calypso/PERMISSIONS-SETUP.md

# Calypso User Permissions Setup
**Tanggal:** 2025-01-09  
**User:** `calypso`  
**Status:** ✅ **CONFIGURED**

## Problem

User `calypso` tidak memiliki permission yang cukup untuk:
- Mengakses raw disk devices (`/dev/sd*`)
- Menjalankan ZFS commands (`zpool`, `zfs`)
- Mengakses tape devices
- Menjalankan SCST commands

## Solution

### 1. Group Membership

User `calypso` telah ditambahkan ke groups berikut:
- `disk` - Access to disk devices
- `tape` - Access to tape devices  
- `storage` - Storage-related permissions

```bash
sudo usermod -aG disk,tape,storage calypso
```

### 2. Sudoers Configuration

File `/etc/sudoers.d/calypso` telah dibuat dengan permissions berikut:

#### ZFS Commands
```sudoers
calypso ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/sbin/zfs, /usr/bin/zpool, /usr/bin/zfs
```

#### SCST Commands
```sudoers
calypso ALL=(ALL) NOPASSWD: /usr/sbin/scstadmin, /usr/bin/scstadmin
```

#### Tape Utilities
```sudoers
calypso ALL=(ALL) NOPASSWD: /usr/bin/mtx, /usr/bin/mt, /usr/bin/sg_*, /usr/bin/sg3_utils/*
```

#### System Monitoring
```sudoers
calypso ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/systemctl is-active *, /usr/bin/journalctl -u *
```

## Verification

### Check Group Membership
```bash
groups calypso
# Output should include: disk tape storage
```

### Check Sudoers File
```bash
sudo visudo -c -f /etc/sudoers.d/calypso
# Should return: /etc/sudoers.d/calypso: parsed OK
```

### Test ZFS Access
```bash
sudo -u calypso zpool list
# Should work without errors
```

### Test Device Access
```bash
sudo -u calypso ls -la /dev/sdb
# Should show device permissions
```

## Backend Code Changes Needed

Backend code perlu menggunakan `sudo` untuk ZFS commands. Contoh:

```go
// Before (will fail with permission denied)
cmd := exec.CommandContext(ctx, "zpool", "create", ...)

// After (with sudo)
cmd := exec.CommandContext(ctx, "sudo", "zpool", "create", ...)
```

## Current Status

✅ **Groups:** User calypso added to disk, tape, storage groups  
✅ **Sudoers:** Configuration file created and validated  
✅ **Permissions:** File permissions set to 0440 (secure)  
⏭️ **Code Update:** Backend code needs to use `sudo` for privileged commands

## Next Steps

1. ✅ Groups configured
2. ✅ Sudoers configured
3. ⏭️ Update backend code to use `sudo` for:
   - ZFS operations (`zpool`, `zfs`)
   - SCST operations (`scstadmin`)
   - Tape operations (`mtx`, `mt`, `sg_*`)
4. ⏭️ Restart Calypso API service
5. ⏭️ Test ZFS pool creation via frontend

## Important Notes

- Sudoers file uses `NOPASSWD` for convenience (service account)
- Only specific commands are allowed (security best practice)
- File permissions are 0440 (read-only for root and group)
- Service restart required after permission changes

---

**Status:** ✅ **PERMISSIONS CONFIGURED**  
**Action Required:** Update backend code to use `sudo` for privileged commands