Preparation for Scanning Dell EMC PowerScale
StorageGuard collects configuration data from Dell EMC PowerScale storage systems by running read-only OneFS commands over a secure SSH session.
The following table lists the requirements for scanning Dell EMC PowerScale storage systems:
| # | Description |
|---|-------------|
| 1 | Provide the network name or IP address of each PowerScale storage system. |
| 2 | Provide an array user account (and password) for each PowerScale storage system. |
| 3 | The user account should be assigned an unlimited read-only role capable of running all “list”, “view” and other read-only OneFS commands. Examples of read-only commands used: isi auth users list -v, isi services -l, isi_log_server list, isi_ntp_config list |
| 4 | Verify that IP connectivity through SSH (default is port 22) is available between the StorageGuard server and each Dell EMC PowerScale system. |
Creating a User Account for Scanning Dell EMC PowerScale
The following suggested method can be used to create a user account with appropriate privileges:
(1) Create user
- isi auth users create cntuser --password <Password>
- isi auth roles create cntrole
- isi auth roles modify cntrole --add-user cntuser
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_ANTIVIRUS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_AUDIT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_AUTH
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_CERTIFICATE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_CLOUDPOOLS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_CLUSTER
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_DEVICES
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_ESRS_DOWNLOAD
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_EVENT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_FILE_FILTER
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_FTP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_GET_SET
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_HARDENING
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_HDFS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_HTTP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_IFS_BACKUP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_IFS_RESTORE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_JOB_ENGINE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_LICENSE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_LOGIN_CONSOLE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_LOGIN_PAPI
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_LOGIN_SSH
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_MONITORING
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NDMP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NETWORK
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NFS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NS_IFS_ACCESS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NS_TRAVERSE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_NTP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_PERFORMANCE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_QUOTA
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_REMOTE_SUPPORT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_ROLE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SMARTPOOLS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SMB
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SNAPSHOT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SNMP
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_STATISTICS
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SWIFT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SYNCIQ
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SYS_SUPPORT
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SYS_TIME
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_SYS_UPGRADE
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_VCENTER
- isi auth roles modify cntrole --add-priv-ro ISI_PRIV_WORM
(2) Grant sudo rights
- Edit /etc/mcp/override/sudoers and add the following line:
  cntuser ALL=(ALL) NOPASSWD: /usr/bin/isi_ntp_config list, /usr/sbin/isi_log_server list, /usr/bin/isi status, /usr/bin/isi version, /usr/bin/isi networks list interfaces -w, /usr/bin/isi networks list subnets, /usr/bin/isi license status, /usr/bin/isi license list --format csv, /usr/bin/isi services -l, cat /etc/ifs/array.xml
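The sudoers rule above can be checked for drift with a small script. This is an added example, not StorageGuard's or Dell's own code: a POSIX shell check that compares the commands granted to the scanning account against the list in this article and reports anything broader. The function name and finding tags are hypothetical, and it assumes the rule sits on a single line in the form shown here.

```shell
#!/bin/sh
# Added example: audit the scanning account's sudoers rule for drift.
# APPROVED mirrors the command list in the article's sudoers line.
APPROVED='/usr/bin/isi_ntp_config list
/usr/sbin/isi_log_server list
/usr/bin/isi status
/usr/bin/isi version
/usr/bin/isi networks list interfaces -w
/usr/bin/isi networks list subnets
/usr/bin/isi license status
/usr/bin/isi license list --format csv
/usr/bin/isi services -l
cat /etc/ifs/array.xml'

# audit_sudoers_line USER LINE (function name is hypothetical)
# Prints one finding per entry. Returns 0 = clean, 1 = findings, 2 = no rule.
audit_sudoers_line() {
    user=$1; line=$2; findings=0
    case $line in
        "$user "*NOPASSWD:*) ;;
        *) echo "NO-RULE: no NOPASSWD rule for $user"; return 2 ;;
    esac
    cmds=${line#*NOPASSWD:}
    old_ifs=$IFS; IFS=','; set -f      # split on commas, no glob expansion
    for cmd in $cmds; do
        cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$cmd" ] || continue
        case $cmd in
            ALL)            tag=UNRESTRICTED ;;   # any command at all
            *\**|*\?*|*\[*) tag=WILDCARD ;;       # pattern widens the grant
            /*) # absolute path: must be one of the approved commands
                if printf '%s\n' "$APPROVED" | grep -Fxq -- "$cmd"; then
                    continue
                fi
                tag=NOT-APPROVED ;;
            *)              tag=RELATIVE-PATH ;;  # sudoers(5) wants full paths
        esac
        echo "$tag: $cmd"; findings=$((findings + 1))
    done
    set +f; IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# The article's rule, rebuilt from APPROVED; the bare "cat" entry is reported.
PAGE_LINE="cntuser ALL=(ALL) NOPASSWD: $(printf '%s' "$APPROVED" | tr '\n' ',')"
audit_sudoers_line cntuser "$PAGE_LINE" || true
```

Run against the article's rule, it reports only the cat entry, because sudoers(5) expects a fully qualified path for each command.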