Delegation of Solaris Zone Administration

In Solaris 11 'Zone Delegation' is a built-in feature. The Zones system now uses fine-grained RBAC authorisations to delegate management of individual zones, rather than of all zones at once, which is all the 'Zone Management' RBAC profile could grant in Solaris 10.

The delegation data can be stored with the Zone itself, or you can create RBAC profiles (which can even be stored in NIS or LDAP) that grant administrators access to specific lists of Zones.

For example, let's say we have zones named zoneA through zoneF and three admins: alice, bob and carl. We want to grant each of them management of a subset of the zones.

We can do that either by adding the admin resource to the appropriate zones via zonecfg(1M), or by working with the RBAC data directly.

First, let's look at an example of storing the data with the zone:

# zonecfg -z zoneA
zonecfg:zoneA> add admin
zonecfg:zoneA> set user=alice
zonecfg:zoneA> set auths=manage
zonecfg:zoneA> end
zonecfg:zoneA> commit
zonecfg:zoneA> exit

Now let's look at the alternate method of storing this directly in the RBAC database; this time we show all of our admins and zones:

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneA alice
# usermod -A +solaris.zone.login/zoneB alice

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneB bob
# usermod -A +solaris.zone.manage/zoneC bob

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneC carl
# usermod -A +solaris.zone.manage/zoneD carl
# usermod -A +solaris.zone.manage/zoneE carl
# usermod -A +solaris.zone.manage/zoneF carl

In the above, alice can only manage zoneA, bob can manage zoneB and zoneC, and carl can manage zoneC through zoneF. The user alice can also log in on the console of zoneB, but she can't perform the operations on it that require the solaris.zone.manage authorisation.

If you have a large number of zones and/or admins, or you just want a layer of abstraction, you can collect the authorisation lists into an RBAC profile and grant that profile to the admins. For example, let's create RBAC profiles for the things that alice and carl can do:

# profiles -p 'Zone Group 1'
profiles:Zone Group 1> set desc="Zone Group 1"
profiles:Zone Group 1> add profile="Zone Management"
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneA
profiles:Zone Group 1> add auths=solaris.zone.login/zoneB
profiles:Zone Group 1> commit
profiles:Zone Group 1> exit
# profiles -p 'Zone Group 3'
profiles:Zone Group 3> set desc="Zone Group 3"
profiles:Zone Group 3> add profile="Zone Management"
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneD
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneE
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneF
profiles:Zone Group 3> commit
profiles:Zone Group 3> exit


Now, instead of granting carl and alice the 'Zone Management' profile and the authorisations directly, we can just give them the appropriate profile:

# usermod -P +'Zone Group 3' carl

# usermod -P +'Zone Group 1' alice


If we wanted to store the profile data and the profiles granted to the users in LDAP just add '-S ldap' to the profiles and usermod commands.
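Whichever of the two methods above is used (authorisations assigned directly with usermod, or collected into a profile such as 'Zone Group 1'), what matters to a reviewer is the effective set of per-zone authorisations each admin ends up with. The script below is an added example, not part of the original post: it reads constructed user_attr(4)- and prof_attr(4)-style records that mirror the post's alice, bob and carl, expands nested profiles, and reports which zones each admin can manage or log in to. The records, the stand-in 'Zone Management' entry (which carries no authorisations of its own here), and the function names zone_access and has_zone_auth are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): resolve effective per-zone
# authorisations from user_attr/prof_attr-style records, following nested
# profiles. All records below are constructed for this example.

# Constructed prof_attr records: profname:res1:res2:desc:attr
# (descriptions contain no ':' so the simple -F: split is safe)
PROF_ATTR='Zone Management:::Zone management (constructed stand-in):
Zone Group 1:::Zone Group 1:profiles=Zone Management;auths=solaris.zone.manage/zoneA,solaris.zone.login/zoneB
Zone Group 3:::Zone Group 3:profiles=Zone Management;auths=solaris.zone.manage/zoneD,solaris.zone.manage/zoneE,solaris.zone.manage/zoneF'

# Constructed user_attr records: user:qualifier:res1:res2:attr
# alice and carl go through profiles; bob holds his auths directly.
USER_ATTR='alice::::profiles=Zone Group 1
bob::::profiles=Zone Management;auths=solaris.zone.manage/zoneB,solaris.zone.manage/zoneC
carl::::profiles=Zone Group 3'

# zone_access USER: print one sorted "zone operation" line per zone
# authorisation USER holds, directly or via any chain of profiles.
zone_access() {
    {
        printf '%s\n' "$PROF_ATTR"
        printf '%s\n' '__END_PROF__'
        printf '%s\n' "$USER_ATTR"
    } | awk -F: -v user="$1" '
    # take(attr): record auths= entries, queue profiles= entries for expansion
    function take(attr,   parts, n, i, eq, key, val, items, m, j) {
        n = split(attr, parts, ";")
        for (i = 1; i <= n; i++) {
            eq = index(parts[i], "=")
            if (eq == 0) continue
            key = substr(parts[i], 1, eq - 1)
            val = substr(parts[i], eq + 1)
            m = split(val, items, ",")
            for (j = 1; j <= m; j++) {
                if (key == "auths") auths[items[j]] = 1
                else if (key == "profiles") queue[++qn] = items[j]
            }
        }
    }
    $0 == "__END_PROF__" { in_users = 1; next }
    !in_users { prof[$1] = $5; next }   # prof_attr: profile name -> attr field
    $1 == user { take($5) }             # user_attr: the admin being queried
    END {
        # expand nested profiles breadth-first; each profile is visited once,
        # so a profile that (mistakenly) includes itself cannot loop forever
        while (qi < qn) {
            p = queue[++qi]
            if (p in seen) continue
            seen[p] = 1
            if (p in prof) take(prof[p])
        }
        for (a in auths)
            if (a ~ "^solaris[.]zone[.](manage|login)/[^/]+$") {
                split(a, f, "/")                  # f[1]=solaris.zone.OP f[2]=zone
                sub("^solaris[.]zone[.]", "", f[1])
                print f[2], f[1]
            }
    }' | sort
}

# has_zone_auth USER ZONE OP: succeed iff USER holds solaris.zone.OP/ZONE.
has_zone_auth() {
    zone_access "$1" | grep -qx "$2 $3"
}

for admin in alice bob carl; do
    echo "== $admin"
    zone_access "$admin"
done
```

On a live Solaris 11 system the two constructed strings would be replaced by the real user_attr and prof_attr data (or, for LDAP-backed profiles, by the output of the profiles and auths commands). The check reports only per-zone authorisations of the form solaris.zone.manage/ZONE and solaris.zone.login/ZONE; a wildcard grant that the post does not use would have to be looked for separately.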

For a documentation overview, see the description of the "admin" resource in zonecfg(1M), profiles(1) and usermod(1M).

Comments:

Hi Darren,

I am trying to replicate your steps on my Solaris 11 box, but I am getting the error below.
# usermod -P +Zone Management -A +solaris.zone.manage/zone3 oracle
UX: usermod: ERROR: Invalid syntax.
usage: usermod -u uid [-o] | -g group |-G [+|-]group[[,group]...] |
-d dir [-m] | -s shell | -c comment |
-l new_logname | -f inactive | -e expire |
-A [+|-]authorization[[,authorization]...] |-K key[+|-]=value ... |
-P [+|-]profile[[,profile]...] | -R [+|-]role[[,role]...] |
[-S [files | ldap]] login
#

Even creating the 'Zone Group' is failing.

# profiles -p 'Aone Group 1'
profiles:Aone Group 1> set desc="Zone Group 1"
profiles:Aone Group 1> add profile="Zone Management"
syntax error at '='
Subcommands:
add <property-name>=<property-value>
cancel
clear <property-name>
commit
delete [-F]
end
exit [-F]
export [-f output-file]
help [usage] [subcommands] [properties] [<subcommand>] [<property>]
info [<property-value>]
remove [-F] <property-name>[=<property-value>]
revert [-F]
select cmd=<path>
set <property-name>=<property-value>
verify
profiles:Aone Group 1>

Kindly help.

Regards,
Gaurav

Posted by Gaurav Mittal on January 24, 2014 at 06:22 AM GMT #

Hi Gaurav, I've updated the posting with the missing quotes, it should work if you try the updated version. This is because the RBAC profile names have spaces in them so they have to be quoted when run from the shell.

Posted by Darren J Moffat on January 24, 2014 at 11:48 PM GMT #
