N1 Provisioning Server 3.1, Blades Edition, System Administration Guide

Procedure: To Apply RBAC Security

Steps
  1. Log in as root on the control plane server.

  2. Back up the /etc/security attribute files.

    Create a subdirectory and copy the attribute files to the subdirectory. Use the cp command option -p to preserve file permissions and ownership.

    Example:


    cd /etc/security
    ls -l *attr
    -rw-r--r--   1 root     sys        42871 Nov  8  2002 audit_record_attr
    -rw-r--r--   1 root     sys         5907 Nov  8  2002 auth_attr
    -rw-r--r--   1 root     sys        12672 Nov  8  2002 exec_attr
    -rw-r--r--   1 root     sys         4715 Nov  8  2002 prof_attr
    mkdir attr-backup
    cp -p *attr attr-backup
    ls -l attr-backup
    total 136
    drwxr-xr-x   2 root     other        512 Jan  7 18:00 .
    drwxr-xr-x   7 root     sys          512 Jan  7 18:00 ..
    -rw-r--r--   1 root     sys        42871 Nov  8  2002 audit_record_attr
    -rw-r--r--   1 root     sys         5907 Nov  8  2002 auth_attr
    -rw-r--r--   1 root     sys        12672 Nov  8  2002 exec_attr
    -rw-r--r--   1 root     sys         4715 Nov  8  2002 prof_attr
  3. Type the following commands to append the predefined N1 Provisioning Server security attributes to the /etc/security files.

    cd /opt/terraspring/lib/rbac/

    cat n1_auth_attr >> /etc/security/auth_attr

    cat n1_exec_attr >> /etc/security/exec_attr

    cat n1_prof_attr >> /etc/security/prof_attr

  4. Create the /n1admin directory by typing:

    mkdir /n1admin

  5. Add the n1admin role account.

    roleadd -d /n1admin -P"N1ADMIN" n1admin

    For further information about the roleadd command, see the roleadd man page roleadd(1M).

  6. Change the n1admin account password.

    passwd n1admin

    You are prompted for the new password. Type the password and press Enter.

    You are prompted to reenter the new password.

    Retype the new password and press Enter.

  7. Assign user accounts to the n1admin security role.

    Type usermod -R "n1admin" user01, where user01 is a valid UNIX user account.


    Note –

    The user account must exist. For further information about RBAC commands, see the Role-Based Access Control documentation at http://docs.eng.sun.com/db/doc/817-0365/6mg5vpmbd?q=Role-Based+Access+Control.


  8. Log on to the Control Plane server using the user account.

  9. Type roles to list the security roles.

    Example:


    roles 
    n1admin 
  10. Verify that the user account cannot run N1 Provisioning Server commands.

    Type /opt/terraspring/sbin/image -l. The response should be image: cannot execute. If a listing of available N1 Provisioning Server images appears, then the /opt/terraspring/sbin file permissions have not been set correctly. Set and validate the file permissions as directed by step 2.

  11. Type su n1admin to log in as the n1admin superuser.

  12. Verify that the user account can run N1 Provisioning Server administration commands using the n1admin role.


    Note –

    To run any administration command, you must either specify the full path for the command or be in the directory that contains the command and prefix the command with ./.


    You can do this using either of the following two methods:

    • Log in as superuser n1admin, and type /opt/terraspring/sbin/image -l to list the available N1 Provisioning Server images. For example:


      su - n1admin
      /opt/terraspring/sbin/image -l
      
    • Log in as superuser n1admin and use the su command -c option to run the image -l command. For example:


      su - n1admin -c "/opt/terraspring/sbin/image -l"
      

    A list of N1 images is displayed. For example:


    $ image -l
    IMAGE_ID IMAGE_NAME                        CUSTOMER  SIZE         OS       TYPE        STATE
    1        solaris9u5-sun4ublade-flash       __grid__  3004789248   solaris  flash       READY
             LOCATION: nfs://3001//images/master-images/solaris9u5-sun4ublade-flash
    2        solaris9u5-sun4ublade-disk-image  __grid__  30000000000  solaris  disk_image  READY
             LOCATION: nfs://3001//images/master-images/solaris9u5-sun4ublade-disk-image
  13. Verify the user ID (uid) and group ID (gid).

    Type id to display the uid and gid. The uid should be 50004(n1admin), and the gid should be 1(other). For example:


    id
    uid=50004(n1admin) gid=1(other)
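Step 3 appends the attribute files with cat, which duplicates every entry if the step is ever run twice, and steps 7 and 9 assign and then list the role. The following shell script, added here and not part of the guide, shows an append that skips entries already present and a check that reads the role assignment from user_attr (the colon-separated Solaris format) rather than relying on the roles command. The file names and contents are constructed samples, not the vendor-supplied n1_*_attr files.

```shell
#!/bin/sh
# Added example, not from the N1 Provisioning Server guide. Assumes POSIX sh,
# grep and awk; the file names and contents below are constructed samples.

# append_attr_once SRC DST: append each entry of SRC to DST unless the identical
# line is already there. Exact-line matching is safe for exec_attr, where one
# profile name legitimately spans several lines.
append_attr_once() {
    src=$1; dst=$2
    [ -f "$dst" ] || : > "$dst"
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        grep -Fxq -- "$line" "$dst" || printf '%s\n' "$line" >> "$dst"
    done < "$src"
}

# user_has_role USER ROLE USER_ATTR: exit 0 if USER's user_attr entry carries
# ROLE in its roles= list (field 5 is a ";"-separated attr list, roles are
# ","-separated). This is the assignment made by usermod -R in step 7.
user_has_role() {
    awk -F: -v u="$1" -v r="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] ~ /^roles=/) {
                m = split(substr(kv[i], 7), roles, ",")
                for (j = 1; j <= m; j++) if (roles[j] == r) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$3"
}

# Demonstration on constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d)
    # Constructed stand-in for the vendor fragment n1_prof_attr (one profile entry).
    printf 'N1ADMIN:::N1 Provisioning Server admin (sample):help=N1admin.html\n' > "$d/n1_prof_attr"
    printf 'All:::Execute any command as the user or role:help=RtAll.html\n' > "$d/prof_attr"
    append_attr_once "$d/n1_prof_attr" "$d/prof_attr"
    append_attr_once "$d/n1_prof_attr" "$d/prof_attr"   # re-run: still one N1ADMIN line
    echo "N1ADMIN entries: $(grep -c '^N1ADMIN:' "$d/prof_attr")"
    # Constructed user_attr: user01 was assigned the role (step 7), user02 was not.
    printf 'user01::::type=normal;roles=n1admin\nuser02::::type=normal\n' > "$d/user_attr"
    for u in user01 user02; do
        if user_has_role "$u" n1admin "$d/user_attr"; then echo "$u: has n1admin"
        else echo "$u: no n1admin role"; fi
    done
    rm -rf "$d"
}
demo
```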