Skip to main content
Delphix

Delphix (sudo) Privilege Elevation Profiles for DelphixOS

Summary

In order for the Delphix Engine to perform out of the box functionality, such as Auto-Discovery and mounting filesystems, the DelphixOS user must be able to run some privileged user functions (aka root/superuser functions). This ability is granted through Privilege Elevation Profiles. The Delphix Engine ships with a single profile which leverages the sudo program to provide elevated privileges, however it is simple to create additional profiles which use other programs. It is possible to not use sudo to manage elevated privileges by utilizing the Privilege Elevation Profiles that Delphix has developed. All privilege elevation commands are executed with a profile, even sudo; this ensures that the use of non-sudo programs does not change the basic inner workings of Delphix. With a new privilege elevation profile, you can change the way in which the DelphixOS calls the required commands to provision Environments and perform Auto-Discovery. Additional Privilege Elevation Profiles provide integration with third party centralized privilege management software, or custom scripts; it is possible to use multiple Privilege Elevation Profiles in your environment, to support legacy programs. 

Privileged Command Details

  • ps / pargs: (Source and Target) Delphix auto-discovery uses the TNS_ADMIN environment variable of the Oracle Listener processes with non-standard configurations to discover details about the environment. An Oracle Listener is normally owned by a different user (oracle) than the delphix_osuser. The dephix_osuser needs superuser access to examine the environment variables of a Listener process owned by a different user.  
  • mkdir / rmdir: (Target only) Delphix dynamically makes and removes directories under the provisioning directory during VDB operations. This privilege is required because the provisioning directory may be owned by superuser.
  • mount / umount: (Target only) Delphix dynamically mounts and unmounts directories under the provisioning directory during VDB operations. This privilege is required because mount and umount are typically reserved for superuser.
  • nfso (Target only, AIX only) : Delphix monitors NFS read and write sizes on an AIX target host. It uses the nfso command to query the sizes in order to optimize NFS performance for VDBs running on the target host. Only a superuser can issue the nfso command.

SUDO Alternative Solutions:

Additional Privilege Elevation Profiles can be created with the assistance of Delphix, currently these option are available:

  • PowerBroker
  • sesudo
  • BoKS/Keon
  • become
  • dzdo
  • custom scripts