EMC – Symmetrix Access Control – symacl


With Enginuity 5875 and SE 7.2.0, new array-based licensing has been introduced. This means any host attached to the array with SE installed will have unrestricted access to the array and can make configuration changes. This has necessitated the implementation of host-based Symmetrix Access Control on the arrays. The purpose is to prevent servers from making config changes on the arrays and to restrict their access to a defined set of snaps/clones and the corresponding source devices. The overall process involves readying the array for access control and then configuring the accesses as per the requirements.

Initial configuration on the array will be carried out by EMC CE. Steps involve:

* Enable Symmetrix Access Control (symacl)
* Create administrator accgroup
* Add management hosts to the group to carry out ACL administration
* Add service processor to the group for EMC remote support
* Create the symacl PIN (password) that will be required to carry out ACL administration. The environment variable SYMCLI_ACCESS_PIN can be set to avoid the PIN prompt every time a symacl command is run to change the configuration.

Initial set up can be verified as below.

MgmtHostA# symacl -sid 1234 show accgroup AdminGrp 
Access Group: AdminGrp 
Symmetrix ID: 000294901234 
     Access ID Name 
     -------------- 
     gmthostA  - Management Host (ECC)
     gmthostB  - Management Host (SE, SPA, SMC) 
     aclpin123 - PIN used for ACL manipulation 
     SP1234    - Service Processor 
MgmtHostA# symacl -sid 1234 list -acl 
Symmetrix ID: 000294901234 
Group Name                         Pool Name                         Access Type 
---------------------------------- --------------------------------- ----------- 
AdminGrp                           ALL_DEVS                          ADMIN
AdminGrp                           ALL_DEVS                          ALL 
UnknwGrp                           ALL_DEVS                          BASE 
UnknwGrp                           !INPOOLS                          ALL 
MgmtHostA #

Now that the initial set up is complete, let's proceed to the configuration on the arrays for servers accessing their storage. The steps listed below illustrate the commands to run when you have a hostname, snap or clone devices, and their corresponding source devices (which could be replicated or non-replicated).

Setting ACL for non-replicated devices

Summary of steps:

* Create an access group containing the hostname
* Create an access pool containing the devices
* Associate access group and access pool by granting desired permissions

Steps in detail with commands:

* Generate a unique ACL id for a given host (to be run on that host)

servA# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servA#

* Prepare a file containing related commands on management host

MgmtServ# cat servA_acl
# Create an access group with appropriate naming convention
create accgroup servA_grp;

# Add the host to access group using its unique id 
# There is a limitation of 8 characters on the name that you can assign
add host accid 2F5800AD-55448DCE-9D3D758B name servA to accgroup servA_grp;

# Create an access pool with appropriate naming convention
create accpool servA_pool;

# Add source and target devices to access pool
add dev 1000:100F to accpool servA_pool; # these are standard devices which are either snapped or cloned
add dev 2000:200F to accpool servA_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servA_grp for ALL devs;
grant access=BCV to accgroup servA_grp for accpool servA_pool; # To grant BCV access for clones 
#grant access=SNAP to accgroup servA_grp for accpool servA_pool; # To grant SNAP access for snaps

MgmtServ#

* Preview/Prepare/Commit ACL changes

MgmtServ # symacl -sid 1234 -file servA_acl <preview|prepare|commit>
Enter Access PIN: <aclpin123> # This is symacl pin generated by CE. It won't be prompted 
                              # if SYMCLI_ACCESS_PIN has been set.
    Command file: (servA_acl) 
    PREVIEW............................................................Started.
    PREVIEW............................................................Done.
    PREPARE............................................................Started. 
       Creating group servA_grp........................................Done.
       Adding Host access id servA to group servA_grp..................Done.
       ...
       ...
       ...
       ...
    PREPARE............................................................Done. 
    Starting COMMIT....................................................Done. 
MgmtServ #

* Verify the changes

MgmtServ# symacl -sid 1234 list -acl 
Symmetrix ID: 000294901234 
Group Name                         Pool Name                         Access Type 
---------------------------------- --------------------------------- ----------- 
AdminGrp                           ALL_DEVS                          ADMIN
AdminGrp                           ALL_DEVS                          ALL 
UnknwGrp                           ALL_DEVS                          BASE 
UnknwGrp                           !INPOOLS                          ALL 
servA_grp                          servA_pool                        BCV
servA_grp                          ALL_DEVS                          BASE

MgmtServ# symacl -sid 1234 list -accpool 
Symmetrix ID: 000294901234 
                                      Number of Number of 
    Pool Name                         Devices   ACLs 
    --------------------------------- --------- --------- 
    servA_pool                          16         1 

MgmtServ# symacl -sid 1234 list -accgroup
Symmetrix ID: 000294901234 
                                      Number of   Number of 
    Group Name                        Access IDs  ACLs 
    -------------------------------- ----------- --------- 
    AdminGrp                             2         1 
    UnknwGrp                             1         1 
    servA_grp                            1         1 

MgmtServ# symacl -sid 1234 show accgroup servA_grp -acl
Symmetrix ID: 000294901234 
    Group Name                        Pool Name                        Access Type    
    --------------------------------  -------------------------------- ----------- 
    servA_grp                         servA_pool                       BCV
    servA_grp                         ALL_DEVS                         BASE

MgmtServ# symacl -sid 1234 show accpool servA_pool -acl
Access Pool: servA_pool 
Symmetrix ID                    : 000294901234 
Number of Access Control Entries: 1 
Number of Member Devices        : 16
Access Control Entries (1): 
    { 
    -------------------------------------- 
    Group                        Type 
    -------------------------------------- 
    servA_grp                       BCV 
    } 
Member Devices (16): 
    { 
            Device Name                       Device 
    ---------------------------- -------------------------------------- 
                                                                  Cap 
    Sym  Physical                Config       Attribute    Sts    (MB) 
    ---------------------------- -------------------------------------- 
    1000 Not Visible             TDEV         N/Grp'd      RW     23200 
    .....
    .....
    .....
    } 
MgmtServ# 

Setting ACL for replicated devices

When the devices involved are R1 or R2 devices and are being snapped/cloned on the same server that uses the R1 or R2 device, the configuration differs because it needs to cover both arrays.

Summary of steps:

* Create an access group with the same name on both arrays, and add the unique host ids of both hosts to the access group. The name of the access group must be identical on both arrays.
* Create an access pool on each array which includes the local R1 or R2 devices and the corresponding snap/clone devices
* Grant BASE, RDF and SNAP/BCV permissions to the access pool. Assignment of the BASE permission is a must.

Steps in detail with commands

* Generate unique acl id for both the hosts

servR1# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servR1#

servR2# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-AE4E869C 
servR2#

* Prepare a file containing related commands on management hosts per site

Command file for primary node servR1

MgmtServA# cat servR1_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;

# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

# Create an access pool  with appropriate naming convention
create accpool servR1_pool;

# Add source and target devices to access pool
add dev 1000:100F to accpool servR1_pool; # these are R1 devices which are either snapped or cloned
add dev 2000:200F to accpool servR1_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR1_pool; # To grant RDF access for R1 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR1_pool; # To grant BCV access for clones 
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR1_pool; # To grant SNAP access for snaps

Command file for secondary node servR2

MgmtServB# cat servR2_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;

# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

# Create an access pool with appropriate naming convention
create accpool servR2_pool;

# Add source and target devices to access pool
add dev 3000:300F to accpool servR2_pool; # these are R2 devices which are either snapped or cloned
add dev 4000:400F to accpool servR2_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR2_pool; # To grant RDF access for R2 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR2_pool; # To grant BCV access for clones 
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR2_pool; # To grant SNAP access for snaps

* Preview/Prepare/Commit ACL changes on both the arrays and run the commands to verify
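The command files for servA (non-replicated) and servR1/servR2 (replicated) above differ only in names, device ranges and the RDF grant. As an added example, not code from the original post or from EMC's tooling, the POSIX shell function below generates such a command file from those parameters and refuses to print anything if a host name exceeds the 8-character limit noted in the files. The ACCID=NAME argument format and the validation rules are this example's own conventions.

```shell
# Build a symacl command file in the layout shown above, for one host
# (non-replicated case) or the R1/R2 host pair (replicated case).
#
# Usage: gen_symacl_file GROUP POOL SRC_RANGE TGT_RANGE ACCESS RDF ACCID=NAME...
#   ACCESS is BCV (clones) or SNAP (snaps); RDF is yes for an R1/R2 pool, else no.
#   ACCID is the id printed by "symacl -unique" on the host; NAME is the 8-char label.
gen_symacl_file() {
    group=$1 pool=$2 src=$3 tgt=$4 access=$5 rdf=$6
    shift 6
    hex='[0-9A-Fa-f]'
    range="$hex$hex$hex$hex:$hex$hex$hex$hex"   # device range like 1000:100F
    # Validate everything first, so a bad argument never yields a partial file
    case "$access" in BCV|SNAP) ;; *) echo "access must be BCV or SNAP: $access" >&2; return 1 ;; esac
    for r in "$src" "$tgt"; do
        case "$r" in $range) ;; *) echo "bad device range (want e.g. 1000:100F): $r" >&2; return 1 ;; esac
    done
    [ $# -ge 1 ] || { echo "at least one ACCID=NAME host is required" >&2; return 1; }
    for pair in "$@"; do
        name=${pair#*=}
        # symacl limits the host name to 8 characters
        if [ -z "$name" ] || [ "${#name}" -gt 8 ]; then
            echo "host name must be 1-8 characters: '$name'" >&2; return 1
        fi
    done
    printf '# Create an access group with appropriate naming convention\n'
    printf 'create accgroup %s;\n\n' "$group"
    printf '# Add the host(s) to the access group using the id from "symacl -unique"\n'
    for pair in "$@"; do
        printf 'add host accid %s name %s to accgroup %s;\n' "${pair%%=*}" "${pair#*=}" "$group"
    done
    printf '\n# Create an access pool and add source and snap/clone devices\n'
    printf 'create accpool %s;\n' "$pool"
    printf 'add dev %s to accpool %s; # source devices\n' "$src" "$pool"
    printf 'add dev %s to accpool %s; # snaps or clones\n' "$tgt" "$pool"
    printf '\n# Grant access: BASE on ALL devs is mandatory, the rest is scoped to the pool\n'
    printf 'grant access=BASE to accgroup %s for ALL devs;\n' "$group"
    [ "$rdf" = yes ] && printf 'grant access=RDF to accgroup %s for accpool %s;\n' "$group" "$pool"
    printf 'grant access=%s to accgroup %s for accpool %s;\n' "$access" "$group" "$pool"
}
```

Redirect the output to a file and feed it to `symacl -sid <sid> -file <filename> preview` before prepare/commit, as in the steps above.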

SYMACL commands – cheatsheet

* To list ACLs defined on given array
# symacl -sid 1234 list -acl -v

* To list access groups defined on given array
# symacl -sid 1234 list -accgroup -v

* To list access pool defined on given array
# symacl -sid 1234 list -accpool -v

* To show details of given accgroup on given array
# symacl -sid 1234 show accgroup <groupname> -acl

* To show details of given accpool on given array
# symacl -sid 1234 show accpool <poolname> -acl

* To make configuration changes on given array
# symacl -sid 1234 -file <filename> preview|prepare|commit

* accgroup related commands in configuration file
create  accgroup <groupname>; # to create an accgroup
add host accid <acl id> name <host_identifier> to accgroup <groupname>; # to add the host to accgroup
remove accid name <host_identifier> from accgroup <groupname>; # to remove a host from accgroup
move accid name <host_identifier> to accgroup <new_groupname>; # to move a host from existing to new accgroup
delete accgroup <groupname> [remove_aces=true]; # to delete an accgroup

* accpool related commands in configuration file
create  accpool <poolname>; # to create an accpool
add dev <devid> to accpool <poolname>; # to add a single device to accpool
add dev <firstdev:lastdevid> to accpool <poolname>; # to add a range of devices to accpool
remove dev <firstdev:lastdev> from accpool <poolname>; # to remove devices from the accpool
delete accpool <poolname> [remove_aces=true]; # to delete an accpool

* commands in configuration file related to granting the permission
grant access=<accesstype> to accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;
remove access=<accesstype> from accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;

Different levels of permissions

For host-based symacl, the permissions allowed are listed below along with their descriptions.
ADMIN : Administrative rights allowing ACL configuration changes. Lets you run symacl
ALL   : All types of access granted except ADMIN and ADMINRD. Must be used only with devices (ALL devs)
BASE  : Allows the host to discover the devices, and to obtain further information about directors and devices from the array
BCV   : Allows the host to run TF/Clone related commands
SNAP  : Allows the host to run TF/Snapshot related commands
RDF   : Allows the host to run SRDF related commands


sanaswati