Access Controls to Sys Objects


  • 8/12/2019 Access Controls to Sys Objects


    EMC VNX Series

    Release 8.1

    Controlling Access to VNX System Objects

    P/N 300-015-106 Rev 01

    EMC Corporation

    Corporate Headquarters:

    Hopkinton, MA 01748-9103

    1-508-435-1000

    www.EMC.com


    Copyright 1998 - 2013 EMC Corporation. All rights reserved.

    Published August 2013

    EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

    THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

    For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

    For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

    All other trademarks used herein are the property of their respective owners.


    Contents

    Preface

    Chapter 1: Introduction
      System requirements
      User interface
      Related information

    Chapter 2: Concepts
      How access control to VNX system objects works
      Administrative user and group access control
      System object access control
      Access control example

    Chapter 3: Configuring
      Create entries in an access control level table
      Establish access control levels for objects
      Create an access control level for a Data Mover
      Create an access control level for a volume
      Create an access control level for a file system
      Create an access control level for a storage system

    Chapter 4: Managing
      List the access control level information
      Modify an access control level entry
      View the entries in the access control level table
      Delete an access control level entry

    Chapter 5: Troubleshooting
      EMC E-Lab Interoperability Navigator
      VNX user customized documentation
      Error messages
      EMC Training and Professional Services

    Glossary

    Index

    Preface

    As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

    If a product does not function properly or does not function as described in this document, please contact your EMC representative.

    Special notice conventions

    EMC uses the following conventions for special notices:

    Note: Emphasizes content that is of exceptional importance or interest but does not relate to personal injury or business/data loss.

    Identifies content that warns of potential business or data loss.

    Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

    Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

    Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

    Where to get help

    EMC support, product, and licensing information can be obtained as follows:

    Product information: For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to EMC Online Support (registration required) at http://Support.EMC.com.

    Troubleshooting: Go to EMC Online Support at http://Support.EMC.com. After logging in, locate the applicable Support by Product page.

    Technical support: For technical support and service requests, go to EMC Customer Service on EMC Online Support at http://Support.EMC.com. After logging in, locate the applicable Support by Product page, and choose either Live Chat or Create a service request. To open a service request through EMC Online Support, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

    Note: Do not request a specific support representative unless one has already been assigned to your particular system problem.

    Your comments

    Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications.

    Please send your opinion of this document to:

    [email protected]

    Chapter 1: Introduction

    This technical module describes how to use access control to define administrative user access to EMC VNX system objects. This technical module is part of the VNX information set and is intended for use by the VNX administrator responsible for administrative user access.

    Note: The access control functionality described in this technical module is only relevant for administrative user access control of Data Mover, volume, file system, and storage system objects. This type of access control is separate from Windows ACLs. Configuring and Managing CIFS on VNX describes how to manage Windows ACL; Configuring NFS on VNX describes how to manage ACLs in an NFSv4 environment.

    Topics included are:

    • System requirements
    • User interface
    • Related information

    System requirements

    Table 1 describes the EMC VNX software, hardware, network, and storage configurations required for using access control levels as described in this document.

    Table 1. System requirements for access control levels

    Software   VNX version 8.1
    Hardware   No specific hardware requirements
    Network    No specific network requirements
    Storage    No specific storage requirements

    User interface

    This document describes how to configure access control levels by using the command line interface (CLI). You cannot use other VNX management applications to configure access control levels.

    You can use Unisphere software to configure role-based administrative access. This feature allows you to assign appropriate roles to different administrative users based on their responsibilities. A role defines the privileges (or rights to perform specific operations) assigned to an administrative user. These privileges work with the access control levels described in this document. Therefore, when using Unisphere software, an administrative user must have both the privilege to perform an operation and sufficient access rights to the object for an operation to be allowed.

    Note: Unisphere software only displays the system objects accessible by the current user. If you use the CLI to change a user's or object's access control settings, that change is not reflected in the Unisphere software's display until you refresh the view.

    Related information

    Specific information related to the features and functionality described in this document is included in:

    • EMC VNX Command Line Interface Reference for File
    • Security Configuration Guide for File
    • VNX for File man pages
    • VNX Glossary

    EMC VNX documentation on EMC Online Support

    The complete set of EMC VNX series customer publications is available on EMC Online Support. To search for technical documentation, go to http://Support.EMC.com. After logging in to the website, click Support by Product and type VNX series in the Find a Product text box. Then search for the specific feature required.

    VNX wizards

    Unisphere software provides wizards for performing setup and configuration tasks. The Unisphere online help provides more details on the wizards.

    Chapter 2: Concepts

    VNX access control functionality is designed to balance resource access and system security needs. The access control of VNX system objects is defined in two ways:

    • An access level is assigned to the administrative users and groups accessing VNX system objects.
    • A specific access level is required by a system object in order for an administrative user to perform certain operations (read, write or modify, and delete) on that object.

    You assign an access level to an administrative user or group by creating an access control level entry in the Control Station's access control level table.

    Note: An access control level entry is automatically added to the access control level table when you create a new administrative user by using the Unisphere software Administrators feature.

    After an administrative user's or group's access level is defined, you assign access level requirements to the objects to which you want to control access. These objects include Data Movers, volumes, file systems, and storage systems.

    When an administrative user tries to access a particular object, and that administrative user is not defined as the object's owner, the VNX software verifies the access level assigned to that administrative user against the access level requirement for that operation as defined on the object. The administrative user must be assigned at least the indicated access level to execute the operation.

    Topics included are:

    • How access control to VNX system objects works
    • Administrative user and group access control
    • System object access control
    • Access control example

    How access control to VNX system objects works

    You manage access control by using:

    • An access control level table containing the access rights of administrative users and groups to system objects
    • Access control level entries (single-digit numbers) representing available access control permissions
    • Access control level values assigned to specific objects

    Administrative user and group access control

    Administrative user and group access control is defined in the access control level table.

    The access control level table resides on the Control Station. Each entry in the access control level table defines the access level allowed for specified administrative users and groups. The following Table 2 is an example:

    Table 2. Access control level table

    index  type  level     num_id  name
    1      user  admin     201     nasadmin
    2      user  operator  211     adminuser1
    3      user  admin     212     adminuser2
    4      user  observer  213     adminuser3
    5      user  admin     214     adminuser4
    6      user  operator  215     adminuser5
    7      user  observer  216     adminuser6

    Note: An administrative user or group account must exist before it can be assigned an entry in the table.

    Table 3 describes the columns in the access control level table.

    Table 3. Access control level table columns

    Value   Indicates
    index   A number associated with an entry in the table.
    type    Whether the permissions are for an administrative user or group.
    level   The permission level associated with the administrative user or group.
    num_id  The applicable UID or GID of the administrative user or group.
    name    The name associated with the entry.

    Level values

    The level column in the access control level table defines the access level assigned to an administrative user or group, as shown in Table 4. The admin, operator, and observer levels correspond to the numbers 2, 3, and 4.

    Note: These level values are used to define the type of administrative user who can perform read, write, and delete operations.

    Table 4. Access control level values

    Level             Associated value  Description
    admin             2                 Includes the privileges of the operator and observer levels.
    operator          3                 Includes the privileges of the observer level and any other customer-defined levels.
    observer          4                 Includes the privileges for its own level and any other customer-defined levels.
    customer-defined  5-9               These levels may be created by root (by using the nas_acl command), and used as input when establishing access to objects.

    Note: root always has access to an object regardless of the access control level entry assigned.

    System object access control

    System object access control is defined on each object. These objects include Data Movers, volumes, file systems, and storage systems.

    Access control format

    The access control value associated with a system object consists of up to four fields (owner, read, write, and delete), as shown in Table 5. This value is defined when assigning an access control level to a system object. The value must include all four fields: owner, read, write, and delete.

    Table 5. System object access control level format

    Owner         Read                              Write                             Delete
    Index number  Access control level entry value  Access control level entry value  Access control level entry value

    The following rules apply to the use of the read, write, and delete fields:

    • There must be an entry (a single digit) in the read, write, and delete fields.
    • The digit in the delete field determines the access level required to issue delete commands to the specified objects.
    • The digit in the write field determines the access level required to issue write commands to the specified objects.
    • The digit in the read field determines the access level required to issue read commands to the specified objects.

    The following rules apply to the use of the owner field:

    • A system object must be assigned an owner.
    • The number used in the owner field must correspond to the index number assigned to an administrative user or group in the access control level table. For example, in Table 6, index number 2 corresponds to the administrative user adminuser1:

    Table 6. Access control table

    index  type  level     num_id  name
    1      user  admin     201     nasadmin
    2      user  operator  211     adminuser1
    3      user  admin     212     adminuser2
    4      user  observer  213     adminuser3
    5      user  admin     214     adminuser4
    6      user  operator  215     adminuser5
    7      user  observer  216     adminuser6

    • The owner has read, write, and delete access regardless of its access control level.
    • nasadmin (always index number 1) is treated like any other administrative user.

    Access control level scenarios

    Table 7 presents some scenarios for access control level usage.

    Table 7. Access control level examples

    Owner                   Read  Write  Delete  Impact on the object
    1                       0     0      0       The owner is nasadmin and access is allowed only for nasadmin.
    1                       1     1      1       The owner is nasadmin and access is allowed only for nasadmin.
    1                       2     1      1       The owner is nasadmin. Users with an access level of at least admin (level 2) have read access only.
    Any owner index number  0     0      0       Index entry with specified number (refer to the access control level table) is the owner. Owner access only.
    Any owner index number  1     1      1       Index entry with specified number (refer to the access control level table) is the owner. Owner access only.
    Any owner index number  2     1      1       Index entry with specified number (refer to the access control level table) is the owner. Users with an access level of at least admin (level 2) have read access only.
    Any owner index number  4     3      2       Index entry with specified number (refer to the access control level table) is the owner. Users with an access level of at least observer (level 4) have read access only. Users with an access level of at least operator (level 3) have read/write access. Users with an access level of at least admin (level 2) have read/write/delete access.
    Any owner index number  4     4      4       Index entry with specified number (refer to the access control level table) is the owner. All users with an access level of at least observer (level 4), operator (level 3), and admin (level 2) all have read/write/delete access.

    Note: root always has universal access.

    Access control example

    Table 8 is an example that shows how access control is implemented on a system object, file system ufs2.

    Table 8. Access control list

    index  type  level     num_id  name
    1      user  admin     201     nasadmin
    2      user  operator  211     adminuser1
    3      user  admin     212     adminuser2
    4      user  observer  213     adminuser3
    5      user  admin     214     adminuser4
    6      user  operator  215     adminuser5
    7      user  observer  216     adminuser6

    File system ufs2 has been created with an access control level value of 2444. Consequently, refer to Table 9 for what the nas_fs -list command displays.

    Table 9. Output of nas_fs -list

    id  inuse  type  acl   volume  name  server
    19  n      1     2444  249     ufs2

    The value in the acl field (2444) should be interpreted as follows:

    • The owner (indicated by the number 2) is adminuser1.
    • As the specified owner, adminuser1 has full read, write, and delete access.
    • The number 4 in the read, write, and delete fields indicates that administrative users with an access level of at least observer have read, write, and delete access. Consequently, nasadmin and adminuser2 through adminuser6 have read, write, and delete access to file system ufs2.
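
    The interpretation above, as an added example (not EMC code and not part of the original document): it parses an access control level table and a four-digit access control value, computes each entry's effective read/write/delete access, and flags values that open write or delete to observer-level accounts. The numeric comparison rule (inferred from Tables 4 and 7), the digit display of customer-defined levels, and all function names are assumptions; the sample table is constructed from Table 8.

```python
# Added example: evaluates a VNX access control value against the access
# control level table. Not EMC code; the comparison rule is an assumption
# inferred from Tables 4 and 7 (lower level number = more privilege).

LEVELS = {"admin": 2, "operator": 3, "observer": 4}  # Table 4; 5-9 are customer-defined
OPERATIONS = ("read", "write", "delete")             # field order after the owner digit

# Constructed sample: the entries of Table 8 in index/type/level/num_id/name order.
SAMPLE_ACL_TABLE = """\
index type level    num_id name
1     user admin    201    nasadmin
2     user operator 211    adminuser1
3     user admin    212    adminuser2
4     user observer 213    adminuser3
5     user admin    214    adminuser4
6     user operator 215    adminuser5
7     user observer 216    adminuser6
"""


def parse_acl_table(text):
    """Return {index: {"name", "type", "level", "num_id"}} from table text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header, blank line, or anything that is not an entry
        index, kind, level, num_id, name = fields
        # Assumption: a customer-defined level is shown as its digit (5-9).
        level_num = int(level) if level.isdigit() else LEVELS[level]
        entries[int(index)] = {"name": name, "type": kind,
                               "level": level_num, "num_id": int(num_id)}
    return entries


def parse_acl_value(value):
    """Split a four-digit value such as '1432' into owner/read/write/delete."""
    value = str(value)
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"access control value must be four digits: {value!r}")
    owner, read, write, delete = (int(ch) for ch in value)
    return {"owner": owner, "read": read, "write": write, "delete": delete}


def effective_access(value, table):
    """Return {name: set of operations} for every table entry (root excluded)."""
    acl = parse_acl_value(value)
    if acl["owner"] not in table:
        raise ValueError(f"owner index {acl['owner']} is not in the table")
    result = {}
    for index, entry in table.items():
        if index == acl["owner"]:
            result[entry["name"]] = set(OPERATIONS)  # owner always has full access
            continue
        # An operation is allowed when the entry's level is at least the level
        # the field requires, i.e. its number is <= the digit. Digits 0 and 1
        # match no level, which gives the "owner access only" rows of Table 7.
        result[entry["name"]] = {op for op in OPERATIONS
                                 if entry["level"] <= acl[op]}
    return result


def broad_grants(value):
    """List the write/delete fields that an observer-level entry can satisfy."""
    acl = parse_acl_value(value)
    return [op for op in ("write", "delete") if acl[op] >= LEVELS["observer"]]


if __name__ == "__main__":
    table = parse_acl_table(SAMPLE_ACL_TABLE)
    for value in ("2444", "1432", "3311", "5111"):
        print(value, "broad grants:", broad_grants(value))
        for name, ops in effective_access(value, table).items():
            shown = ",".join(op for op in OPERATIONS if op in ops) or "-"
            print(f"  {name:<11} {shown}")
```

    Group membership is not resolved here: each table entry is evaluated on its own level, and root is left out because it always has access.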

    Chapter 3: Configuring

    The tasks to configure controlling access to VNX system objects are:

    • Create entries in an access control level table
    • Establish access control levels for objects
    • Create an access control level for a Data Mover
    • Create an access control level for a volume
    • Create an access control level for a file system
    • Create an access control level for a storage system

    Create entries in an access control level table

    VNX software installation automatically creates an administrative user account called nasadmin that is the owner of all the server's Data Movers and their resources. You can configure additional administrative user accounts to allow ownership of certain system objects or groups of system objects to specific administrators. When you create a new administrative user account, VNX automatically creates an entry for that account in the access control level table. By default, the permission level assigned to a new administrative user account is observer. Once a new administrative user account is created and an entry added in the access control level table, you can modify the privileges allowed to the specified user or group.

    Note: You create administrative user accounts by using the Administrators feature in Unisphere software. The Unisphere software online help describes this procedure. The Security Configuration Guide for File provides an overview of administrative user accounts and role-based access.

    Action

    To display the administrative users and groups identified by entries in the access control level table, type:

    $ nas_acl -list

    Output

    index  type  level     num_id  name
    1      user  admin     201     nasadmin
    2      user  operator  211     adminuser1
    3      user  admin     212     adminuser2
    4      user  observer  213     adminuser3
    5      user  admin     214     adminuser4
    6      user  operator  215     adminuser5
    7      user  observer  216     adminuser6

    Action

    To modify the privilege level assigned to an administrative user identified by an access control level entry, use this command syntax:

    $ nas_acl -modify -user level=

    where:

    = user ID (UID)

    = a single-digit input representing available access control levels

    Note: You must be root to modify entries in the access control level table.

    Example:

    To change the privilege level assigned to adminuser6 (ID = 216) from the default level of observer (level 4) to admin (level 2), type:

    $ nas_acl -modify -user 216 level=2

    Output

    done

    Notes

    Use the nas_acl -list command to view this change in the access control level table. After the modification, the access control level table entry for adminuser6 appears as follows:

    7 user admin 216 adminuser6

    Establish access control levels for objects

    By setting an access control level for an object, you define the privileges for each administrative user who accesses the object. When an administrative user or group tries to access a particular object, the access control level table, viewed using the nas_acl command, is verified against the access control level established by the relevant command for the object.

    Refer to Table 10.

    Table 10. Establishing access control levels for objects

    Task                                                 Procedure
    Create an access control level for a Data Mover      Create an access control level for a Data Mover
    Create an access control level for a volume          Create an access control level for a volume
    Create an access control level for a file system     Create an access control level for a file system
    Create an access control level for a storage system  Create an access control level for a storage system

    Create an access control level for a Data Mover

    Action

    To create an access control level for a Data Mover, use this command syntax:

    $ nas_server -acl

    where:

    = access control level value that defines the owner of the Data Mover, or the level of access allowed for users and groups

    = name of the Data Mover

    Example:

    To create an access control level for a Data Mover where the owner is nasadmin, read access is granted to observer users, read and write access is granted to operator users, and read/write/delete access is granted to admin users, type:

    $ nas_server -acl 1432 server_2

    Note: The default value for the Data Mover's access control level is 1000, which indicates that nasadmin is the owner and the only user who is allowed access.

    Output

    id = 1
    name = server_2
    acl = 1432, owner=nasadmin, ID=201
    type = nas
    slot = 2
    member_of =
    standby =
    status :
    defined = enabled
    actual = online, active

    Create an access control level for a volume

    Action

    To create an access control level for a volume, use this command syntax:

    $ nas_volume -acl

    where:

    = access control level value that defines the owner of the volume, or the level of access allowed for users and groups

    = name of the volume

    Example:

    To create an access control level for a volume where the owner is adminuser2 (indicated by index level 3 in the access control table), read access is granted to operator and admin users, and write and delete access is not allowed (except to root and the owner), type:

    $ nas_volume -acl 3311 mtv

    Note: No default access control levels are set for volumes.

    Output

    id = 247

    name = mtv

    acl = 3311, owner=adminuser2, ID=212

    in_use = false

    type = meta

    volume_set = stv1

    disks = d3, d4, d5, d6

    Create an access control level for a file system

    Action

    To create an access control level for a file system, use this command syntax:

    $ nas_fs -acl

    where:

    = access control level value that defines the owner of the file system, or the level of access allowed for users and groups

    = name of the file system

    Example:

    To create an access control level for a file system where the owner is the user indicated by index 5 in the access control table, and only the owner has access, type:

    $ nas_fs -acl 5111 ufs2

    or

    $ nas_fs -acl 5000 ufs2

    Note: No default access control levels are set for file systems.

    Output

    id = 19
    name = ufs2
    acl = 5111, owner=adminuser4, ID=214
    in_use = False
    type = uxfs
    volume = mtv2
    profile =
    rw_servers=
    ro_servers=
    symm_devs = 002806000209-00B,002806000209-00C
    disks = d8,d9

    Create an access control level for a storage system

    Action

    To create an access control level for a storage system, use this command syntax:

    $ nas_storage -acl

    where:

    = access control level value that defines the owner of a storage system, or the level of access allowed for users and groups

    = name of the file system

    Example:

    To create an access control level for a storage system where only nasadmin has read/write/delete access, type:

    $ nas_storage -acl 1000 cx700_1

    Note: No default access control levels are set for storage systems.

    Output

    id = 1
    serial_number = APM00042000818
    name = cx700_1
    acl = 1000, owner=nasadmin, ID=201

    Chapter 4: Managing

    The tasks to manage controlling access to VNX system objects are:

    • List the access control level information
    • Modify an access control level entry
    • View the entries in the access control level table
    • Delete an access control level entry

    List the access control level information

    Action

    To display information for a specific access control level entry, use this command syntax:

    $ nas_acl -info -user

    where:

    = user ID (UID)

    Example:

    To see the access control level information for adminuser1 (ID = 211), type:

    $ nas_acl -info -user 211

    Output

    id = 2
    name = adminuser1
    level = operator
    user_id = 211

    Modify an access control level entry

    Action

    To modify the privilege level assigned to an administrative user identified by an access control level entry, use this commandsyntax:

    $ nas_acl -modify -user level =

    where:

    = user ID (UID)

    = a single-digit input representing the access controllevel granted to the user.

    Note: You must be root to modify entries in the access control level table.

    Example:

    To change the privilege level assigned to adminuser6 (ID = 216) from the default level of observer (level 4) to admin (level

    2), type:

    $ nas_acl -modify -user 216 level=2


    Output

    done

    Notes

    Use the nas_acl -list command to view this change in the access control level table. After the modification, the access control level table entry for adminuser6 appears as follows:

    7 user admin 216 adminuser6

    View the entries in the access control level table

    Action

    To display the administrative users and groups identified by entries in the access control level table, type:

    $ nas_acl -list

    Output

    index  type  level     num_id  name
    1      user  admin     201     nasadmin
    2      user  operator  211     adminuser1
    3      user  admin     212     adminuser2
    4      user  observer  213     adminuser3
    5      user  admin     214     adminuser4
    6      user  operator  215     adminuser5
    7      user  observer  216     adminuser6

    Delete an access control level entry

    Action

    To delete an access control level entry, use this command syntax:

    # nas_acl -delete -user

    where:

    = user ID (UID)

    Note: You must be root to delete entries in the access control level table.


    Example:

    To delete the access control level entry for adminuser1 (ID = 211), type:

    # nas_acl -delete -user 211

    Output

    done
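    One way to catch the effect of the -modify and -delete commands above is to save nas_acl -list output before and after a change window and compare the two snapshots. This is an added example, not EMC's code: the function names are hypothetical, the column order is assumed from the row "7 user admin 216 adminuser6", and the sample tables are constructed from the values on this page.

```shell
# Added example: diff two saved `nas_acl -list` snapshots to spot privilege changes.
# Assumption: columns are "index type level num_id name", as in the page's
# row "7 user admin 216 adminuser6". The sample tables below are constructed.
sample_before() {
cat <<'EOF'
index type level    num_id name
1     user admin    201    nasadmin
2     user operator 211    adminuser1
3     user admin    212    adminuser2
7     user observer 216    adminuser6
EOF
}

sample_after() {   # state after the page's -modify (216) and -delete (211) examples
cat <<'EOF'
index type level    num_id name
1     user admin    201    nasadmin
3     user admin    212    adminuser2
7     user admin    216    adminuser6
EOF
}

# acl_diff BEFORE AFTER -> "<type> <num_id> <name>: <old> -> <new>" per change.
# BEFORE and AFTER must be two different file paths.
acl_diff() {
    awk '
        $1 !~ /^[0-9]+$/ || NF < 5 { next }      # skip header, blank and junk lines
        { key = $2 " " $4 }                      # entry identity: type + numeric ID
        FILENAME == ARGV[1] { old[key] = $3; name[key] = $5; next }
        { cur[key] = $3; name[key] = $5 }
        END {
            for (k in old) {
                if (!(k in cur))           print k, name[k] ": " old[k] " -> (deleted)"
                else if (old[k] != cur[k]) print k, name[k] ": " old[k] " -> " cur[k]
            }
            for (k in cur) if (!(k in old)) print k, name[k] ": (none) -> " cur[k]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# acl_escalations BEFORE AFTER -> only entries that newly hold the admin level
acl_escalations() {
    acl_diff "$1" "$2" | grep -e '-> admin$' || true
}

# Demo on the constructed snapshots
before=$(mktemp); after=$(mktemp)
sample_before > "$before"; sample_after > "$after"
acl_diff "$before" "$after"
rm -f "$before" "$after"
```

    Entries are matched on type and numeric ID rather than on the index column, so the comparison does not depend on how indexes are assigned after a delete.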


    5

    Troubleshooting

    As part of an effort to continuously improve and enhance the performance and capabilities of its product lines, EMC periodically releases new versions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

    If a product does not function properly or does not function as described in this document, contact your EMC Customer Support Representative.

    Problem Resolution Roadmap for VNX contains additional information about using EMC Online Support and resolving problems.

    Topics included in this chapter are:

    EMC E-Lab Interoperability Navigator

    VNX user customized documentation

    Error messages

    EMC Training and Professional Services


    EMC E-Lab Interoperability Navigator

    The EMC E-Lab Interoperability Navigator is a searchable, web-based application that provides access to EMC interoperability support matrices. It is available on EMC Online Support at http://Support.EMC.com. After logging in, in the right pane under Product and Support Tools, click E-Lab Navigator.

    VNX user customized documentation

    EMC provides the ability to create step-by-step planning, installation, and maintenance instructions tailored to your environment. To create VNX user customized documentation, go to: https://mydocs.emc.com/VNX.

    Error messages

    All event, alert, and status messages provide detailed information and recommended actions to help you troubleshoot the situation.

    To view message details, use any of these methods:

    Unisphere software:

    Right-click an event, alert, or status message and select to view Event Details, Alert Details, or Status Details.

    CLI:

    Type nas_message -info , where is the message identification number.

    Celerra Error Messages Guide:

    Use this guide to locate information about messages that are in the earlier-release message format.

    EMC Online Support:

    Use the text from the error message's brief description or the message's ID to search the Knowledgebase on EMC Online Support. After logging in to EMC Online Support, locate the applicable Support by Product page, and search for the error message.


    EMC Training and Professional Services

    EMC Customer Education courses help you learn how EMC storage products work together within your environment to maximize your entire infrastructure investment. EMC Customer Education features online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training courses are developed and delivered by EMC experts. Go to EMC Online Support at http://Support.EMC.com for course and registration information.

    EMC Professional Services can help you implement your system efficiently. Consultants evaluate your business, IT processes, and technology, and recommend ways that you can leverage your information for the most benefit. From business plan to implementation, you get the experience and expertise that you need without straining your IT staff or hiring and training new personnel. Contact your EMC Customer Support Representative for more information.


    Glossary

    A

    access control levels

    Entries in an access control level table created and recognized only in the Control Station database that define the access level allowed for specified administrative users. These entries are used in conjunction with an access control value associated with certain system objects to define administrative user access to VNX for file.

    C

    CLI

    See command line interface.

    command line interface (CLI)

    Interface for typing commands through the Control Station to perform tasks that include the management and configuration of the database and Data Movers and the monitoring of statistics for VNX for file cabinet components.

    Control Station

    Hardware and software component of VNX for file that manages the system and provides the user interface to all VNX for file components.

    D

    Data Mover

    In VNX for file, a cabinet component that is running its own operating system that retrieves data from a storage device and makes it available to a network client. This is also referred to as a blade.

    F

    file system

    Method of cataloging and managing the files and directories on a system.


    U

    UFS

    See UNIX file system.

    V

    volume

    On VNX for File, a virtual disk into which a file system, database management system, or other application places data. A volume can be a single disk partition or multiple partitions on one or more physical drives.

    See also disk volume, metavolume, slice volume, and stripe volume.
