calypso/PERMISSIONS-SETUP.md
2026-01-09 16:54:39 +00:00

Calypso User Permissions Setup

Date: 2025-01-09
User: calypso
Status: CONFIGURED

Problem

The calypso user does not have sufficient permissions to:

  • Access raw disk devices (/dev/sd*)
  • Run ZFS commands (zpool, zfs)
  • Access tape devices
  • Run SCST commands

Solution

1. Group Membership

The calypso user has been added to the following groups:

  • disk - Access to disk devices
  • tape - Access to tape devices
  • storage - Storage-related permissions

sudo usermod -aG disk,tape,storage calypso

2. Sudoers Configuration

The file /etc/sudoers.d/calypso has been created with the following permissions:

ZFS Commands

calypso ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/sbin/zfs, /usr/bin/zpool, /usr/bin/zfs

SCST Commands

calypso ALL=(ALL) NOPASSWD: /usr/sbin/scstadmin, /usr/bin/scstadmin

Tape Utilities

calypso ALL=(ALL) NOPASSWD: /usr/bin/mtx, /usr/bin/mt, /usr/bin/sg_*, /usr/bin/sg3_utils/*

System Monitoring

calypso ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/systemctl is-active *, /usr/bin/journalctl -u *

Verification

Check Group Membership

groups calypso
# Output should include: disk tape storage

Check Sudoers File

sudo visudo -c -f /etc/sudoers.d/calypso
# Should return: /etc/sudoers.d/calypso: parsed OK

Test ZFS Access

sudo -u calypso zpool list
# Should work without errors

Test Device Access

sudo -u calypso ls -la /dev/sdb
# Should show device permissions

Backend Code Changes Needed

The backend code needs to use sudo for ZFS commands. Example:

// Before (will fail with permission denied)
cmd := exec.CommandContext(ctx, "zpool", "create", ...)

// After (with sudo)
cmd := exec.CommandContext(ctx, "sudo", "zpool", "create", ...)
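
One way the backend could build these sudo calls, as an added example that is not Calypso's own code. The absolute paths come from the sudoers rules above; the helper names, the pool-name pattern and the /dev/ prefix check are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Paths copied from the sudoers rules on this page; anything else is refused.
var sudoTools = map[string][]string{
	"zpool":     {"/usr/sbin/zpool", "/usr/bin/zpool"},
	"zfs":       {"/usr/sbin/zfs", "/usr/bin/zfs"},
	"scstadmin": {"/usr/sbin/scstadmin", "/usr/bin/scstadmin"},
}

// Assumed policy, stricter than ZFS itself (which also permits spaces).
var poolNameRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_.:-]{0,63}$`)

type statFn func(string) (os.FileInfo, error) // os.Stat, or a fake in tests

// sudoArgv builds the argv for an allowlisted tool that is present on disk.
func sudoArgv(tool string, stat statFn, args ...string) ([]string, error) {
	for _, p := range sudoTools[tool] {
		if _, err := stat(p); err == nil {
			// -n: fail instead of prompting; --: end sudo's own option parsing.
			return append([]string{"sudo", "-n", "--", p}, args...), nil
		}
	}
	return nil, fmt.Errorf("tool %q is not allowlisted or not installed", tool)
}

// zpoolCreateArgv rejects values zpool could read as options or paths outside /dev.
func zpoolCreateArgv(stat statFn, pool string, devs ...string) ([]string, error) {
	if !poolNameRE.MatchString(pool) || len(devs) == 0 {
		return nil, fmt.Errorf("invalid pool name %q or no devices", pool)
	}
	for _, d := range devs {
		if filepath.Clean(d) != d || !strings.HasPrefix(d, "/dev/") {
			return nil, fmt.Errorf("invalid device path %q", d)
		}
	}
	return sudoArgv("zpool", stat, append([]string{"create", pool}, devs...)...)
}

func main() {
	argv, err := zpoolCreateArgv(os.Stat, "tank", "/dev/sdb")
	fmt.Println(argv, err) // on success: exec.CommandContext(ctx, argv[0], argv[1:]...)
}
```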

Current Status

Groups: User calypso added to disk, tape, storage groups
Sudoers: Configuration file created and validated
Permissions: File permissions set to 0440 (secure)
⏭️ Code Update: Backend code needs to use sudo for privileged commands

Next Steps

  1. Groups configured
  2. Sudoers configured
  3. ⏭️ Update backend code to use sudo for:
    • ZFS operations (zpool, zfs)
    • SCST operations (scstadmin)
    • Tape operations (mtx, mt, sg_*)
  4. ⏭️ Restart Calypso API service
  5. ⏭️ Test ZFS pool creation via frontend

Important Notes

  • Sudoers file uses NOPASSWD for convenience (service account)
  • Only specific commands are allowed (security best practice)
  • File permissions are 0440 (read-only for root and group)
  • Service restart required after permission changes

Status: PERMISSIONS CONFIGURED
Action Required: Update backend code to use sudo for privileged commands