PowerScale: OneFS: How to add users in the sudoers file.

Summary: To let Role-Based Access Control (RBAC) users run all commands, you must modify the sudoers file. Administrators may require that AD users be able to administer the cluster, but certain commands are reserved for a user with 'root' permissions. A common need is for a user to be able to use the 'isi_for_array' prefix. ...


Instructions

1) Administrators must SSH to any node in the cluster using the root account.

Confirm that the user has the required RBAC privileges by checking the mapping token.
EXAMPLE:

sinister-1# isi auth mapping token SKYLINE\\mike
                   User
                       Name: SKYLINE\mike
                        UID: 1000000
                        SID: S-1-5-21-2171369398-269580091-234124463-1107
                    On Disk: S-1-5-21-2171369398-269580091-234124463-1107
                    ZID: 1
                   Zone: System
             Privileges: ISI_PRIV_LOGIN_CONSOLE
                         ISI_PRIV_LOGIN_PAPI
                         ISI_PRIV_LOGIN_SSH 
                         ISI_PRIV_SYS_SHUTDOWN
                         ISI_PRIV_SYS_SUPPORT
                         ISI_PRIV_SYS_TIME
                         ISI_PRIV_SYS_UPGRADE
                         ISI_PRIV_AUTH
                         <snip>
                         ISI_PRIV_ROLE
                         ISI_PRIV_SNMP
                         ISI_PRIV_STATISTICS
                         ISI_PRIV_SWIFT
                         ISI_PRIV_SYNCIQ
                         ISI_PRIV_VCENTER
                         ISI_PRIV_WORM
                         ISI_PRIV_ESRS_DOWNLOAD
                         ISI_PRIV_NS_TRAVERSE



2) Run the following command:

# isi_visudo



The default output should look like the example below:

## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##



3) Locate the content as shown below:

Test ALL=(ALL)  NOPASSWD:ALL



This line means that the user 'Test' may run all commands without being prompted for a password. If you want a password prompt, do not use NOPASSWD.

4) Check the username that you want to add to the sudoers file. Note: Usernames are case-sensitive.

5) Edit the file using the "i" key.

6) Enter the user to whom you want to give the privilege, for example:

<username> ALL=(ALL) NOPASSWD:ALL


NOTE: This can be done for AD Domain users as well. You must use the following syntax for domain users.

<DOMAIN\\user> ALL=(ALL) NOPASSWD:ALL 


EXAMPLE:

SKYLINE\\mike ALL=(ALL) NOPASSWD: ALL


The username identifies the user to whom you want to give the privilege. NOPASSWD means that no password is requested when the user runs a command. The final ALL gives the privilege of running all commands.

7) To add local groups or AD groups to the sudoers file, use the "%" prefix followed by the group name. For example:

%admin ALL=(ALL) NOPASSWD:ALL



NOTE: This can be done for AD domain groups as well. You must use the following syntax for domain groups:

%<DOMAIN\\group> ALL=(ALL) NOPASSWD:ALL



8) Save the entry by pressing "ESC", then typing ":wq" followed by "Enter".

9) Verify that the user account works by logging in over SSH as that user. If the login does not work, assign roles and privileges to the user.

10) Once the user is logged in, they can verify that the commands work by prefixing each command with sudo.
 

# sudo isi devices 
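
A review aid for the entries added in steps 3 to 7, given here as an added example that is not part of the original article and not a OneFS tool. It reads sudoers override lines on standard input and flags grants of ALL commands with NOPASSWD, as well as lines where the host field is followed by something other than `=`. The helper names `audit_sudoers` and `sample_override` and the group name `storage-ops` are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not a OneFS tool): review sudoers override entries on stdin.
# audit_sudoers and sample_override are hypothetical helper names.
audit_sudoers() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                    # blank lines, comments
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }      # not user specifications
    {
        who = $1
        kind = (substr(who, 1, 1) == "%") ? "group" : "user"
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)        # drop the user/group field
        # A user specification is "who host=(runas) cmds"; a line written
        # as "ALL:(ALL)" has no "=" after the host and is a syntax error.
        if (rest !~ /^[^= \t]+[ \t]*=/) {
            printf "SYNTAX line %d: %s %s has no = after the host field\n", NR, kind, who
            next
        }
        cmds = rest
        sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", cmds)   # drop host=(runas)
        nopw = (cmds ~ /NOPASSWD[ \t]*:/)
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", cmds)       # drop tags such as NOPASSWD:
        all = (("," cmds ",") ~ /,[ \t]*ALL[ \t]*,/) # bare ALL in the command list
        if (nopw && all)
            printf "BROAD line %d: %s %s runs ALL commands with no password prompt\n", NR, kind, who
        else if (all)
            printf "ALL line %d: %s %s runs ALL commands after a password prompt\n", NR, kind, who
        else if (nopw)
            printf "NOPASSWD line %d: %s %s runs listed commands with no password prompt\n", NR, kind, who
    }'
}

# Constructed sample built from the example lines in this article;
# the group name storage-ops is made up for illustration.
sample_override() {
    cat <<'EOF'
## Sudoers override file.
Test ALL=(ALL)  NOPASSWD:ALL
SKYLINE\\mike ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) NOPASSWD:ALL
%SKYLINE\\storage-ops ALL:(ALL) NOPASSWD:ALL
admin ALL=(ALL) !/usr/bin/isi sync*
EOF
}

sample_override | audit_sudoers
```

Each BROAD line is an account or group that holds unrestricted root-equivalent access with no password prompt, so these entries are the ones to review when auditing the override file.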

 

Additional Information

Users need the ISI_PRIV_LOGIN_SSH privilege to log in over SSH.
To add the privilege to a user, the user must be added to Roles.
 

Affected Products

PowerScale OneFS

Products

Isilon, PowerScale OneFS
Article Properties
Article Number: 000008866
Article Type: How To
Last Modified: 27 Rajab 1447
Version:  5