A cluster administrator can restrict a user to a specific set of commands by creating a custom access-control role for those commands and mapping the user account to that role. Anything the role does not list explicitly falls through to the role's DEFAULT entry, whose access level is none, so a user assigned such a role cannot run commands outside the listed command directories.
The following example creates an access-control role named "vol_snapshot" that can access only the volume snapshot commands. It then creates a user account named "snapshot_admin" for the Storage Virtual Machine (SVM, formerly known as Vserver) "vs1" and assigns the "vol_snapshot" role to that account. Because the role is created without an -access value, the entry for volume snapshot gets the default access level, all, so the user has full access to the volume snapshot commands. The user accesses the SVM with SSH and authenticates with a password.
cluster1::> security login role create -vserver vs1 -role vol_snapshot -cmddirname "volume snapshot"

cluster1::> security login role show -vserver vs1 -role vol_snapshot
           Role          Command/                              Access
Vserver    Name          Directory                    Query    Level
---------- ------------- --------- ---------------------------- --------
vs1        vol_snapshot  DEFAULT                               none
vs1        vol_snapshot  volume snapshot                       all
2 entries were displayed.

cluster1::> security login create -vserver vs1 -user-or-group-name snapshot_admin -application ssh -authmethod password -role vol_snapshot

Please enter a password for user 'snapshot_admin':
Please enter it again:

cluster1::>
The following example creates an access-control role named "sec_login_readonly". The custom role has read-only access to the security login command directory but no access to the security login domain-tunnel, security login publickey or security login role subdirectories. The more specific command directory wins, so the none entries on the subdirectories override the readonly entry on their parent, and the role can run only the security login show command. A cluster user account named "new_admin" is then created and assigned the "sec_login_readonly" role. The user accesses the cluster from the console and authenticates with a password.
cluster1::> security login role create -vserver cluster1 -role sec_login_readonly -cmddirname "security login" -access readonly

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly -cmddirname "security login domain-tunnel" -access none

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly -cmddirname "security login publickey" -access none

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly -cmddirname "security login role" -access none

cluster1::> security login role show -vserver cluster1 -role sec_login_readonly
  (security login role show)
           Role                 Command/                        Access
Vserver    Name                 Directory                Query  Level
---------- -------------------- --------- ---------------------- --------
cluster1   sec_login_readonly   DEFAULT                         none
cluster1   sec_login_readonly   security login                  readonly
cluster1   sec_login_readonly   security login domain-tunnel    none
cluster1   sec_login_readonly   security login publickey        none
cluster1   sec_login_readonly   security login role             none
5 entries were displayed.

cluster1::> security login create -vserver cluster1 -user-or-group-name new_admin -application console -authmethod password -role sec_login_readonly

Please enter a password for user 'new_admin':
Please enter it again:

cluster1::>
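The two roles above are easy to misread, because the access level a user actually gets for a given command depends on which of the role's command-directory entries is the most specific match. The following Python script is an added example, not ONTAP code or output from this page: it takes the two roles exactly as shown by security login role show and resolves the access level for a list of probe commands, so you can check a least-privilege role against the commands a user really needs before assigning it. The resolution rule it applies (longest matching command directory wins, the implicit DEFAULT entry with access none applies otherwise) is a model of the behaviour described here, the rule that readonly permits only commands ending in "show" is a simplification, and the probe commands are constructed for illustration.

```python
"""Model of how an ONTAP custom role resolves to an access level for a command.

Added example, not ONTAP code.  Assumptions: the entry whose command directory
is the longest prefix of the command wins; the implicit DEFAULT entry (access
"none") applies when nothing else matches; "readonly" permits only commands
whose last word is "show".
"""
from typing import Dict, List, Tuple

# (command directory, access level), as listed by 'security login role show'.
RoleEntry = Tuple[str, str]

# Roles as created on this page.  DEFAULT none is what ONTAP shows for a role
# that grants nothing outside its explicit entries.
VOL_SNAPSHOT: List[RoleEntry] = [
    ("DEFAULT", "none"),
    ("volume snapshot", "all"),
]

SEC_LOGIN_READONLY: List[RoleEntry] = [
    ("DEFAULT", "none"),
    ("security login", "readonly"),
    ("security login domain-tunnel", "none"),
    ("security login publickey", "none"),
    ("security login role", "none"),
]


def effective_access(role: List[RoleEntry], command: str) -> str:
    """Access level ("all", "readonly" or "none") that `role` yields for `command`.

    Matching is on whole command words, so "security login" covers
    "security login show" but not a hypothetical "security logins".
    The most specific (longest) matching command directory wins, which is
    how the "none" subdirectory entries override the "readonly" parent entry.
    """
    words = command.split()
    best_depth, best_access = 0, "none"  # DEFAULT none until something matches
    for cmddir, access in role:
        if cmddir == "DEFAULT":
            continue
        dir_words = cmddir.split()
        depth = len(dir_words)
        if words[:depth] == dir_words and depth > best_depth:
            best_depth, best_access = depth, access
    return best_access


def is_permitted(role: List[RoleEntry], command: str) -> bool:
    """True if `role` lets a user run `command`.

    Simplifying assumption: "readonly" permits only "... show" commands;
    "all" permits everything under the directory; "none" permits nothing.
    """
    access = effective_access(role, command)
    if access == "all":
        return True
    if access == "readonly":
        return command.split()[-1] == "show"
    return False


def audit(role: List[RoleEntry], commands: List[str]) -> Dict[str, bool]:
    """Map each command to whether the role permits it, for checking a
    least-privilege role against the commands a user actually needs."""
    return {cmd: is_permitted(role, cmd) for cmd in commands}


if __name__ == "__main__":
    # Constructed probe commands; not taken from the page.
    probes = [
        "volume snapshot create", "volume snapshot show", "volume create",
        "security login show", "security login create",
        "security login role show", "security login publickey show",
    ]
    for name, role in (("vol_snapshot", VOL_SNAPSHOT),
                       ("sec_login_readonly", SEC_LOGIN_READONLY)):
        print(name)
        for cmd, ok in audit(role, probes).items():
            print(f"  {'permit' if ok else 'deny  '}  {cmd}  "
                  f"({effective_access(role, cmd)})")
```

Run it as is to see the permit/deny table for both roles; to check a role of your own, paste the Command/Directory and Access Level columns from security login role show into a list of the same shape and pass it to audit with the commands the user is expected to run. Note that the Query column, which can further restrict an entry to matching objects, is not modelled here.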