With Enginuity 5875 and SE 7.2.0, new array-based licensing has been introduced. This means any host attached to the array with SE installed will have unrestricted access to the array and can make configuration changes. This has necessitated the implementation of host-based Symmetrix Access Control on the arrays. The purpose is to prevent servers from making config changes on the arrays, and to restrict their access to a specific set of snaps/clones and the corresponding source devices. The overall process involves readying the array for access control, and then configuring the accesses as per the requirements.
Initial configuration on the array will be carried out by EMC CE. Steps involve:
* Enable Symmetrix Access Control (symacl)
* Create administrator accgroup
* Add management hosts to the group to carry out ACL administration
* Add service processor to the group for EMC remote support
* Create symacl pin or password which will be required to carry out ACL administration. Environment variable SYMCLI_ACCESS_PIN can be set so as to avoid prompt for PIN every time symacl command is run to change the configuration.
Initial set up can be verified as below.
MgmtHostA# symacl -sid 1234 show accgroup AdminGrp
Access Group: AdminGrp
Symmetrix ID: 000294901234
Access ID Name
--------------
gmthostA - Management Host (ECC)
gmthostB - Management Host (SE, SPA, SMC)
aclpin123 - PIN used for ACL manipulation
SP1234 - Service Processor
MgmtHostA# symacl -sid 1234 list -acl
Symmetrix ID: 000294901234
Group Name Pool Name Access Type
---------------------------------- --------------------------------- -----------
AdminGrp ALL_DEVS ADMIN
AdminGrp ALL_DEVS ALL
UnknwGrp ALL_DEVS BASE
UnknwGrp !INPOOLS ALL
MgmtHostA #
Now that the initial set up is complete, let's proceed to the configuration on the arrays for servers accessing their storage. The steps listed below illustrate the commands to run when you have a hostname, snap or clone devices, and their corresponding source devices (which could be replicated or non-replicated).
Setting ACL for non-replicated devices
Summary of steps:
* Create an access group containing the hostname
* Create an access pool containing the devices
* Associate access group and access pool by granting desired permissions
Steps in detail with commands:
* Generate a unique acl id for a given host (to be run on the given host)
servA# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servA#
* Prepare a file containing related commands on management host
MgmtServ# cat servA_acl
# Create an access group with appropriate naming convention
create accgroup servA_grp;
# Add the host to access group using its unique id
# There is a limitation of 8 characters on the name that you can assign
add host accid 2F5800AD-55448DCE-9D3D758B name servA to accgroup servA_grp;
# Create an access pool with appropriate naming convention
create accpool servA_pool;
# Add source and target devices to access pool
add dev 1000:100F to accpool servA_pool; # these are standard devices which are either snapped or cloned
add dev 2000:200F to accpool servA_pool; # these are either snaps or clones
# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servA_grp for ALL devs;
grant access=BCV to accgroup servA_grp for accpool servA_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servA_grp for accpool servA_pool; # To grant SNAP access for snaps
MgmtServ#
* Preview/Prepare/Commit ACL changes
MgmtServ # symacl -sid 1234 -file servA_acl <preview|prepare|commit>
Enter Access PIN: <aclpin123> # This is symacl pin generated by CE. It won't be prompted
# if SYMCLI_ACCESS_PIN has been set.
Command file: (servA_acl)
PREVIEW............................................................Started.
PREVIEW............................................................Done.
PREPARE............................................................Started.
Creating group servA_grp........................................Done.
Adding Host access id servA to group servA_grp..................Done.
...
...
...
...
PREPARE............................................................Done.
Starting COMMIT....................................................Done.
MgmtServ #
* Verify the changes
MgmtServ# symacl -sid 1234 list -acl
Symmetrix ID: 000294901234
Group Name Pool Name Access Type
---------------------------------- --------------------------------- -----------
AdminGrp ALL_DEVS ADMIN
AdminGrp ALL_DEVS ALL
UnknwGrp ALL_DEVS BASE
UnknwGrp !INPOOLS ALL
servA_grp servA_pool BCV
servA_grp ALL_DEVS BASE
MgmtServ# symacl -sid 1234 list -accpool
Symmetrix ID: 000294901234
Number of Number of
Pool Name Devices ACLs
--------------------------------- --------- ---------
servA_pool 16 1
MgmtServ# symacl -sid 1234 list -accgroup
Symmetrix ID: 000294901234
Number of Number of
Group Name Access IDs ACLs
-------------------------------- ----------- ---------
AdminGrp 2 1
UnknwGrp 1 1
servA_grp 1 1
MgmtServ# symacl -sid 1234 show accgroup servA_grp -acl
Symmetrix ID: 000294901234
Group Name Pool Name Access Type
-------------------------------- -------------------------------- -----------
servA_grp servA_pool BCV
servA_grp ALL_DEVS BASE
MgmtServ# symacl -sid 1234 show accpool servA_pool -acl
Access Pool: servA_pool
Symmetrix ID : 000294901274
Number of Access Control Entries: 1
Number of Member Devices : 16
Access Control Entries (1):
{
--------------------------------------
Group Type
--------------------------------------
servA_grp BCV
}
Member Devices (16):
{
Device Name Device
---------------------------- --------------------------------------
Cap
Sym Physical Config Attribute Sts (MB)
---------------------------- --------------------------------------
1000 Not Visible TDEV N/Grp'd RW 23200
.....
.....
.....
}
MgmtServ#
Setting ACL for replicated devices
When the devices involved are R1 or R2 devices and are being snapped/cloned on the same server as the R1 or R2, the configuration changes, as it needs to cover both arrays.
Summary of steps:
* Create same named access group on both the arrays, and add unique host id for both the hosts to the access group. Name of access group must be same on both the arrays.
* Create access pools on each array which includes local R1 or R2 devices, and corresponding snap/clone devices
* Grant BASE, RDF, SNAP/BCV permission to the access pool. Assignment of BASE permission is a must.
Steps in detail with commands
* Generate unique acl id for both the hosts
servR1# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servR1#
servR2# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-AE4E869C
servR2#
* Prepare a file containing related commands on management hosts per site
Command file for primary node servR1
MgmtServA# cat servR1_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;
# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;
# Create an access pool with appropriate naming convention
create accpool servR1_pool;
# Add source and target devices to access pool
add dev 1000:100F to accpool servR1_pool; # these are R1 devices which are either snapped or cloned
add dev 2000:200F to accpool servR1_pool; # these are either snaps or clones
# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR1_pool; # To grant RDF access for R1 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR1_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR1_pool; # To grant SNAP access for snaps
Command file for secondary node servR2
MgmtServB# cat servR2_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;
# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;
# Create an access pool with appropriate naming convention
create accpool servR2_pool;
# Add source and target devices to access pool
add dev 3000:300F to accpool servR2_pool; # these are R2 devices which are either snapped or cloned
add dev 4000:400F to accpool servR2_pool; # these are either snaps or clones
# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR2_pool; # To grant RDF access for R2 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR2_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR2_pool; # To grant SNAP access for snaps
* Preview/Prepare/Commit ACL changes on both the arrays and run the commands to verify
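The command files above for the non-replicated host (servA) and the SRDF pair (servR1/servR2) follow one pattern, so here is an added helper (my own example, not part of the original post or of Solutions Enabler) that generates them from a host/device spec and enforces the constraints called out above: the 8-character limit on the host name, the mandatory BASE grant on ALL devs, and the same access-group name on both arrays for a replicated pair. The unique ids and device ranges in the docstrings are taken from the post; the function names are my own.

```python
"""Generate symacl -file command files from a simple spec (added example)."""
import re

# A single device (hex) or a first:last range as used in 'add dev'.
DEV_RANGE = re.compile(r"^[0-9A-Fa-f]{4,5}(:[0-9A-Fa-f]{4,5})?$")


def symacl_file(group, hosts, pool, src_devs, tgt_devs, accesses, src_note="source devices"):
    """Return the text of a symacl command file for one array.

    hosts:    list of (name, acl_id) as reported by 'symacl -unique'
    accesses: extra grants on the pool (BCV, SNAP, RDF); BASE on ALL devs is
              always emitted because the post states it is a must.
    """
    for name, _ in hosts:
        if len(name) > 8:  # limitation on the name given to 'add host'
            raise ValueError(f"host name {name!r} exceeds 8 characters")
    for rng in (*src_devs, *tgt_devs):
        if not DEV_RANGE.match(rng):
            raise ValueError(f"bad device or range {rng!r}")
    lines = [f"create accgroup {group};"]
    for name, acl_id in hosts:
        lines.append(f"add host accid {acl_id} name {name} to accgroup {group};")
    lines.append(f"create accpool {pool};")
    for rng in src_devs:
        lines.append(f"add dev {rng} to accpool {pool}; # {src_note}")
    for rng in tgt_devs:
        lines.append(f"add dev {rng} to accpool {pool}; # snaps or clones")
    lines.append(f"grant access=BASE to accgroup {group} for ALL devs;")
    for acc in accesses:
        lines.append(f"grant access={acc} to accgroup {group} for accpool {pool};")
    return "\n".join(lines) + "\n"


def srdf_pair_files(group, hosts, r1_pool, r1_src, r1_tgt, r2_pool, r2_src, r2_tgt, copy_access="BCV"):
    """Command files for both arrays of an SRDF pair.

    The same group name and the same two hosts go into both files; each pool
    gets RDF plus the BCV or SNAP access appropriate to the copy type.
    """
    accesses = ("RDF", copy_access)
    return {
        "R1": symacl_file(group, hosts, r1_pool, r1_src, r1_tgt, accesses, "R1 devices"),
        "R2": symacl_file(group, hosts, r2_pool, r2_src, r2_tgt, accesses, "R2 devices"),
    }
```

Write each returned string to a file and feed it to `symacl -sid <sid> -file <filename> preview` before prepare/commit, exactly as in the steps above.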
SYMACL commands – cheatsheet
* To list ACLs defined on given array
# symacl -sid 1234 list -acl -v
* To list access groups defined on given array
# symacl -sid 1234 list -accgroup -v
* To list access pool defined on given array
# symacl -sid 1234 list -accpool -v
* To show details of given accgroup on given array
# symacl -sid 1234 show accgroup <groupname> -acl
* To show details of given accpool on given array
# symacl -sid 1234 show accpool <poolname> -acl
* To make configuration changes on given array
# symacl -sid 1234 -file <filename> preview|prepare|commit
* accgroup related commands in configuration file
create accgroup <groupname>;
# to create an accgroup
add host accid <acl id> name <host_identifier> to accgroup <groupname>;
# to add the host to accgroup
remove accid name <host_identifier> from accgroup <groupname>;
# to remove a host from accgroup
move accid name <host_identifier> to accgroup <new_groupname>;
# to move a host from existing to new accgroup
delete accgroup <groupname> [remove_aces=true];
# to delete an accgroup
* accpool related commands in configuration file
create accpool <poolname>;
# to create an accpool
add dev <devid> to accpool <poolname>;
# to add a single device to accpool
add dev <firstdev:lastdevid> to accpool <poolname>;
# to add a range of devices to accpool
remove dev <firstdev:lastdev> from accpool <poolname>;
# to remove devices from the accpool
delete accpool <poolname> [remove_aces=true];
# to delete an accpool
* commands in configuration file related to granting the permission
grant access=<accesstype> to accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;
remove access=<accesstype> from accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;
Different levels of permissions
For host based symacl, permissions allowed are listed below along with their description.
ADMIN: Administrative rights allowing ACL configuration changes. Lets you run symacl
BASE : Allows the host to discover the devices, and to obtain further information about directors and devices from the array
BCV : Allows the host to run TF/Clone related commands
SNAP : Allows the host to run TF/Snapshot related commands
RDF : Allows the host to run SRDF related commands
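Because a stray ADMIN or ALL grant defeats the whole point of host-based symacl, it is worth auditing the `symacl -sid <sid> list -acl` output after every commit rather than eyeballing it. The script below is an added example (mine, not from the post or from EMC) that parses that three-column table and flags two things: any group other than the administrator group holding ADMIN or ALL on ALL_DEVS, and any group granted BCV/SNAP/RDF on a pool without the mandatory BASE on ALL devs. The sample listing is constructed from the post's output with two extra groups (servX_grp, servY_grp) added to trigger the checks.

```python
"""Audit a 'symacl list -acl' listing for risky grants (added example)."""
import re

# Constructed sample modelled on the listing in the post; servX_grp and
# servY_grp are made up to show what a finding looks like.
SAMPLE = """\
Symmetrix ID: 000294901234
Group Name Pool Name Access Type
---------------------------------- --------------------------------- -----------
AdminGrp ALL_DEVS ADMIN
AdminGrp ALL_DEVS ALL
UnknwGrp ALL_DEVS BASE
UnknwGrp !INPOOLS ALL
servA_grp servA_pool BCV
servA_grp ALL_DEVS BASE
servX_grp ALL_DEVS ALL
servY_grp servY_pool SNAP
"""

# One data row: group, pool, and one of the access types the post lists.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(ADMIN|ALL|BASE|BCV|SNAP|RDF)$")


def parse_acl_table(text):
    """Return (group, pool, access) tuples; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def audit_acls(text, admin_groups=("AdminGrp",)):
    """Return a list of findings; an empty list means the listing is clean."""
    rows = parse_acl_table(text)
    groups_with_base = {g for g, p, a in rows if p == "ALL_DEVS" and a == "BASE"}
    findings = []
    for group, pool, access in rows:
        # Only the administrator group should be able to run symacl or do everything.
        if pool == "ALL_DEVS" and access in ("ADMIN", "ALL") and group not in admin_groups:
            findings.append(f"{group}: {access} on ALL_DEVS outside the admin group")
        # A pool-level grant is useless (and a sign of a botched file) without BASE.
        if pool not in ("ALL_DEVS", "!INPOOLS") and group not in groups_with_base:
            findings.append(f"{group}: {access} on {pool} without BASE on ALL devs")
    return findings
```

Pipe the real command output into `audit_acls` (for example by reading it from a file) and treat any finding as something to fix before the host is put into service.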