<admin_dir_path>bpnbaz -[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -[AddGroup | DelGroup] Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -[ListPerms | ListMainObjects | ListGroups | ShowAuthorizers] [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -ListGroupMembers Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -AddPerms Permission_1[,Permission_2,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -DelPerms [Permission_1,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFile Credential]
<admin_dir_path>bpnbaz -[AllowAuthorization | DisallowAuthorization] Machine_Name [-M server] [-Server server1.domain.com]
<admin_dir_path>bpnbaz -SetupClient [client.server.com] [-out file] | -all [-images] [-out file] | [-file progress_file] [-dryrun] [-disable]
<admin_dir_path>bpnbaz -SetupMedia [media.server.com [-out file] | -all [-out file] | -file progress_file] [-dryrun] [-disable]
NetBackup uses the bpnbaz command to access the authorization portion of Symantec Product Authentication and Authorization Service. Authorization checks the rights on an object. This command enables you to do the following:
To use this command and its associated options, you must be a member of the NetBackup Security Administrators group (NBU_Security Administration). The only exception is with the SetupSecurity command.
You must have local administrator privileges on the authorization server to run this command.
When you use bpnbaz, assume that the Master server and the Az server are the same computer.
-AddGroup Group_Name
Creates an authorization group that is defined with the variable Group_Name.
-AddPerms Permission_1[,Permission_2,...] -Group Group_Name -Object Object
Adds the specified permissions for the given role to the object or policy in question. Refer to the NetBackup Administrator's Guide for more information.
-AddUser Group_Name Domain_Type:Domain_Name:User_Name
Adds the user by creating a unique enterprise account name, following this format: <Authentication type>:<Domain_Type>:<User_Name>. The supported Authentication types for this variable are:
Nis ... Network Information Services
NISPLUS ... Network Information Services Plus
Unixpwd ... UNIX Password file on the Authentication server
WINDOWS ... Primary Domain Controller or Active Directory
Vx ... Veritas Private database
The Domain_Type variable is the domain to which the user or group belongs, and the User_Name variable defines the applicable user or group name.
-AllowAuthorization Machine_Name
Specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) can examine the Authorization database to perform authorization checks.
Determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns "61". Only NetBackup installers use this option.
-CredFile Credential
Specifies a file name (Credential) from which to obtain a Symantec Product Authentication and Authorization Service credential, rather than the default location.
-DelGroup Group_Name
Deletes an Az group from the authorization engine and removes all the members of the group. This operation is not reversible; if you remove a group, you revoke the rights that are granted to members of the group.
-DelUser Group_Name Domain_Type:Domain_Name:User_Name
Removes a user from an authorization group. This operation is not reversible. Refer to the -AddUser option for definitions of the Domain_Type, User_Name, and Authentication types.
-DisallowAuthorization Machine_Name
Specifies which computers are not allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are not permitted to examine the Authorization database to perform authorization checks.
-Group Group_Name
Identifies the authorization group on which an operation is to be performed. NetBackup does not allow user groups to be nested.
-ListGroupMembers Group_Name
Lists the group members that are associated with the particular group defined by Group_Name.
-ListMainObjects
Lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that you can use to verify changes to permissions on an object. This option shows the permissions each group has within the authorization system.
-ListPerms
Shows all applicable permissions for a given object or object type within the database. This option helps the user to create meaningful customizations to their authorization.
-M server
Specifies the name of the master server as defined in the variable server. This server name may be different from the local host name.
-Object Object
Controls the access to the specified objects or object collections.
-OSGroup
Defines a named collection of authentication principals that are established in a native operating system and treated as a single entity. All members of an authentication group or OS group are from the same authentication domain.
-SetupClient
Sets up NBAC on the client. Run it after bpnbaz -SetupMaster has completed successfully. It can be run from the master server. It expects connectivity between the master server and the target client systems.
The following describes the options that can be part of the bpnbaz -SetupClient command.
client.server.com specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.
-out file specifies the output file. The default is SetupClient.nbac.
-all scans all the storage units and collects all unique host names. You can scan in a sorted order. The results are written to the progress file.
-images searches all images for unique host names. Do not use this option with large catalogs unless you include the -dryrun option. This option discovers all unique clients that are contained in the image catalog. Older catalogs may contain a large number of decommissioned hosts, renamed hosts, and hosts relocated to new masters. Runtime can increase significantly as this command tries to contact unreachable hosts.
-file progress_file specifies a different file name for the progress log. If -file is used, the input and output files are the same, which allows multiple rounds to execute without changing the command.
-dryrun generates the list of media server names and writes them to the log.
-disable disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.
By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. This file is formatted as follows:
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/09 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/09 12:09:39)
The first line indicates that client1.server.com has not yet been contacted at all.
The second line indicates that client2.server.com has been successfully contacted. Each success is commented out (with a leading #) and is not contacted multiple times.
The third line indicates that client3.server.com has been contacted but that there was an error.
Errors are printed on the command line with a general recommendation of what to do about the error. The error number is recorded in the logs (bperror -S and the error number should help indicate what has gone wrong). The progress files are designed to be used iteratively. For example, the file can be fed back in a second time once client3.server.com is available online.
-SetupMaster
Sets up the master server to use NBAC. The bpnbaz -SetupMaster command takes no user arguments. You are prompted for the password for your current operating system user identity. The authorization server and authentication broker must be installed and running on the master server.
-SetupMedia
A NetBackup administrator group member can run the bpnbaz -SetupMedia command after bpnbaz -SetupMaster has completed successfully. It can be run from the master server. It expects connectivity between the master server and the target media server systems.
The following describes the options that can be part of the bpnbaz -SetupMedia command.
media.server.com is the name of a single target host. Use this option to add a single additional host for use with NBAC.
-all goes through all the storage units and collects all unique host names that are found in them. The hosts are tried in sorted order. The results are written to the progress file.
-dryrun can generate the list of media server names and write them to the log. This option can work with media.server.com but it is intended to be used with the -all option.
-disable disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.
-file progress_file option is used to specify a different file name for the progress log.
-out file specifies the output file. The default is SetupMedia.nbac.
By default, this command logs messages to the SetupClient.nbac file in the local directory. This file is formatted as follows:
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/09 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/09 12:09:39)
The first line indicates that client1.server.com has not yet been contacted at all.
The second line indicates that client2.server.com has been successfully contacted. Each success is commented out using the leading # character and thus is not contacted multiple times.
The third line indicates that client3.server.com has been contacted but that an error has occurred. The command prints the errors on the command line with a general recommendation of how to fix the error. The logs list the error number, and bperror -S should help indicate the problem. Use the progress files iteratively. For example, the file can be fed back in a second time once client3.server.com is available online.
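The progress file written by -SetupClient and -SetupMedia (same three-line layout in both descriptions above) can be audited before it is fed back for a second round. The following Python parser is an added example, not part of the bpnbaz manual or NetBackup itself; it works on a constructed sample in the documented format, classifies each host as pending, success or error, and returns the hosts a retry run would contact again. The status names, codes and timestamps in the sample are taken from the documented example; the trailer layout is assumed from it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the three-line layout the manual describes for
# SetupClient.nbac / SetupMedia.nbac (not a real capture).
SAMPLE_PROGRESS = """\
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/09 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/09 12:09:39)
"""

# Trailer bpnbaz appends after contacting a host: "#STATUS(code) @(timestamp)".
# Whitespace before "(" is optional: both "SUCCESS (0)" and
# "INTERNAL_ERROR(68)" appear in the documented sample (assumed layout).
_TRAILER = re.compile(
    r"#\s*(?P<status>[A-Z_]+)\s*\((?P<code>\d+)\)\s*@\((?P<when>[^)]*)\)"
)


@dataclass
class HostEntry:
    host: str
    state: str                   # "pending", "success" or "error"
    code: Optional[int] = None   # NetBackup status code, None while pending
    status: Optional[str] = None
    when: Optional[str] = None


def parse_progress(text: str) -> list[HostEntry]:
    """Classify every host line of a bpnbaz progress file.
    A host commented out with a leading # completed successfully and is not
    contacted again; an uncommented host with a status trailer was contacted
    but failed; a bare host name has not been tried yet."""
    entries: list[HostEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        done = line.startswith("#")
        body = line.lstrip("#").strip()
        m = _TRAILER.search(body)
        if m is None:
            entries.append(HostEntry(body, "pending"))
            continue
        host = body[:m.start()].strip()
        code = int(m.group("code"))
        state = "success" if done and code == 0 else "error"
        entries.append(HostEntry(host, state, code, m.group("status"), m.group("when")))
    return entries


def hosts_to_retry(text: str) -> list[str]:
    """Hosts a second run with -file progress_file will contact again."""
    return [e.host for e in parse_progress(text) if e.state != "success"]
```

Feed the error codes from the "error" entries to bperror -S before re-running, since the file only records the number.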
-Server server1.domain.com
Specifies the Az server being used. Currently the Az server and the NetBackup master server are expected to exist on the same system.
-ShowAuthorizers
Lists the computers that are allowed to perform authorization checks.
Modifies the NetBackup operation schema by adding authorization objects. In addition, this option upgrades default user accounts with default permissions for these new objects.
NetBackup installers use this option when you upgrade from NetBackup 6.0 to NetBackup 6.5. The customer can use this option if the upgrade fails during installation. You must have NBU_Security Admin privileges.
The -Silent option directs the upgrade operation to automatically enhance the permissions of groups to account for new objects in the system. This option occurs only for the default groups, and only if those groups have never been changed.
See the NetBackup Security and Encryption Guide for more information.
EXAMPLE 1 - Create and list an Az group
An Az group is a collection within the Authorization engine in which other OS groups and OS users are placed. This collection is the building block against which permissions are applied to the objects within the database. If you add a user to an Az group, you grant them all the rights and privileges that are associated with that group. When a user is placed in more than one group, that user's effective permissions are the logical "or" of the applicable permissions of each group to which the user belongs. The following example demonstrates how to create and list an Az group.
# bpnbaz -AddGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
New Group 1
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.
EXAMPLE 2 - Delete an Az group
If you delete an Az group from the authorization engine, all the members are removed from the group. This operation is not reversible. When you remove a group, you revoke the rights that are granted to members of the group. Therefore, carefully consider the implications of deleting groups.
# bpnbaz -DelGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.
EXAMPLE 3 - Add and remove users from Az groups (and List group members)
Add users by creating a unique enterprise name of the following format: <Authentication type>:<Domain to which user or group belongs>:<user or group name>
# bpnbaz -AddUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: ssosa
Operation completed successfully.
# bpnbaz -DelUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
Operation completed successfully.
EXAMPLE 4 - List applicable permissions
The -ListPerms option shows all applicable permissions for a given object or object type within the database. This information helps the user to create meaningful customizations to their authorization.
# bpnbaz -ListPerms -server test.domain.veritas.com
Object Type: Unknown
  Browse
Object Type: Media
  Browse
  Read
  New
  Delete
  Eject
  .
  .
  .
  Restart
  Synchronize
Object Type: PolicyGroup
  Browse
  Read
  New
  Delete
  Activate
  Deactivate
  Backup
Operation completed successfully.
The -ListMainObjects option lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that can be used to verify changes to permissions on an object. It shows what permissions each group has within the authorization system.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Policy:
  Role: NBU_User
    Unknown
  Role: NBU_Media Device Operator
    Browse
    Read
  Role: NBU_Executive
    Read
    Browse
  Role: NBU_Database Agent Operator
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Read
  Role: NBU_Admin
    Browse
    New
    Activate
    Backup
    Read
    Delete
    Deactivate
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
. . .
NBU_RES_Job:
  Role: NBU_Media Device Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Executive
    Browse
    Read
  Role: NBU_Database Agent Operator
    Unknown
  Role: NBU_User
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Admin
    Browse
    Delete
    Resume
    Read
    Suspend
    Cancel
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
. . .
Operation completed successfully.
EXAMPLE 6 - Add and delete permissions from an object or policy
The -AddPerms option adds the specified permissions for the given role to the object or policy in question. The -DelPerms option with no permission list deletes all permissions from an object for a given group.
# bpnbaz -AddPerms Browse,Read,New,Delete -Group TestGroup1 -Object NBU_RES_Job -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
NBU_RES_Unknown:
  Role: NBU_User
  . . .
NBU_RES_Job:
  Role: NBU_Media Device Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Executive
    Browse
    Read
  Role: NBU_Database Agent Operator
    Unknown
  Role: TestGroup1
    Read
    Delete
    New
    Browse
  Role: NBU_User
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Admin
    Browse
    Delete
    Resume
    Read
    Suspend
    Cancel
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
NBU_RES_Service:
  Role: NBU_Unknown
  . . .
Operation completed successfully.
# bpnbaz -DelPerms -Group TestGroup1 -Object NBU_RES_Policy -server test.domain.veritas.com
Operation completed successfully.
EXAMPLE 7 - Specify what servers can perform authorization checks
This example also shows which servers can perform authorization checks, and then disallows a server from performing authorization checks.
The -AllowAuthorization option specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are permitted to examine the Authorization database to perform authorization checks. The following examples demonstrate how to allow or disallow a computer to perform authorization.
# bpnbaz -AllowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@test.domain.veritas.com
Name: butterball.domain.veritas.com
Operation completed successfully.
# bpnbaz -DisallowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
Operation completed successfully.
EXAMPLE 8 - Set up initial security bootstrapping
The user must run the -SetupSecurity option as root on the Az server. The user must then provide the logon information for the first NetBackup Security administrator.
Note: The root user on the system on which the Az server is installed is always a security administrator.
# bpnbaz -SetupSecurity test.domain.veritas.com -server test.domain.veritas.com
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Domain: domain.veritas.com
Name: ssosa
Password:
Authentication type (NIS, NISplus, WINDOWS, vx, unixpwd): NIS
Operation completed successfully.