Isilon Cluster User Minimum Privileges for Eyeglass

Isilon Cluster User Minimum Privileges for Superna Eyeglass Tech Note





This Tech Note applies to:

  • Superna Eyeglass Isilon Edition R1.1 through R1.9


This Tech Note covers the following topic:

  • Minimum Isilon cluster node user privileges required for Eyeglass/Isilon connectivity

  • Updates to the Isilon cluster sudoers file for the Eyeglass service account


Overview

Eyeglass communicates with Isilon clusters to perform discovery and add/update/delete of share, export and quota configuration information. The minimum Isilon cluster node user privileges required for Eyeglass/Isilon connectivity to successfully perform configuration replication and support other Eyeglass features are:



Privilege Name      Access
------------------  ----------
Platform API        Read-Only
Auth                Read/Write
Privilege           Read/Write
NFS                 Read/Write
SMB                 Read/Write
Network             Read/Write
Quota               Read/Write
SSH                 Read-Only
Audit               Read/Write
SyncIQ              Read/Write
Namespace Access    Read-Only
Event               Read-Only
HDFS                Read-Only
Remote Support      Read-Only
Snapshot            Read/Write
SmartPools          Read-Only
WORM                Read-Only
Statistics          Read-Only
Job Engine          Read/Write



For OneFS 8.0, the following additional privileges are required:


Privilege Name      Access
------------------  ----------
CloudPool           Read-Only
Devices             Read-Only
File Filtering      Read-Only
Hardening           Read-Only
NDMP                Read-Only
Monitoring          Read-Only
Antivirus           Read-Only
FTP                 Read-Only
HTTP                Read-Only
NTP                 Read-Only
Sys Upgrade         Read-Only



In addition to creating the eyeglass service account on the Isilon cluster, the sudoers file on the cluster must be updated so that the eyeglass service account can execute the few OneFS CLI commands that require elevated permissions (root) to run.



Creating the local Isilon Eyeglass User

Creating the local Isilon Eyeglass User - Isilon OneFS GUI


On each Isilon cluster provisioned in Eyeglass, add the Isilon Eyeglass user from OneFS by following these steps:


  1. Create a local system user called eyeglass.

  2. Make the eyeglass user a member of the local Isilon Users group and enable the account.

  3. Create a new Role called EyeglassAdmin.

  4. Make the eyeglass user a member of the EyeglassAdmin Role.

  5. Add the following privileges to the EyeglassAdmin Role:

      Platform API        Read-Only
      Auth                Read/Write
      Privilege           Read/Write
      NFS                 Read/Write
      SMB                 Read/Write
      SyncIQ              Read/Write
      Network             Read/Write
      Quota               Read/Write
      SSH                 Read-Only
      Audit               Read/Write
      Namespace Access    Read-Only
      Event               Read-Only
      HDFS                Read-Only
      Remote Support      Read-Only
      Snapshot            Read/Write
      SmartPools          Read-Only
      WORM                Read-Only
      Statistics          Read-Only
      Job Engine          Read/Write

     For OneFS 8.0, these additional privileges are also required:

      CloudPool           Read-Only
      Devices             Read-Only
      File Filtering      Read-Only
      Hardening           Read-Only
      NDMP                Read-Only
      Monitoring          Read-Only
      Antivirus           Read-Only
      FTP                 Read-Only
      HTTP                Read-Only
      NTP                 Read-Only
      Sys Upgrade         Read-Only


To verify the privileges added to the EyeglassAdmin role, ssh to the Isilon cluster and run the command below:


isi auth roles privileges list EyeglassAdmin -v



Creating the local Isilon Eyeglass User - Isilon Command Line

To provision the user and role from the Isilon cluster command line, ssh to the cluster as root and run the commands below:


Note: The service account password is set to never expire. Replace the example password shown below with a strong, unique value of your own: the literal in this note is published and must not be used on a production cluster. Passing the password on the command line also leaves it in the shell history, so prefer the interactive --set-password option of isi auth users create / modify where your OneFS release provides it (check the CLI reference for your release).


isi auth roles create --name EyeglassAdmin --description "EyeglassAdmin role"

isi auth users create eyeglass --enabled yes --password 3y3gl4ss

isi auth users modify eyeglass --password-expires no

isi auth roles modify EyeglassAdmin --add-user eyeglass

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_PAPI

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUTH

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_ROLE

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NFS

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SMB

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NETWORK

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_QUOTA

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_SSH

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUDIT

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SYNCIQ

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NS_IFS_ACCESS

isi auth roles modify EyeglassAdmin --add-priv-ro  ISI_PRIV_EVENT

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HDFS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SNAPSHOT

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_WORM

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_STATISTICS

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_JOB_ENGINE

isi auth roles privileges list EyeglassAdmin -v




For OneFS 8.0 the following additional commands are required:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_DEVICES

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FILE_FILTER

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HARDENING

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NDMP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_MONITORING

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HTTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SYS_UPGRADE
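The GUI and CLI procedures above provision the same privilege set, and the only verification step is reading the output of isi auth roles privileges list by eye. The script below is an added example and is not part of the Superna tech note or of the Eyeglass product: it keeps the privilege table in one place, emits the isi auth roles modify commands from it, and compares a cluster's granted privilege set against the table so that a missing, wrongly levelled, or extra privilege is reported explicitly. The ISI_PRIV_* names and their ro/rw levels are copied from this note; the two-column "NAME ro|rw" format for the granted list, the script file name in the usage line, and the sample drifted cluster are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Superna tech note): keep the EyeglassAdmin
# privilege set in one table, generate the "isi auth roles modify" commands
# from it, and check a cluster's granted set for drift against the table.
# Run on the cluster as root, or paste the emitted commands into an ssh session.

EYEGLASS_ROLE="EyeglassAdmin"

# Privilege table, "<ISI_PRIV_* name> <ro|rw>" per line, copied from the
# tech note. rw maps to --add-priv, ro to --add-priv-ro.
BASE_PRIVS='ISI_PRIV_LOGIN_PAPI ro
ISI_PRIV_AUTH rw
ISI_PRIV_ROLE rw
ISI_PRIV_NFS rw
ISI_PRIV_SMB rw
ISI_PRIV_NETWORK rw
ISI_PRIV_QUOTA rw
ISI_PRIV_LOGIN_SSH ro
ISI_PRIV_AUDIT rw
ISI_PRIV_SYNCIQ rw
ISI_PRIV_NS_IFS_ACCESS ro
ISI_PRIV_EVENT ro
ISI_PRIV_HDFS ro
ISI_PRIV_REMOTE_SUPPORT ro
ISI_PRIV_SNAPSHOT rw
ISI_PRIV_SMARTPOOLS ro
ISI_PRIV_WORM ro
ISI_PRIV_STATISTICS ro
ISI_PRIV_JOB_ENGINE rw'

# Extra read-only privileges the tech note requires on OneFS 8.0.
ONEFS8_PRIVS='ISI_PRIV_CLOUDPOOLS ro
ISI_PRIV_DEVICES ro
ISI_PRIV_FILE_FILTER ro
ISI_PRIV_HARDENING ro
ISI_PRIV_NDMP ro
ISI_PRIV_MONITORING ro
ISI_PRIV_ANTIVIRUS ro
ISI_PRIV_FTP ro
ISI_PRIV_HTTP ro
ISI_PRIV_NTP ro
ISI_PRIV_SYS_UPGRADE ro'

# emit_role_commands TABLE -> one "isi auth roles modify" line per privilege.
# Nothing is executed here; pipe the output to sh as root to apply it.
emit_role_commands() {
    printf '%s\n' "$1" | while read -r priv mode; do
        [ -z "$priv" ] && continue
        case "$mode" in
            rw) printf 'isi auth roles modify %s --add-priv %s\n' "$EYEGLASS_ROLE" "$priv" ;;
            ro) printf 'isi auth roles modify %s --add-priv-ro %s\n' "$EYEGLASS_ROLE" "$priv" ;;
            *)  echo "skipping $priv: mode must be ro or rw, got '$mode'" >&2 ;;
        esac
    done
}

# priv_mode TABLE NAME -> prints ro/rw for NAME, or nothing if NAME is absent.
priv_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# check_privs EXPECTED GRANTED -> prints one line per difference and returns 1
# if the granted set deviates from the table (missing, wrong level, or extra).
# GRANTED uses the same "NAME ro|rw" format. Assumption: the operator
# normalises the output of "isi auth roles privileges list EyeglassAdmin -v"
# into this two-column form, since its exact layout differs between releases.
check_privs() {
    report=$(
        printf '%s\n' "$1" | while read -r priv mode; do
            [ -z "$priv" ] && continue
            have=$(priv_mode "$2" "$priv")
            if [ -z "$have" ]; then
                echo "MISSING $priv ($mode)"
            elif [ "$have" != "$mode" ]; then
                echo "MODE $priv expected=$mode granted=$have"
            fi
        done
        printf '%s\n' "$2" | while read -r priv mode; do
            [ -z "$priv" ] && continue
            [ -n "$(priv_mode "$1" "$priv")" ] || echo "EXTRA $priv ($mode)"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample of a drifted cluster: Quota missing, SmartPools granted
# read/write instead of read-only, and an unrelated privilege added.
SAMPLE_GRANTED=$(printf '%s\n' "$BASE_PRIVS" | grep -v ISI_PRIV_QUOTA \
    | sed 's/^ISI_PRIV_SMARTPOOLS ro$/ISI_PRIV_SMARTPOOLS rw/')
SAMPLE_GRANTED="$SAMPLE_GRANTED
ISI_PRIV_SYS_SHUTDOWN rw"

# Usage: sh eyeglass_role.sh [7|8]  -> prints the commands for that release.
if [ "$#" -gt 0 ]; then
    emit_role_commands "$BASE_PRIVS"
    [ "$1" = 8 ] && emit_role_commands "$ONEFS8_PRIVS"
fi
```

To audit a real cluster, transcribe the output of isi auth roles privileges list EyeglassAdmin -v into the NAME ro|rw form and pass it as the second argument to check_privs. A MISSING or MODE line explains a failing Eyeglass operation; an EXTRA line is the one to act on from a least-privilege standpoint, since any privilege the role carries beyond this list is exposure the integration does not need.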



Update Isilon sudoers File for Eyeglass Service User (Root-Level Commands Needed for Failover)


Some of the operations Eyeglass performs are not exposed through the OneFS Platform API (PAPI) and exist only as CLI commands that must run as root. Granting the Eyeglass service account sudo rules for exactly those commands lets it run them with root privileges without the account having root access to the cluster.


Eyeglass Access Zone Failover depends on several such commands, and the sudo rules below give the service account that permission across the cluster nodes. Keep the rules limited to the commands listed: each rule names a full path and an argument pattern, and a trailing * in a sudoers command specification matches any further arguments, so a rule is already broader than one fixed command line. Do not widen a rule to ALL, and re-check the rules after a OneFS upgrade, since the 7.x and 8.0 command paths differ.


OneFS CLI commands that require Elevated Permissions to run as root:

  1. SPN machine account maintenance before and after cluster failover - Eyeglass failover dependency

  2. Open Files validation pre-failover - Eyeglass failover dependency

  3. Cluster Hardware and Node information - Cluster Storage Usage dependency


To add sudo privileges to the Eyeglass cluster service account:

  1. ssh to the Isilon cluster as the root user.

  2. Edit the sudoers file with the Isilon isi_visudo command.

  3. The sudoers file opens in the vi editor.

  4. For the user that Eyeglass uses to provision the Isilon clusters, add one line for each command listed below for your OneFS release.


For OneFS 7.1, 7.2

For example, if the user is 'eyeglass', add the following lines:

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi auth ads*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles list

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi status*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi status*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array date*




For OneFS 8.0

For example, if the user is 'eyeglass', add the following lines:

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles list

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic networks*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi status*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi status*

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array date*






  5. Save your changes (press Esc, then type :wq! and press Enter).

  6. Repeat for each cluster managed by Eyeglass for failover.
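The sudoers lines above are pasted by hand into isi_visudo on every cluster, and a typo there either breaks failover or, worse, grants more than intended. The script below is an added example and is not part of the Superna tech note or of the Eyeglass product: it renders the rules for a given service-account name and OneFS release from the command list in this note, and lints a fragment before it is pasted, rejecting rules for the wrong user, rules whose command specification is the sudoers keyword ALL, and commands not given by absolute path. The command paths and argument patterns are copied from this note; the script file name in the usage line, the release numbering (7 or 8), and the bad rules used for testing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Superna tech note): render the Eyeglass sudoers
# rules for a given service-account name and OneFS release, and lint a
# fragment before it is pasted into isi_visudo.

# Root-only commands the tech note lists per OneFS release: absolute path
# followed by the permitted argument pattern, one per line.
ONEFS7_SUDO_CMDS='/usr/bin/isi auth ads*
/usr/bin/isi_for_array isi smb openfiles list
/usr/bin/isi_for_array isi status*
/usr/bin/isi status*
/usr/bin/isi_for_array date*'

ONEFS8_SUDO_CMDS='/usr/bin/isi_classic auth ads*
/usr/bin/isi_for_array isi smb openfiles list
/usr/bin/isi_classic networks*
/usr/bin/isi_for_array isi status*
/usr/bin/isi status*
/usr/bin/isi_for_array date*'

# render_sudoers USER RELEASE -> one sudoers rule per command (RELEASE is 7 or 8).
render_sudoers() {
    case "$2" in
        7) cmds="$ONEFS7_SUDO_CMDS" ;;
        8) cmds="$ONEFS8_SUDO_CMDS" ;;
        *) echo "unsupported OneFS release: $2 (expected 7 or 8)" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmds" | while read -r cmd; do
        [ -z "$cmd" ] && continue
        printf '%s ALL=(ALL) NOPASSWD: %s\n' "$1" "$cmd"
    done
}

# lint_sudoers USER FRAGMENT -> prints one finding per bad rule, returns 1 if
# any. Flags rules for another user, rules whose command specification is the
# sudoers keyword ALL (unrestricted root), and commands not given by absolute
# path (which sudo would otherwise resolve through PATH). The trailing "*"
# patterns the tech note requires are accepted as-is.
lint_sudoers() {
    findings=$(printf '%s\n' "$2" | awk -v user="$1" '
        NF == 0 { next }
        $1 != user { print "WRONG_USER: " $0; next }
        {
            # Fields: user, host=(runas), optional "TAG:" fields, then the command.
            idx = 3
            while (idx <= NF && $idx ~ /:$/) idx++
            spec = $idx
            if (spec == "ALL") { print "UNRESTRICTED: " $0; next }
            if (spec !~ /^\//) { print "RELATIVE_PATH: " $0; next }
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh eyeglass_sudoers.sh [user] [7|8]
# Prints the lint-clean fragment to paste into isi_visudo.
if [ "$#" -gt 0 ]; then
    frag=$(render_sudoers "$1" "${2:-8}") && lint_sudoers "$1" "$frag" && printf '%s\n' "$frag"
fi
```

The lint accepts the trailing * patterns because the note requires them, but they remain the widest part of each rule: sudo matches * against any following arguments, including whitespace, so add no further wildcards and never replace a command path with ALL. Run lint_sudoers over the existing eyeglass rules on each cluster after a OneFS upgrade as well, since the 7.x paths (isi auth ads) and 8.0 paths (isi_classic) differ.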




Once the user has been created and the sudoers file updated, use the eyeglass user when adding the Isilon clusters on the Eyeglass appliance.



Compliance Mode Clusters

On clusters running in SmartLock compliance mode, root login and sudo are not permitted, so the sudoers update above cannot be applied.


This means that such clusters must be added to Eyeglass using the cluster's built-in compliance administrator account:


compadmin