Networker

Re: [Networker] Can a non-root user run nsrjb command?

2005-06-17 11:39:37
Subject: Re: [Networker] Can a non-root user run nsrjb command?
From: Dale Mayes <dmayes AT KIMBALL DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 17 Jun 2005 10:37:40 -0500
On HP-UX we just change file permissions on the nsrjb binary,
"/tmp/scsidev@0.0.0.lck" and "/dev/lgto/c0t0d0" (substitute the appropriate
values for the "0's").

This allows our operators to run any nsrjb based commands.

-----Original Message-----
From: Legato NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] 
On Behalf Of Dave Mussulman
Sent: Friday, June 17, 2005 10:19 AM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: Re: [Networker] Can a non-root user run nsrjb command?

George,

As you noted a few times in your message, the nwadmin GUI does a few
things poorly while the command line tools work very well.  The clincher
for using nsrjb over nwadmin inventory commands for me was parallelism
... nsrjb uses N-1 drives for inventories (all N drives if you add -f
flags for each device,) and the GUI does them serially.  You can also
add non-adjacent slots to one nsrjb command and let it do its thing.
(nsrjb -I -S 3-5 -S 20-32)  And, as you noted, the GUI doesn't report on
what it's doing.

I think you'll spend a lot less time setting up sudo and getting your
users comfortable with nsrjb than you will trying to make the GUI do
what you want.

Dave

On Fri, Jun 17, 2005 at 09:51:00AM -0400, George Sinclair wrote:
> Thank you. That was very helpful. I played around with those operation 
> fields from the GUI as a non-root administrator, and they work okay. 
> Will probably use this method since scripting is a bit too much right 
> now. A non-root administrator(s) can use the GUI for this, but may 
> consider setting up Sudo at some point in the near future.
> 
> One thing I notice, though, is that the GUI isn't very good at letting 
> you know you've attempted an illegal operation like trying to import a 
> tape into an occupied slot or trying to import a tape when there is 
> nothing in the CAP door to import and/or if you were, say specifying the 
> wrong Port number. The nsrjb command will tell or warn you. I see 
> nothing in the messages window for Nwadmin or the jukebox window itself 
> when doing this via the GUI. Even /nsr/logs/messages or daemon.log 
> mentions nothing.
> 
> Question:
> Is there a way to monitor the progress of the withdraw or deposit 
> functions? The GUI shows no hourglass or progress indicator. For things 
> like labeling and inventorying, the main window at least shows some 
> activity, but for deposits/withdrawals, it just comes right back. The 
> "Messages" field in the jukebox window does get updated but only after 
> the operation completes, and you have to close it out and re-open that 
> screen to see the new entry; it's not real-time. The only way I can see 
> is to login to the storage node or server and run something like: 'ps 
> -ef l | grep nsrjb' to see if the actual nsrjb process is running. Of 
> course, the user could do this or look at the mount list to see if the 
> volumes are listed in the slots, but it is nice to know when the command 
> is completed. With the nsrjb command at least you know when it's done.
> 
> Thanks.
> 
> George
> 
> Davina Treiber wrote:
> 
> >George Sinclair wrote:
> > 
> >
> >>I'm not aware that the NSR jukebox resource would do anything for you.
> >>The user doesn't need to update/modify this resource, they need to be
> >>able to do things like import/export/label/inventory tapes, stuff like
> >>that.
> >>   
> >>
> >
> >Well Tarik is correct but I don't think he explained too well what this
> >allows you to do.
> >It is rather obscure, but there are a number of attributes you can
> >update in the NSR jukebox resource (from nwadmin or nsradmin) which will
> >cause nsrjb commands to be executed (as root, naturally). I believe the
> >relevant attributes are:
> >                  operation: ;
> >           operation device: ;
> >            operation slots: ;
> >            operation ports: ;
> >          operation options: ;
> >         operation barcodes: ;
> >but some others may also be relevant.
> >In order to use this functionality you would probably need to spend a
> >fair bit of time scripting the actions you require, it's obscure but
> >possible. I haven't done it myself, I prefer to take the easy option and
> >use sudo or a suid perl script.
> >
> > 
> >
> >>The command line nsrjb binary is nice since it allows you to label tapes
> >>using multiple drives. The nwadmin GUI too seems limited to whatever
> >>drive you select. Also, the Unix version of nwadmin does not offer an
> >>import/export tape feature like the Windows version does,
> >>   
> >>
> >
> >Actually it does, but it is hidden away. In fact it uses the same
> >attributes mentioned above. Look at the operation field of the NSR
> >jukebox resource, it's a hidden attribute. The pull down values include
> >deposit, withdraw, and reset. You might find this useful.
> >
> > 
> >
> >>Tarik El Mansouri wrote:
> >>
> >>   
> >>
> >>>Hello
> >>>
> >>>Yes it's possible.
> >>>Two ways.
> >>>
> >>>It's possible on Solaris using RBAC (/etc/security directory).
> >>>The other way is to use an nsradmin script by updating the "NSR
> >>>jukebox resource"
> >>>
> >>>Regards,
> >>>Tarik EL MANSOURI
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>--- George Sinclair <George.Sinclair AT NOAA DOT GOV> wrote:
> >>>
> >>>
> >>>
> >>>     
> >>>
> >>>>Hi,
> >>>>
> >>>>Is it possible for a non-root user, who is on the administrator list,
> >>>>to be able to run the nsrjb command without resorting to Sudo? It
> >>>>appears that only the super user can run this, as the non-root
> >>>>administrator receives:
> >>>>
> >>>>nsrjb: You are not authorized to run this command.
> >>>>
> >>>>and the user was logged in on the primary server and storage node,
> >>>>and is listed for each in the server setup.
> >>>>
> >>>>Seems that if you can perform functions like labeling, inventorying,
> >>>>etc. via the GUI then you should be able to do it from the command
> >>>>line, too, using nsrjb? Why does NetWorker not allow this? Am I
> >>>>missing something? The file permissions on the binary allow it, but
> >>>>looks like NetWorker is still saying 'no' if you're not super user. 
> >>>>The command line is preferred for many things but looks like only the
> >>>>Sudo utility will be a work around? Not opposed to it, just asking.
> >>>>
> >>>>Also, are there other NetWorker binaries that a non-root user cannot
> >>>>run BUT that  a backup tape operator or assistant would need? nsrjb
> >>>>is the main one I can think of.
> >>>>       
> >>>>
> >
> >--
> >Note: To sign off this list, send a "signoff networker" command via email
> >to listserv AT listserv.temple DOT edu or visit the list's Web site at
> >http://listserv.temple.edu/archives/networker.html where you can
> >also view and post messages to the list. Questions regarding this list
> >should be sent to stan AT temple DOT edu
> >=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
> >
> > 
> >
> 
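For the file-permission approach mentioned at the top of this thread, a check that can be run after the modes are changed (an added example, not code from any poster): it flags a file that is setuid/setgid and executable by everyone, or writable by everyone. The thread does not say which modes were set; the paths are passed as arguments and are site-specific assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit files whose modes were changed so
# operators can run nsrjb. Paths given on the command line are site-specific.

# has_bits PATH OCTAL: true when every bit in OCTAL is set on PATH.
# find -H follows a symlink named on the command line; -prune stops descent.
has_bits() {
    [ -n "$(find -H "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# risk_of PATH: prints a space-separated list of findings, empty when clean.
risk_of() {
    if [ ! -e "$1" ]; then
        echo "missing"          # e.g. lock file absent while the jukebox is idle
        return 0
    fi
    out=""
    # setuid or setgid AND executable by "other": every local account gets the
    # owner's (or group's) privileges, not only the operators.
    if { has_bits "$1" 4000 || has_bits "$1" 2000; } && has_bits "$1" 0001; then
        out="setid-world-exec"
    fi
    # Writable by "other": any local user can write to the device or lock file.
    if has_bits "$1" 0002; then
        out="${out:+$out }world-write"
    fi
    echo "$out"
}

# audit_paths PATH...: prints "PATH: findings" per problem, returns 1 if any.
audit_paths() {
    rc=0
    for f in "$@"; do
        r=$(risk_of "$f")
        case "$r" in
            ""|missing) ;;                 # clean, or nothing to check
            *) echo "$f: $r"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit.sh <nsrjb binary> <lock file> <device node>
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
fi
```

A mode such as 4750 or 0660 with the group set to the operators' group passes the check; 4755 or 0666 is reported.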