Sudo privileges for the environment users
This topic describes the rationale behind the specific sudo privilege requirements for virtualizing IBM Db2 databases, along with a few default commands. As required by the IBM Db2 connector, you must grant the OS user that Delphix uses on the environment (delphix_os in the examples) the following key privileges:
Disable requiretty: The Delphix Continuous Data Engine requires the `requiretty` setting to be disabled for this user. This allows the OS user to run sudo commands from a non-interactive session, that is, without a logged-in terminal (tty).
Add NOPASSWD: The NOPASSWD tag ensures that sudo does not prompt for a password when it runs the listed commands, such as mount, umount, mkdir, and rmdir. Without it the engine's non-interactive sessions would hang or fail at the password prompt.
In the example configurations, the OS username delphix_os is used. Make sure to modify the username based on the OS user available in the environment for performing the linking and/or provisioning operations.
Procedure
Perform the following steps on both the staging and target environments.
The sudo configuration is located in the /etc/sudoers file. Run one of the following commands to open the `sudoers` file:
vi /etc/sudoers
# or
visudo
Prefer `visudo`: it ships with sudo (it is not a third-party tool), locks the file while you edit it, and refuses to save a file with a syntax error. A syntax error in /etc/sudoers saved with a plain editor can lock every user out of sudo; `visudo -c` checks an existing file without opening an editor.
Next, update the file with the following snippet to grant the required privileges to the `delphix_os` user:
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
    /bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir
Configuring sudo access on AIX for IBM Db2 staging and target environments
In addition to sudo access to the mount, umount, and ps commands on AIX target hosts, the Delphix Continuous Data Engine also requires sudo access to nfso. The engine runs nfso on the staging/target hosts to monitor the NFS read-write sizes configured on the AIX system, and nfso requires super-user privileges.
Example: AIX /etc/sudoers file for a Delphix Continuous Data Engine target
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/sbin/nfso, \
/usr/bin/ps, \
/bin/mkdir, \
/bin/rmdir
Example 1
This example restricts the delphix_os user's use of sudo privileges to the directory /db2.
Wildcards are allowed in the option position of the mount and umount commands because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command is also what makes it possible for the Delphix Continuous Data Engine to specify the file system being mounted.
Wildcards are not acceptable in the option position of the mkdir and rmdir commands because those commands accept any number of arguments after the options. For those commands, you must specify the exact options (-p, -p -m 755) used by the Delphix Continuous Data Engine.
Keep in mind how sudoers matches arguments: the command's arguments are joined into one space-separated string and compared with the rule using fnmatch(3), so a `*` also matches across spaces. A rule such as `/bin/mkdir -p /db2/*` therefore pins the options and the prefix of the first path argument, but does not by itself bound the number of arguments that follow.
Example: The /etc/sudoers file configuration on the target environment for sudo privileges on the VDB mount directory only (Linux OS).
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount * /db2/*, \
/bin/umount * /db2/*, \
/bin/umount /db2/*, \
/bin/mkdir -p /db2/*, \
/bin/mkdir -p -m 755 /db2/*, \
/bin/mkdir /db2/*, \
/bin/rmdir /db2/*
Example 2
This example restricts the delphix_os user's use of sudo privileges to the directory /db2, restricts the mount commands to a specific Delphix Continuous Data Engine hostname and IP, and does not allow user-specified options for the umount command.
This configuration is more secure, but there is a tradeoff with deployment simplicity: targets served by different Delphix Continuous Data Engines each need their own sudo configuration, and the entries must be updated if the engine's hostname or IP changes.
Example: Configuring the /etc/sudoers file on the target environment for privileges on the VDB mount directory only, allowing mounts only from a single server (Linux OS)
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount <delphix-server-name>* /db2/*, \
/bin/mount * <delphix-server-name>* /db2/*, \
/bin/mount <delphix-server-ip>* /db2/*, \
/bin/mount * <delphix-server-ip>* /db2/*, \
/bin/mount "", \
/bin/umount /db2/*, \
/bin/umount * /db2/*, \
/bin/mkdir [*] /db2/*, \
/bin/mkdir /db2/*, \
/bin/mkdir -p /db2/*, \
/bin/mkdir -p -m 755 /db2/*, \
/bin/rmdir /db2/*
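The following script is an added example and is not part of the Delphix documentation or the connector. It is a preflight check for sudoers fragments in the shape used by the Procedure above and by Example 1 and Example 2: it joins the backslash-continued lines, confirms that `!requiretty` is set for the user, lists the NOPASSWD command specs granted to that user, and tests sample command lines against them using the same glob semantics that sudoers applies to the argument string. The sample sudoers text is Example 1 copied from this page; the command lines, including the ones touching /etc/cron.d, are constructed for the demonstration. It only understands the two entry shapes shown on this page, not the full sudoers grammar.

```shell
#!/bin/sh
# Added example, not part of the Delphix documentation: a preflight check for
# the sudoers rules on this page.  It understands only the two entry shapes
# used here ("Defaults:<user> !requiretty" and "<user> HOST=(runas) NOPASSWD:
# cmd, \" with backslash continuations) and models sudoers argument matching
# with a shell case-pattern: sudoers(5) joins the command's arguments into one
# space-separated string and matches it with fnmatch(3), so "*" spans spaces
# exactly as it does in a case-pattern.

# Join backslash-continued lines and strip comments and blank lines, so every
# sudoers entry occupies one line on stdout.
sudoers_logical_lines() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = ""; if (line ~ /[^ \t]/) print line }
        END { if (buf ~ /[^ \t]/) print buf }'
}

# Succeed when sudoers text $1 disables requiretty for user $2.
requiretty_disabled_for() {
    printf '%s\n' "$1" | sudoers_logical_lines |
        awk -v u="$2" '$1 == ("Defaults:" u) && $2 == "!requiretty" { ok = 1 } END { exit !ok }'
}

# Print the NOPASSWD command specs that sudoers text $1 grants user $2, one per line.
nopasswd_specs() {
    printf '%s\n' "$1" | sudoers_logical_lines |
        awk -v u="$2" '$1 == u && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")
            n = split($0, spec, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", spec[i])
                print spec[i]
            }
        }'
}

# Succeed when command line $2 matches sudoers command spec $1.
spec_matches() {
    pat=$1 cmdline=$2 noargs=' ""'
    case "$pat" in
        *"$noargs") [ "$cmdline" = "${pat%"$noargs"}" ] ;;                     # "" means: no arguments at all
        *' '*)      case "$cmdline" in $pat) true ;; *) false ;; esac ;;        # glob over the whole line
        *)          case "$cmdline" in "$pat"|"$pat "*) true ;; *) false ;; esac ;;  # bare path: any arguments
    esac
}

# Print the first spec in sudoers text $1 that lets user $2 run command line $3
# without a password; fail when none does.
permitted() {
    nopasswd_specs "$1" "$2" | {
        while IFS= read -r spec; do
            if spec_matches "$spec" "$3"; then
                printf '%s\n' "$spec"
                exit 0
            fi
        done
        exit 1
    }
}

# Example 1 from this page, embedded here as the sample input.
EXAMPLE1=$(cat <<'EOF'
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
    /bin/mount * /db2/*, \
    /bin/umount * /db2/*, \
    /bin/umount /db2/*, \
    /bin/mkdir -p /db2/*, \
    /bin/mkdir -p -m 755 /db2/*, \
    /bin/mkdir /db2/*, \
    /bin/rmdir /db2/*
EOF
)

# The checks an administrator wants before handing the host to the engine.
# Command lines are constructed; the last one is ALLOWed because "*" in
# "-p /db2/*" also matches "vdb /etc/cron.d" (the multi-word behaviour
# documented in sudoers(5)).
preflight() {
    if requiretty_disabled_for "$1" "$2"; then echo "requiretty disabled for $2"
    else echo "requiretty NOT disabled for $2"; fi
    for cmd in '/bin/mount -t nfs -o rw,nosuid server:/export/vdb /db2/vdb' \
               '/bin/mkdir -p /db2/vdb' \
               '/bin/mkdir -p -m 777 /db2/vdb' \
               '/bin/mkdir -p /etc/cron.d' \
               '/bin/mkdir -p /db2/vdb /etc/cron.d'; do
        if spec=$(permitted "$1" "$2" "$cmd"); then
            printf 'ALLOW  %s   (via "%s")\n' "$cmd" "$spec"
        else
            printf 'DENY   %s\n' "$cmd"
        fi
    done
}

preflight "$EXAMPLE1" delphix_os
```

Run it with `sh` on any host; it reads only the embedded text, so it is safe to try before touching /etc/sudoers. On a live host, `sudo -l -U delphix_os` run as root remains the authoritative view of what the real sudoers grants, and `visudo -c -f <file>` is the syntax check to run on any fragment before installing it.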
Privilege elevation requirements
The optional privilege elevation feature allows a non-privileged OS user (e.g., delphix_os) to gain the permissions of a privileged OS user (e.g., dlpxqa) for operations on the staging or target environments. This configuration can be valuable to maximize an environment's security posture. Privilege elevation can be used to work with Kerberos environments.
Procedure
First, the privilege elevation script, dlpx_db_exec, must be created and uploaded to the Delphix Continuous Data Engine. Then, the non-privileged OS user must be granted the appropriate sudo permissions.
Upload the privilege elevation script.
Perform one of the following methods to upload the privilege elevation script:
a) CURL file upload method
Before running any of the following commands, replace the <CONTINUOUS-DATA-FQDN-or-IP>, <USERNAME>, and <PASSWORD> placeholders with your values.
Create a session with the Delphix Continuous Data Engine. Also update the `major`, `minor`, and `micro` version values; the correct values for your Delphix Continuous Data Engine version can be found in the API version information.
curl -i -c cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/session -d '{ "version":{ "major":1, "minor":11, "micro": 5, "type":"APIVersion" }, "type":"APISession" }'
Log in to the Delphix Continuous Data Engine as the `admin` user.
curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/login -d '{ "username":"<USERNAME>", "password":"<PASSWORD>", "type":"LoginRequest", "target":"DOMAIN" }'
Copy the DLPX_DB_EXEC contents to the Delphix Continuous Data Engine.
curl -i -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{"type": "HostPrivilegeElevationProfileScript","contents": "#\n# Copyright (c) 2017 by Delphix. All rights reserved.\n#\n\n#\n# This script allows customization of command execution with an alternate user\n# account.\n# Arg $1 contains \"-u<optional user account>\" for the desired user under\n# which database commands will be executed.\n# By default this argument is ignored and the script is executed as the default\n# account.\n#\n\nif [[ $1 != -u* ]]; then\n echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\necho \"$user_id\" >> \/tmp\/test.log\nshift 1\n#echo \"$user_id and $DB2_DB_NAME\" >> \/tmp\/test.log\nif [[ $user_id != \"delphix_os\" ]]; then\ncommand=$(printf \"%s \" \"$@\")\nsudo su - $user_id -c \"cd \/home\/delphix_os;export DB2DBDFT=$DB2DBDFT;$command\"\nelse\n\"$@\"\nfi"}'
If the dlpx_db_exec script is updated after the environment(s) is added, refresh the environment to propagate the changes.
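The following script is an added example and is not from the Delphix documentation or the connector. It automates the three CURL calls above (session, login, profile script update) and builds the `contents` field from the dlpx_db_exec file instead of escaping the script by hand, which is where the inline JSON above is easiest to get wrong. It assumes the engine address and credentials come from the environment variables DELPHIX_ENGINE, DELPHIX_USER and DELPHIX_PASSWORD (names chosen here), the API version 1.11.5 and the object reference HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 used on this page; check both against your own engine.

```shell
#!/bin/sh
# Added example, not from the Delphix documentation: build the JSON body for
# the profileScript update from the dlpx_db_exec file instead of escaping it
# by hand, then send it with the same session, login and update calls the
# page shows.  Assumptions: DELPHIX_ENGINE, DELPHIX_USER and DELPHIX_PASSWORD
# (variable names chosen here) identify the engine and the login, the API
# version is 1.11.5 as on this page, and the profile script object is
# HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 as on this page unless
# PROFILE_SCRIPT_REF overrides it.

# JSON-escape stdin as one string value: backslashes and double quotes are
# escaped and line breaks become \n.  Tabs and other control characters are
# not handled; dlpx_db_exec contains none.
json_escape() {
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
        awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Print the HostPrivilegeElevationProfileScript body for script file $1.
build_payload() {
    printf '{"type": "HostPrivilegeElevationProfileScript", "contents": "%s"}' \
        "$(json_escape < "$1")"
}

# Print the LoginRequest body for user $1 / password $2.  Both go through
# json_escape so a quote or backslash in the password cannot break the JSON.
build_login() {
    printf '{"username": "%s", "password": "%s", "type": "LoginRequest", "target": "DOMAIN"}' \
        "$(printf '%s' "$1" | json_escape)" "$(printf '%s' "$2" | json_escape)"
}

# Upload script file $1.  Bodies that carry secrets are piped to curl
# (--data-binary @-) instead of being passed on the command line, where any
# local user could read them from the process list.
upload_profile_script() {
    base="https://$DELPHIX_ENGINE/resources/json/delphix"
    ref=${PROFILE_SCRIPT_REF:-HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7}
    jar=$(mktemp) || return 1
    curl -fsS -c "$jar" -X POST -H 'Content-Type: application/json' "$base/session" \
        -d '{"version": {"major": 1, "minor": 11, "micro": 5, "type": "APIVersion"}, "type": "APISession"}' &&
    build_login "$DELPHIX_USER" "$DELPHIX_PASSWORD" |
        curl -fsS -b "$jar" -c "$jar" -X POST -H 'Content-Type: application/json' \
            "$base/login" --data-binary @- &&
    build_payload "$1" |
        curl -fsS -b "$jar" -X POST -H 'Content-Type: application/json' \
            "$base/host/privilegeElevation/profileScript/$ref" --data-binary @-
    rc=$?
    rm -f "$jar"
    return "$rc"
}

# Usage: DELPHIX_ENGINE=engine.example.com DELPHIX_USER=admin DELPHIX_PASSWORD=... sh upload.sh ./dlpx_db_exec
if [ -n "$DELPHIX_ENGINE" ]; then
    upload_profile_script "${1:-./dlpx_db_exec}"
fi
```

`curl -f` makes an HTTP error status fail the call, so a rejected login stops the chain before the update is attempted; the cookie jar is a temporary file that is removed on exit, unlike the cookies.txt left behind by the manual commands.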
b) CLI Method
For steps on creating a privilege elevation profile, refer to CLI Cookbook: How to create or edit privilege elevation profiles and profile scripts.
Configure sudo privileges to grant privilege elevation
With privilege elevation, every IBM Db2 connector command is run through the dlpx_db_exec script: the first parameter names the user to execute as, and the remaining parameters are the command to execute. Inside the script the command is run using sudo (or another elevation utility of your choice). You may customize this script, but it must always return the output of the executed command and exit with that command's return code.
When a command is invoked with dlpx_db_exec, the instance IDs discovered during the discovery phase are passed to the script. All Db2 changes are based on top of the Db2 DB level changes.
To execute the connector commands as the high-privileged OS user, sudoers entries are required.
To add the additional sudoers entries, edit the /etc/sudoers file:
vi /etc/sudoers
# or
visudo
`visudo` ships with sudo and checks the syntax before saving, so prefer it over editing the file directly.
Entries required for both linking and provisioning via the low-privileged user (delphix_os):
Defaults:delphix_os !requiretty
delphix_os ALL=(ALL) NOPASSWD: /bin/mkdir, /bin/rmdir, /bin/mount, /bin/umount
delphix_os ALL=(ALL) NOPASSWD: ALL
Note that the last entry grants delphix_os passwordless root for any command and therefore subsumes the entry above it; the restricted entry only constrains anything if the `ALL` line is removed. The script itself only needs sudo for `su - <instance user> -c <command>`, so if a blanket grant is not acceptable under your policy, the rule can be limited to those `su` invocations, but test every linking and provisioning operation afterwards since the blanket entry is what this page lists as required.
The dlpx_db_exec script
The formatted dlpx_db_exec script is presented here for completeness.
#!/bin/bash
# Requires bash or ksh for the [[ ]] tests below.
# This script allows customization of command execution with an alternate user account.
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
# account.
if [[ $1 != -u* ]]; then
    echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
    exit 1
fi
user_id=${1#-u}    # strip the leading "-u"
# Debug trace of the requested user and database. /tmp is a shared, world-writable
# directory, so remove these two lines once the setup has been verified.
echo "$user_id" >> /tmp/test.log
shift 1
echo "$user_id and $DB2_DB_NAME" >> /tmp/test.log
if [[ $user_id != "delphix_os" ]]; then
    # Flatten the remaining arguments into one command string and run it as the
    # requested user via sudo; the exit status of that command becomes this script's.
    command=$(printf "%s " "$@")
    sudo su - "$user_id" -c "cd /home/delphix_os;export DB2DBDFT=$DB2DBDFT;$command"
else
    # Already the low-privileged user: run the command directly, keeping argument boundaries.
    "$@"
fi