Skip to main content
Delphix

How to grant non-admin user access to object(s) in a replication namespace?

Overview

The Delphix Replication feature allows for Provisioning from Replicated Data Sources and VDBs. This allows a user to select an object (Data Source or virtaul database (VDB)) that resides on the replication target Engine, in the replication target namespace, as a source for a provision operation. By default, only an 'admin' user defined in Delphix can access the objects in the replication namespace. A non-admin user will not be able to see the namespace itself, or any of the objects in that namespace. This document will detail how to provide authorizations for a non-admin user to access the objects in the replication namespace for the purposes of provisioning.

Configuration and Requirements

Given the above pre-existing configuration with the following pre-requirements:

  1. Non-Admin User (joe) - A non-admin Delphix user has been created on the replication target engine.
  2. Admin User (delphix_admin) - An admin user that can be used to set the authorizations for the non-admin user.
  3. Group (Group-B) - A group must exist in the primary namespace. This is the group into which the non-admin user wishes to provision a VDB>
  4. Replication Namespace (repl_source.domain) - Access to a replication target engine (Engine-B) that has an existing replication namespace that was created by running a replication job. Commonly, the replication namespace name is the name, or IP address, of the replication source Delphix Engine.

The following ‘authorizations' are required to be able to provision from objects in the replication namespace to the Primary Namespace (in Group-B):

  • Read’ privilege on the replication namespace - repl_source.domain

  • OWNER’ privilege on the group in the primary namespace - Group-B

  • One of the following:

    • PROVISIONER’ privilege on the entire group in the replication namespace. This allows the non-admin user to provision from any object in the specified group. Group-A and repl_source.domain

    • ‘Read’ privilege on the group in the replication namespace AND ‘PROVISIONER’ privilege on the specific object(s) under that group. This allows the non-admin user to 'read', or view, all the objects in the specified group, but only provision from the specific object that was granted with the 'PROVISIONER' privilege. Group-A and Prod-dSource and repl_source.domain

Step 1: Connect to the Replication Target

As of Delphix version 5.1 the required authorizations cannot be granted using the GUI. The CLI must be used to provide the required authorizations. To access the CLI connect to the Delphix Engine via SSH as the admin user (delphix_admin):

Systems-MacBook-Pro:~ bk$ ssh -l delphix_admin Engine-B
Password: <enter delphix_admin password>
Engine-B>

Step 2: Get the replication namespace name

Engine-B> cd /namespace
Engine-B namespace> ls
Objects
NAME      
repl_source.domain

NOTE: The namespace will be identified by the name, or IP address, of the replication source Delphix Engine (repl_source.domain).

Step 3: List the current 'authorizations'

Engine-B> cd /authorization 
Engine-B authorization> ls
Objects
REFERENCE     USER      ROLE     TARGET                    
AUTHORIZATION-1  sysadmin    OWNER    sysadmin
AUTHORIZATION-2  delphix_admin OWNER    delphix_admin
AUTHORIZATION-3  delphix_admin OWNER    domain0
AUTHORIZATION-35 joe      OWNER    joe

NOTE: Since the non-admin user has already been created there will be at least one authorization for the user but there may be more depending on what other privileges the user has been granted.

Step 4: Set 'OWNER' privilege on group in primary namespace

Engine-B authorization> create
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=OWNER 
Engine-B authorization create *> set target=Group-B 
Engine-B authorization create *> commit
Engine-B authorization> ls
Objects
REFERENCE     USER      ROLE  TARGET    
AUTHORIZATION-1  sysadmin    OWNER sysadmin
AUTHORIZATION-2  delphix_admin OWNER delphix_admin
AUTHORIZATION-3  delphix_admin OWNER domain0
AUTHORIZATION-35 joe      OWNER joe
AUTHORIZATION-58 joe      OWNER Group-B

Step 5: Set 'Read' privilege on the replication namespace

Engine-B authorization> create
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=Read
Engine-B authorization create *> set target=repl_source.domain 
Engine-B authorization create *> commit
Engine-B authorization> ls
Objects
REFERENCE     USER      ROLE  TARGET     
AUTHORIZATION-1  sysadmin    OWNER sysadmin
AUTHORIZATION-2  delphix_admin OWNER delphix_admin
AUTHORIZATION-3  delphix_admin OWNER domain0
AUTHORIZATION-35 joe      OWNER joe
AUTHORIZATION-58 joe      OWNER Group-B
AUTHORIZATION-60 joe      Read  repl_source.domain

Step 6: Set 'PROVISIONER' privilege on the group/object to provision from

The following are examples of how to set the 'PROVISIONER' privilege on the required object(s) based on the level of authorization required. More general access is provided by granting this privilege to all objects in the group, or more specific access is provided by granting privilege to only specific object within a group.

Example 1: Set 'PROVISIONER' for the entire group in the replication namespace. This will allow the non-admin user (joe) to provision from any object in that group (Group-A):

Engine-B authorization> create 
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=PROVISIONER 
Engine-B authorization create *> set target=Group-A@repl_source.domain
Engine-B authorization create *> commit
Engine-B authorization> ls
Objects
REFERENCE     USER      ROLE     TARGET       
AUTHORIZATION-1  sysadmin    OWNER    sysadmin
AUTHORIZATION-2  delphix_admin OWNER    delphix_admin
AUTHORIZATION-3  delphix_admin OWNER    domain0
AUTHORIZATION-35 joe      OWNER    joe
AUTHORIZATION-58 joe      OWNER    Group-B
AUTHORIZATION-60 joe      Read     repl_source.domain
AUTHORIZATION-61 joe      PROVISIONER Group-A@repl_source.domain

Example 2: Set 'PROVISIONER' for only a specific object (Prod-dSource) in a specific group (Group-A). This allows the non-admin user (joe) to be able to 'read', or view, all the objects in a group (Group-A), but only provision from a specific object (Prod-dSource).

Engine-B authorization> create
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=Read
Engine-B authorization create *> set target=Group-A@repl_source.domain
Engine-B authorization create *> commit
Engine-B authorization> create
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=PROVISIONER 
Engine-B authorization create *> set target=Group-A@repl_source.domain/Prod-dSource@repl_source.domain
Engine-B authorization create *> commit
Engine-B authorization> ls
Objects
REFERENCE     USER      ROLE     TARGET                    
AUTHORIZATION-1  sysadmin    OWNER    sysadmin
AUTHORIZATION-2  delphix_admin OWNER    delphix_admin
AUTHORIZATION-3  delphix_admin OWNER    domain0
AUTHORIZATION-35 joe      OWNER    joe
AUTHORIZATION-58 joe      OWNER    Group-B
AUTHORIZATION-60 joe      Read     repl_source.domain
AUTHORIZATION-62 joe      Read     Group-A@repl_source.domain
AUTHORIZATION-63 joe      PROVISIONER Group-A@repl_source.domain/Prod-dSource@repl_source.domain

NOTE: The general format for specifying an object in a replication namespace is : <object>@<namespace>. The group is merely identified as the <group>@<namespace>. Whereas the object (VDB or dSource) is referenced by the group and the object : <group>@<namespace>/<object>@<namespace>.

Step 7: Log into the Delphix Engine UI as the non-admin user

After logging into the Delphix Engine UI as the non-admin user the namespace and applicable objects from that namespace will be accessible.

 

CLI NOTE: The CLI supports <tab completion> to assist in fining available options for properties. In the following example, when specifying the target property for a specific authorization the user started typing the group name, Group-A, then hit the <tab key> and the CLI provided a list of available substitutions:

Engine-B authorization> create
Engine-B authorization create *> set user=joe
Engine-B authorization create *> set role=Read
Engine-B authorization create *> set target=Group-A<tab key>
Group-A@repl_source.domain                
Group-A@repl_source.domain/UAT-VDB@repl_source.domain 
Group-A@repl_source.domain/QA-VDB@repl_source.domain 
Group-A@repl_source.domain/Prod-dSource@repl_source.domain    

Engine-B authorization create *> set target=Group-A@repl_source.domain
Engine-B authorization create *> commit
  • Was this article helpful?