Module Objectives
By the end of this module, you should be able to:
- Restrict administrative access
- Restrict console and NetApp System Manager access
- Configure a client machine as an adminhost to manage a storage system
Secure Configuration
These steps were covered when we discussed configuring a storage system with System Manager and the CLI.
Administrator Users
Initially, there is only one administrator account: root
Steps to implement:
- Create a role with specific capabilities
- Create a group with one or more assigned roles
- Create user(s) assigned to one or more groups
[Figure: hierarchy of Groups, Roles, and Capabilities]
Capabilities
Capabilities are:
Predefined privileges that allow users to execute commands or take other specified actions
Roles
- A role is a defined set of capabilities
- Data ONTAP includes several predefined roles
- Administrators can create additional roles or modify existing roles
Groups
A group is:
- A collection of users
- Associated with one or more roles
Groups have defined permissions and access levels that are defined by roles
Admin Role
Predefined Groups
- Administrators - Grants all CLI, API, login, and security capabilities
- Power Users - Grants the ability to invoke cifs, nfs, and useradmin CLI commands, manage cifs and nfs API calls, and log in using Telnet, HTTP, RSH, and SSH sessions
- Compliance Administrators - compliance role
- Backup Operators - none role
- Users - Grants the ability to make snmp-get and snmp-get-next API calls
- Guests - none role
- Everyone - none role
2009 NetApp. All rights reserved.
Listing roles: an empty list (no role specified) shows general information for all roles; a specific role shows detailed information about that role.
- A capability can be one or more of login, CLI, security, or API capabilities
- Each capability can be refined to a specific subset
Users
A user is:
- An individual account that may or may not have capabilities defined for the storage system
- Part of a group
Listing groups: an empty list (no group specified) shows general information for all groups; a specific group shows detailed information about that group.
Create a new group using the CLI command:
useradmin group add <groupname> -r <role>[,<role>...]
Although you can provide access to data with local users, NetApp recommends using local users only for administrative access
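The users, groups, roles and capabilities hierarchy above is easiest to reason about when you can ask "which capabilities does this user actually end up with?". The following is an added example (not code from the module or from NetApp) that models that hierarchy in Python and resolves a user's effective capabilities. The role contents are constructed from the predefined-group descriptions on this page and the capability names follow the login-/cli-/api-/security- naming the module describes; they are assumptions for illustration, not a dump of a real system.

```python
"""Model of the Data ONTAP 7-Mode administrative access hierarchy:
users -> groups -> roles -> capabilities.

Constructed example data; role contents are assumed from the
predefined-group descriptions, not read from a storage system."""
from fnmatch import fnmatchcase

# Roles: name -> set of capability patterns. A trailing '*' is a wildcard,
# so "cli-cifs*" covers every cifs CLI command (assumed naming convention).
ROLES = {
    "admin": {"login-*", "cli-*", "api-*", "security-*"},
    "power": {"cli-cifs*", "cli-nfs*", "cli-useradmin*",
              "api-cifs-*", "api-nfs-*",
              "login-telnet", "login-http-admin", "login-rsh", "login-ssh"},
    "audit": {"api-snmp-get", "api-snmp-get-next"},
    "none": set(),
}

# Groups: name -> roles (as created with "useradmin group add <group> -r <role>").
GROUPS = {
    "Administrators": {"admin"},
    "Power Users": {"power"},
    "Users": {"audit"},
    "Backup Operators": {"none"},
    "Guests": {"none"},
}

# Users: name -> groups (constructed sample accounts).
USERS = {
    "root": {"Administrators"},
    "ops1": {"Power Users"},
    "monitor": {"Users"},
    "backup": {"Backup Operators"},
    "helpdesk": {"Users", "Power Users"},
}


def effective_capabilities(user):
    """Union of the capabilities of every role of every group the user is in."""
    caps = set()
    for group in USERS[user]:
        for role in GROUPS[group]:
            caps |= ROLES[role]
    return caps


def user_can(user, capability):
    """True if any granted capability pattern matches the requested capability."""
    return any(fnmatchcase(capability, pattern)
               for pattern in effective_capabilities(user))


def users_with(capability):
    """Sorted list of users holding a given capability; useful for auditing
    who can, for example, change other users' passwords (security-*)."""
    return sorted(u for u in USERS if user_can(u, capability))


if __name__ == "__main__":
    for u in USERS:
        print(f"{u:10s} {sorted(effective_capabilities(u))}")
    print("can change others' passwords:",
          users_with("security-passwd-change-others"))
```

Run with no arguments to print each sample user's resolved capability set and the list of users able to change other users' passwords; in practice the audit question is usually "which accounts hold any security-* capability", and `users_with` answers it.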
Security Administration
User accounts are managed from the CLI using the following command:
useradmin
- This command allows you to list, add, and delete users
- The user account is maintained in the /etc/registry file
NOTE:
- The root user ID cannot be deleted
- No initial password for root on upgrades (new installs require a root password by default)
- Passwords cannot be the same as the user name
- Root has full admin rights to the machine without login if there are no other user definitions or password settings
User Access
- Administrative activities are logged
- For security purposes, each user should have a unique login account
- Only users can log in to the storage system
- The syslog file records console logins with the following:
  - User name (may be up to 32 characters, not case-sensitive)
  - Time of access
  - Node name and address
Listing users: an empty list (no user specified) shows general information for all users; a specific user shows detailed information about that user.
- A password may be required (see security options)
- A user must be associated with one or more groups
Authentication Management
To configure users
To configure groups
Communicate Securely
NOTE: When upgrading, a storage system will inherit the settings of the previous version
Administration Host
The setup command requests the name and IP address of the adminhost.
- This is typically a UNIX/Linux host that has access to mount the root volume from the storage system
- When mounted, root on the adminhost has root access to the root volume
- If provided, the adminhost is granted access to the root volume for administrative purposes
- If not provided, all NFS clients will be granted read-write access to the root volume (not recommended)
Restricting Access
To improve security, you can configure the storage system to allow logins only from trusted hosts. This option can be configured using:
CLI command:
options trusted.hosts [hostname|*|-]
You may specify up to five clients to be given SSH and System Manager privileges.
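Both access restrictions in this module (the adminhost's root-volume export above, and the trusted.hosts option here) are easy to get wrong silently: a sixth host in trusted.hosts, or a root volume exported read-write to everyone because no adminhost was named. The following is an added example, not code from the module or from NetApp, that checks a proposed trusted.hosts value against the stated limits and inspects a root-volume export line for clients other than the adminhost. The /etc/exports line syntax it parses (`-sec=sys,rw=host1:host2,root=host1`, bare `rw` meaning all clients) is assumed from 7-Mode conventions; the sample lines are constructed.

```python
"""Checks for the two access-restriction settings in this module:
'options trusted.hosts' and the root-volume NFS export for the adminhost.

Constructed example. The exports syntax handled here is assumed from
7-Mode conventions ('/vol/vol0 -sec=sys,rw=adminhost,root=adminhost')."""

MAX_TRUSTED_HOSTS = 5  # limit stated in the module


def parse_trusted_hosts(value):
    """Return ('any', []), ('none', []) or ('list', [hosts]) for an
    'options trusted.hosts' value; raise ValueError if the list is invalid."""
    value = value.strip()
    if value == "*":
        return ("any", [])
    if value == "-":
        return ("none", [])
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    if not hosts:
        raise ValueError("empty trusted.hosts value")
    if len(hosts) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"{len(hosts)} hosts given, maximum is {MAX_TRUSTED_HOSTS}")
    return ("list", hosts)


def is_trusted(value, client):
    """Would a client be allowed to connect under this trusted.hosts value?"""
    mode, hosts = parse_trusted_hosts(value)
    if mode == "any":
        return True
    if mode == "none":
        return False
    return client in hosts


def parse_export(line):
    """Parse an exports line into path, rw/ro/root client lists and flags.
    A bare 'rw' or 'root' (no '=') is recorded as ['*'], i.e. all clients."""
    path, _, opts = line.strip().partition(" -")
    result = {"path": path.strip(), "rw": [], "ro": [], "root": [], "flags": []}
    for opt in filter(None, opts.split(",")):
        key, eq, val = opt.partition("=")
        if key in ("rw", "ro", "root"):
            result[key] = val.split(":") if eq else ["*"]
        else:
            result["flags"].append(opt)
    return result


def root_volume_findings(line, adminhost):
    """List the problems with a root-volume export, given the intended adminhost."""
    ex = parse_export(line)
    findings = []
    if "*" in ex["rw"] or "*" in ex["root"]:
        findings.append("root volume exported read-write/root to all NFS clients")
    for who in ex["rw"] + ex["root"]:
        if who not in ("*", adminhost):
            findings.append(f"{who} has access to the root volume but is not the adminhost")
    return findings


if __name__ == "__main__":
    print(parse_trusted_hosts("adminhost,10.0.0.5"))
    # Constructed sample export lines: the first is what setup produces when
    # an adminhost was named, the second is the "no adminhost" case.
    for sample in ("/vol/vol0 -sec=sys,rw=adminhost,root=adminhost,nosuid",
                   "/vol/vol0 -sec=sys,rw,nosuid"):
        print(sample, "->", root_volume_findings(sample, "adminhost") or "ok")
```

`root_volume_findings` reports two distinct conditions: the export being open to every NFS client (the case the module warns about), and any named client other than the adminhost, since each such host's root user gets root access to the root volume when it mounts.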
Physical Access
Physical access concerns:
Guard access to your storage systems
The root password can be reset (discussed in Module 18)
Module Summary
In this module, you should have learned to:
- Restrict administrative access
- Restrict console and NetApp System Manager access
- Configure a client machine as an adminhost to manage a storage system
Exercise
Module 5: Administration Security Estimated Time: 30 minutes