I have a customer who is interested in locking down some users to be able to access specific volumes and perform a limited set of operations on those volumes.
Sounds like a perfect scenario to use a custom role. I've done some lab on demand testing to sound out the requirements.
The requirements for the role are to have the following commands available.
vol snapshot create
vol snapshot delete
vol snapshot show
vol snapshot restore
set -confirmations off
So far so good. The second requirement is that each user should only be able to perform the above options on a specific set of volumes. To make it easy, let's call them
produser - accessing volumes prod*
testuser - accessing volumes test*
devuser - accessing volumes dev*
The issue I've hit is with the snap restore command set.
I can create a role with the following
sec login role create -role prodrole -cmddirname volume -query "-volume prod*" -access all
But this doesn't include the volume snapshot restore commands. So we add the following
sec login role create -role prodrole -cmddirname "volume snapshot" -query "-volume prod*" -access all
Again, this doesn't include the volume snapshot restore commands.
So when we attempt to add this final extension to the allowed commands
sec login role create -role prodrole -cmddirname "volume snapshot restore" -query "-volume prod*" -access all
"which includes the snapshot promote command"
The wildcard on the query is rejected. So we can only add a single volume here, with multiple volumes required. Is there a way to list a set of volumes we can allow the user to perform restores for? Pipe and command separation doesn't seem to apply. I can't see anything in the documentation that hints at adding multiple valid queries.
The prod, test and dev volumes are on the same vserver, so to get the granularity we require, if possible, we'd need to lock down the command