Eyeglass Service Account Minimum Privileges
- Overview
- Step 1 - Creating the local Isilon Eyeglass User - Isilon Command Line For Eyeglass DR, Ransomware Defender, Easy Auditor and Storage Cluster Monitor
- Easy Auditor Additional Permissions Required:
- Step 2 - SUDO Root Level Commands Needed for Eyeglass DR and Golden Copy Service Account
- Steps to create sudo entries
- SUDO file Updates Required for DR Edition
- SUDO File Updates Required for Golden Copy
- Step 1 - Search & Recover and Golden Copy Product Service Account Local Isilon User Account Creation:
- How to Restart Eyeglass services after making permissions changes:
- How to use Eyeglass DR Edition with Compliance Mode Clusters
Overview
Eyeglass communicates with Isilon clusters to perform discovery and add/update/delete of share, export and quota configuration information. The minimum Isilon cluster node user privileges required for Eyeglass/Isilon connectivity to successfully perform configuration replication and support other Eyeglass features are:
NOTE: Any change to Eyeglass Service Account privileges requires an Eyeglass sca service restart to recognize the change (procedure below).
NOTE: AD or LDAP user is not supported, this lowers the system availability and adds dependency on AD/LDAP servers for API calls, local users on Isilon have no dependence on AD/LDAP, in addition this generates too many authentication requests for API calls.
In addition to creation of the Eyeglass service account on the Isilon cluster, the sudoer file on the cluster must be updated to allow the Eyeglass service account to execute OneFS CLI commands that require Elevated Permissions to run as root.
Step 1 - Creating the local Isilon Eyeglass User - Isilon Command Line For Eyeglass DR, Ransomware Defender, Easy Auditor and Storage Cluster Monitor
Use these permissions for all of the products above.
To provision user and role from the Isilon Cluster command line:
These commands below are executable by ssh as root on Isilon and then right click : Note: Service account set to password never expires.
isi auth roles create --name EyeglassAdmin --description "EyeglassAdmin role"
isi auth users create eyeglass --enabled yes --password 3y3gl4ss
isi auth users modify eyeglass --password-expires no
isi auth roles modify EyeglassAdmin --add-user eyeglass
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_PAPI
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUTH
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_ROLE
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NFS
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SMB
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NETWORK
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_QUOTA
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_SSH
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUDIT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SYNCIQ
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NS_IFS_ACCESS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_EVENT
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HDFS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SNAPSHOT
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_WORM
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_STATISTICS
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_JOB_ENGINE
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_DEVICES
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FILE_FILTER
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HARDENING
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NDMP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_MONITORING
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HTTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SYS_UPGRADE
Easy Auditor Additional Permissions Required:
If using Easy Auditor add this additional permission
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NS_TRAVERSE
Step 2 - SUDO Root Level Commands Needed for Eyeglass DR and Golden Copy Service Account
In order to execute the some commands from the CLI that are not available in the PAPI for OneFS and require root-level (sudo) privileges for execution, this allows service accounts to run the command without having root access.
Steps to create sudo entries
- Edit the sudoer file using the Isilon isi_visudo command.
- Sudo file opens in vi editor.
- Add a line for the user used in Eyeglass that was used to provision the Isilon clusters for each permission displayed below.
SUDO file Updates Required for DR Edition
Add the following lines:
- eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic networks* (only required if cluster is 7.x.x.x)eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi status*eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi status*eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array date +%seyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic domain info* (new for 2.5.6 DR valildation)#(new Nov 12, 2019 for 2.5.5 latest release Cluster Storage Monitor ) NOTE: 2 entries are needed and they are different beloweyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*# new for 2.5.6 password CLI command to change eyeglass service account passwordeyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi auth users modify eyeglass --password
SUDO File Updates Required for Golden Copy
Save your changes. ( : then type wq!)
Repeat for each Cluster managed by Eyeglass for failover.
Once the user has been created and sudoer file updated, the eyeglass user an be used to add Isilon clusters to the Eyeglass appliance.
Step 1 - Search & Recover and Golden Copy Product Service Account Local Isilon User Account Creation:
Follow these instructions to create a dedicated Search & Recover service account, the same account is used for Golden Copy Product.
isi auth roles create --name EyeglassAdminSR --description "Eyeglass Search & Recover role"
isi auth users create eyeglassSR --enabled yes --password 3y3gl4ss
isi auth users modify eyeglassSR --password-expires no
isi auth roles modify EyeglassAdminSR --add-user eyeglassSR
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_LOGIN_PAPI
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_AUTH
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_SMB
isi auth roles modify EyeglassAdminSR --add-priv ISI_PRIV_SNAPSHOT
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_DEVICES
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NS_TRAVERSE
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NS_IFS_ACCESS
isi auth roles modify EyeglassAdminSR --add-priv ISI_PRIV_JOB_ENGINE
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NETWORK (New As of May 2019)
**** only add below for Golden Copy Product *****
isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_LOGIN_SSH
How to Restart Eyeglass services after making permissions changes:
- SSH to Eyeglass appliance
- Type: sudo su - (to elevate to root user - enter the admin user password)
- Type: systemctl restart sca
- Type: systemctl status sca (to verify sca service active and running after the restart)
How to use Eyeglass DR Edition with Compliance Mode Clusters
For clusters using compliance mode sudoer and root access is not permitted.
This means that clusters must be added to Eyeglass using the user below:
Compadmin