Sudo privileges for the SAP HANA environment users

Each environment must have an environment (or operating system) user account. The Delphix Continuous Data Engine uses this environment user to communicate with other staging and target environments. You must grant this environment user the following two key privileges: 

  1. Disable `requiretty`. The Delphix Continuous Data Engine requires the `requiretty` setting to be disabled. This allows the environment user to run sudo commands without a logged-in terminal session (tty).

  2. Add `NOPASSWD`. By including the `NOPASSWD` qualifier, you ensure that the sudo command does not prompt for a password when executing certain commands such as mount, umount, mkdir, and rmdir.

In the example configurations, the environment username hdbadm is used. Make sure to modify the username based on the environment user available in the environment for performing the linking and provisioning operations. 

Procedure 

Perform the following steps on both the staging and target environments.  

  1. The sudo configuration is located in the /etc/sudoers file. Run the following command to open the `sudoers` file:

    vi /etc/sudoers

Tools like `visudo` can help minimize syntax errors, because they check the file before it is saved.

  2. Next, update the file with the following snippet to grant the two required privileges to the `hdbadm` user:

    Defaults:hdbadm !requiretty
    hdbadm ALL=NOPASSWD: /sbin/mount, /sbin/umount, /bin/mkdir, /bin/rmdir

Additional examples 

The examples below demonstrate how a user’s privileges can be further refined. Note that these examples are for illustrative purposes only and are subject to change. 

Example: Restrict sudo privileges 

This example restricts sudo privileges to the /hana directory. 

Example: /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS) 

    Defaults:delphix_os !requiretty
    delphix_os ALL=(root) NOPASSWD: \
    /bin/mount * /hana/*, \
    /bin/umount * /hana/*, \
    /bin/umount /hana/*, \
    /bin/mkdir -p /hana/*, \
    /bin/mkdir -p -m 755 /hana/*, \
    /bin/mkdir /hana/*, \
    /bin/rmdir /hana/*

The wildcards are allowed for the options of the mount and umount commands because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also lets you specify the file system being mounted from the Delphix Continuous Data Engine. However, wildcards are not allowed with mkdir and rmdir because those commands can take any number of arguments after the options. For those commands, you must specify the exact options (-p, -p -m 755) used by the Delphix Continuous Data Engine.

Example: Stronger user security 

This example restricts the delphix_os user's use of sudo privileges to the directory /hana, restricts the mount commands to a specific Delphix Continuous Data Engine hostname and IP, and does not allow user-specified options for the umount command. 

Example: /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only, Allowing Mounting Only from a Single Server (Linux OS) 

    Defaults:delphix_os !requiretty
    delphix_os ALL=(root) NOPASSWD: \
    /bin/mount <delphix-server-name>* /hana/*, \
    /bin/mount * <delphix-server-name>* /hana/*, \
    /bin/mount <delphix-server-ip>* /hana/*, \
    /bin/mount * <delphix-server-ip>* /hana/*, \
    /bin/mount "", \
    /bin/umount /hana/*, \
    /bin/umount * /hana/*, \
    /bin/mkdir [*] /hana/*, \
    /bin/mkdir /hana/*, \
    /bin/mkdir -p /hana/*, \
    /bin/mkdir -p -m 755 /hana/*, \
    /bin/rmdir /hana/*

This configuration is more secure, but there is a tradeoff with deployment simplicity. This approach would require a different sudo configuration for targets configured for different Delphix Continuous Data Engines. 
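The three sudoers snippets on this page (the basic one in the procedure, the /hana-restricted one, and the engine-specific "stronger" one) differ only in how their command arguments are matched, which is also what the note after the first example is explaining. The Python script below is an added example, not Delphix code and not a replacement for testing with `sudo -l` on the host: it models the argument-matching rule documented in sudoers(5) (a spec with no arguments allows any arguments, `""` allows none, and otherwise the arguments are joined with spaces and glob-matched as one string) and evaluates constructed request lines against each policy. The engine hostname and IP used to fill the `<delphix-server-name>` and `<delphix-server-ip>` placeholders are constructed values, and the request lines are constructed too.

```python
import fnmatch
import shlex

# Command specs copied from the sudoers snippets on this page. Each entry is
# "<command path>[ <argument pattern>]", exactly as written after NOPASSWD:.
BASIC_SPECS = ["/sbin/mount", "/sbin/umount", "/bin/mkdir", "/bin/rmdir"]

RESTRICTED_SPECS = [
    "/bin/mount * /hana/*",
    "/bin/umount * /hana/*",
    "/bin/umount /hana/*",
    "/bin/mkdir -p /hana/*",
    "/bin/mkdir -p -m 755 /hana/*",
    "/bin/mkdir /hana/*",
    "/bin/rmdir /hana/*",
]

# The "stronger" example uses <delphix-server-name> and <delphix-server-ip>
# placeholders; these two values are constructed for this demonstration only.
ENGINE_NAME = "delphix-engine.example.internal"
ENGINE_IP = "192.0.2.10"
STRONGER_SPECS = [
    f"/bin/mount {ENGINE_NAME}* /hana/*",
    f"/bin/mount * {ENGINE_NAME}* /hana/*",
    f"/bin/mount {ENGINE_IP}* /hana/*",
    f"/bin/mount * {ENGINE_IP}* /hana/*",
    '/bin/mount ""',
    "/bin/umount /hana/*",
    "/bin/umount * /hana/*",
    "/bin/mkdir [*] /hana/*",
    "/bin/mkdir /hana/*",
    "/bin/mkdir -p /hana/*",
    "/bin/mkdir -p -m 755 /hana/*",
    "/bin/rmdir /hana/*",
]


def spec_matches(spec, command):
    """Return True if the command line `command` is allowed by one sudoers spec.

    Rules modelled on sudoers(5):
      * the executable path must equal the spec's path (this page uses no
        wildcards in paths);
      * a spec with no argument pattern allows the command with any arguments;
      * the argument pattern "" allows the command only without arguments;
      * otherwise the command's arguments are joined with single spaces and
        glob-matched as ONE string, so a '*' can span several arguments.
    """
    spec_parts = spec.split(None, 1)
    words = shlex.split(command)
    if not words or words[0] != spec_parts[0]:
        return False
    if len(spec_parts) == 1:
        return True
    pattern = spec_parts[1].strip()
    args = words[1:]
    if pattern == '""':
        return not args
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def permitted(specs, command):
    """True if any spec in the policy allows the command."""
    return any(spec_matches(spec, command) for spec in specs)


def evaluate(policies, commands):
    """Return {command: {policy_name: allowed}} for a table of policies."""
    return {cmd: {name: permitted(specs, cmd) for name, specs in policies.items()}
            for cmd in commands}


if __name__ == "__main__":
    policies = {"restricted": RESTRICTED_SPECS, "stronger": STRONGER_SPECS}
    # Constructed request lines a provisioning job or an operator might issue.
    requests = [
        f"/bin/mount -t nfs {ENGINE_IP}:/vol/vdb1 /hana/vdb1",
        "/bin/mount -t nfs 198.51.100.7:/vol/vdb1 /hana/vdb1",
        "/bin/mount -t nfs 198.51.100.7:/vol/vdb1 /opt/data",
        "/bin/mount",
        "/bin/mkdir -p -m 755 /hana/vdb1",
        "/bin/mkdir -m 700 /hana/vdb1",
        "/bin/rmdir /hana/vdb1",
    ]
    for cmd, verdicts in evaluate(policies, requests).items():
        summary = "  ".join(f"{n}={'allow' if v else 'deny'}" for n, v in verdicts.items())
        print(f"{cmd:55s} {summary}")
```

Running the script shows the progression the page describes: the bare paths in the procedure's snippet permit any arguments, the /hana-restricted policy rejects a mount or rmdir outside /hana and a mkdir with options other than `-p` or `-p -m 755`, and the "stronger" policy additionally rejects a mount whose source is not the configured engine while still allowing a bare `mount` to list mounts. Because arguments are matched as one string, a trailing `/hana/*` also covers several /hana paths in one command, which is why the page insists on exact options for mkdir and rmdir rather than a leading wildcard.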

Non-database users, low-privileged users, and users for which privileges need to be elevated are not supported for performing SAP HANA operations.