All Product Installation and Upgrade Guides

Eyeglass Service Account Minimum Privileges

Home

Overview

Eyeglass communicates with PowerScale clusters to perform discovery and add/update/delete of share, export and quota configuration information. The minimum PowerScale cluster node user privileges required for Eyeglass/PowerScale connectivity to successfully perform configuration replication and support other Eyeglass features are:

NOTE: Any change to Eyeglass Service Account privileges requires an Eyeglass sca service restart to recognize the change (procedure below).

NOTE: AD or LDAP user is not supported, this lowers the system availability and adds dependency on AD/LDAP servers for API calls, local users on PowerScale have no dependence on AD/LDAP, in addition this generates too many authentication requests for API calls. 

In addition to creation of the Eyeglass service account on the PowerScale cluster, the sudoer file on the cluster must be updated to allow the Eyeglass service account to execute OneFS CLI commands that require Elevated Permissions to run as root.

Step 1 - Creating the local PowerScale Eyeglass User - PowerScale Command Line For Eyeglass DR, Ransomware Defender, Easy Auditor and Storage Cluster Monitor

Use these permissions for all of the products above.

  1. Follow create steps below
  2. Then move to step 2 SUDO file configuration

To provision user and role from the PowerScale Cluster command line:

These commands below are executable by ssh as root on PowerScale and then right click : Note: Service account set to password never expires.

isi auth roles create --name EyeglassAdmin --description "EyeglassAdmin role"

isi auth users create eyeglass --enabled yes --password 3y3gl4ss

isi auth users modify eyeglass --password-expires no

isi auth roles modify EyeglassAdmin --add-user eyeglass

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_PAPI

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUTH

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_ROLE

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NFS

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SMB

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NETWORK

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_QUOTA

isi auth roles modify EyeglassAdmin --add-priv-ro  ISI_PRIV_LOGIN_SSH

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUDIT

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SYNCIQ

isi auth roles modify EyeglassAdmin --add-priv-ro  ISI_PRIV_NS_IFS_ACCESS

isi auth roles modify EyeglassAdmin --add-priv-ro  ISI_PRIV_EVENT

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HDFS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SNAPSHOT

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_WORM

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_STATISTICS

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_JOB_ENGINE

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_DEVICES

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FILE_FILTER

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HARDENING

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NDMP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_MONITORING

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HTTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NTP

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SYS_UPGRADE

Easy Auditor Additional Permissions Required:

If using Easy Auditor add this additional permission

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NS_TRAVERSE 


Step 1A - Search & Recover and Golden Copy Product Service Account Local  PowerScale User Account Creation:  

  1. Follow these instructions to create a dedicated Search & Recover/Golden Copy.  
  2. Then move on to Step 2 SUDO file configuration for Search & Recover/Golden Copy


isi auth roles create --name EyeglassAdminSR --description "Eyeglass Search & Recover role"

isi auth users create eyeglassSR --enabled yes --password 3y3gl4ss

isi auth users modify eyeglassSR --password-expires no

isi auth roles modify EyeglassAdminSR --add-user eyeglassSR

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_LOGIN_PAPI

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_AUTH

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_SMB

isi auth roles modify EyeglassAdminSR --add-priv ISI_PRIV_SNAPSHOT

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_DEVICES

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NS_TRAVERSE

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NS_IFS_ACCESS

isi auth roles modify EyeglassAdminSR --add-priv ISI_PRIV_JOB_ENGINE

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_NETWORK  (New As of May 2019)

******  Only required ACL security mode and file recovery portal feature *************

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_IFS_BACKUP

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_IFS_RESTORE


*********  new as of 1.1.5 File pool reporting ***********

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_CLOUDPOOLS

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_SMARTPOOLS



*****  only add below for Golden Copy Product *****

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_LOGIN_SSH

isi auth roles modify EyeglassAdminSR --add-priv ISI_PRIV_NETWORK (only required if using AirGap 1.0 solution)

**********  Golden Copy ACL permissions collection and apply on recall *******************

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_IFS_BACKUP

isi auth roles modify EyeglassAdminSR --add-priv-ro ISI_PRIV_IFS_RESTORE


Step 2 - SUDO Root Level Commands Needed for Eyeglass DR , Cluster Storage Monitor Unlock My Files and Golden Copy Service Account 

In order to execute the some commands from the CLI that are not available in the PAPI for OneFS and require root-level (sudo) privileges for execution, this allows service accounts to run the command without having root access.  

Apply the settings that apply to the applications you have purchased, apply to all clusters managed by Eyeglass products.

Steps to create sudo entries on PowerScale

  1. Edit the sudoer file using the PowerScale isi_visudo command.
  2. Sudo file opens in vi editor. 
  3. NOTE: Add lines for the applications you need to enable, each product has different sudo requirements, review each section that applies below.
  4. Save your changes. ( : then type wq!)
  5. Repeat step for each cluster managed by Eyeglass.

SUDO file Updates Required for DR Edition


Add the following lines DR product:


eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*

# (new for 2.5.6 DR valildation)

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic domain info* 


yellow highlighted entries should be deleted for 2.5.6 or later releases

eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic networks* (only required if cluster is 7.x.x.x)
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi status*   
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi status*                       
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array date +%s   

SUDO File Updates Required for Cluster Storage Monitor Unlock My Files Product

Add the following lines:
#(new Nov 12, 2019 for 2.5.5 latest release Cluster Storage Monitor UnLock My files
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*
eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*




How to Restart Eyeglass services after making permissions changes:

  1. SSH to Eyeglass appliance
  2. Type: sudo su -  (to elevate to root user - enter the admin user password)
  3. Type: systemctl restart sca
  4. Type: systemctl status sca  (to verify sca service active and running after the restart)

How to use Eyeglass DR Edition with Compliance Mode Clusters 

For clusters using compliance mode sudoer and root access is not permitted.

This means that clusters must be added to Eyeglass using the user below:

Compadmin




© Superna LLC