Read-Only Traverse Rights for Assessment Scan
Hello. Does such a user exist in Isilon, or can we create such a user while having root user access to the Isilon cluster? I mean, we have root access to the cluster. Now, this user needs to have read-only, view-only, or traverse rights to each and every share ever existing in the Isilon cluster. Back in the day we used to have one for EMC NAS Celerras or NSxx Series. We need such a user for doing an assessment, and this specific EMC tool needs such a user. Please advise.
DELL-Sam L
Moderator
February 28th, 2024 15:28
Hello Bhuppi1,
Here are a few KBs that may be of assistance.
https://www.dell.com/support/kbdoc/en-us/000020893
https://www.dell.com/support/kbdoc/en-us/000063507
https://www.dell.com/support/kbdoc/en-us/000019006
storageSysAdmin
1 Rookie
February 29th, 2024 16:12
You can set read-only permissions for cluster management (isi command) roles via RBAC, but I have yet to find a way to set the user to have only read rights on the directories on the cluster. So you can have a role with read-only RBAC permissions, but it could still use rm -rf... It would be a great feature. I think something could be done with the restricted shell in 9.5, but I have yet to experiment with it.
Bhuppi1
1 Rookie
February 29th, 2024 19:36
@storageSysAdmin Thanks for this tip. Do you have that command handy, please? We just need to run a scan by the EMC tool on all the folders/shares etc. Thanks.
storageSysAdmin
1 Rookie
March 12th, 2024 11:16
Hi @Bhuppi1
The configuration is more for OneFS management, Membership and roles > System > Roles > Audit Admin. It may give you what you want, but this is more for read access to OneFS configuration. I have not experimented with the limited restricted shell in 9.5.
You could always set up an NFS export in the parent zone folder and mount a client as read-only, but this would be NFS, not SMB.
Bhuppi1
1 Rookie
March 13th, 2024 18:00
@storageSysAdmin Thanks, SysAdmin. Yes, that'll give us read-only access at the cluster configuration level; however, we would like to have that read-only access across the entire SMB canvas, like read-only scan rights to each and every folder/share/zone that ever existed there. Something like /ifs$ access, and then whatever is under it is traversable. Thanks.
storageSysAdmin
1 Rookie
March 14th, 2024 17:51
/ifs/accesszoneroot$ would indeed give you access to everything in theory; you could set read-only at the share level, but you could still run into issues. The only options are potentially utilising a higher-privilege account (hate to say it... but a domain admin/local administrator) and setting that account as the sole user who has share-level access.