
Sudo requirements for the SAP HANA 2.0 plugin

The following sudo privileges are requirements for the HANA 2.0 Plugin.

| Privilege | Source | Target | Rationale |
|---|---|---|---|
| mkdir/rmdir | Not Required | Required | Delphix dynamically makes and removes directories under the provisioning directory during VDB operations. This privilege is optional, provided the provisioning directory permissions allow the delphix os user to make and remove directories. |
| mount/umount | Not Required | Required | Delphix dynamically mounts and unmounts directories under the provisioning directory during VDB operations. This privilege is required because mount and umount are typically reserved for superuser. |

The NOPASSWD qualifier must be specified in the sudo configuration file, so that the sudo command does not prompt for a password.

Example with user hdbadm

CODE
Defaults:hdbadm !requiretty
hdbadm ALL=NOPASSWD:/sbin/mount, /sbin/umount, /bin/mkdir, /bin/rmdir

Example of limiting sudo access for the Delphix OS user

In situations where security requirements prohibit giving the Delphix user root privileges to mount, unmount, make directory, and remove directory at the global level, the sudoers file can be configured to grant these privileges only on specific mount points or from specific Delphix Engines, as shown in the example below.

CODE
Defaults:hdbadm !requiretty
hdbadm ALL=(root) NOPASSWD: \
/bin/mount    *<delphix-server-name>*   /mnt/provision/*, \
/bin/umount    /mnt/provision/*, \
/bin/mkdir * /mnt/*

Note that the following example is for illustrative purposes and the sudo file configuration options are subject to change.

Example 1

This example restricts the delphix_os user's use of sudo privileges to the directory /hana.

Note that wildcards are allowed for the options on mount and umount because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file-system being mounted from the Delphix Engine.

However, wildcards are not acceptable on mkdir and rmdir because they can have any number of arguments after the options. For those commands, you must specify the exact options (-p, -p -m 755) used by the Delphix Engine.

Example /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS)

CODE
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /hana/*, \
/bin/umount *        /hana/*, \
/bin/umount          /hana/*, \
/bin/mkdir -p        /hana/*, \
/bin/mkdir -p -m 755 /hana/*, \
/bin/mkdir           /hana/*, \
/bin/rmdir           /hana/*

Example 2

This example restricts the delphix_os user's use of sudo privileges to the directory /hana, restricts the mount commands to a specific Delphix Engine hostname and IP, and does not allow user-specified options for the umount command.

This configuration is more secure, but there is a tradeoff with deployment simplicity. This approach would require a different sudo configuration for targets configured for different Delphix Engines.

A Second Example of Configuring the /etc/sudoers File on the Target Environment for Privileges on the VDB Mount Directory Only, and Allows Mounting Only from a Single Server (Linux OS)

CODE
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount           <delphix-server-name>* /hana/*, \
/bin/mount *         <delphix-server-name>* /hana/*, \
/bin/mount           <delphix-server-ip>*   /hana/*, \
/bin/mount *         <delphix-server-ip>*   /hana/*, \
/bin/mount "", \
/bin/umount          /hana/*, \
/bin/umount *        /hana/*, \
/bin/mkdir [*]       /hana/*, \
/bin/mkdir           /hana/*, \
/bin/mkdir -p        /hana/*, \
/bin/mkdir -p -m 755 /hana/*, \
/bin/rmdir           /hana/*
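
The two rules stated under Example 1 (every entry confined to the VDB mount directory, and exact options rather than wildcards for mkdir and rmdir) can be checked mechanically before a sudoers fragment is installed. The following Python lint is an added example, not Delphix code; the function names, the `SAMPLE` fragment and its two loose entries are constructed for illustration, and it is a static check, not an emulation of sudo's own matching.

```python
import re

EXACT_OPTION_CMDS = {"mkdir", "rmdir"}  # page: no option wildcards for these

# Constructed sample: three entries in the style of Example 1, plus two
# deliberately loose ones (hypothetical) for the lint to catch.
SAMPLE = r"""
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /hana/*, \
/bin/umount          /hana/*, \
/bin/mkdir -p -m 755 /hana/*, \
/bin/mkdir *         /mnt/*, \
/bin/rmdir
"""

def command_specs(sudoers_text, user):
    """Return each command granted to `user` as a list of words."""
    joined = re.sub(r"\\\s*\n", " ", sudoers_text)  # join "\" continuations
    specs = []
    for line in joined.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0] != user or "=" not in parts[1]:
            continue  # blank lines, comments, Defaults, other users
        cmds = parts[1].split("=", 1)[1]
        # Drop an optional "(runas)" list and the NOPASSWD: tag.
        cmds = re.sub(r"^\s*(\([^)]*\))?\s*(NOPASSWD:)?\s*", "", cmds)
        specs += [c.split() for c in cmds.split(",") if c.strip()]
    return specs

def lint(sudoers_text, user, mount_root):
    """Return (command spec, reason) pairs for entries that are too broad."""
    prefix = mount_root.rstrip("/") + "/"
    findings = []
    for words in command_specs(sudoers_text, user):
        text, name, args = " ".join(words), words[0].rsplit("/", 1)[-1], words[1:]
        if args == ['""']:  # "" permits the command only with no arguments
            continue
        if not args:
            findings.append((text, "no argument restriction"))
            continue
        if not args[-1].startswith(prefix):
            findings.append((text, "path not under " + mount_root))
        # "[*]" is a bracket expression for a literal asterisk, not a wildcard.
        if name in EXACT_OPTION_CMDS and any(
                "*" in a.replace("[*]", "") for a in args[:-1]):
            findings.append((text, "wildcard in options"))
    return findings

if __name__ == "__main__":
    for spec, reason in lint(SAMPLE, "delphix_os", "/hana"):
        print(f"{reason}: {spec}")
```

Syntax is still validated with `visudo -c -f <file>`, and `sudo -l -U delphix_os` lists what the installed policy actually grants.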