Sudoers File on Cluster

Question

Community, I am trying to configure the cluster to allow our storage admin like myself to be able to use commands that require a sudo from the CLI.  I was able to configure my other clusters running both OneFS 7.0.1.4 and 7.0.2.1 by editing the sudoers file found under /usr/local/etc.  I just added the Administrators local group to the file like so: # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL %Administrators ALL=(ALL)       ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw  # Ask for the password of the target user # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw' Well after installing 7.1.0.5 on this new cluster we just received: The sudoers file found under /usr/local/etc has a totally different layout. It appears that the cluster syncs or replace the sudoers file... the reason I say this is because yesterday I made changes to the sudoers file on node 8 and added the entree for %Administrators.  When I came in this morning to try and test against the node to make sure that I could preform a sudo using my network admin account I was denied.  So I cat the sudoers file and notice there was no longer a entree in the sudoers file for Administrators. Question: I am having a laps in memory... Does the sudoers file replicate between all nodes?  If so, where can I make changes to the sudoes file where the changes are permanent or where they will properly replicate?  I don't remember having this issue on 7.0.1.4 and 7.0.2.1. I notice that the sudoers file had a change date on it for this morning.  I don't remember making changes to the sudoers file which leads me to believe that this does somehow replicate between nodes.  Do I have this assumption right? -r--r----- 1 root  wheel  5887 Oct 29 06:07 sudoers

Yan_Faubert · Accepted Answer

You should first investigate if you can use RBAC to accomplish what you want. If you can't, you use isi_visudo. There's a background process that will detect that you've made custom changes (via isi_visudo) and will automatically re-merge your custom content with the auto-generated content based on your RBAC configuration.

Your custom content is stored in /etc/mcp/override/sudoers (but use isi_visudo, don't edit this file by hand). The system content is stored in /etc/mcp/templates/sudoers. These 2 files along with your RBAC configuration are merged to create the final config that's stored in /usr/local/etc/sudoers; this is the file used by sudo to evaluate if you have permissions to run a given command.

Yan_Faubert · Answer

Yes the sudoers configuration mechanism has changed as of 7.0.2.4 if I remember correctly.

Use the 'isi_visudo' command to populate your custom sudoers configuration and those changes will be synchronized across all nodes in the cluster (and won't be overwritten).

chjatwork · Answer

Ok, I have another question?

Which sudoers file is the cluster working from? I am confused as I have added the AD group to the existing roles and if you cat the sudoers file in this location (/usr/local/etc/) is shows the the default roles having limitations set within the sudoers file.

## begin auto-generated RBAC entries

User_Alias SECURITYADMIN = #10

User_Alias SYSTEMADMIN = #10, %#1000002

User_Alias VMWAREADMIN = %#1000002

SECURITYADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_AUTH, ISI_PRIV_ROLE

SYSTEMADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_ANTIVIRUS, ISI_PRIV_AUDIT, ISI_PRIV_CLUSTER, ISI_PRIV_DEVICES, ISI_PRIV_EVENT, ISI_PRIV_FTP, ISI_PRIV_HTTP, ISI_PRIV_ISCSI, ISI_PRIV_JOB_ENGINE, ISI_PRIV_LICENSE, ISI_PRIV_NDMP, ISI_PRIV_NETWORK, ISI_PRIV_NFS, ISI_PRIV_NTP, ISI_PRIV_QUOTA, ISI_PRIV_REMOTE_SUPPORT, ISI_PRIV_SMARTPOOLS, ISI_PRIV_SMB, ISI_PRIV_SNAPSHOT, ISI_PRIV_SNMP, ISI_PRIV_STATISTICS, ISI_PRIV_SYNCIQ, ISI_PRIV_VCENTER

VMWAREADMIN ALL=(ALL) NOPASSWD: ISI_PRIV_ISCSI, ISI_PRIV_NETWORK, ISI_PRIV_SMARTPOOLS, ISI_PRIV_SNAPSHOT, ISI_PRIV_SYNCIQ, ISI_PRIV_VCENTER

## end auto-generated RBAC entries

But when I run the isi_visudo there are no entries. So I am totally confused? What Sudoers file is the cluster running on?

Thank you,

vijayscsa1 · Answer

Hi..

I have an isilon cluster local user account want to execute set of commands.. I tried editing isi_visudo,

can any of us show what are the lines i have to add

example:

user1 ALL=(ALL) !/usr/bin/isi sync*

here user1 is the user name

need your suggestions

chjatwork · Answer

What version of OneFS?

Isilon

Was this post helpful?