Environment users
Overview
Environment users are distinct from Delphix Continuous Data Engine administrator (admin) users and system administrator (sysadmin) users. An environment user must be created for each environment to perform actions on that environment. These users are configured for each data platform to interface with the database instance on the host.
Log in to the Delphix Management application using Admin credentials.
Click Manage.
Select Environments.
Click on the existing environment name you want to modify and open the environment information screen.
In the Details tab, click the Plus icon located next to Environment users.
There are four ways for the Delphix Continuous Data Engine to log in to the environment:
Enter the Username and Password for the OS user in that environment and click Validate.
If you want to use a public key for logging into your environment:
Select ‘Username and Public Key’ for the Login Type.
Copy the public key that is displayed, and append it to the end of the ~/.ssh/authorized_keys file of the new user being added. If this directory or file does not exist, you will need to create it.
Run chmod 600 authorized_keys to give only the file owner read and write privileges.
Run chmod 755 ~ so that your home directory is writable only by your user.
The public key needs to be added only once per user and per environment.
Specify a Custom Key Pair
Specify a Password Vault. Consult the Password Vault Support documentation for more information.
Click the Add icon to save the new user.
To change the primary user for this environment, select the environment. Then click the ‘star’ icon next to Environment Users. Only the primary user will be used for environment discovery.
To delete a user, click the Trash icon next to their username.
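The host-side half of the 'Username and Public Key' steps above, as an added shell example that is not part of the original Delphix documentation. The function names install_env_user_key and check_ssh_perms are hypothetical, and the key argument stands for whatever public key the engine displays.

```shell
#!/bin/sh
# Added example (not Delphix code). Helper names are hypothetical.

# install_env_user_key HOME_DIR PUBKEY
# Appends PUBKEY to HOME_DIR/.ssh/authorized_keys once and applies the
# modes from the steps above (600 on the file, 755 on the home directory).
install_env_user_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Create the directory and file if they do not exist yet.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1

    # Append only when this exact line is absent: once per user, per environment.
    if ! grep -qxF -- "$pubkey" "$auth_file"; then
        # If the last existing entry lacks a newline, add one first so the
        # new key does not get glued onto the previous line.
        if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
            printf '\n' >> "$auth_file" || return 1
        fi
        printf '%s\n' "$pubkey" >> "$auth_file" || return 1
    fi

    chmod 600 "$auth_file" || return 1   # owner read/write only
    chmod 755 "$home_dir" || return 1    # only the owner may write to home
}

# check_ssh_perms HOME_DIR
# Returns 0 when the home directory, .ssh and authorized_keys are not
# writable by group or others, 1 when one is, 2 when a path is missing.
# OpenSSH's StrictModes refuses key logins when these are writable by others.
check_ssh_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 2; }
        # Characters 6 and 9 of the ls mode string are group and other write.
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "group/other writable: $p"; return 1 ;;
        esac
    done
    return 0
}
```

Running check_ssh_perms on the environment user's home directory before clicking Validate separates permission problems from key or network problems when a public key login fails.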
Privilege elevation profiles
Privilege elevation profiles exist to provide the Delphix Continuous Data Engine with a mechanism for running privileged commands in a secure way to achieve the following:
Mount and unmount Network File System (NFS) file systems
Create and remove directories in paths not owned by the Delphix Continuous Data Engine OS user
Examine the running process list
Run commands as root
How privilege elevation profiles work
Privilege Elevation Profiles need to be tailor-made to work with non-standard environments that may use third-party or proprietary privilege elevation mechanisms other than sudo. You are strongly encouraged to work with Delphix Professional Services to formulate reliable profile scripts.
Privilege Elevation Profiles exist within a two-tier cascading hierarchy. This means there is one default profile for the entire Delphix Continuous Data Engine that should contain scripts for all the operations that require privilege elevation. Additional profiles may contain a subset of the scripts. When a non-default profile is used, the Delphix Continuous Data Engine uses that profile's scripts where they exist and reverts to the scripts in the default profile if no script for the operation exists. By default, the Delphix Continuous Data Engine ships with simple scripts that pass commands to the standard UNIX sudo command.
All environments added to the Delphix Continuous Data Engine are added with the default Privilege Elevation Profile. The profile can be assigned on a per-environment basis. The description below shows how an environment that uses a non-standard profile will use scripts in the cascading model.
In order to create a privilege elevation profile, you must create both a profile and a profileScript. Scripts exist for particular operations, which include:
dlpx_mount
dlpx_umount
dlpx_rmdir
dlpx_mkdir
dlpx_ps
dlpx_pfexec
dlpx_pfexec_as_user
There are three parameters to consider while creating a new profile:
name:
contents:
Profile:
Support for privilege elevation profiles
Writing and troubleshooting scripts, such as those required for Privilege Elevation Profiles, is out of scope and not covered by Delphix Support.