# $Id: //depot/prod/test/nacldev/lib/NACL/MTask/VserverRbacSetup.pm#1 $
#
# Copyright (c) 2012 NetApp, Inc., All Rights Reserved
# Any use, modification, or distribution is prohibited
# without prior written consent from NetApp, Inc.
#
## @summary VserverRbacSetup Task Module
## @author anupamap@netapp.com,dl-nacl-dev@netapp.com
## @status shared
## @pod here

package NACL::MTask::VserverRbacSetup;

use strict;
use warnings;

# Module-level logger; enter/exit tracing is gated on these flags so the
# calls are cheap when tracing is disabled.
use NATE::Log qw(log_global);
my $Log       = log_global();
my $may_enter = $Log->may_enter();
my $may_exit  = $Log->may_exit();

use base qw(NACL::MTask::MTask);

use NACL::STask::Vserver;
use NACL::STask::SystemServicesFirewallPolicy;
use NACL::STask::SecurityLogin;
use NACL::CS::SecurityLogin;
use NACL::C::SystemServicesFirewall;
use NACL::CS::SystemServicesFirewall;
use NACL::Exceptions::NoElementsFound qw(:try);
use Params::Validate qw/validate_with SCALAR ARRAYREF HASHREF OBJECT SCALARREF BOOLEAN/;

# Accessors for the task object. The typed scalars hold the component /
# STask objects touched by setup(); the two private flags record what
# setup() changed so that purge() only reverts its own modifications.
use Class::MethodMaker [
    new    => [ '-hash', 'new' ],
    scalar => [ { -type => 'NACL::C::CommandInterface::ONTAP' }, 'command_interface', ],
    scalar => [ { -type => 'NACL::C::SystemServicesFirewall' }, 'firewall' ],
    scalar => [ { -type => 'NACL::STask::SystemServicesFirewallPolicy' }, 'firewall_policy' ],
    scalar => [ { -type => 'NACL::STask::SecurityLogin' }, 'security_login' ],
    scalar => '_security_login_created',   # 1 if setup() created the login
    scalar => '_security_login_unlock',    # 1 if setup() unlocked the login
];

=head1 NAME

NACL::MTask::VserverRbacSetup

=head1 DESCRIPTION

C<NACL::MTask::VserverRbacSetup> provides a number of well-defined but
potentially complex or multi-step methods related to Vserver RBAC
configuration in ONTAP. The MTask will mainly be concerned with setting up
role based access control on a given vserver.

Note that L</setup> resets a login password and disables the firewall on a
node; L</purge> is the only thing that reverts the firewall and lock state,
so callers should always pair the two.

This task supports only CMode.

=head1 ATTRIBUTES

=head2 command_interface

(Required) A component object that represents the host to which to send
commands.
=head2 security_login

An object of type NACL::STask::SecurityLogin representing the login details
such as vserver name, username, authmethod and application indicating the
login to be created, and also the password to reset.

=head2 firewall

An object of type NACL::C::SystemServicesFirewall representing the firewall
details such as node name and firewall state to modify on a given node.

=head2 firewall_policy

An object of type NACL::STask::SystemServicesFirewallPolicy representing
firewall policy details such as policy name, action, service, and the ip-list
indicating the firewall policy to be created.

=head1 METHODS

=head2 setup

    my $vserver_rbac_obj = NACL::MTask::VserverRbacSetup->setup(
        command_interface => $command_interface,
        security_login    => {
            vserver     => $vserver_name,
            username    => $username,
            password    => $password,
            application => $application,
            authmethod  => $authentication,
        },
        firewall => {
            node    => $node,
            enabled => $string,
        },
        firewall_policy => {
            policy    => $policy,
            action    => $action,
            service   => $service,
            'ip-list' => [ $ip_list1 ],
        },
    );

(Class Method) This method includes the following steps:

Step 1 : Setting the vsadmin password.

Step 2 : Unlocking the vsadmin account.

Step 3 : Disabling the firewall on the given node.

Step 4 : Setting up application level access like ontapi, ssh etc.

Step 5 : Setting suitable firewall policies for the given services.

Steps 1 and 3 are security-sensitive: the password is reset unconditionally,
and the node firewall is switched off. Call L</purge> on the returned object
to re-enable the firewall and re-lock or remove the login.

=over

=item Options

=over

=item C<< security_login => $security_login >>

(Required) A hash ref containing vserver name, user name, application,
authmethod and password indicating the security login to be created.
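These arguments get passed to the following methods :

L<< NACL::C::SecurityLogin->password|lib-NACL-C-SecurityLogin-pm/password >>

L<< NACL::C::SecurityLogin->unlock|lib-NACL-C-SecurityLogin-pm/unlock >>

L<< NACL::STask::SecurityLogin->create|lib-NACL-STask-SecurityLogin-pm/create >>

=item C<< firewall => $firewall >>

(Required) A hash ref with the firewall enable state as 'false' to disable
the firewall on the given node. The current state is read for the node
named here, and only that node is modified.

These arguments get passed to the following method :

L<< NACL::C::SystemServicesFirewall->modify|lib-NACL-C-SystemServicesFirewall-pm/modify >>

=item C<< firewall_policy => $firewall_policy >>

(Required) A hash ref with the policy name, action, service and ip-list
indicating the parameters used to create the firewall policy.

These arguments get passed to the following method :

L<< NACL::STask::SystemServicesFirewallPolicy->create|lib-NACL-STask-SystemServicesFirewallPolicy-pm/create >>

=back

=back

=cut

sub setup {
    $Log->enter() if $may_enter;
    my $pkg = shift;

    my %opts = $pkg->_common_validate_with(
        params             => \@_,
        only_static_method => 1,
        additional_spec    => {
            firewall        => { type => HASHREF },
            firewall_policy => { type => HASHREF },
            security_login  => { type => HASHREF },
        },
    );

    # Split the common component/CI parameters away from the task options.
    my %common_opts;
    $pkg->_move_common_component_params_with_ci(
        source => \%opts,
        target => \%common_opts,
    );

    my %security_login  = %{ $opts{security_login} };
    my %firewall        = %{ $opts{firewall} };
    my %firewall_policy = %{ $opts{firewall_policy} };

    my $obj = $pkg->new( command_interface => $common_opts{command_interface} );

    # Set in STEP 2 when the login does not exist yet; the unlock is then
    # deferred until after the login has been created in STEP 4.
    my $unlock_after_create = 0;

    #---------------------------------------------------------------------------
    # Check whether the given vserver is present. The result is not needed;
    # find() is relied on to raise if the vserver does not exist.
    #---------------------------------------------------------------------------
    NACL::STask::Vserver->find(
        %common_opts,
        filter => { vserver => $security_login{vserver} },
    );

    #---------------------------------------------------------------------------
    # STEP 1 : Reset the password of the given login.
    # NOTE(review): this runs before the existence check in STEP 2, so the
    # behaviour for a login that does not exist yet depends on password().
    #---------------------------------------------------------------------------
    NACL::STask::SecurityLogin->password(
        newpwd   => $security_login{'password'},
        newpwd2  => $security_login{'password'},
        username => $security_login{'username'},
        vserver  => $security_login{'vserver'},
        %common_opts,
    );

    #---------------------------------------------------------------------------
    # STEP 2 : Unlock the account if it exists and is locked. The unlock is
    # recorded so that purge() can lock it again.
    #---------------------------------------------------------------------------
    try {
        my $state = NACL::CS::SecurityLogin->fetch(
            %common_opts,
            filter => NACL::C::SecurityLogin->get_primary_keys_options(%security_login),
            requested_fields => [qw(acctlocked)],
        );

        if ( $state->acctlocked() =~ /yes/ ) {
            NACL::STask::SecurityLogin->unlock(
                %common_opts,
                username => $security_login{'username'},
                vserver  => $security_login{'vserver'},
            );
            $obj->_security_login_unlock(1);
        }
    }
    catch NACL::Exceptions::NoElementsFound with {
        # No login with the given attributes exists yet; unlock it once it
        # has been created in STEP 4.
        $unlock_after_create = 1;
    };

    #---------------------------------------------------------------------------
    # STEP 3 : Disable the firewall on the given node if it is enabled.
    # The fetch is filtered on the node that will be modified, so the state
    # examined is the state of that node and not of whichever node the
    # unfiltered fetch happens to return first.
    #---------------------------------------------------------------------------
    my %node_filter
        = defined $firewall{'node'}
        ? ( filter => { node => $firewall{'node'} } )
        : ();

    my $system_obj = NACL::CS::SystemServicesFirewall->fetch(
        %common_opts,
        %node_filter,
        requested_fields => [qw(enabled node)],
    );

    if ( $system_obj->enabled() =~ /true/ ) {
        NACL::C::SystemServicesFirewall->modify(
            enabled => $firewall{'enabled'},
            node    => $firewall{'node'},
            %common_opts,
        );

        # Only remember the firewall when we changed it, so purge() does not
        # "restore" a state setup() never touched.
        $obj->firewall( $system_obj->get_component_instance() );
    }

    #---------------------------------------------------------------------------
    # STEP 4 : Set up application level access (ontapi, ssh, ...).
    #---------------------------------------------------------------------------
    my $login_created  = 0;
    my $security_login = NACL::STask::SecurityLogin->create(
        _was_created => \$login_created,
        %security_login,
        %common_opts,
    );
    $obj->security_login($security_login);
    $obj->_security_login_created(1) if $login_created;

    if ($unlock_after_create) {
        NACL::STask::SecurityLogin->unlock(
            %common_opts,
            username => $security_login{'username'},
            vserver  => $security_login{'vserver'},
        );
        $obj->_security_login_unlock(1);
    }

    #---------------------------------------------------------------------------
    # STEP 5 : Create the firewall policy. A separate flag is used so the
    # login's created-state is not passed through to the policy create.
    #---------------------------------------------------------------------------
    my $policy_created  = 0;
    my $firewall_policy = NACL::STask::SystemServicesFirewallPolicy->create(
        _was_created => \$policy_created,
        %firewall_policy,
        %common_opts,
    );
    $obj->firewall_policy($firewall_policy);

    $Log->exit() if $may_exit;
    return $obj;
} ## end sub setup

=head2 purge

    $vserver_rbac_obj->purge();

(Instance Method) This method reverts all changes made by
L<< NACL::MTask::VserverRbacSetup->setup|lib-NACL-MTask-VserverRbacSetup-pm/setup >>. Purge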
method will not reset the password for the given username of the particular
vserver. It is applicable only for CMode.

The firewall is re-enabled only if setup() disabled it, and the login is
locked again only if setup() unlocked a pre-existing login; a login that
setup() created is removed instead.

=over

=item Options

=over

=item C<< nacltask_verify => $nacltask_verify >>

(Optional) If '0' (default), verification will not be performed. If '1',
verification will be performed to ensure that the deletion did happen
successfully.

=back

=back

=cut

sub purge {
    $Log->enter() if $may_enter;
    my $self = shift;

    my %opts = $self->_common_validate_with(
        params          => \@_,
        additional_spec => {
            nacltask_verify => { type => BOOLEAN, default => 0 },
        },
    );
    my $verify = delete $opts{nacltask_verify};
    my $ci     = $opts{command_interface};

    # setup() only records the firewall when it switched it off, so a
    # recorded firewall always means "was enabled before".
    my $firewall = $self->firewall();
    $firewall->modify( enabled => 'true', ) if $firewall;

    # A login created by setup() is deleted; a login that merely got
    # unlocked is locked again.
    if ( $self->_security_login_created() ) {
        $self->security_login()->purge( nacltask_verify => $verify );
    }
    elsif ( $self->_security_login_unlock() ) {
        my $login = $self->security_login();
        NACL::STask::SecurityLogin->lock(
            command_interface => $ci,
            username          => $login->username(),
            vserver           => $login->vserver(),
        );
    }

    # Remove the firewall policy handled by setup().
    my $policy = $self->firewall_policy();
    $policy->purge( nacltask_verify => $verify ) if $policy;
} ## end sub purge

1;