Sun ZFS Storage 7000 System Administration Guide

Users

Introduction

This section describes users who may administer the appliance, roles to manage authorizations granted to users, and how to add them to the system using the BUI or CLI.

Users can either be:

Users are granted privileges by assigning them custom roles.

Roles

A role is a collection of privileges that can be assigned to users. It may be desirable to create administrator and operator roles, with different authorization levels. Staff members may be assigned any role that is suitable for their needs, without assigning unnecessary privileges.

The use of roles is considered to be much more secure than the use of shared administrator passwords, for example, giving everyone the root password. Roles restrict users to necessary authorizations only, and also attribute their actions to their individual username in the Audit log.

By default, a role called "Basic administration" exists, which contains very basic authorizations.

Authorizations

Authorizations allow users to perform specific tasks, such as creating shares, rebooting the appliance, and updating the system software. Authorizations are grouped into Scopes, and each scope may have a set of optional filters to narrow the scope of the authorization. For example, rather than an authorization to restart all services, a filter can be used so that this authorization can restart the HTTP service only.

Available scopes are as follows, with a single example authorization and an example filter (if available) for each scope:

| Scope | Example Authorization | Example Filter |
|---|---|---|
| Active Directory | Join an Active Directory domain | Domain name |
| Alerts | Configure alert filters and thresholds | . |
| Analytics | Read a statistic with this drilldown present | Drilldowns |
| Clustering | Failback resources to a cluster peer | . |
| Hardware | Online and offline disks | . |
| Networking | Configure networking devices, datalinks, and interfaces | . |
| Projects and shares | Change general properties of projects and shares | Pool, project, share |
| Roles | Configure authorizations for a role | Role name |
| Services | Restart a service | Service name |
| Shares property schema | Modify property schema | . |
| System | Reboot the appliance | Appliance name |
| Update | Update system software | . |
| Users | Change a password | Username |
| Worksheet | Modify worksheet | Worksheet name |

Browse the scopes in the BUI to see what other authorizations exist. There are currently over fifty different authorizations available, and additional authorizations may be added in future appliance software updates.
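
The scope, filter and exception rules described in this section, as a simplified Python model added here for illustration; it is not the appliance's own code. The class and function names, the "svcadmin" role and the "operator" user are hypothetical, and the "basic" role is left empty because this page does not list its authorizations.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Authorization:
    scope: str                            # e.g. "svc"
    filt: str = "*"                       # filter value; "*" means no narrowing
    permissions: frozenset = frozenset()  # e.g. {"restart"}

    def covers(self, scope, target, permission):
        """True if this entry applies to the given scope, object and action."""
        return (self.scope == scope
                and self.filt in ("*", target)
                and permission in self.permissions)

@dataclass
class Role:
    name: str
    authorizations: list = field(default_factory=list)

@dataclass
class User:
    logname: str
    roles: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)  # excluded authorizations

def is_authorized(user, scope, target, permission):
    """Granted if any role covers the request and no exception excludes it."""
    if any(e.covers(scope, target, permission) for e in user.exceptions):
        return False
    return any(a.covers(scope, target, permission)
               for r in user.roles for a in r.authorizations)

# Constructed data: "webadmin" mirrors a role limited to restarting HTTP;
# "svcadmin" and "operator" are hypothetical, added to show a wildcard filter
# and an exception.
restart = frozenset({"restart"})
basic = Role("basic")  # contents not listed on this page, so left empty
webadmin = Role("webadmin", [Authorization("svc", "http", restart)])
svcadmin = Role("svcadmin", [Authorization("svc", "*", restart)])
brendan = User("brendan", [basic, webadmin])
operator = User("operator", [svcadmin],
                exceptions=[Authorization("svc", "ssh", restart)])
```

With the filter set to http, brendan can restart only that service; operator's wildcard role covers every service except the one removed by the exception.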

Properties

The following properties may be set when managing users and roles.

Users

All of the following properties may be set when adding a user, and a subset of these when editing a user:

| Property | Description |
|---|---|
| Type | Directory (access credentials from NIS or LDAP), or Local (save user on this appliance) |
| Username | Unique name for user |
| Full Name | User description |
| Password/Confirm | For Local users, type the initial password in both of these fields |
| Require session annotation | If enabled, when users log in to the appliance they must provide a text description of the purpose of their login. This annotation may be used to track work performed for requests in a ticketing system, and the ticket ID can be used as the session annotation. The session annotation appears in the Audit log. |
| Kiosk user | If enabled, the user will only be able to view the screen in the "Kiosk screen" setting. This may be used to restrict a user to only see the dashboard, for example. A kiosk user will not be able to access the appliance via the CLI. |
| Kiosk screen | Screen that this kiosk user is restricted to, if "Kiosk user" is enabled |
| Roles | The roles possessed by this user |
| Exceptions | These authorizations are excluded from those normally available due to the selected roles |

Roles

These properties may be set when managing roles:

| Property | Description |
|---|---|
| Name | Name of the role as it will be shown in lists |
| Description | Verbose description of role if desired |
| Authorizations | Authorizations for this role |

BUI

The BUI Users page lists both users and groups, along with buttons for administration. Mouse-over an entry to expose its clone, edit and destroy buttons. Double-click an entry to view its edit screen. The buttons are as follows:

| Icon | Description |
|---|---|
| Add item | Add new user/role. This will display a new dialog where the required properties may be entered. |
| Search | Displays a search box. Enter a search string and hit enter to search the user/role lists for that text, and only display entries that match. Click this icon again or "Show All" to return to the full listings. |
| Clone | Clone user/role. Add a new user/role starting with fields based on the values from this entry. |
| Edit | Edit user/role |
| Destroy | Remove user/role/authorization |

Refer to the Tasks for required steps to add users, roles and authorizations.

CLI

The actions possible in the BUI are also available in the CLI. Type help as you navigate through user, role, and authorization administration to list the available commands.

To demonstrate the CLI user and roles interface, the following example adds the NIS user "brendan" to the system, and grants the authorization to restart the HTTP service. This includes creating a role for this authorization.

We will start by creating the role, which we will call "webadmin":

caji:> configuration roles
caji:configuration roles> role webadmin
caji:configuration roles webadmin (uncommitted)> set description="web server administrator"
                   description = web server administrator (uncommitted)
caji:configuration roles webadmin (uncommitted)> commit
caji:configuration roles> show
Roles:

NAME             DESCRIPTION
basic            Basic administration
webadmin         web server administrator

Now that we have created the webadmin role, we will add the authorization to restart the HTTP service. This example also shows the output of tab-completion, which lists valid input and is useful for determining which scopes and filter options are valid:

caji:configuration roles> select webadmin
caji:configuration roles webadmin> authorizations
caji:configuration roles webadmin authorizations> create
caji:configuration roles webadmin auth (uncommitted)> set scope=tab 
ad           cluster      net          schema       update       
alert        hardware     replication  stat         user         
appliance    nas          role         svc          worksheet    
caji:configuration roles webadmin auth (uncommitted)> set scope=svc
                         scope = svc
caji:configuration roles webadmin auth (uncommitted)> show
Properties:
                         scope = svc
                       service = *
              allow_administer = false
               allow_configure = false
                 allow_restart = false

caji:configuration roles webadmin auth (uncommitted)> set service=tab 
*               ftp             ipmp            nis             ssh
ad              http            iscsi           ntp             tags
smb            identity        ldap            routing         vscan
datalink:nge0   idmap           ndmp            scrk            
dns             interface:nge0  nfs             snmp            
caji:configuration roles webadmin auth (uncommitted)> set service=http
                       service = http (uncommitted)
caji:configuration roles webadmin auth (uncommitted)> set allow_restart=true
                 allow_restart = true (uncommitted)
caji:configuration roles webadmin auth (uncommitted)> commit
caji:configuration roles webadmin authorizations> list
NAME       OBJECT                               PERMISSIONS
auth-000   svc.http                             restart

Now that the role has been created, we can enter the users section to create our user "brendan" and assign the role "webadmin":

caji:configuration roles webadmin authorizations> cd ../../..
caji:configuration> users
caji:configuration users> netuser brendan
caji:configuration users> show
Users:

NAME                     USERNAME                 UID        TYPE
Brendan Gregg            brendan                  130948     Dir
Super-User               root                     0          Loc

caji:configuration users> select brendan
caji:configuration users brendan> show
Properties:
                       logname = brendan
                      fullname = Brendan Gregg
              initial_password = *************
            require_annotation = false
                         roles = basic
                    kiosk_mode = false
                  kiosk_screen = status/dashboard

Children:
                       exceptions => Configure this user's exceptions
                      preferences => Configure user preferences
caji:configuration users brendan> set roles=basic,webadmin
                         roles = basic,webadmin (uncommitted)
caji:configuration users brendan> commit

The user brendan should now be able to log in using their NIS password, and restart the HTTP service on the appliance.
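
A role review can be run over captured "authorizations list" output to spot entries that are broader than intended. The following Python is an added example, not part of the original guide: the sample rows after the first are constructed, the "svc.*" object form and comma-separated permissions are assumptions about how a wildcard filter and multiple permissions are listed, and the choice of which permissions to flag is a hypothetical review policy.

```python
import re

# Constructed capture of "authorizations list" output for one role. The first
# row is the one shown in the walkthrough above; the other two are made up,
# and their "svc.*" and comma-separated forms are assumptions.
SAMPLE_LISTING = """\
NAME       OBJECT                               PERMISSIONS
auth-000   svc.http                             restart
auth-001   svc.*                                restart,administer
auth-002   svc.ntp                              configure
"""

ROW = re.compile(r"^(auth-\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_authorizations(listing):
    """Turn listing rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, obj, perms = m.groups()
        scope, _, filt = obj.partition(".")   # "svc.http" -> "svc", "http"
        rows.append({"name": name, "scope": scope, "filter": filt,
                     "permissions": perms.split(",")})
    return rows

def is_unfiltered(row):
    """True when any component of the filter is left as a wildcard."""
    return "*" in row["filter"].split(".")

def review(listing, sensitive=("administer", "configure")):
    """Return (name, reason) findings; `sensitive` is an example policy."""
    findings = []
    for r in parse_authorizations(listing):
        if is_unfiltered(r):
            findings.append((r["name"], "applies to every %s object" % r["scope"]))
        hits = sorted(set(r["permissions"]) & set(sensitive))
        if hits:
            findings.append((r["name"], "grants " + ",".join(hits)))
    return findings
```

Run against the sample, the entry from the walkthrough (svc.http, restart) produces no finding, while the wildcard and configure/administer rows are reported for review.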

Tasks

The following are example tasks for user and role administration. If you wish to use the CLI, it can help to practice these tasks in the BUI first, which is more intuitive and helps convey the concepts.

BUI

Adding an administrator

  1. Check that an appropriate administrator role is listed in the Roles list. If not, add a role (see separate task).
  2. Click the add icon (Add item) next to Users.
  3. Set user properties.
  4. Click the checkbox for the administrator role.
  5. Click the Add button at the top of the dialog. The new user appears in the Users list.

Adding a role

  1. Click the add icon (Add item) next to Roles.
  2. Set the name of the role, and description.
  3. Add authorizations to the role (see separate task).
  4. Click the Add button at the top of the dialog. The new role appears in the Roles list.

Adding authorizations to a role

  1. Select "Scope". If filters are available for this scope, they will appear beneath the Scope selector.
  2. Select filters if appropriate.
  3. Click the checkbox for all authorizations you wish to add.
  4. Click the Add button in the Authorization section. The authorizations will be added to the bottom list of the dialog box.

Deleting authorizations from a role

  1. Mouse-over the role in the Roles list, and click the edit icon (Edit).
  2. Mouse-over the authorization in the bottom list, and click the trash icon (Destroy) on the right.
  3. Click the Apply button at the top of the dialog.

CLI

Adding an administrator

  1. Go to configuration roles.
  2. Type show. Find a role with appropriate administration authorizations by running select on each role and then authorizations show. If an appropriate role does not exist, start by creating the role (see separate task).
  3. Go to configuration users.
  4. For Directory users (NIS, LDAP), type netuser followed by the existing username you wish to add. For Local users, type user followed by the username you wish to add; then type show to see the properties that need to be set and set them, then type commit.
  5. At this point you have created the user, but haven't customized all their properties yet. Type select followed by their username.
  6. Now type show to see the full list of preferences. Roles and authorization exceptions may now be added, as well as user preferences.

Adding a role

  1. Go to configuration roles.
  2. Type role followed by the role name you wish to create.
  3. Set the description, then commit the role.
  4. Add authorizations to the role (see separate task).

Adding authorizations to a role

  1. Go to configuration roles.
  2. Type select followed by the role name.
  3. Type authorizations.
  4. Type create to add an authorization.
  5. Type set scope= followed by the scope name. Use tab-completion to see the list.
  6. Type show to see both available filters and authorizations.
  7. Set the desired authorizations to true, and set the filters (if available). Tab-completion helps show which filter settings are valid.
  8. Type commit. The authorization has now been added.

Deleting authorizations from a role

  1. Go to configuration roles.
  2. Type select followed by the role name.
  3. Type authorizations.
  4. Type show to list authorizations.
  5. Type destroy followed by the authorization name (e.g., "auth-001"). The authorization has now been destroyed.

Generic

Adding a user who can only view the dashboard

  1. Add either a Directory or Local user (see separate task).
  2. Set Kiosk mode to true, and check that the Kiosk screen is set to "status/dashboard".
  3. The user should now be able to log in, but only view the dashboard.