This section describes users who may administer the appliance, roles to manage authorizations granted to users, and how to add them to the system using the BUI or CLI.
Users can either be:
Local users - all their account information is saved on the appliance.
Directory users - these use existing NIS or LDAP accounts, with supplemental authorization settings saved on the appliance. This allows existing NIS or LDAP users to be granted privileges to log in and administer the appliance.
Users are granted privileges by assigning them custom roles.
A role is a collection of privileges that can be assigned to users. It may be desirable to create administrator and operator roles, with different authorization levels. Staff members may be assigned any role that is suitable for their needs, without assigning unnecessary privileges.
The use of roles is considered to be much more secure than the use of shared administrator passwords, for example, giving everyone the root password. Roles restrict users to necessary authorizations only, and also attribute their actions to their individual username in the Audit log.
By default, a role called "Basic administration" exists, which contains very basic authorizations.
Authorizations allow users to perform specific tasks, such as creating shares, rebooting the appliance, and updating the system software. Authorizations are grouped into Scopes, and each scope may have a set of optional filters to narrow the scope of the authorization. For example, rather than an authorization to restart all services, a filter can be used so that this authorization can restart the HTTP service only.
Available scopes are as follows, with a single example authorization and an example filter (if available) for each scope:
Browse the scopes in the BUI to see what other authorizations exist. There are currently over fifty different authorizations available, and additional authorizations may be added in future appliance software updates.
The following properties may be set when managing users and roles.
All of the following properties may be set when adding a user, and a subset of these when editing a user:
These properties may be set when managing roles:
The BUI Users page lists both users and groups, along with buttons for administration. Mouse-over an entry to expose its clone, edit and destroy buttons. Double-click an entry to view its edit screen. The buttons are as follows:
Refer to the Tasks for required steps to add users, roles and authorizations.
The actions possible in the BUI are also available in the CLI. Type help as you navigate through user, role, and authorization administration to list the available commands.
To demonstrate the CLI user and roles interface, the following example adds the NIS user "brendan" to the system, and grants the authorization to restart the HTTP service. This includes creating a role for this authorization.
We will start by creating the role, which we will call "webadmin":
caji:> configuration roles
caji:configuration roles> role webadmin
caji:configuration roles webadmin (uncommitted)> set description="web server administrator"
                   description = web server administrator (uncommitted)
caji:configuration roles webadmin (uncommitted)> commit
caji:configuration roles> show
Roles:

NAME                 DESCRIPTION
basic                Basic administration
webadmin             web server administrator
Now that we have created the webadmin role, we will add the authorization to restart the HTTP service. This example also shows the output of tab-completion, which lists valid input and is useful for determining the valid scopes and filter options:
caji:configuration roles> select webadmin
caji:configuration roles webadmin> authorizations
caji:configuration roles webadmin authorizations> create
caji:configuration roles webadmin auth (uncommitted)> set scope=tab
ad           cluster      net          schema       update
alert        hardware     replication  stat         user
appliance    nas          role         svc          worksheet
caji:configuration roles webadmin auth (uncommitted)> set scope=svc
                         scope = svc
caji:configuration roles webadmin auth (uncommitted)> show
Properties:
                         scope = svc
                       service = *
              allow_administer = false
               allow_configure = false
                 allow_restart = false

caji:configuration roles webadmin auth (uncommitted)> set service=tab
*               ftp             ipmp            nis             ssh
ad              http            iscsi           ntp             tags
smb             identity        ldap            routing         vscan
datalink:igb0   idmap           ndmp            scrk
dns             interface:igb0  nfs             snmp
caji:configuration roles webadmin auth (uncommitted)> set service=http
                       service = http (uncommitted)
caji:configuration roles webadmin auth (uncommitted)> set allow_restart=true
                 allow_restart = true (uncommitted)
caji:configuration roles webadmin auth (uncommitted)> commit
caji:configuration roles webadmin authorizations> list
NAME                 OBJECT                        PERMISSIONS
auth-000             svc.http                      restart
Now that the role has been created, we can enter the users section to create our user "brendan" and assign the role "webadmin":
caji:configuration roles webadmin authorizations> cd ../../..
caji:configuration> users
caji:configuration users> netuser brendan
caji:configuration users> show
Users:

NAME                     USERNAME                 UID        TYPE
Brendan Gregg            brendan                  130948     Dir
Super-User               root                     0          Loc

caji:configuration users> select brendan
caji:configuration users brendan> show
Properties:
                       logname = brendan
                      fullname = Brendan Gregg
              initial_password = *************
            require_annotation = false
                         roles = basic
                    kiosk_mode = false
                  kiosk_screen = status/dashboard

Children:
                        exceptions => Configure this user's exceptions
                       preferences => Configure user preferences

caji:configuration users brendan> set roles=basic,webadmin
                         roles = basic,webadmin (uncommitted)
caji:configuration users brendan> commit
The user brendan should now be able to log in using their NIS password, and restart the HTTP service on the appliance.
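The following added example (not appliance code and not part of the original documentation) models the scope, filter and permission semantics from the walk-through in Python, and adds a least-privilege check that reports grants still using the wildcard filter. It assumes that "*" means no filter is applied and that a user is allowed an action if any authorization in any assigned role permits it; the "svcrestart" role and the empty contents of "basic" are constructed for illustration.

```python
# Added illustration: a simplified model of roles, scopes and filters.
# Not appliance code; "*" is assumed to mean "no filter applied".
WEBADMIN_AUTH = """\
scope = svc
service = http
allow_administer = false
allow_configure = false
allow_restart = true
"""
# Constructed counter-example: the same grant left unfiltered.
SVCRESTART_AUTH = WEBADMIN_AUTH.replace("service = http", "service = *")

def parse_authorization(show_output):
    """Turn 'name = value' property lines into (scope, filters, actions)."""
    props = {}
    for line in show_output.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.replace("(uncommitted)", "").strip()
    scope = props.pop("scope")
    actions = {n[len("allow_"):] for n, v in props.items()
               if n.startswith("allow_") and v == "true"}
    filters = {n: v for n, v in props.items() if not n.startswith("allow_")}
    return scope, filters, actions

def permits(auth, scope, action, **target):
    """True if one authorization covers the action on the given target."""
    auth_scope, filters, actions = auth
    if scope != auth_scope or action not in actions:
        return False
    return all(v == "*" or target.get(n) == v for n, v in filters.items())

ROLES = {
    "basic": [],  # contents not shown on the page; left empty in this model
    "webadmin": [parse_authorization(WEBADMIN_AUTH)],
    "svcrestart": [parse_authorization(SVCRESTART_AUTH)],  # hypothetical role
}
USERS = {"brendan": ["basic", "webadmin"]}

def user_can(user, scope, action, **target):
    """Allowed if any authorization in any assigned role permits it (assumed)."""
    return any(permits(a, scope, action, **target)
               for role in USERS.get(user, []) for a in ROLES[role])

def unfiltered_grants(roles):
    """Least-privilege review: grants whose filter is still the wildcard."""
    return sorted((role, scope, name, action)
                  for role, auths in roles.items()
                  for scope, filters, actions in auths
                  for name, value in filters.items() if value == "*"
                  for action in actions)
```

In this model brendan can restart svc.http but not svc.ssh, and only the constructed "svcrestart" role is reported as unfiltered.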
The following are example tasks for user and role administration. If you wish to use the CLI, it can help to practice these tasks in the BUI first, which is more intuitive and will help convey the concepts.