Wednesday, December 20, 2017

Authentication with LDAP: Elasticsearch, Logstash, Kibana

Use the Apache httpd server as a reverse proxy to authenticate users of the ELK stack (here Kibana on port 5601).

You may need to install mod_ldap to enable LDAP authentication for httpd (on Oracle Linux 7 the mod_ldap package also ships mod_authnz_ldap, which supplies the ldap AuthBasicProvider used below).

# yum --enablerepo=ol7_optional_latest install mod_ldap

<Location "/">
        AuthType Basic
        AuthName "OnLine Services"

        AuthBasicProvider ldap

        # ldap:// carries each user's password to the directory in cleartext;
        # use ldaps:// (or LDAPTrustedMode TLS) where the directory supports it
        AuthLDAPURL "ldap://ldap.goweekend.ca/dc=goweekend,dc=ca?uid?sub?(objectclass=*)"
        Require valid-user

        # Kibana is reached on the loopback address through this proxy only; if it
        # also listens on a public interface, the authentication above can be bypassed
        ProxyPass "http://127.0.0.1:5601/"
        ProxyPassReverse "http://127.0.0.1:5601/"
</Location>
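As an added example (not part of the original post), a small Python parser for the AuthLDAPURL form used above, with a check for a cleartext ldap:// connection; the fallbacks for attribute, scope and filter are mod_authnz_ldap's documented defaults.

```python
from urllib.parse import urlparse, unquote

# Added example (not from the original post): split an Apache AuthLDAPURL
# into its parts. The directive's form is scheme://host[:port]/basedn?attribute?scope?filter
def parse_authldapurl(url):
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must use ldap:// or ldaps://: " + url)
    # everything after the base DN is '?'-separated: attribute, scope, filter
    parts = (u.query.split("?") + ["", "", ""])[:3]
    attribute, scope, ldap_filter = [unquote(p) for p in parts]
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": attribute or "uid",        # mod_authnz_ldap default
        "scope": scope or "sub",                # mod_authnz_ldap default
        "filter": ldap_filter or "(objectclass=*)",  # mod_authnz_ldap default
    }

def audit_authldapurl(url):
    """Return (parsed parts, findings a reviewer would raise for this directive)."""
    info = parse_authldapurl(url)
    findings = []
    if info["scheme"] == "ldap":
        findings.append("ldap:// sends the bind and every user's password to the "
                        "directory in cleartext; use ldaps:// or LDAPTrustedMode TLS")
    if not info["base_dn"]:
        findings.append("empty base DN: the user search starts at the directory root")
    return info, findings
```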

Tuesday, December 5, 2017

Solaris 11 ACL

ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.

Table 8-1 ACL Entry Types

  ACL Entry Type   Description
  owner@           Specifies the access granted to the owner of the object.
  group@           Specifies the access granted to the owning group of the object.
  everyone@        Specifies the access granted to any user or group that does not match any other ACL entry.
  user             With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid.
  group            With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid.
ACL access privileges are described in the following table.

Table 8-2 ACL Access Privileges

  Access Privilege   Compact   Description
  add_file           w         Permission to add a new file to a directory.
  add_subdirectory   p         On a directory, permission to create a subdirectory.
  append_data        p         Placeholder. Not currently implemented.
  delete             d         Permission to delete a file.
  delete_child       D         Permission to delete a file or directory within a directory.
  execute            x         Permission to execute a file or search the contents of a directory.
  list_directory     r         Permission to list the contents of a directory.
  read_acl           c         Permission to read the ACL (ls).
  read_attributes    a         Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).
  read_data          r         Permission to read the contents of the file.
  read_xattr         R         Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
  synchronize        s         Placeholder. Not currently implemented.
  write_xattr        W         Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.
  write_data         w         Permission to modify or replace the contents of a file.
  write_attributes   A         Permission to change the times associated with a file or directory to an arbitrary value.
  write_acl          C         Permission to write the ACL or the ability to modify the ACL by using the chmod command.
  write_owner        o         Permission to change the file's owner or group, that is, the ability to execute the chown or chgrp commands on the file. This covers taking ownership of a file and changing the group ownership of the file to a group of which the user is a member. To change the file or group ownership to an arbitrary user or group, the PRIV_FILE_CHOWN privilege is required.

ACL Inheritance

The purpose of ACL inheritance is that a newly created file or directory can inherit the ACLs it is intended to inherit, without disregarding the existing permission bits on the parent directory.
By default, ACLs are not propagated. If you set a non-trivial ACL on a directory, it is not inherited by any subsequent directory. You must specify the inheritance of an ACL on a file or directory.
The optional inheritance flags are described in the following table.

Table 8-3 ACL Inheritance Flags

  Inheritance Flag   Compact   Description
  file_inherit       f         Only inherit the ACL from the parent directory to the directory's files.
  dir_inherit        d         Only inherit the ACL from the parent directory to the directory's subdirectories.
  inherit_only       i         Inherits the ACL from the parent directory but applies it only to newly created files or subdirectories, not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
  no_propagate       n         Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
  -                  N/A       No permission granted.

In addition, you can set a default ACL inheritance policy on the file system that is more strict or less strict by using the aclinherit file system property. For more information, see the next section.

ACL Property (aclinherit)

The ZFS file system includes the aclinherit property to determine the behavior of ACL inheritance. Values include the following:
  • discard – For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
  • noallow – For new objects, only inheritable ACL entries that have an access type of deny are inherited.
  • restricted – For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
  • passthrough – When the property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance with the mode requested by the application.
  • passthrough-x – Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default value of aclinherit is restricted.
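An added example (not from the original post or the Oracle documentation) that decodes the compact notation of Tables 8-2 and 8-3 as printed by ls -V and flags entries that grant everyone@ the two privileges aclinherit=restricted strips from inherited entries; the sample ACL entries are constructed.

```python
# Added example, not from the original post: expand the compact ACL notation of
# Tables 8-2 and 8-3 ("ls -V" style "who:access-mask:inherit-flags:type" entries,
# sample entries constructed here) and flag entries that hand out ACL control.
MASK_LETTERS = "rwxpdDaARWcCos"  # positional compact access mask (Table 8-2)
FILE_MASK = ["read_data", "write_data", "execute", "append_data", "delete",
             "delete_child", "read_attributes", "write_attributes", "read_xattr",
             "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]
# r, w and p read differently on a directory (Table 8-2 lists both meanings)
DIR_MASK = ["list_directory", "add_file", "execute", "add_subdirectory"] + FILE_MASK[4:]
# Table 8-3 flags; ls -V prints further positions (audit and inherited markers)
# that the table does not cover, so those are left undecoded
INHERIT = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only", "n": "no_propagate"}

def decode_ace(entry, is_dir=False):
    """Expand one compact ACE, e.g. 'owner@:rwxp--aARWcCos:fd-----:allow'."""
    who, mask, flags, acetype = entry.rsplit(":", 3)  # who may contain ':' (user:alice)
    if len(mask) != len(MASK_LETTERS):
        raise ValueError("access mask needs %d positions: %s" % (len(MASK_LETTERS), entry))
    names = DIR_MASK if is_dir else FILE_MASK
    perms = []
    for pos, ch in enumerate(mask):
        if ch == "-":
            continue
        if ch != MASK_LETTERS[pos]:
            raise ValueError("unexpected %r at position %d in %s" % (ch, pos, entry))
        perms.append(names[pos])
    inherit = [INHERIT[ch] for ch in flags if ch in INHERIT]
    return {"who": who, "type": acetype, "perms": perms, "inherit": inherit}

def risky_entries(entries, is_dir=False):
    """Allow entries that let everyone@ rewrite the ACL or take ownership: the two
    privileges that aclinherit=restricted removes from inherited entries."""
    risky = []
    for entry in entries:
        ace = decode_ace(entry, is_dir)
        if ace["type"] == "allow" and ace["who"] == "everyone@" \
                and {"write_acl", "write_owner"} & set(ace["perms"]):
            risky.append(ace)
    return risky

# Constructed sample: a directory ACL whose everyone@ entry grants write_acl
SAMPLE_DIR_ACL = [
    "owner@:rwxp--aARWcCos:fd-----:allow",
    "group@:r-x---a-R-c--s:-------:allow",
    "everyone@:r-x---a-R-cC--:-------:allow",
]
```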

Expand a LUN in an LDOM through the Control Domain

How to modify the EFI label for a LUN that was online expanded and that belongs to a zpool. ( Doc ID 2129335.1 )

1. Before starting, save a prtvtoc output from the disk on the control
domain:

# prtvtoc /dev/rdsk/cX***d0s2 > /var/tmp/LUN-vtoc.txt


2. Set the autoexpand property to on for the zpool:

# zpool set autoexpand=on <zpool_name>


3. Increase the size of the LUN on the back end storage.

4. Run "format -e" on the control domain.

5. Select "expand", to expand to the new size of the LUN.

6. Print the current partition table, check the starting sector and the
total disk sectors, example:


Total disk sectors available: 146784222 + 16384 (reserved sectors)

Part Tag Flag First Sector Size Last Sector
0 usr wm 256 59.99GB 125812702
<....>


7. Select "0", to modify the initial slice and follow the prompts:

Enter partition id tag[usr]: <- accept default
Enter partition permission flags[wm]: <- accept default
Enter new starting Sector[34]: 256 <- Type 256 as above

On the following question use the max size as reported by format (69g):

Enter partition size[146784154b, 146784409e, 71671mb, 69gb, 0tb]:


8. Check the partition table: if the starting block is 256, all the
space is in slice 0 and there are no overlaps, use the "label" command
and select 1 for "[1] EFI Label" type.

9. Check the size of the zpool on the guest domain; if needed run the
following command:

# zpool online -e <pool_name> <LUN>

++++ end ++++

These instructions are from the document. The most important thing is that you shouldn't use the "auto config" option.

>>> 2. whole LUN is allocated to guest LDOM and managed by ASM in Oracle RAC

How to modify the EFI label for a LUN that was online expanded and that belongs to a zpool

Solaris Operating System - Version 10 3/05 to 11.3 [Release 10.0 to 11.0]
Information in this document applies to any platform.

A zpool can become suspended after online expanding a LUN that belongs to the zpool after using the "Auto configure" option from the format utility. The objective of this article is to prevent such problems.


Solution


Note: In Solaris 10, the patch 148098-03 (SPARC) / 148099-03 (x86) or later, needs to be installed for this procedure to work.


Before modifying the LUN and the zpool, make sure you have a backup of the data in the zpool and save the prtvtoc(1) output of each of the LUNs that are going to be modified:

# prtvtoc /dev/rdsk/c0t600144F0E1765470000056DDFBAC0001d0s2 > /var/tmp/c0t600144F0E1765470000056DDFBAC0001d0-label.txt

Also, make sure that the ZFS autoexpand property is set to on:

# zpool set autoexpand=on tank
# zpool get autoexpand tank
NAME  PROPERTY    VALUE  SOURCE
tank  autoexpand  on     local

Now proceed to add the space to the LUN(s) and follow the next steps to modify or verify that the label of the LUN recognizes the added space:

1. Use "format -e <LUN>" to verify/modify the label of the LUN.
2. Select the "partition" option from the format menu.
3. Select "print" to review the partition table, verify partition zero starts at block 256 and has all the space assigned to it, except for the slice eight that will have 8 MB. Verify if the partition table reports the added space. Use the prtvtoc(1) output that was saved in the beginning to compare if needed.
4. If the new space is not reported use the "expand" option from the format->partition sub menu.
5. Print again the partition table, the new space should be visible on the second line, where it says "Total disk sectors available: XXXXXXX + 16384 (reserved sectors)". Save the value of the first sector of the partition 8.
6. Type "0" on the "partition>" prompt to modify the first partition.
7. Accept the defaults for partition id tag, permission, starting sector (it should be 256).
8. Calculate the last sector of the partition zero by subtracting one from the first sector of the partition 8 noted on step #5. For example, if the first sector for partition 8 is 4177887 then use 4177886e (the "e" denotes the ending sector) on the prompt "Enter partition size". The character "$" can be used so the partition uses all available space.
9. Print again the partition table, make sure that this time the first partition starts at 256 and has the new space added to it. Do not proceed to the next step if the starting sector of the first partition is 34 or any number different from 256.
10. Type the command "label" to save the label to the disk. Select EFI if prompted for the label type and quit the format utility.
11. Check with "zpool list" if the zpool is now expanded. If not, use the command "zpool online -e <zpool_name> <LUN>" to expand the space and verify again if the space is now visible.

Important considerations:
1. Never use the "type -> Auto configure" option from the format facility.
2. Never label a LUN used by ZFS if the starting sector for the first partition is 34 or anything different from 256 for a zpool using whole disks labeled as EFI.
3. If the zpool was created against slice 0 of an EFI LUN (instead of using the whole disk), then the starting sector could be 34. The important consideration is that after adding the space and changing the label, the starting sector should remain the same.

The following is an example of the procedure outlined above:
# format -e c0t600144F0E1765470000056DDFBAC0001d0

c0t600144F0E1765470000056DDFBAC0001d0: configured with capacity of 1023.75MB
selecting c0t600144F0E1765470000056DDFBAC0001d0
[disk formatted]


FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        scsi       - independent SCSI mode selects
        cache      - enable, disable or query SCSI disk cache
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> partition


PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        expand - expand label to use the maximum allowed space
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> print
Current partition table (original):
Total disk sectors available: 2080701 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0  
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0  
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           2080735      8.00MB        2097118

partition> expand
The expanded capacity is added to the unallocated space.

partition> print
Current partition table (original):
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           4177887      8.00MB        4194270  

partition> 0 
Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256      1.99GB        4177885

Enter partition id tag[usr]:
Enter partition permission flags[wm]:
Enter new starting sector[256]:
Enter partition size[4177630b, 4177885e, 2039mb, 1gb, 0tb]: 4177886e
partition> print
Current partition table (unnamed):
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256      1.99GB        4177886  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0  
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0  
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           4177887      8.00MB        4194270

partition> label
[0] SMI Label
[1] EFI Label
Specify Label type[1]:
Ready to label disk, continue? y
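An added check (not part of the Oracle note or this post) for the procedure above, covering both the short version and the Oracle steps: it parses the partition> print output, computes the end sector for slice 0 from the first sector of slice 8, and tests the rules under Important considerations before "label" is typed. BEFORE is the table printed right after "expand" in the session above; AFTER is the same table once slice 0 was given 4177886e.

```python
import re

# Added check, not from the Oracle note or the original post: parse the
# "partition> print" output and test the rules under "Important considerations"
# before "label" is typed. BEFORE is the table printed right after "expand" in
# the session above; AFTER is the same table once slice 0 was given 4177886e.
BEFORE = """\
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734
  1 unassigned    wm                 0         0             0
  8   reserved    wm           4177887      8.00MB        4194270
"""
AFTER = BEFORE.replace("2080734", "4177886")

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_partition_table(text):
    """Map slice number -> (first sector, last sector); unassigned slices are skipped."""
    slices = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) != "unassigned":
            slices[int(m.group(1))] = (int(m.group(4)), int(m.group(6)))
    return slices

def check_expanded_label(text, expected_start=256):
    """Return the end sector slice 0 should get plus any rule violations.
    expected_start is 256 for a whole-disk EFI zpool member; pass the start
    sector from the saved prtvtoc output if the pool was built on slice 0."""
    slices = parse_partition_table(text)
    if 0 not in slices or 8 not in slices:
        return {"ok": False, "target_end": None, "findings": ["slice 0 or slice 8 missing"]}
    first0, last0 = slices[0]
    target_end = slices[8][0] - 1  # step 8: first sector of slice 8, minus one
    findings = []
    if first0 != expected_start:
        findings.append("slice 0 starts at %d, not %d: do not label" % (first0, expected_start))
    if last0 != target_end:
        findings.append("slice 0 ends at %d; answer %de at the size prompt" % (last0, target_end))
    ordered = sorted(slices.values())  # adjacent slices must not overlap
    for (_, a_last), (b_first, _) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            findings.append("slices overlap at sector %d" % b_first)
    return {"ok": not findings, "target_end": target_end, "findings": findings}
```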