In the previous post blog / blogs / 2011/12/26 / access based on help-role-controlrbac -to secure, management-the-NetScaler configuration / We looked into how to set up users and cmdspec that stricter control of the administration can be performed in Netscaler. In this blog, we will see a special case of the use of a stricter control in load balancing virtual server.
In global demand centered CDA entities today are also defined according to the application and it is represented by an endpoint LB / CS vservers on NetScaler. Each application has defined App owner and although different applications are owned by the same company, the property remains separate. This means that an owner App should not be allowed access to modify the resources for other applications and vice versa. So we need a model for enabling a user of RBAC to bind and unbind services to the vserver and vserver change some settings only. The RBAC user should be allowed to do that for the targeted vserver and there should be restrictions on other vservers. The reason for both bind / unbind commands with command set locks one of them will not be much impact the user can make the vserver down an order (bind / UNBIND or whole) himself even.
This can be performed using the spec command below,
(^ (bind | unbind) s + lb s + vserver s + v1 s + (s1 | s2) * $). | (^ Show s + lb s + vserver ( s + v1 |) $) | (^ Show s + Service ( s + (s1 | s2) |) $) | (^ Put s + lb s + vserver s + v1. *)
is tested 9.3 and 10.0 Netscaler releases.
I'll review the steps below on how to get to this cmdspec.
consider the name of the vserver name v1 and service as s1 and s2. The / unbind link must be authorized to v1 vserver for s1 and s2 services. It is covered by (^ (bind | unbind) s + lb s + vserver s + v1 s + (s1 |. S2) * $).
In the GUI, we must view the vserver and service operations so that bind / unbind / set can be performed on it. service display and vserver is achieved by (^ show s + lb s + vserver ( s + v1 |) $) | (^ Show s + Service ( s + (s1 | s2) |) $)
Once the cmdspec is created it can be tested for the commands as listed below in screenshot. Green commands are permitted where as in red are those that are not allowed. Based on this cmdspec, only bind / unbind lb vserver for s1 service s2 is permitted. Binding Service to s3 lb vserver v1 is not allowed and shown that red color. Similarly, set lb vserver is only permitted for vserver vserver v1 and not v2.
After binding of the control policy to the user, we should sign as a user in NetScaler GUI and check how the control policy is effective for 'user.
in capturing screen above, we can see that only s1 and s2 service are displayed although there are other services available Netscaler . Also below screenshot, we can see that only lb vserver v1 is displayed to the user.
----------------- ------------------ -------------------------------- ------------------ ----------
as authorized entities only are displayed in the GUI, the user with the control policy will not be able to see other entities configuration for which it is not allowed. The same cmdspec used herein may be modified by the need to extend the protection to other RBAC entities easily through NetScaler Configuration GUI.
In this way, RBAC can be used to provide more control over the configuration and entities can be easily managed.
0 Komentar