Prerequisites for privilege elevation using DLPX_DB_EXEC script
Updating DLPX_DB_EXEC script using Delphix Engine web APIs
In order to elevate privileges from a non-privileged OS account (like delphix_os) to a privileged OS account (like postgres), you must push a privilege elevation script (dlpx_db_exec) up into the Delphix Engine to become part of the Delphix common plugin.
DLPX_DB_EXEC script
The privilege elevation profile script dlpx_db_exec allows you to execute commands that require superuser privileges on the source and target machines. The privilege elevation script dlpx_db_exec can be created or pushed to Delphix Engine using Web API calls, CURL or dxtoolkit. For steps on creating a Privilege Elevation Profile, see CLI Cookbook: How to create or edit a privilege elevation profiles and profile scripts
Content of DLPX_DB_EXEC privilege elevation profile
#!/bin/sh
#
# Copyright (c) 2018 by Delphix. All rights reserved.
#
#
# This script allows customization of command execution with an alternate user
# account.
if [[ $1 != -u* ]]; then
echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
exit 1
fi
user_id=`echo $1 | sed -e "s/^-u//"`
shift 1
if [[ $user_id != "delphix_os" ]]; then
command=$(printf "%s" "$@")
cd /tmp
sudo -E su $user_id -p -c "$command"
else
$@
fiBelow is an example of how you can push privilege elevation script “dlpx_db_exec” onto Delphix Engine.
Create a session to Delphix Engine as Delphix OS User.
CODEcurl -i -c cookies.txt -X POST -H "Content-Type:application/json" http://<Delphix-Engine>/resources/json/delphix/session -d '{ "version":{ "minor":11, "major":1, "micro": 5, "type":"APIVersion" }, "type":"APISession" }'The API Version needs to be identified as per the Delphix Engine installed at the customer site.
Login to the Delphix Engine as Delphix OS User.
CODEcurl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" http://<DELPHIX_ENGINE>/resources/json/delphix/login -d '{ "password":"<PASSWORD>", "type":"LoginRequest", "target":"DOMAIN", "username":"<USERNAME>" }'Push DLPX_DB_EXEC contents to Delphix Engine.
CODEcurl -i -b cookies.txt -X POST -H "Content-Type:application/json" http://<DELPHIX_ENGINE>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{ "type": "HostPrivilegeElevationProfileScript", "contents": "#\n# Copyright (c) 2018 by Delphix. All rights reserved.\n#\n#\n# This script allows customization of command execution with an alternate user\n# account.\nif [[ $1 != -u* ]]; then\n echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\nshift 1\nif [[ $user_id != \"delphix_os\" ]]; then\n command=$(printf \"%s\" \"$@\")\n cd /tmp\n sudo -E su $user_id -p -c \"$command\"\nelse\n $@\nfi\n" }'
Make sure that you edit the <USERNAME>, <PASSWORD> & <DELPHIX_ENGINE> parameter values.
If the dlpx_db_exec script is updated after the Environment(s) is added/created, then you must perform the Refresh operation to propagate the changes.
Staging/Target host requirements
To accomplish necessary tasks and run all Plugin operations hosts, the Delphix OS user account (henceforth referred to as "delphix_os") requires privilege elevation specifications. Here is an example specification for the "sudo" privilege elevation utility, using the "visudo" to edit the "sudoers" configuration file. This specification makes the following assumptions:
OS = Linux
The Privileged OS account is named postgres.
The following sudoers entry is only for template purposes. Modify the path in the below sudoers entry with the appropriate binary paths of your environment.
Entry required for both Linking and Provisioning via low-privileged user (delphix_os):
Prerequisite for discovery operation
The Discovery operation cannot be run by the high-privileged user, it will be executed by the low-privileged user.
The environment variable
DELPHIX_PG_PATHshould be accessible to the low privilege user.
The variableDELPHIX_PG_PATHmust be available to the environment (low-privileged) user in a non-interactive way. You can test this variable for non-interactive logins usingssh <low_privileged_user>@<target_host> "env | grep DELPHIX_PG_PATH".The paths mentioned inside the `DELPHIX_PG_PATH` should have read and execute permissions for a low-privileged user. Ex: DELPHIX_PG_PATH="/usr/pgsql-9.6/bin:/var/lib/pgsql/9.6/data;"
For the low-privileged user, If the
DELPHIX_PG_PATHenvironment variable is not present, then the plugin traverses through the/var&/optdirectories. And, if the installations are present in these parent folders, then you should have read and execute permissions for the whole set of directories that has the installation.The
<postgres bin>path [each directory in the path] should have read and execute permissions for the low privilege user.The low-privilege user should be able to execute the
<postgres bin>/postgres --versioncommand. So, the plugin needs read and execute permissions for [just]<postgres bin>/postgresscript. Other binaries/scripts will be run using the high-privileged user.