Calypso User Permissions Setup
Date: 2025-01-09
User: calypso
Status: ✅ CONFIGURED
Problem
User calypso does not have sufficient permissions to:
- Access raw disk devices (/dev/sd*)
- Run ZFS commands (zpool, zfs)
- Access tape devices
- Run SCST commands
Solution
1. Group Membership
User calypso has been added to the following groups:
- disk - Access to disk devices
- tape - Access to tape devices
- storage - Storage-related permissions
sudo usermod -aG disk,tape,storage calypso
2. Sudoers Configuration
The file /etc/sudoers.d/calypso has been created with the following permissions:
ZFS Commands
calypso ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/sbin/zfs, /usr/bin/zpool, /usr/bin/zfs
SCST Commands
calypso ALL=(ALL) NOPASSWD: /usr/sbin/scstadmin, /usr/bin/scstadmin
Tape Utilities
calypso ALL=(ALL) NOPASSWD: /usr/bin/mtx, /usr/bin/mt, /usr/bin/sg_*, /usr/bin/sg3_utils/*
System Monitoring
calypso ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/systemctl is-active *, /usr/bin/journalctl -u *
Verification
Check Group Membership
groups calypso
# Output should include: disk tape storage
Check Sudoers File
sudo visudo -c -f /etc/sudoers.d/calypso
# Should return: /etc/sudoers.d/calypso: parsed OK
Test ZFS Access
sudo -u calypso zpool list
# Should work without errors
Test Device Access
sudo -u calypso ls -la /dev/sdb
# Should show device permissions
Backend Code Changes Needed
The backend code needs to use sudo for ZFS commands. Example:
// Before (will fail with permission denied)
cmd := exec.CommandContext(ctx, "zpool", "create", ...)
// After (with sudo)
cmd := exec.CommandContext(ctx, "sudo", "zpool", "create", ...)
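One way to structure the backend change above, as an added example and not Calypso's own code: a hypothetical helper (`sudoArgv`, `runPrivileged`) that only invokes binaries whose absolute paths appear in the sudoers rules on this page, and passes `sudo -n` so a missing NOPASSWD rule fails immediately instead of waiting on a password prompt. The `allowed` map, the error value and the function names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// allowed mirrors the absolute paths in /etc/sudoers.d/calypso (wildcard entries omitted).
var allowed = map[string][]string{
	"zpool":     {"/usr/sbin/zpool", "/usr/bin/zpool"},
	"zfs":       {"/usr/sbin/zfs", "/usr/bin/zfs"},
	"scstadmin": {"/usr/sbin/scstadmin", "/usr/bin/scstadmin"},
	"mtx":       {"/usr/bin/mtx"},
	"mt":        {"/usr/bin/mt"},
}

var ErrNotAllowed = errors.New("command not in sudoers allowlist or not installed")

// sudoArgv (hypothetical) builds the argv; exists is injected so it can be tested offline.
func sudoArgv(exists func(string) bool, name string, args ...string) ([]string, error) {
	for _, p := range allowed[name] {
		if exists(p) {
			// -n: never prompt; --: end sudo option parsing before the command.
			return append([]string{"sudo", "-n", "--", p}, args...), nil
		}
	}
	return nil, fmt.Errorf("%w: %q", ErrNotAllowed, name)
}

func fileExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

// runPrivileged executes an allowlisted command through sudo, bounded by ctx.
func runPrivileged(ctx context.Context, name string, args ...string) ([]byte, error) {
	argv, err := sudoArgv(fileExists, name, args...)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	out, err := runPrivileged(context.Background(), "zpool", "list")
	fmt.Printf("%s err=%v\n", out, err)
}
```

The `sg_*` and `sg3_utils/*` wildcard rules are left out of the map on purpose; list each tool the backend actually calls by name if it needs them.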
Current Status
✅ Groups: User calypso added to disk, tape, storage groups
✅ Sudoers: Configuration file created and validated
✅ Permissions: File permissions set to 0440 (secure)
⏭️ Code Update: Backend code needs to use sudo for privileged commands
Next Steps
- ✅ Groups configured
- ✅ Sudoers configured
- ⏭️ Update backend code to use sudo for:
  - ZFS operations (zpool, zfs)
  - SCST operations (scstadmin)
  - Tape operations (mtx, mt, sg_*)
- ⏭️ Restart Calypso API service
- ⏭️ Test ZFS pool creation via frontend
Important Notes
- Sudoers file uses NOPASSWD for convenience (service account)
- Only specific commands are allowed (security best practice)
- File permissions are 0440 (read-only for root and group)
- Service restart required after permission changes
Status: ✅ PERMISSIONS CONFIGURED
Action Required: Update backend code to use sudo for privileged commands