Sudo file configuration examples for SAP ASE environments
This topic provides sample sudo file privilege configurations for using the Delphix Engine with various operating systems and SAP ASE.
Configuring sudo access on Solaris for SAP ASE source and target environments
Sudo access to pargs on the Solaris operating system is required to discover the arguments of the ASE processes on both source and target environments.
Example: Solaris /etc/sudoers entries for a Delphix Source for SAP ASE
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/usr/bin/pargs
On a Solaris target, sudo access to mount and umount is also required.
Example: Solaris /etc/sudoers entries for a Delphix Target for SAP ASE
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
User_Alias DELPHIX_USER=delphix_os
Cmnd_Alias DELPHIX_CMDS= \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/bin/pargs
DELPHIX_USER ALL=(ALL) NOPASSWD: DELPHIX_CMDS
Configuring sudo access on Linux for SAP ASE source and target environments
On a Linux target, sudo access to mount and umount is required.
Example: Linux /etc/sudoers file for a Delphix Target for SAP ASE
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/bin/mount, /bin/umount
Configuring sudo access on AIX for SAP ASE source and target environments
In addition to sudo access to the mount and umount commands on AIX target hosts, Delphix also requires sudo access to nfso. This is required on target hosts for the Delphix Engine to monitor the NFS read/write sizes configured on the AIX system. Super-user access level is needed to run the nfso command.
Example: AIX /etc/sudoers File for a Delphix Target
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/bin/mount, \
/bin/umount, \
/usr/sbin/nfso
Examples of limiting sudo access for the Delphix OS user
In situations where security requirements prohibit giving the Delphix user root privileges to mount, unmount, make a directory, and remove a directory at the global level, it is possible to configure the sudoers file to provide these privileges only on specific mount points or from specific Delphix Engines, as shown in the two examples below.
The Delphix Engine tests its ability to run the mount command using sudo on the target environment by issuing the sudo mount command with no arguments. Many of the examples shown in this topic do not allow that. This causes a warning during environment discovery and monitoring but otherwise does not cause a problem. If your VDB operations succeed, it is safe to ignore this warning.
Similarly, the ps or pargs command is used for target environment operations such as initial discovery and refresh.
Some organizations configure security on the target environments to monitor sudo failures and lock out the offending account after some threshold. In those situations, the failure of the sudo commands might cause the delphix_os account to become locked. One workaround is to increase the threshold for locking out the user account. Another option is to modify /etc/sudoers to permit the delphix_os user to run the ps (pargs), mkdir, rmdir, and mount commands without parameters.
Note that the following examples are for illustrative purposes and the sudo file configuration options are subject to change.
Example 1
This example restricts the delphix_os user's use of sudo privileges to the directory /sybase.
Note that wildcards are allowed for the options on mount and umount because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file system being mounted from the Delphix Engine.
However, wildcards are not acceptable on mkdir and rmdir because they can have any number of arguments after the options. For those commands, you must specify the exact options (-p, -p -m 755) used by the Delphix Engine.
Example /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS)
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount * /sybase/*, \
/bin/mount "", \
/bin/umount * /sybase/*, \
/bin/umount /sybase/*, \
/bin/mkdir -p /sybase/*, \
/bin/mkdir -p -m 755 /sybase/*, \
/bin/mkdir /sybase/*, \
/bin/rmdir /sybase/*, \
/bin/ps
Example /etc/sudoers File Configuration on the Source Environment to grant Super-User privileges when running PS
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: /bin/ps
Example 2
This example restricts the delphix_os user's use of sudo privileges to the directory /sybase, restricts the mount commands to a specific Delphix Engine hostname and IP, and restricts user-specified options for the umount command.
This configuration is more secure, but there is a tradeoff with deployment simplicity: this approach requires a different sudo configuration for targets that are configured for different Delphix Engines.
Example /etc/sudoers File Configuration on the Target Environment for Privileges on the VDB Mount Directory Only, Allowing Mounting Only from a Single Server (Linux OS)
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount <delphix-server-name>* /sybase/*, \
/bin/mount * <delphix-server-name>* /sybase/*, \
/bin/mount <delphix-server-ip>* /sybase/*, \
/bin/mount * <delphix-server-ip>* /sybase/*, \
/bin/mount "", \
/bin/umount /sybase/*, \
/bin/umount * /sybase/*, \
/bin/mkdir [*] /sybase/*, \
/bin/mkdir /sybase/*, \
/bin/mkdir -p /sybase/*, \
/bin/mkdir -p -m 755 /sybase/*, \
/bin/rmdir /sybase/*, \
/bin/ps
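Before rolling out the restricted entries in Example 1 or Example 2, it helps to confirm which of the commands the Delphix Engine actually issues would be accepted. The following checker is an added example, not part of this page or of Delphix; it emulates the sudoers(5) argument-matching rules (arguments are joined with spaces and matched as one fnmatch string, "" means no arguments, a bare path allows any arguments) and the Delphix Engine hostname and IP used for the Example 2 patterns are constructed placeholders.

```python
import fnmatch
import shlex

# The Cmnd entries from the Example 1 target /etc/sudoers above, one per string.
EXAMPLE1_TARGET_RULES = [
    '/bin/mount * /sybase/*',
    '/bin/mount ""',
    '/bin/umount * /sybase/*',
    '/bin/umount /sybase/*',
    '/bin/mkdir -p /sybase/*',
    '/bin/mkdir -p -m 755 /sybase/*',
    '/bin/mkdir /sybase/*',
    '/bin/rmdir /sybase/*',
    '/bin/ps',
]


def rule_matches(rule, path, args):
    """Emulate sudoers matching of one Cmnd entry against a command line.

    sudoers(5) semantics: the command path is matched as a glob; the user's
    arguments are joined with single spaces and matched as ONE string with
    fnmatch, where '*' also matches spaces and '/'.  A rule without an
    argument pattern allows any arguments; a rule whose pattern is "" allows
    the command only when it is run with no arguments at all.
    """
    rule_path, _, rule_args = rule.partition(' ')
    if not fnmatch.fnmatchcase(path, rule_path):
        return False
    if rule_args == '':
        return True                 # bare path: any arguments are allowed
    if rule_args == '""':
        return len(args) == 0       # explicit "": only with no arguments
    return fnmatch.fnmatchcase(' '.join(args), rule_args)


def is_allowed(rules, cmdline):
    """True if any rule in the list permits the given command line."""
    argv = shlex.split(cmdline)
    return any(rule_matches(r, argv[0], argv[1:]) for r in rules)


def example2_mount_rules(engine_name, engine_ip):
    """Fill the Example 2 <delphix-server-name>/<delphix-server-ip> mount
    placeholders for a single Delphix Engine (values supplied by the caller)."""
    sources = (engine_name, engine_ip)
    return ([f'/bin/mount {src}* /sybase/*' for src in sources]
            + [f'/bin/mount * {src}* /sybase/*' for src in sources]
            + ['/bin/mount ""'])
```

The `'/bin/mount ""'` entry is what lets the Engine's argument-less `sudo mount` probe succeed instead of logging a failure that an account-lockout policy might count.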