How do I restrict export-policy commands to a specific user group?
Applies to
- ONTAP 9
- Role-based access control (RBAC)
Answer
- First, create a security role for this class of users and set access to the command directory "DEFAULT" to "all".
Example:
::> security login role create -role restrict -cmddirname DEFAULT -access all
- Then, for the same role, set access to the command directory "vserver export-policy" to "none":
::> security login role create -role restrict -cmddirname "vserver export-policy" -access none -query ""
- Verify the configuration:
::> security login role show -role restrict
                 Role           Command/                                  Access
Vserver          Name           Directory                   Query         Level
---------------- -------------- --------------------------- ------------- --------
aff320-2n-rtp-2  restrict       DEFAULT                                   all
                 restrict       vserver export-policy                     none
- Create a test user or group and associate the role you created with it:
::> security login create -user-or-group-name test -application ssh -authentication-method password -role restrict
Please enter a password for user 'test':
Please enter it again:
- To verify, log in to a new session as user 'test' and run a 'vserver export-policy' command; it should fail with an error:
::> whoami
  (security login whoami)
User: test
Role: restrict

::> vserver export
Error: "export" is not a recognized command

::> vserver export-policy show
Error: "export-policy" is not a recognized command
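As an added example (not from this article or from NetApp), the following Python models how the role above resolves access for a given command, assuming ONTAP applies the most specific matching command-directory entry and falls back to "DEFAULT"; the role entries and probe commands are constructed to mirror the procedure, and `check_denied` reports any probe under the restricted directory that the role would still allow.

```python
"""Model ONTAP RBAC command-directory resolution for a role.

Assumption (not stated on the page): the most specific command-directory
entry wins, and "DEFAULT" applies only when no other entry matches.
"""
from typing import List, Tuple

# Constructed to mirror the "restrict" role created on this page.
RESTRICT_ROLE: List[Tuple[str, str]] = [
    ("DEFAULT", "all"),
    ("vserver export-policy", "none"),
]

# Constructed over-broad variant: denies every "vserver ..." command.
TOO_BROAD_ROLE: List[Tuple[str, str]] = [
    ("DEFAULT", "all"),
    ("vserver", "none"),
]


def effective_access(role: List[Tuple[str, str]], command: str) -> str:
    """Return the access level ("all", "readonly", "none") that `role`
    grants for `command`, using longest whole-word prefix match."""
    words = command.split()
    default = None
    best_len, best_access = 0, None
    for cmddir, access in role:
        if cmddir == "DEFAULT":
            default = access
            continue
        prefix = cmddir.split()
        # An entry applies only if its words are the command's leading words.
        if words[: len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_access = len(prefix), access
    if best_access is not None:
        return best_access
    if default is None:
        raise ValueError("role has no DEFAULT entry and no matching directory")
    return default


def check_denied(role: List[Tuple[str, str]], denied_dir: str,
                 probes: List[str]) -> List[str]:
    """Return probe commands under `denied_dir` that `role` still allows.
    An empty list means the restriction holds for every probe."""
    return [c for c in probes
            if c.split()[: len(denied_dir.split())] == denied_dir.split()
            and effective_access(role, c) != "none"]


PROBES = ["vserver export-policy show", "vserver export-policy rule create",
          "vserver show", "volume show"]
```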