Folks, Since so many on this list are from Sun, I thought I would spark up a discussion on improving RBAC. I'm sure this might freak out some, so let me cover the context first.
Context:

Environment: 2,000 Sun Servers, 24/7/355 support.

Administrative Task Breakdown:

I. System Administrators
   1. First Responders - minimal skills, associated with monitoring group (extend FS, check if system is really down, etc.)
   2. Change Management Night work - India, procedure driven
   3. Team centered general administrators
      a. Primary Admin, part of design for new implementations
      b. Medium complexity Admins - assist primary admins
   4. Escalation and Engineering Administrators
II. Storage
   1. SAN Management - team for Symms and Switches
   2. Logical Volume Management - add volumes, FS, etc.
III. Application Engineering
   1. Middleware Eng
   2. Middleware Operations
IV. etc, etc, etc.

Each one of the above is a high level breakdown. And, I believe, this is common in a large company. In this type of model, there is a significant amount of work turnover between groups. This turnover can result in missed procedure steps, or complex side by side work. Even simple things such as root running root.sh during an oracle install require far more coordination than in a 10 person one location shop.

Possible Solution:

So, this is what I propose - very similar to SUDO except we would have the authorizations in addition:

1. RBAC should have a "host" field - not sure where it would be best kept in, exec_attr, prof_attr, user_attr.
2. RBAC should allow for specifying not only the command, but the arguments passed to the command
3. The "option" to specify variables in the path - please don't shoot me ;)

Now here are some examples:

I. Oracle DBA needs to install oracle
   a. If we can specify $ORACLE_HOME/blah/root.sh;uid=0 # then the dba can run root.sh without massive coordination.
   b. $CRS_HOME/bin/crs stop
II. Middleware Operational Support
   a. Using VCS for Application Management
      Example: Operator A can run hares -offline their_resource ; but not hares -offline my_resource, and not hares -modify X
      This could be mapped to a specific cluster, or set of clusters via the host and command options above, and stored in LDAP

Thoughts?

Bob Bailey
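To make the proposal concrete, here is an added example (not part of the post, and not Solaris or VCS code) that models an exec_attr-style entry extended with the three proposed columns: a host glob, an argument pattern, and variables in the command path. The entry layout `profile:host-glob:command:arg-pattern:attrs`, the VCS and Oracle paths, and the hostnames are all constructed assumptions; the key design point is that path variables are resolved from an administrator-controlled table rather than the caller's environment.

```python
"""Evaluator for the exec_attr extension proposed above: host field,
argument pattern, and admin-defined variables in the command path."""
import fnmatch
import shlex
from string import Template

# Constructed sample entries; the VCS and Oracle paths are assumptions.
# An empty argument column means the command may only be run with no
# arguments, so root.sh cannot be handed extra arguments as uid 0.
SAMPLE_ENTRIES = """
Oracle Install:db*:$ORACLE_HOME/root.sh::uid=0
Oracle Install:db*:$CRS_HOME/bin/crs:stop:uid=0
VCS Operator A:clusterA-*:$VCS_HOME/bin/hares:-offline their_resource:uid=0
"""

# Path variables come from this admin-controlled table, never from the
# caller's environment, or a user could point $ORACLE_HOME at their own script.
VARIABLES = {"ORACLE_HOME": "/u01/app/oracle/product/11.2",
             "CRS_HOME": "/u01/app/11.2/grid",
             "VCS_HOME": "/opt/VRTSvcs"}

def parse_entries(text):
    """Parse colon-separated entries into rule dicts, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        profile, host, cmd, args, attrs = line.split(":")
        rules.append({"profile": profile, "host": host, "cmd": cmd,
                      "args": shlex.split(args), "attrs": attrs})
    return rules

def args_match(patterns, actual):
    """Same argument count, and each argument matches its glob pattern."""
    return len(patterns) == len(actual) and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(patterns, actual))

def authorized(rules, profiles, host, argv, variables=VARIABLES):
    """Return the attrs of the first entry granting argv on host, else None."""
    for r in rules:
        if r["profile"] not in profiles or not fnmatch.fnmatchcase(host, r["host"]):
            continue
        cmd = Template(r["cmd"]).safe_substitute(variables)
        if argv[0] == cmd and args_match(r["args"], argv[1:]):
            return r["attrs"]
    return None

RULES = parse_entries(SAMPLE_ENTRIES)
```

With these entries, Operator A gets `hares -offline their_resource` on clusterA hosts only, while `-offline my_resource`, `-modify X`, and any clusterB host are denied.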