4.3 Disabling SSH on Storage Servers

If required, you can lock the storage servers to block SSH access. By default, SSH is enabled on storage servers.

If SSH access is blocked, you can still perform operations on the storage server using ExaCLI, which runs on the database servers and communicates using HTTPS and REST APIs to a web service running on the storage server.

When you need to perform operations that require you to log in to the storage server, you can temporarily unlock the storage server. After the operation is complete, you can relock the storage server.

Two CELL attributes control storage server locking:

  • accessLevelPerm: This attribute specifies the access level at which the cell runs by default. It is either remoteLoginEnabled or remoteLoginDisabled.

    • remoteLoginEnabled: SSH service is enabled. You can access the cell using SSH or ExaCLI. This is the default value for accessLevelPerm.

    • remoteLoginDisabled: SSH service is disabled. You can access the cell only through ExaCLI.

  • accessLevelTemp: This attribute changes the access level temporarily for a specified duration. After the duration has expired, the access level reverts to the accessLevelPerm value. You typically change the cell's access level temporarily when the cell needs a software update.

The access level persists across storage server reboots.

4.3.1 Locking a Cell

You lock a cell by setting its accessLevelPerm attribute to remoteLoginDisabled.

You must use a user that has the privilege to alter the accessLevelPerm attribute.

  1. Grant the necessary privileges to a user.

    On the storage server, run these commands:

    cellcli> create role administrator
    cellcli> grant privilege all actions on all objects all attributes with all options to role administrator
    cellcli> create user celladministrator password=*
    cellcli> grant role administrator to user celladministrator

  2. Run ExaCLI as the celladministrator user and run the ALTER CELL command:

    $ exacli -l celladministrator -c exam08cel01
    Password=********

    exacli> alter cell accessLevelPerm = remoteLoginDisabled

4.3.2 Unlocking a Cell Temporarily

You can unlock a locked storage server, or cell, for a short period of time to perform operations such as maintenance or upgrades that require an SSH login to the storage server.

You can specify the start time of a temporary access window and how long it should last by using the ALTER CELL command to modify the cell's accessLevelTemp attribute.

Note the following:

  • Only one temporary access window is allowed at any time. You will get an error message if you try to create a new temporary access window when one is already in effect. If the temporary access window is not yet active and is in the future, the newly created temporary access window will replace the one that is in the future.
  • To modify a temporary access window that is in the future and not yet active, simply run the ALTER CELL command again with the new values.
  • To modify a temporary access window that is already in progress (for example, to extend the duration or to change the reason), run the ALTER CELL command again with the updated duration or reason. The command must provide the exact start time of the existing temporary access window to modify. The (start time + duration) must be in the future.

The accessLevelTemp attribute has the following properties:

  • accessLevel: (Mandatory) Specifies whether SSH is enabled (remoteLoginEnabled) or disabled (remoteLoginDisabled). You must provide a value for this attribute; there is no default value.

  • startTime: Specifies when the specified access level starts. The time is specified in the ISO 8601 format: "yyyy-MM-ddTHH:mm:ssZ". You can also specify the keyword now to indicate that the specified access level should start immediately. The default value for this attribute is now.

  • duration: Specifies how long the access level should last. The default value is 2h (2 hours). The duration is specified in the following format:

    • [any number of digits, followed by d (for days)]. To specify 1 day, use 1d.
    • [any number of digits followed by h (for hours)]. To specify 1 hour, use 1h.
    • [any number of digits followed by m (for minutes)]. To specify 90 minutes, use 90m.

    You can use combinations of duration values. For example, to specify 1 day and 12 hours, use 1d12h.

  • reason: Specifies a reason for changing the access level, for example: performing an upgrade. The default value is none.

Example 4-1 Creating a Temporary Access Window

The following example creates a two-hour temporary access window that starts immediately. The command uses the default values for start time and duration.

exacli> ALTER CELL accessLevelTemp=((accessLevel="remoteLoginEnabled", -
        reason="Quarterly maintenance"))

Example 4-2 Creating a Temporary Access Window in the Future

The following example creates a 30-minute temporary access window that will begin on June 20, 2023, at 1:01 AM.

exacli> ALTER CELL accessLevelTemp=((accessLevel="remoteLoginEnabled", -
        startTime="2023-06-20T01:01:00-07:00",                         -
        duration="30m",                                                -
        reason="Quarterly maintenance"))

Example 4-3 Extending a Temporary Access Window

The following example extends the temporary access window created in the previous example to 5 hours. Note that the start time has to match the window that is being adjusted.

exacli> ALTER CELL accessLevelTemp=((accessLevel="remoteLoginEnabled", -
        startTime="2023-06-20T01:01:00-07:00",                         -
        duration="5h",                                                 -
        reason="Quarterly maintenance window extended to 5 hrs - Joe"))

Example 4-4 Deleting a Temporary Access Window

The following example deletes the temporary access window. If the temporary access window is currently active, it is closed immediately and the access level will be set back to the permanent access level. If the temporary access window is in the future and not yet active, it is canceled.

exacli> ALTER CELL accessLevelTemp=''
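The window rules described in this section (one temporary window at a time, a future window is replaced, an active window is modified only when its exact start time is given, start time plus duration must lie in the future, and the d/h/m duration grammar) are modelled below in Python as an added example; this is not Oracle's code, and the names Cell, Window, parse_duration and parse_time are assumptions of the example. The model applies the "start time + duration must be in the future" rule to every ALTER, not only to modifications.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Duration grammar from the page: digits followed by d, h or m, combinable as in "1d12h".
_DURATION = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")

def parse_duration(text: str) -> timedelta:
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"bad duration: {text!r}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def parse_time(text: str) -> datetime:
    # ISO 8601 as on the page; a trailing Z is rewritten for Pythons before 3.11
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

@dataclass
class Window:
    access_level: str
    start: datetime
    duration: timedelta
    reason: str = "none"
    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.start + self.duration

class Cell:
    """accessLevelPerm plus at most one accessLevelTemp window (constructed model)."""
    def __init__(self, perm: str = "remoteLoginEnabled") -> None:
        self.access_level_perm = perm
        self.temp = None  # the single temporary access window, or None
    def alter_temp(self, now: str, access_level: str, start_time: str = "now",
                   duration: str = "2h", reason: str = "none") -> Window:
        now_dt = parse_time(now)
        start = now_dt if start_time == "now" else parse_time(start_time)
        new = Window(access_level, start, parse_duration(duration), reason)
        if start + new.duration <= now_dt:  # page's rule for modifications, applied to all here
            raise ValueError("start time + duration must be in the future")
        # An active window is only modified when the exact start time is given; a future one is replaced.
        if self.temp and self.temp.is_active(now_dt) and self.temp.start != start:
            raise ValueError("a temporary access window is already in effect")
        self.temp = new
        return new
    def clear_temp(self) -> None:  # ALTER CELL accessLevelTemp=''
        self.temp = None
    def effective_level(self, now: str) -> str:
        if self.temp and self.temp.is_active(parse_time(now)):
            return self.temp.access_level
        return self.access_level_perm
```

The same effective_level check, run against the attribute values a cell reports, is what a fleet audit would use to flag a locked cell that is reachable over SSH outside an approved window.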

4.3.3 Unlocking a Cell Permanently

You can unlock a cell by setting its accessLevelPerm attribute to remoteLoginEnabled.

You must use a user that has the privilege to alter the accessLevelPerm attribute.

  1. Start ExaCLI as a user that has the privilege to alter the accessLevelPerm attribute.

    For example:

    $ exacli -l celladministrator -c exam08cel01
    Password=********

    exacli>

  2. Run the ALTER CELL command to set the accessLevelPerm attribute to remoteLoginEnabled.

    For example:

    exacli> alter cell accessLevelPerm=remoteLoginEnabled
    Cell exam08cel01 successfully altered

4.3.4 Checking the Current Access Level for a Cell

View the accessLevelPerm and accessLevelTemp attributes for a cell to determine the current access level.

  • To see what the current access level is, use the LIST CELL command:

    exacli> LIST CELL ATTRIBUTES name,accessLevelPerm,accessLevelTemp

4.3.5 Access Level Alerts from the Management Server

A stateless alert is generated when the accessLevelPerm attribute is modified.

A stateful alert is generated when the accessLevelTemp window is created. An alert email is sent out when the accessLevelTemp window is activated. The alert is cleared when the window expires.