9 Maintenance Workflows

A workflow is a CLI script that is uploaded to and managed by Oracle ZFS Storage Appliance by itself. Workflows can be parameterized and executed in a first-class fashion from either the browser interface or the command line interface. Workflows may also be optionally executed as alert or at a designated time. As such, workflows allow for the appliance to be extended in ways that capture specific policies and procedures, and can be used (for example) to formally encode best practices for a particular organization or application.

To use workflows, use the following sections:

• Understanding Workflows

• Understanding Workflow Parameters

• Constrained Workflow Parameters

• Optional Workflow Parameters

• Workflow Error Handling

• Workflow Input Validation

• Workflow Execution Auditing and Reporting

• Understanding Workflow Versioning

• Using Workflows for Alert Actions

• Creating and Posting Custom Alerts from Within a Workflow

• Using Scheduled Workflows

• Using a Scheduled Workflow

• Coding Workflow Schedules

• Creating a Worksheet Based on a Specified Drive Type

• Uploading and Executing Workflows using the BUI

• Downloading Workflows using the CLI

• Listing Workflows using the CLI

• Executing Workflows using the CLI

• Auditing Workflows using the CLI

Workflow Authorizations

Access to workflows is controlled on a per-workflow basis. By default, an administrator can see, execute, and manage only workflows that the administrator owns. To see or execute a workflow owned by another user, the administrator must have the appropriate workflow read authorization.

There is no separate authorization for viewing a workflow and executing a workflow. The same authorization that allows a workflow to be seen also allows it to be run.

The following workflow authorizations are used to control access to workflows:

workflow.<owner>.<uuid>.read	Required to see and run a workflow. An administrator can be granted the ability to see and run any workflow by being granted workflow.*.*.read. If the setid property is set, the workflow runs as the owner.
workflow.<owner>.<uuid>.modify	Required to make changes to a workflow, including changes to the setid property.
workflow.<owner>.<uuid>.changeOwner	Required to change the owner of a workflow. In this authorization, <owner> denotes the new owner of the workflow.

When changing the owner of a workflow, the user must satisfy one of the following conditions:

• The user is the current owner of the workflow and has workflow.<target_owner>.*.changeOwner.
• The user has both workflow.<current_owner>..modify and workflow.<target_owner>..changeOwner.

Changing the owner property does not clear the setid property. Because changing the setid property itself requires workflow.<owner>.<uuid>.modify, preserving setid avoids requiring additional authorizations when an administrator uploads or manages a workflow supplied by support.

Caution should be used when granting workflow authorizations. Granting an administrator workflow...read, workflow...modify, and workflow...changeOwner effectively gives that administrator equivalent to root access through workflows, because the administrator can upload a workflow, change its ownership, and cause it to execute as root. The workflow.<owner>.<uuid>.changeOwner authorization should therefore be granted only to a very limited set of trusted administrators.