Prerequisites for privilege elevation using DLPX_DB_EXEC script

Updating DLPX_DB_EXEC script using Delphix Engine web APIs

In order to elevate privileges from a non-privileged OS account (such as delphix_os) to a privileged OS account (such as postgres), you must push a privilege elevation script (dlpx_db_exec) to the Delphix Engine, where it becomes part of the Delphix common plugin.

DLPX_DB_EXEC script

The privilege elevation profile script dlpx_db_exec allows you to execute commands that require superuser privileges on the source and target machines. The script can be created on, or pushed to, the Delphix Engine using Web API calls, curl or dxtoolkit. For the steps to create a privilege elevation profile, see CLI Cookbook: How to create or edit privilege elevation profiles and profile scripts.

Content of DLPX_DB_EXEC privilege elevation profile

CODE
#!/bin/bash
#
# Copyright (c) 2018 by Delphix. All rights reserved.
#

#
# This script allows customization of command execution with an alternate user
# account. The first argument must be -u<user>; the remaining arguments form the
# command to run. The [[ ... ]] tests below are bash syntax, so the interpreter
# must be bash rather than POSIX sh.
if [[ $1 != -u* ]]; then
    echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
    exit 1
fi
# Strip the leading -u to obtain the target account name.
user_id=`echo $1 | sed -e "s/^-u//"`

shift 1
if [[ $user_id != "delphix_os" ]]; then
    # Run the command as the privileged account through sudo; the sudoers
    # entries below constrain which "su <user> -p -c '...'" invocations are allowed.
    command=$(printf "%s" "$@")
    cd /tmp
    sudo -E su "$user_id" -p -c "$command"
else
    # Already the low-privileged account: run the command directly.
    $@
fi

Below is an example of how you can push the privilege elevation script dlpx_db_exec to the Delphix Engine.

  1. Create a session with the Delphix Engine as the Delphix OS user.

    CODE
    curl -i -c cookies.txt -X POST -H "Content-Type:application/json" http://<DELPHIX_ENGINE>/resources/json/delphix/session -d '{
        "version":{
            "minor":11,
            "major":1,
            "micro":5,
            "type":"APIVersion"
        },
        "type":"APISession"
    }'

    Set the API version to match the Delphix Engine release installed at the customer site.

  2. Log in to the Delphix Engine as the Delphix OS user.

    CODE
    curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" http://<DELPHIX_ENGINE>/resources/json/delphix/login -d '{
        "password":"<PASSWORD>",
        "type":"LoginRequest",
        "target":"DOMAIN",
        "username":"<USERNAME>"
    }'

  3. Push the DLPX_DB_EXEC contents to the Delphix Engine.

    CODE
    curl -i -b cookies.txt -X POST -H "Content-Type:application/json" http://<DELPHIX_ENGINE>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{
        "type": "HostPrivilegeElevationProfileScript",
        "contents": "#\n# Copyright (c) 2018 by Delphix. All rights reserved.\n#\n#\n# This script allows customization of command execution with an alternate user\n# account.\nif [[ $1 != -u* ]]; then\n    echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n    exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\nshift 1\nif [[ $user_id != \"delphix_os\" ]]; then\n    command=$(printf \"%s\" \"$@\")\n    cd /tmp\n    sudo -E su $user_id -p -c \"$command\"\nelse\n    $@\nfi\n"
    }'

Replace the <USERNAME>, <PASSWORD> and <DELPHIX_ENGINE> placeholders with the values for your environment.

If the dlpx_db_exec script is updated after an Environment has been added, you must run the Refresh operation on that Environment to propagate the change.
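The three calls above as an added Python example (not Delphix tooling): it lets json.dumps produce the escaped "contents" string of step 3 instead of hand-escaping the script, and keeps the session cookie across the calls. The engine address, credentials and the profile script reference are placeholders, and the OKResult/ErrorResult response envelope is an assumption.

```python
"""Push a dlpx_db_exec script to a Delphix Engine (added example, not Delphix
code): APISession, LoginRequest, then the HostPrivilegeElevationProfileScript update."""
import http.cookiejar
import json
import urllib.request

API_VERSION = {"type": "APIVersion", "major": 1, "minor": 11, "micro": 5}


def build_session_body(version=API_VERSION):
    return json.dumps({"type": "APISession", "version": version})


def build_login_body(username, password):
    return json.dumps({"type": "LoginRequest", "target": "DOMAIN",
                       "username": username, "password": password})


def build_profile_script_body(script_text):
    # json.dumps escapes the quotes, backslashes and newlines that the
    # hand-written "contents" string in step 3 must otherwise get right by hand.
    return json.dumps({"type": "HostPrivilegeElevationProfileScript",
                       "contents": script_text})


def push_profile_script(engine, username, password, script_text,
                        script_ref="HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7",
                        post=None):
    # Runs the three calls in order and returns [(path, status), ...].
    # post(url, body) -> (status, text) may be injected; the default transport
    # keeps the session cookie from step 1 for steps 2 and 3.
    if post is None:
        opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

        def post(url, body):
            req = urllib.request.Request(url, data=body.encode(), method="POST",
                                         headers={"Content-Type": "application/json"})
            with opener.open(req) as resp:
                return resp.status, resp.read().decode()
    base = "http://%s/resources/json/delphix/" % engine
    steps = [("session", build_session_body()),
             ("login", build_login_body(username, password)),
             ("host/privilegeElevation/profileScript/" + script_ref,
              build_profile_script_body(script_text))]
    results = []
    for path, body in steps:
        status, text = post(base + path, body)
        results.append((path, status))
        # Assumed envelope: the engine answers HTTP 200 with OKResult or ErrorResult.
        if status != 200 or json.loads(text).get("type") == "ErrorResult":
            raise RuntimeError("%s failed (HTTP %d): %s" % (path, status, text))
    return results
```

Call it as `push_profile_script("<DELPHIX_ENGINE>", "<USERNAME>", "<PASSWORD>", open("dlpx_db_exec").read())`; the script reference in the URL must be the one shown for your engine.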

Staging/Target host requirements

To run all plugin operations on the staging and target hosts, the Delphix OS user account (henceforth referred to as "delphix_os") requires a privilege elevation specification. Here is an example specification for the "sudo" privilege elevation utility, using "visudo" to edit the "sudoers" configuration file. This specification makes the following assumptions:

  • OS = Linux

  • The Privileged OS account is named postgres.

The following sudoers entry is a template only. Replace the binary paths in the entry with the paths that apply to your environment.

Entry required for both Linking and Provisioning via the low-privileged user (delphix_os):

For PLUGIN_VERSION >=3.1.0

CODE
Defaults:delphix_os !requiretty

delphix_os ALL=NOPASSWD:SETENV: /bin/mount,\
/bin/umount,\
/bin/mkdir,\
/bin/rmdir,\
/bin/ps,\
/bin/su postgres -p -c '*'/createdb -p * '*',\
/bin/su postgres -p -c '*'/dropdb -p * '*',\
/bin/su postgres -p -c '*'/pg_dump -Fd '*' -p * -j * -h '*' -f '*/*_backup' -U * --verbose,\
/bin/su postgres -p -c '*'/pg_dumpall --globals-only --no-role-password --clean -p * -h '*' -f '*/*dumpall_file.sql' -U *,\
/bin/su postgres -p -c '*'/pg_restore -p * -d '*' -j * '*/*_backup' --verbose,\
/bin/su postgres -p -c */pg_basebackup -D */data -F t -v -w * -p * -U * --checkpoint\=fast,\
/bin/su postgres -p -c */pg_controldata */data,\
/bin/su postgres -p -c */pg_ctl --version,\
/bin/su postgres -p -c */pg_ctl initdb -D */data,\
/bin/su postgres -p -c */pg_ctl initdb -D */postgres_init,\
/bin/su postgres -p -c */pg_ctl start -D */data -t * &> */.delphix/postgres_db_log,\
/bin/su postgres -p -c */pg_ctl status -D */data,\
/bin/su postgres -p -c */pg_ctl stop -D */data &> */.delphix/postgres_db_log,\
/bin/su postgres -p -c */pg_isready -h * -p *,\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'select 1;',\
/bin/su postgres -p -c */psql -p * -d postgres -f '*/dumpall_file.sql',\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'select name\, setting from pg_settings;' -o */.delphix/source_postgresql_config_file.conf,\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'show server_version;',\
/bin/su postgres -p -c */psql -t -U * -p * -c "select SUM(pg_database_size(pg_database.datname)) from pg_database;",\
/bin/su postgres -p -c */psql -t -U * -p * -d * -c "select pg_database_size(pg_database.datname) from pg_database where pg_database.datname\= '*';",\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'database_oid' > */.delphix/database_oid,\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'ingestion_method' > */.delphix/ingestion_method,\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'postgresql_tmp.conf' > */data/postgresql_tmp.conf,\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'recovery.conf' >> */data/recovery.conf,\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'tablespace_file' > */.delphix/tablespace_file,\
/bin/su postgres -p -c base64 -d $DLPX_PG_PLUGIN_ECHO_PATH/'walControl.sh' > */data/scripts/walControl.sh,\
/bin/su postgres -p -c cat '*/.delphix/postgres_db_log',\
/bin/su postgres -p -c cat '*/data/PG_VERSION',\
/bin/su postgres -p -c cat '*/data/current_logfiles',\
/bin/su postgres -p -c cat '*/data/postgresql.conf',\
/bin/su postgres -p -c cat '*/dumpall_file.sql',\
/bin/su postgres -p -c cat '*/scratch_file.sql',\
/bin/su postgres -p -c chmod 0700 '*/data',\
/bin/su postgres -p -c chmod 0700 '*/data/recovery.conf.delphix',\
/bin/su postgres -p -c chmod 0755 '*/data/scripts/walControl.sh',\
/bin/su postgres -p -c chmod 0666 '*/scratch_file.sql',\
/bin/su postgres -p -c cp '*' '*/data/postgresql.conf',\
/bin/su postgres -p -c cp '*/data/postgresql.conf' '*/data/postgresql.conf_backup',\
/bin/su postgres -p -c cp '*/dumpall_file.sql' '*/scratch_file.sql',\
/bin/su postgres -p -c echo '' > '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c echo '' > '*/data/recovery.conf',\
/bin/su postgres -p -c echo '' > '*/data/standby.signal',\
/bin/su postgres -p -c echo '' > '*/data/recovery.signal',\
/bin/su postgres -p -c echo '' > '*/.delphix/staging_push',\
/bin/su postgres -p -c find * -type f -name PostgreSQL_T\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\].zip,\
/bin/su postgres -p -c find * -type d -name PostgreSQL_T\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\],\
/bin/su postgres -p -c find * -type f -name base.tar,\
/bin/su postgres -p -c find */data -type f -name \*.tar,\
/bin/su postgres -p -c find * -type f -name \[0-9\]\*tar,\
/bin/su postgres -p -c grep -w '^log_directory' '*/data/postgresql.conf',\
/bin/su postgres -p -c grep -w '^max_connections' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^max_connections' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^max_wal_senders' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^max_wal_senders' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^port' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^port' '*/data/postgresql.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_segments' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_segments' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_size' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_size' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^timezone' '*/data/postgresql.conf',\
/bin/su postgres -p -c ln -s '../tablespace/*' '*/data/pg_tblspc',\
/bin/su postgres -p -c ls -lrt '*' | tail -n+2,\
/bin/su postgres -p -c mkdir -p '*',\
/bin/su postgres -p -c mv '*/data/postgresql.auto.conf' '*/data/postgresql.auto.conf.delphix',\
/bin/su postgres -p -c mv '*/data/postgresql.auto.conf' '*/data/postgresql.auto.source.conf',\
/bin/su postgres -p -c mv '*/data/postgresql.conf' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c mv '*/data/postgresql_tmp.conf' '*/data/postgresql.conf',\
/bin/su postgres -p -c mv '*/data/postmaster.opts' '*/data/postmaster.opts.delphix',\
/bin/su postgres -p -c mv '*/data/recovery.conf' '*/data/recovery.conf.delphix',\
/bin/su postgres -p -c mv '*/data/standby.signal' '*/data/standby.signal.delphix',\
/bin/su postgres -p -c mv '*/postgres_init/postgresql.auto.conf' '*/data',\
/bin/su postgres -p -c mv '*/postgres_init/postgresql.conf' '*/data',\
/bin/su postgres -p -c mv '*/postgres_init/pg_hba.conf' '*/data',\
/bin/su postgres -p -c mv '*/postgres_init/pg_ident.conf' '*/data',\
/bin/su postgres -p -c mv '*/scratch_file.sql' '*/dumpall_file.sql',\
/bin/su postgres -p -c printenv param_value >> */data/recovery.conf,\
/bin/su postgres -p -c rm -f '*/data/*.tar',\
/bin/su postgres -p -c rm -f '*/data/postmaster.pid',\
/bin/su postgres -p -c rm -f '*/data/tablespace_map',\
/bin/su postgres -p -c rm -r -f '*',\
/bin/su postgres -p -c tail -n 1 '*/data/scripts/WalBreakChainDetected',\
/bin/su postgres -p -c tail -n 1 '*/data/scripts/InvalidRecordFileFoundData',\
/bin/su postgres -p -c tail -n * '*/data/log/*',\
/bin/su postgres -p -c tail -n * '*/data/pg_log/*',\
/bin/su postgres -p -c tar -xf */base.tar -C */data,\
/bin/su postgres -p -c tar -xf */pg_wal.tar -C */data/pg_wal,\
/bin/su postgres -p -c tar -xf */*.tar -C */data/tablespace*,\
/bin/su postgres -p -c test -d '*',\
/bin/su postgres -p -c test -f '*',\
/bin/su postgres -p -c test -r '*' && test -w '*' && test -x '*',\
/bin/su postgres -p -c test -r '*' && test -x '*',\
/bin/su postgres -p -c test -r '*',\
/bin/su postgres -p -c test -w '*' && test -x '*',\
/bin/su postgres -p -c unzip '*/PostgreSQL_T[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].zip' -d '*/data',\
/bin/su postgres -p -c zipinfo* '*/PostgreSQL_T[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].zip'

For PLUGIN_VERSION <=3.0.0

CODE
Defaults:delphix_os !requiretty

delphix_os ALL=NOPASSWD:SETENV: /bin/mount,\
/bin/umount,\
/bin/mkdir,\
/bin/rmdir,\
/bin/ps,\
/bin/su postgres -p -c '*'/createdb -p * '*',\
/bin/su postgres -p -c '*'/dropdb -p * '*',\
/bin/su postgres -p -c '*'/pg_dump -Fd '*' -p * -j * -h '*' -f '*/*_backup' -U * --verbose,\
/bin/su postgres -p -c '*'/pg_restore -p * -O -d '*' -j * '*/*_backup' --verbose,\
/bin/su postgres -p -c */pg_basebackup -D */data -F t -v -w -P -h * -p * -U * --checkpoint\=fast,\
/bin/su postgres -p -c */pg_controldata */data,\
/bin/su postgres -p -c */pg_ctl --version,\
/bin/su postgres -p -c */pg_ctl initdb -D */data,\
/bin/su postgres -p -c */pg_ctl initdb -D */postgres_init,\
/bin/su postgres -p -c */pg_ctl start -D */data -t * &> */.delphix/postgres_db_log,\
/bin/su postgres -p -c */pg_ctl status -D */data,\
/bin/su postgres -p -c */pg_ctl stop -D */data &> */.delphix/postgres_db_log,\
/bin/su postgres -p -c */pg_isready -h * -p *,\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'select 1;',\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'select name\, setting from pg_settings;' -o */.delphix/source_postgresql_config_file.conf,\
/bin/su postgres -p -c */psql -t -U * -p * -d * -h * -c 'show server_version;',\
/bin/su postgres -p -c cat '*/.delphix/postgres_db_log',\
/bin/su postgres -p -c cat '*/data/PG_VERSION',\
/bin/su postgres -p -c cat '*/data/current_logfiles',\
/bin/su postgres -p -c cat '*/data/postgresql.conf',\
/bin/su postgres -p -c chmod 0700 '*/data',\
/bin/su postgres -p -c chmod 0700 '*/data/recovery.conf.delphix',\
/bin/su postgres -p -c chmod 0755 '*/data/scripts/walControl.sh',\
/bin/su postgres -p -c cp '*' '*/data/postgresql.conf',\
/bin/su postgres -p -c cp '*/data/postgresql.conf' '*/data/postgresql.conf_backup',\
/bin/su postgres -p -c echo '*' > '*/data/postgresql_tmp.conf',\
/bin/su postgres -p -c echo '*' > '*/data/scripts/walControl.sh',\
/bin/su postgres -p -c echo '*' >> */data/recovery.conf,\
/bin/su postgres -p -c echo [ ]>> '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c echo [ ]>> '*/data/recovery.conf',\
/bin/su postgres -p -c echo [ ]>> '*/data/standby.signal',\
/bin/su postgres -p -c find * -type f -name PostgreSQL_T\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\]\[0-9\].zip,\
/bin/su postgres -p -c find */data -type f -name \*.tar,\
/bin/su postgres -p -c find */data -type f -name \[0-9\]\*tar,\
/bin/su postgres -p -c grep -w '^log_directory' '*/data/postgresql.conf',\
/bin/su postgres -p -c grep -w '^max_connections' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^max_connections' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^max_wal_senders' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^max_wal_senders' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^port' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^port' '*/data/postgresql.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_segments' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_segments' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_size' '*/data/postgresql.auto.conf',\
/bin/su postgres -p -c grep -w '^wal_keep_size' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c ln -s '../tablespace/*' '*/data/pg_tblspc',\
/bin/su postgres -p -c ls -lrt '*/data' | tail -n+2,\
/bin/su postgres -p -c ls -lrt '*/data/pg_log' | tail -n+2,\
/bin/su postgres -p -c ls -lrt '*/data/pg_tblspc' | tail -n+2,\
/bin/su postgres -p -c mkdir -p '*/.delphix',\
/bin/su postgres -p -c mkdir -p '*/data',\
/bin/su postgres -p -c mkdir -p '*/data/scripts',\
/bin/su postgres -p -c mkdir -p '*/data/tablespace*',\
/bin/su postgres -p -c mkdir -p '*/postgres_init',\
/bin/su postgres -p -c mv '*/data/postgresql.auto.conf' '*/data/postgresql.auto.conf.delphix',\
/bin/su postgres -p -c mv '*/data/postgresql.auto.conf' '*/data/postgresql.auto.source.conf',\
/bin/su postgres -p -c mv '*/data/postgresql.conf' '*/data/postgresql_source.conf',\
/bin/su postgres -p -c mv '*/data/postgresql_tmp.conf' '*/data/postgresql.conf',\
/bin/su postgres -p -c mv '*/data/postmaster.opts' '*/data/postmaster.opts.delphix',\
/bin/su postgres -p -c mv '*/data/recovery.conf' '*/data/recovery.conf.delphix',\
/bin/su postgres -p -c mv '*/data/standby.signal' '*/data/standby.signal.delphix',\
/bin/su postgres -p -c mv '*/postgres_init/postgresql.auto.conf' '*/data',\
/bin/su postgres -p -c mv '*/postgres_init/postgresql.conf' '*/data',\
/bin/su postgres -p -c printenv param_value >> */data/recovery.conf,\
/bin/su postgres -p -c rm -f '*/data/*.tar',\
/bin/su postgres -p -c rm -f '*/data/tablespace_map',\
/bin/su postgres -p -c rm -f '*/data/postmaster.pid',\
/bin/su postgres -p -c rm -r -f '*/*_backup',\
/bin/su postgres -p -c rm -r -f '*/.delphix',\
/bin/su postgres -p -c rm -r -f '*/data',\
/bin/su postgres -p -c rm -r -f '*/postgres_init',\
/bin/su postgres -p -c tail -n 1 '*/data/scripts/WalBreakChainDetected',\
/bin/su postgres -p -c tail -n 1 '*/data/scripts/InvalidRecordFileFoundData',\
/bin/su postgres -p -c tail -n * '*/data/log/*',\
/bin/su postgres -p -c tail -n * '*/data/pg_log/*',\
/bin/su postgres -p -c tar -xf */data/base.tar -C */data,\
/bin/su postgres -p -c tar -xf */data/pg_wal.tar -C */data/pg_wal,\
/bin/su postgres -p -c tar -xf */*.tar -C */data/tablespace*,\
/bin/su postgres -p -c test -d '*',\
/bin/su postgres -p -c test -f '*',\
/bin/su postgres -p -c test -r '*' && test -w '*' && test -x '*',\
/bin/su postgres -p -c test -r '*' && test -x '*',\
/bin/su postgres -p -c test -r '*',\
/bin/su postgres -p -c test -w '*' && test -x '*',\
/bin/su postgres -p -c unzip '*/PostgreSQL_T[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].zip' -d '*/data',\
/bin/su postgres -p -c zipinfo '*/PostgreSQL_T[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].zip'

Prerequisite for discovery operation

The Discovery operation is not run by the high-privileged user; it is executed by the low-privileged user.

  1. The environment variable DELPHIX_PG_PATH must be accessible to the low-privileged user.
    The variable DELPHIX_PG_PATH must be available to the environment (low-privileged) user in a non-interactive login. You can test this for non-interactive logins with ssh <low_privileged_user>@<target_host> "env | grep DELPHIX_PG_PATH".

  2. The paths listed in `DELPHIX_PG_PATH` must have read and execute permissions for the low-privileged user. Example: DELPHIX_PG_PATH="/usr/pgsql-9.6/bin:/var/lib/pgsql/9.6/data;"

  3. If the DELPHIX_PG_PATH environment variable is not set for the low-privileged user, the plugin searches the /var and /opt directories instead. If the installations are located under these parent folders, the low-privileged user needs read and execute permissions on the whole chain of directories that contains the installation.

  4. Each directory in the <postgres bin> path must have read and execute permissions for the low-privileged user.

  5. The low-privileged user must be able to execute the <postgres bin>/postgres --version command, so the plugin needs read and execute permissions for just the <postgres bin>/postgres binary. All other binaries and scripts are run as the high-privileged user.
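A checker for items 1 to 5 above, as an added Python example that is not part of the plugin: it parses DELPHIX_PG_PATH in the form shown in item 2 and reports every directory on the path, and the postgres binary itself, that lacks read and execute permission for the user running it (so run it as the low-privileged user over the non-interactive ssh login from item 1).

```python
"""Check the discovery prerequisites for the user running this script
(added example, not part of the plugin). Run it as the low-privileged user."""
import os


def parse_delphix_pg_path(value):
    # "/usr/pgsql-9.6/bin:/var/lib/pgsql/9.6/data;" -> the two directories;
    # the trailing ';' from the documented form and empty entries are dropped.
    return [p for p in value.strip().rstrip(";").split(":") if p]


def path_components(path):
    # "/usr/pgsql-9.6/bin" -> ["/", "/usr", "/usr/pgsql-9.6", "/usr/pgsql-9.6/bin"]
    # so that every directory on the way is checked, as item 4 requires.
    parts = os.path.abspath(path).split(os.sep)
    return [os.sep.join(parts[:i]) or os.sep for i in range(1, len(parts) + 1)]


def check_discovery_prereqs(pg_path_value):
    """Return a list of problems; an empty list means the current user can
    perform discovery with this DELPHIX_PG_PATH value."""
    dirs = parse_delphix_pg_path(pg_path_value)
    if not dirs:
        return ["DELPHIX_PG_PATH is unset or empty for this user"]
    problems = []
    for d in dirs:
        for comp in path_components(d):
            if not os.path.isdir(comp):
                problems.append("%s: not a directory" % comp)
                break
            if not os.access(comp, os.R_OK | os.X_OK):   # items 2 and 4
                problems.append("%s: needs read and execute permission" % comp)
    # item 5: <postgres bin>/postgres itself must be readable and executable
    postgres_bins = [os.path.join(d, "postgres") for d in dirs
                     if os.path.isfile(os.path.join(d, "postgres"))]
    if not postgres_bins:
        problems.append("no 'postgres' binary found in any DELPHIX_PG_PATH directory")
    for exe in postgres_bins:
        if not os.access(exe, os.R_OK | os.X_OK):
            problems.append("%s: needs read and execute permission" % exe)
    return problems


if __name__ == "__main__":
    # Reads the same variable the plugin reads; run via a non-interactive ssh
    # login (item 1) so the value seen here is the one discovery will see.
    for line in check_discovery_prereqs(os.environ.get("DELPHIX_PG_PATH", "")) or ["OK"]:
        print(line)
```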
