Sudo privileges for the environment users

This topic describes the rationale behind the specific sudo privilege requirements for virtualizing IBM Db2 databases, along with a few default commands. As required by the IBM Db2 connector, you must grant the OS account used by the connector the following key privileges:

  1. Disable requiretty: The Delphix Continuous Data Engine requires the `requiretty` setting to be disabled. This allows the OS user to run sudo commands without a logged-in terminal session (tty).

  2. Add NOPASSWD: By including the NOPASSWD qualifier, you ensure that the "sudo" command does not prompt for a password when executing certain commands such as mount, umount, mkdir, and rmdir.

In the example configurations, the OS username delphix_os is used. Make sure to modify the username based on the OS user available in the environment for performing the linking and/or provisioning operations.

Since all the staging and target hosts are using the same privilege elevation profile, the hosts must all be configured with one identical OS user that will utilize privilege elevation to execute DB2 workflows.

Procedure

Perform the following steps on both the staging and target environments. 

  1. The sudo configuration is located in the /etc/sudoers file. Run the following command to open the `sudoers` file:

    vi /etc/sudoers

Editing the file with `visudo` instead helps minimize syntax errors.

  2. Next, update the file with the following snippet to grant the required privileges to the `delphix_os` user:

    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD: \
    /bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir

Configuring sudo access on AIX for IBM Db2 staging and target environments

In addition to sudo access to the mount, umount, and ps commands on AIX target hosts, Delphix Continuous Data Engine also requires sudo access to nfso. This is required on the staging/target hosts for the Delphix Continuous Data Engine to monitor the NFS read-write sizes configured on the AIX system. A super-user access level is needed to run the nfso command.

Example: AIX /etc/sudoers file for a Delphix Continuous Data Engine target

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/sbin/nfso, \
/usr/bin/ps, \
/bin/mkdir, \
/bin/rmdir

Example 1

This example restricts the delphix_os user's use of sudo privileges to the directory /db2.

Note that the wildcards are allowed for the mount and umount options because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file system being mounted from the Delphix Continuous Data Engine.

However, wildcards are not acceptable on mkdir and rmdir commands because they can have any number of arguments after the options. For those commands, you must specify the exact options (-p, -p -m 755) used by the Delphix Continuous Data Engine.

Example /etc/sudoers file configuration on the target environment for sudo privileges on the VDB mount directory only (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /db2/*, \
/bin/umount *        /db2/*, \
/bin/umount          /db2/*, \
/bin/mkdir -p        /db2/*, \
/bin/mkdir -p -m 755 /db2/*, \
/bin/mkdir           /db2/*, \
/bin/rmdir           /db2/*

Example 2

This example restricts the delphix_os user's use of sudo privileges to the directory /db2, restricts the mount commands to a specific Delphix Continuous Data Engine hostname and IP, and does not allow user-specified options for the umount command.

This configuration is more secure, but there is a tradeoff with deployment simplicity. This approach would require a different sudo configuration for targets configured for different Delphix Continuous Data Engines.

Example: Configuring the /etc/sudoers file on the target environment for privileges on the VDB mount directory only, allowing mounts only from a single server (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount           <delphix-server-name>* /db2/*, \
/bin/mount *         <delphix-server-name>* /db2/*, \
/bin/mount           <delphix-server-ip>*   /db2/*, \
/bin/mount *         <delphix-server-ip>*   /db2/*, \
/bin/mount "", \
/bin/umount          /db2/*, \
/bin/umount *        /db2/*, \
/bin/mkdir [*]       /db2/*, \
/bin/mkdir           /db2/*, \
/bin/mkdir -p        /db2/*, \
/bin/mkdir -p -m 755 /db2/*, \
/bin/rmdir           /db2/*
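Because sudo compares the caller's arguments as a single space-separated string, the wildcard reasoning behind Examples 1 and 2 can be checked before a sudoers file reaches a host. The following added script (not part of the Delphix documentation or product) models that matching with Python's fnmatch for the Example 1 command list plus the `/bin/mount ""` entry from Example 2; the mount source and directory names are constructed sample values, and the model is a simplification of sudo's real matcher.

```python
import fnmatch
import re

# Cmnd_Spec entries copied from Example 1 above, plus the '/bin/mount ""' entry
# from Example 2 (mount with no arguments at all).
EXAMPLE_SPECS = [
    "/bin/mount  *        /db2/*",
    "/bin/umount *        /db2/*",
    "/bin/umount          /db2/*",
    "/bin/mkdir -p        /db2/*",
    "/bin/mkdir -p -m 755 /db2/*",
    "/bin/mkdir           /db2/*",
    "/bin/rmdir           /db2/*",
    '/bin/mount ""',
]

def parse_spec(spec):
    """Split a Cmnd_Spec into (command path, argument pattern): None accepts any
    arguments, "" accepts none; whitespace runs collapse as sudo tokenises them."""
    parts = spec.strip().split(None, 1)
    if len(parts) == 1:
        return parts[0], None
    args = re.sub(r"\s+", " ", parts[1].strip())
    return parts[0], "" if args == '""' else args

def args_allowed(pattern, argv):
    """Simplified model of sudoers argument matching: the caller's arguments are
    joined into one space-separated string and compared with fnmatch, so '*' also
    matches across argument boundaries (hence the exact option lists above)."""
    actual = " ".join(argv)
    if pattern is None:
        return True
    if pattern == "":
        return actual == ""
    return fnmatch.fnmatchcase(actual, pattern)

def permitted(specs, path, argv):
    """True if any spec allows running `path argv` (paths are compared exactly)."""
    return any(p == path and args_allowed(pat, argv)
               for p, pat in map(parse_spec, specs))

if __name__ == "__main__":
    # Constructed probes: an NFS mount (192.0.2.10 is a documentation address) and
    # a mkdir with a mode the sudoers file does not list.
    print(permitted(EXAMPLE_SPECS, "/bin/mount", ["-t", "nfs", "192.0.2.10:/vdb1", "/db2/vdb1"]))
    print(permitted(EXAMPLE_SPECS, "/bin/mkdir", ["-p", "-m", "777", "/db2/vdb1"]))
```

On the host itself, `visudo -c -f <file>` validates the syntax of a candidate file and `sudo -l -U delphix_os <command> <args>` reports whether sudo would actually allow a given invocation.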

Privilege elevation requirements

The optional privilege elevation feature allows a non-privileged OS user (e.g., delphix_os) to gain the permissions of a privileged OS user (e.g., dlpxqa) for operations on the staging or target environments. This configuration can be valuable to maximize an environment's security posture. Privilege elevation can be used to work with Kerberos environments.

Procedure

First, the Privilege Elevation script, dlpx_db_exec, must be created and uploaded onto the Delphix Continuous Data Engine. Then, the non-privileged OS user must be granted the appropriate permissions.

Upload the privilege elevation script.

Perform one of the following methods to upload the privilege elevation script:

a) CURL file upload method

Before running any of the following commands, update the <CONTINUOUS-DATA-FQDN-or-IP>, <USERNAME>, and <PASSWORD> placeholder values.

  1. Create a session with the Delphix Continuous Data Engine. Also update the version values for the `major`, `minor`, and `micro` fields; the correct values for your Delphix Continuous Data Engine version can be found in the API version information.

    curl -i -c cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/session -d '{
        "version": {
            "major": 1,
            "minor": 11,
            "micro": 5,
            "type": "APIVersion"
        },
        "type": "APISession"}'
  2. Log in to the Delphix Continuous Data Engine as the `admin` user.

    curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/login -d '{
        "username":"<USERNAME>",
        "password":"<PASSWORD>",
        "type":"LoginRequest",
        "target":"DOMAIN"}'
  3. Copy DLPX_DB_EXEC contents to the Delphix Continuous Data Engine.

    curl -i -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{"type": "HostPrivilegeElevationProfileScript","contents": "#\n# Copyright (c) 2017 by Delphix. All rights reserved.\n#\n\n#\n# This script allows customization of command execution with an alternate user\n# account.\n# Arg $1 contains \"-u<optional user account>\" for the desired user under\n# which database commands will be executed.\n# By default this argument is ignored and the script is executed as the default\n# account.\n#\n\nif [[ $1 != -u* ]]; then\n    echo \"Incorrect command line paramaters, -u<optional user account> is required as the first parameter\"\n    exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\necho \"$user_id\" >> \/tmp\/test.log\nshift 1\n#echo \"$user_id and $DB2_DB_NAME\" >> \/tmp\/test.log\nif [ -z $user_id ]; then\n\"$@\"\nelif [[ $user_id != \"delphix_os\" ]]; then\ncommand=$(printf \"%s \" \"$@\")\nsudo su - $user_id -c \"cd \/home\/delphix_os;export DB2DBDFT=$DB2DBDFT;$command\"\nelse\n\"$@\"\nfi"}'
If the dlpx_db_exec script is updated after an environment has been added, refresh the environment to propagate the changes.

b) CLI Method

For steps on creating a privilege elevation profile, refer to CLI Cookbook: How to create or edit privilege elevation profiles and profile scripts.

Configure sudo privileges to grant privilege elevation

With privilege elevation, all IBM Db2 connector commands are run via the dlpx_db_exec script: the first parameter names the user to execute as, and the remaining parameters are the command to execute. Within this script, the commands are run using `sudo` (or some other custom elevation utility). The script may be customized by the end user, but it must always return the output of the executed command and exit with the return code from the executed command.

When a command is invoked with dlpx_db_exec, the instance IDs that were discovered during the discovery phase are passed to the script. All Db2 changes are based on top of the Db2 DB level changes.

To execute the connector commands as the high-privileged OS user, sudoers entries are required.

To add the additional sudoers entries, edit the /etc/sudoers file. Run one of the following commands to open the `sudoers` file:

vi /etc/sudoers
# or
visudo

Editing the file with `visudo` helps minimize syntax errors.

Entries required for both linking and provisioning via the low-privileged user (delphix_os). Note that the last entry, `NOPASSWD: ALL`, grants delphix_os passwordless sudo for every command as any user, which is far broader than the command list on the line before it:

Defaults:delphix_os !requiretty
delphix_os ALL=(ALL) NOPASSWD: /bin/mkdir, /bin/rmdir, /bin/mount, /bin/umount
delphix_os ALL=(ALL) NOPASSWD: ALL

The dlpx_db_exec script

The formatted dlpx_db_exec script is presented here for completeness.

#!/bin/bash
#
# This script allows customization of command execution with an alternate user
# account.
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
# account.
#

if [[ $1 != -u* ]]; then
    echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
    exit 1
fi

# Strip the leading "-u" to obtain the target user; the remaining arguments are
# the command to execute.
user_id=$(echo "$1" | sed -e "s/^-u//")
echo "$user_id" >> /tmp/test.log
shift 1
echo "$user_id and $DB2_DB_NAME" >> /tmp/test.log

if [ -z "$user_id" ]; then
    # No user requested: run the command as the current account.
    "$@"
elif [[ $user_id != "delphix_os" ]]; then
    # Elevate to the requested user, carrying over the Db2 default database
    # variable. The exit status of the elevated command becomes the exit status
    # of this script, as the connector requires.
    command=$(printf "%s " "$@")
    sudo su - "$user_id" -c "cd /home/delphix_os;export DB2DBDFT=$DB2DBDFT;$command"
else
    # The requested user is delphix_os itself: no elevation needed.
    "$@"
fi