the following entry:

smb_support    ALL=(ALL:ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles*


Then I logged into the cluster as smb_support and tried the following:


cluster-2% id
uid=2000(smb_support) gid=1001 groups=1001

cluster-2% isi smb openfiles list
Privilege check failed. The following read privilege is required: SMB (ISI_PRIV_SMB)

(Note: This is expected, I was simply trying to show that this is not a privileged user and is not allowed to run isi commands in general)

cluster-2% isi_for_array isi smb openfiles list
zsh: permission denied: isi_for_array

(Again, expected, just showing that they can't run the command without sudo)

cluster-2% sudo isi_for_array isi smb openfiles list
cluster-2: ID Path
cluster-2: -------
cluster-2: -------
cluster-2: Total: 0
cluster-1: ID Path
cluster-1: -------
cluster-1: -------
cluster-1: Total: 0
cluster-3: ID Path
cluster-3: -------
cluster-3: -------
cluster-3: Total: 0

(This is a box in my lab so there were no connections at the time, but you can see the command worked)


You can, of course, tweak this to your needs, but I'm just showing that it's possible.  Also, keep an eye out on upgrades to be sure it doesn't get wiped.  I don't believe it should, but just keep the entry around just in case.

The * at the end also allows them to run close across all of the arrays.  You could limit this to just list if you wanted to.  Again, your needs may change.  The NOPASSWD: is optional.  If you don't use it, the user will be required to enter *their* password before the command will execute.  Sometimes that's good, sometimes it's a pain.  Again, up to you.

This is a bit UNIX-y, I realize, but the underlying OS is FreeBSD so that comes with the territory.  Google can be your friend on syntax, etc.

Just an idea.
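An added example, not part of this thread or of OneFS: a hypothetical wrapper script that the isi_visudo entry can name by fixed path instead of the trailing-glob pattern above, which matches any further arguments after "isi smb openfiles". It assumes the install path /usr/local/bin/smb_openfiles and that "close" takes the numeric ID shown in the "list" output.

```sh
#!/bin/sh
# Hypothetical wrapper (constructed example, not from the thread). Install it,
# for instance, as /usr/local/bin/smb_openfiles (path assumed) and point the
# isi_visudo entry at that fixed path instead of at a command pattern:
#   smb_support ALL=(root) NOPASSWD: /usr/local/bin/smb_openfiles
# Support staff then run "sudo smb_openfiles list" or "sudo smb_openfiles close <id>".

ISI_FOR_ARRAY=/usr/bin/isi_for_array   # path used in the thread's sudoers entry

# Accept exactly two argument shapes:  list  |  close <numeric file id>
# Anything else (extra options, other isi subcommands) is rejected.
validate_openfiles_args() {
    if [ "$#" -eq 1 ] && [ "$1" = "list" ]; then
        return 0
    fi
    if [ "$#" -eq 2 ] && [ "$1" = "close" ]; then
        case "$2" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric ID
            *) return 0 ;;
        esac
    fi
    return 1
}

# Render the exact command line the wrapper would execute (for audit/tests).
build_command() {
    printf '%s isi smb openfiles' "$ISI_FOR_ARRAY"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

main() {
    if ! validate_openfiles_args "$@"; then
        echo "usage: $0 list | close <file-id>" >&2
        exit 2
    fi
    # sudo has already logged who invoked the wrapper; run the fixed command.
    exec "$ISI_FOR_ARRAY" isi smb openfiles "$@"
}

# Dispatch only when invoked under the installed wrapper name, so the
# functions above can also be sourced and checked on their own.
case "$0" in
    smb_openfiles|*/smb_openfiles) main "$@" ;;
esac
```

With this in place, "sudo -l" run as smb_support lists only the wrapper, and the wrapper itself decides which arguments reach isi_for_array.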


September 16th, 2015 23:00

Hi Adam,

Thank you very much for your answer. I’ll try what you’ve proposed since it’s exactly what I need.

Regarding password, I’d like them to use their existing dedicated admin account which is an AD account.

I know it’s working since I could try with mine when I was in the Systemadmin group and could log in to the SSH console.

I’ll find a way to use this group instead of a local user. As you wrote, Google will certainly help me.

All the best

Patrick


April 11th, 2017 10:00

Does anyone know if this has changed? I'd like to know if there is a way to allow a service account to run isi_for_array without having root level permissions?


April 20th, 2018 07:00

Patrick,

We have been struggling with delegating this to ServiceDesk as well.

Did you get this to work?

Elias
