Delegation of Solaris Zone Administration
By darrenm on Jul 04, 2012
In Solaris 11 'Zone Delegation' is a built in feature. The Zones system now uses finegrained RBAC authorisations to allow delegation of management of distinct zones, rather than all zones which is what the 'Zone Management' RBAC profile did in Solaris 10.
The data for this can be stored with the Zone or you could also create RBAC profiles (that can even be stored in NIS or LDAP) for granting access to specific lists of Zones to administrators.
For example lets say we have zones named zoneA through zoneF and we have three admins alice, bob, carl. We want to grant a subset of the zone management to each of them.
We could do that either by adding the admin resource to the appropriate zones via zonecfg(1M) or we could do something like this with RBAC data directly:
First lets look at an example of storing the data with the zone.
# zonecfg -z zoneA
zonecfg:zoneA> add admin
zonecfg:zoneA> set user=alice
zonecfg:zoneA> set auths=manage
zonecfg:zoneA> end
zonecfg:zoneA> commit
zonecfg:zoneA> exit
Now lets look at the alternate method of storing this directly in the RBAC database, but we will show all our admins and zones for this example:
# usermod -P +Zone Management -A +solaris.zone.manage/zoneA alice
# usermod -A +solaris.zone.login/zoneB alice
# usermod -P +Zone Management-A +solaris.zone.manage/zoneB bob
# usermod -A +solaris.zone.manage/zoneC bob
# usermod -P +Zone Management-A +solaris.zone.manage/zoneC carl
# usermod -A +solaris.zone.manage/zoneD carl
# usermod -A +solaris.zone.manage/zoneE carl
# usermod -A +solaris.zone.manage/zoneF carl
In the above alice can only manage zoneA, bob can manage zoneB and zoneC and carl can manage zoneC through zoneF. The user alice can also login on the console to zoneB but she can't do the operations that require the solaris.zone.manage authorisation on it.
Or if you have a large number of zones and/or admins or you just want to provide a layer of abstraction you can collect the authorisation lists into an RBAC profile and grant that to the admins, for example lets great an RBAC profile for the things that alice and carl can do.
# profiles -p 'Zone Group 1'
profiles:Zone Group 1> set desc="Zone Group 1"
profiles:Zone Group 1> add profile="Zone Management"
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneA
profiles:Zone Group 1> add auths=solaris.zone.login/zoneB
profiles:Zone Group 1> commit
profiles:Zone Group 1> exit
# profiles -p 'Zone Group 3'
profiles:Zone Group 1> set desc="Zone Group 3"
profiles:Zone Group 1> add profile="Zone Management"
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneD
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneE
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneF
profiles:Zone Group 1> commit
profiles:Zone Group 1> exit
Now instead of granting carl and aliace the 'Zone Management' profile and the authorisations directly we can just give them the appropriate profile.
# usermod -P +'Zone Group 3' carl
# usermod -P +'Zone Group 1' alice
If we wanted to store the profile data and the profiles granted to the users in LDAP just add '-S ldap' to the profiles and usermod commands.