Skip to main content
Delphix

How To Create a Privilege Elevation Profile Via CLI (KBA5888)

 

KBA

KBA# 5888

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1

5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0

5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

4.3

4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0

4.2

4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0 , 4.2.5.0, 4.2.5.1

4.1

4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0

How to Create a Privilege Elevation Profile

Delphix uses sudo as the default for its privilege elevation profile mechanism and, in order to use an alternative third party or proprietary privilege elevation mechanism other than sudo, you will need to create a privilege elevation profile and include the necessary scripts.

Delphix offers no formal support for configuring these scripts, and they are the sole responsibility of the customer to ensure they work. Customers are strongly encouraged to work with Delphix Professional Services to formulate reliable profile scripts if needed.

The contents used in the example for mount, umountmkdirrmdir & ps are the default content lines Delphix uses for the default sudo profile.

Command    Default Contents
mount      $DLPX_BIN/dlpx_pfexec mount  "$@"      
umount     $DLPX_BIN/dlpx_pfexec umount "$@"
mkdir      $DLPX_BIN/dlpx_pfexec mkdir "$@"
rmdir      $DLPX_BIN/dlpx_pfexec rmdir "$@"
ps         $DLPX_BIN/dlpx_pfexec ps "$@"

In the example below we will create the scripts to run the following commands where the dzdo binary is in directory /usr/share/centrifydc/bin.

Please be advised the CLI method is only capable of adding single-line content.

Example - dzdo

The following example walks through the process of creating a Privilege Elevation Profile utilizing dzdo, with no additional command options.

 

  1. Login to the Delphix Engine as an admin user
  2. Create the privilege elevation profile name dzdo.
    DE> host
    DE host> privilegeElevation 
    DE host privilegeElevation> profile
    DE host privilegeElevation profile> create
    DE host privilegeElevation profile create *> set name=dzdo
    DE host privilegeElevation profile create *> set version=1.0
    DE host privilegeElevation profile create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE-2
        
  3. The profile scripts for executing commands for privilege elevation via dzdo require modification of the dlpx_pfexec script used for elevation of privileges.
    DE> host
    DE host> privilegeElevation
    DE host privilegeElevation> profileScript 
    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_pfexec
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: /usr/share/centrifydc/bin/dzdo "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-8

    All other command scripts for mount, mkdir, etc, will be built with default contents provided in the previous section.

    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_mount
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: $DLPX_BIN/dlpx_pfexec mount  "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-9
    
    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_umount
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: $DLPX_BIN/dlpx_pfexec umount "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-10
    
    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_rmdir
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: $DLPX_BIN/dlpx_pfexec rmdir "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-11
        
    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_ps
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: $DLPX_BIN/dlpx_pfexec ps "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-12
        
    DE host privilegeElevation profileScript> create
    DE host privilegeElevation profileScript create *> set profile=dzdo
    DE host privilegeElevation profileScript create *> set name=dlpx_mkdir
    DE host privilegeElevation profileScript create *> set contents
    Enter contents: $DLPX_BIN/dlpx_pfexec mkdir "$@"
    DE host privilegeElevation profileScript create *> commit
        `HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-13

    In the example above, the default contents has not been changed for mount, umount, rmdirmkdir or ps but if these need to be changed then you would edit the required contents.

  4. Assign this Elevation Profile to the desired host
    DE> host 
    DE host > select '<HOST>'
    DE host '<HOST>'> update
    DE host '<HOST>' update *> set privilegeElevationProfile=dzdo
    DE host '<HOST>'  update *> commit
  5. After assigning the Elevation Profile an environment refresh of the host environment will be needed to push the changes to the selected host. This can be performed from the web interface or CLI as desired.
    DE> environment
    DE environment> select '<ENVIRONMENT>'
    DE environment '<ENVIRONMENT>'> refresh
    DE environment '<ENVIRONMENT>' refresh *> commit
    
  6. To assign the Elevation profile dzdo as the default profile for new environments:
    DE> host
    DE host> privilegeElevation
    DE host privilegeElevation> update
    DE host privilegeElevation update *> set defaultProfile=dzdo
    DE host privilegeElevation update *> commit
    

Related Articles

The following articles may provide more information or related information to this article: