chughh
122 Posts
1
December 21st, 2013 23:00
Please specify if you are using a Domain User or a local user. For a local user, isi_for_array works with the details below:
jupiter-1# isi auth roles view --role=ssh
Name: ssh
Description: windowsuseraccess
Members: bb
SID:S-1-5-21-3151778889-3324430592-1679115712-1118
Privileges
ID : ISI_PRIV_AUTH
Read Only : False
ID : ISI_PRIV_ROLE
Read Only : False
ID : ISI_PRIV_EVENT
Read Only : False
ID : ISI_PRIV_LICENSE
Read Only : False
ID : ISI_PRIV_NFS
Read Only : False
ID : ISI_PRIV_QUOTA
Read Only : False
ID : ISI_PRIV_SMB
Read Only : False
ID : ISI_PRIV_SNAPSHOT
Read Only : False
ID : ISI_PRIV_STATISTICS
Read Only : False
jupiter-1$ whoami
bb
Isilon OneFS v7.1.0.0
jupiter-1$ isi status
Commands not enabled for role-based administration require root user access.
jupiter-1$ sudo isi status
Cluster Name: jupiter
Cluster Health: [ ATTN]
Cluster Storage: HDD SSD
Size: 6.6G (13G Raw) 0 (0 Raw)
VHS Size: 6.6G
Used: 498M (7%) 0 (n/a)
Avail: 6.1G (93%) 0 (n/a)
Health Throughput (bps) HDD Storage SSD Storage
ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
-------------------+-----+-----+-----+-----+-----------------+-----------------
1|192.168.25.71 |-A-- | 197K| 1.1M| 1.3M| 498M/ 6.6G( 7%)| (No SSDs)
-------------------+-----+-----+-----+-----+-----------------+-----------------
Cluster Totals: | 197K| 1.1M| 1.3M| 498M/ 6.6G( 7%)| (No SSDs)
Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
Critical Events:
10/22 16:43 1 One or more drives (bay(s) 5, 6, 7, 8, 9, 10, 11, 12, 13, 1...
12/19 19:02 1 External network link ext-1 (em1) down
Cluster Job Status:
No running jobs.
No paused or waiting jobs.
No failed jobs.
Recent job results:
Time Job Event
--------------- -------------------------- ------------------------------
12/19 09:42:45 FSAnalyze[147] Succeeded (LOW)
12/18 12:03:15 MultiScan[146] Succeeded (LOW)
12/18 10:31:32 FSAnalyze[144] Succeeded (LOW)
12/18 10:30:53 ShadowStoreDelete[145] Succeeded (LOW)
12/11 22:00:32 FSAnalyze[143] Succeeded (LOW)
12/11 11:36:02 MediaScan[141] Succeeded (LOW)
12/11 11:35:42 FSAnalyze[140] Succeeded (LOW)
12/11 11:35:18 ShadowStoreDelete[142] Succeeded (LOW)
jupiter-1$ sudo isi_for_array isi status
Password:
jupiter-1: Cluster Name: jupiter
jupiter-1: Cluster Health: [ ATTN]
jupiter-1: Cluster Storage: HDD SSD
jupiter-1: Size: 6.6G (13G Raw) 0 (0 Raw)
jupiter-1: VHS Size: 6.6G
jupiter-1: Used: 498M (7%) 0 (n/a)
jupiter-1: Avail: 6.1G (93%) 0 (n/a)
jupiter-1:
jupiter-1: Health Throughput (bps) HDD Storage SSD Storage
jupiter-1: ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
jupiter-1: -------------------+-----+-----+-----+-----+-----------------+-----------------
jupiter-1: 1|192.168.25.71 |-A-- | 32| 918K| 918K| 498M/ 6.6G( 7%)| (No SSDs)
jupiter-1: -------------------+-----+-----+-----+-----+-----------------+-----------------
jupiter-1: Cluster Totals: | 32| 918K| 918K| 498M/ 6.6G( 7%)| (No SSDs)
jupiter-1:
jupiter-1: Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
jupiter-1:
jupiter-1: Critical Events:
jupiter-1:
jupiter-1: 10/22 16:43 1 One or more drives (bay(s) 5, 6, 7, 8, 9, 10, 11, 12, 13, 1...
jupiter-1: 12/19 19:02 1 External network link ext-1 (em1) down
jupiter-1:
jupiter-1: Cluster Job Status:
jupiter-1:
jupiter-1: No running jobs.
jupiter-1:
jupiter-1: No paused or waiting jobs.
jupiter-1:
jupiter-1: No failed jobs.
jupiter-1:
jupiter-1: Recent job results:
jupiter-1: Time Job Event
jupiter-1: --------------- -------------------------- ------------------------------
jupiter-1: 12/19 09:42:45 FSAnalyze[147] Succeeded (LOW)
jupiter-1: 12/18 12:03:15 MultiScan[146] Succeeded (LOW)
jupiter-1: 12/18 10:31:32 FSAnalyze[144] Succeeded (LOW)
jupiter-1: 12/18 10:30:53 ShadowStoreDelete[145] Succeeded (LOW)
jupiter-1: 12/11 22:00:32 FSAnalyze[143] Succeeded (LOW)
jupiter-1: 12/11 11:36:02 MediaScan[141] Succeeded (LOW)
jupiter-1: 12/11 11:35:42 FSAnalyze[140] Succeeded (LOW)
jupiter-1: 12/11 11:35:18 ShadowStoreDelete[142] Succeeded (LOW)
jupiter-1:
jupiter-1$ sudo isi_for_array isi devices
jupiter-1: Node 1, [ATTN]
jupiter-1: Bay 1 Lnum 3 [HEALTHY] SN:N/A /dev/da1
jupiter-1: Bay 2 Lnum 2 [HEALTHY] SN:N/A /dev/da2
jupiter-1: Bay 3 Lnum 1 [HEALTHY] SN:N/A /dev/da3
jupiter-1: Bay 4 Lnum 0 [HEALTHY] SN:N/A /dev/da4
jupiter-1: Bay 5 Lnum N/A [EMPTY] SN:N/A N/A
jupiter-1: Bay 6 Lnum N/A [EMPTY] SN:N/A N/A
Narahari1
2 Intern
127 Posts
0
December 19th, 2013 12:00
Add it to the "SystemAdmin" default role or use the "ISI_PRIV_SUPPORT" privileges.
chughh
122 Posts
1
December 26th, 2013 08:00
Dragon-1# isi_visudo
## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##
bb ALL=(ALL) ALL
/etc/mcp/override/sudoers.tmp: unmodified: line 1
The entry which I created in the isi_visudo file is above.
sfallon
1 Rookie
16 Posts
0
December 26th, 2013 12:00
Thanks. This works. Any caveats you can think of by doing this? I have never played with the sudoers file before so I am not sure of any issues with doing this.
Thanks again.
TanyaLB
7 Posts
0
December 18th, 2014 11:00
How would this look for a domain user?
scott_owens
60 Posts
0
December 18th, 2014 14:00
Following the example from above, here is a similar isi_visudo entry for a domain user, for my domain "Example" and user "test":
## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##
EXAMPLE\\test ALL=(ALL) ALL
Afterward, here is a sample of it working:
tmelab-1% whoami
EXAMPLE\test
tmelab-1% sudo isi_for_array -n 2 isi status
tmelab-2: Cluster Name: tmelab
tmelab-2: Cluster Health: [ ATTN]
tmelab-2: Cluster Storage: HDD SSD Storage
tmelab-2: Size: 13G (26G Raw) 0 (0 Raw)
tmelab-2: VHS Size: 13G
tmelab-2: Used: 8.5G (64%) 0 (n/a)
tmelab-2: Avail: 4.7G (36%) 0 (n/a)
tmelab-2:
tmelab-2: Health Throughput (bps) HDD Storage SSD Storage
tmelab-2: ID |IP Address |DASR | In Out Total| Used / Size |Used / Size
tmelab-2: -------------------+-----+-----+-----+-----+-----------------+-----------------
tmelab-2: 1|10.245.109.170 | OK | 0| 24| 24| 4.3G/ 6.6G( 64%)|(No Storage SSDs)
tmelab-2: 2|10.245.109.171 | OK | 118K| 84| 118K| 4.3G/ 6.6G( 64%)|(No Storage SSDs)
tmelab-2: -------------------+-----+-----+-----+-----+-----------------+-----------------
tmelab-2: Cluster Totals: | 118K| 108| 118K| 8.5G/ 13G( 64%)|(No Storage SSDs)
tmelab-2:
tmelab-2: Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only
tmelab-2:
tmelab-2: Critical Events:
tmelab-2:
tmelab-2: 11/26 11:00 C Error on machine account TMELAB$ with domain EXAMPLE.COM: T...
tmelab-2:
tmelab-2: Cluster Job Status:
tmelab-2:
tmelab-2: No running jobs.
tmelab-2:
tmelab-2: No paused or waiting jobs.
tmelab-2:
tmelab-2: Failed jobs:
tmelab-2: Job Errors Run Time End Time Retries Left
tmelab-2: -------------------------- ------ ---------- --------------- ------------
tmelab-2: ChangelistCreate[96] 1 0:00:00 07/01 08:51:04 0
tmelab-2:
tmelab-2: Recent job results:
tmelab-2: Time Job Event
tmelab-2: --------------- -------------------------- ------------------------------
tmelab-2: 12/18 04:00:20 ShadowStoreProtect[819] Succeeded (LOW)
tmelab-2: 12/18 02:00:09 WormQueue[818] Succeeded (LOW)
tmelab-2: 12/17 22:02:41 SmartPools[816] Succeeded (LOW)
tmelab-2: 12/17 22:01:33 FSAnalyze[817] Succeeded (LOW)
tmelab-2: 12/17 20:00:30 ShadowStoreProtect[815] Succeeded (LOW)
tmelab-2: 12/17 04:00:18 ShadowStoreProtect[814] Succeeded (LOW)
tmelab-2: 12/17 02:00:07 WormQueue[813] Succeeded (LOW)
tmelab-2: 12/16 22:02:40 SmartPools[811] Succeeded (LOW)
tmelab-2:
dsteinke
1 Message
0
May 29th, 2015 07:00
This can be accomplished by modifying the sudoers file to lock down the specific command that needs to be run using the isi_for_array command without opening up the entire capability of that command:
My customer had the need for a junior level admin to be able to search for open files and remove a lock without giving full root access to the jr admin. This is what we did:
At the CLI, perform the following:
SSH into the cluster with the root account
isi auth users create --name=INSERT_USERNAME_HERE --enabled=yes --password=INSERT_PASSWORD_HERE
isi auth roles create jradmin --description junior_admin_group
isi auth roles modify jradmin --add-priv ISI_PRIV_LOGIN_SSH
isi auth roles modify jradmin --add-priv ISI_PRIV_SMB
isi auth roles modify jradmin --add-user=INSERT_USERNAME_HERE
isi_visudo
Add the following line to the bottom of the sudoers file, make sure to save on exit:
INSERT_USERNAME_HERE ALL=(root) NOPASSWD: /usr/bin/isi_for_array isi smb*
The results:
demo-1% sudo isi_for_array isi smb openfile list
demo-1: ID Path
demo-1: -------
demo-1: -------
demo-1: Total: 0
demo-2: ID Path
demo-2: -------
demo-2: -------
demo-2: Total: 0
demo-3: ID Path
demo-3: -------
demo-3: -------
demo-3: Total: 0
The check to make sure other commands do not work:
demo-1% sudo isi_for_array isi status
Password:
Sorry, user myuser is not allowed to execute '/usr/bin/isi_for_array isi status' as root on demo-1.
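As an added illustration (not code from this thread or from OneFS), the Python model below parses the two kinds of sudoers entries shown in the thread and applies simplified sudoers matching to them. It shows what the `isi smb*` wildcard actually admits: every `isi smb` subcommand, not only open-file listing, while options placed before `isi` (as in the `-n 2` invocation earlier in the thread) fall outside the pattern; it also shows how a narrower glob tightens the rule. The username "myuser" is taken from the "Sorry, user myuser" output above; the candidate command lines are constructed.

```python
import fnmatch
import re
import shlex

# Constructed sudoers lines modelled on the two entries in this thread; the
# placeholder username is replaced by "myuser", as in the thread's output.
SUDOERS_LINES = [
    r"EXAMPLE\\test ALL=(ALL) ALL",
    r"myuser ALL=(root) NOPASSWD: /usr/bin/isi_for_array isi smb*",
]

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?:(?P<nopasswd>NOPASSWD):\s*)?(?P<cmd>.+)$"
)

def parse_rule(line):
    """Parse the subset of sudoers syntax used in this thread into a dict."""
    # A backslash must be doubled in sudoers, so EXAMPLE\\test names EXAMPLE\test.
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: " + line)
    return {
        "user": m.group("user").replace("\\\\", "\\"),
        "runas": m.group("runas"),
        "nopasswd": m.group("nopasswd") is not None,
        "cmd": m.group("cmd"),
    }

def rule_allows(rule, user, runas, cmdline):
    """Simplified sudoers matching: exact user, runas ALL or equal, exact
    command path, and the remaining arguments joined into one space-delimited
    string matched as a glob (sudoers lets '*' match across spaces here).
    A rule listing the command with no arguments permits any arguments."""
    if user != rule["user"] or rule["runas"] not in ("ALL", runas):
        return False
    if rule["cmd"] == "ALL":
        return True
    want, argv = shlex.split(rule["cmd"]), shlex.split(cmdline)
    if not argv or argv[0] != want[0]:
        return False
    if len(want) == 1:
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(want[1:]))

def sudo_permits(lines, user, runas, cmdline):
    """True if any parsed rule allows the command (negation rules ignored)."""
    return any(rule_allows(parse_rule(l), user, runas, cmdline) for l in lines)
```

Replacing the argument pattern with `isi smb openfile*` keeps the open-file listing and close operations the junior admin needs while excluding the other `isi smb` subcommands.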
bellonia
13 Posts
0
June 19th, 2017 00:00
This is working as expected, but for a domain user there is no tab completion of commands. I suppose that a domain user does not have a home folder and profile variables set; is that the problem?
bellonia
13 Posts
0
June 19th, 2017 05:00
I don't think this is caused by a different shell. Is this in some way solvable?
sluetze
2 Intern
300 Posts
0
June 19th, 2017 05:00
Depends on your settings. Another reason for non-working tab completion could be another shell (/bin/bash instead of /bin/zsh).
bellonia
13 Posts
0
December 11th, 2017 06:00
This is working as expected, but for a domain user there is no tab completion of commands. I suppose that a domain user does not have a home folder and profile variables set; is that the problem?
How can we solve it?