How to run netbackup_deployment_insights command as a non-root user with minimal permissions on NetBackup version 10.5.0.1.
Description
This article describes how to run the netbackup_deployment_insights command as a non-root user with minimal permissions on NetBackup version 10.5.0.1.
Summary of steps:
- Create a new output directory for the netbackup_deployment_insights reports owned by the non-root user account.
- Add a custom RBAC role in the NetBackup web UI with a limited set of permissions.
- Assign the non-root user to the custom RBAC role.
- Create an API Key file for the non-root user owned by the non-root user.
- Log in as the non-root user and:
  - Export the NBD_USE_MACHINE_CERT variable set to 1
  - Run bpnbat -login -loginType WEB
  - Execute netbackup_deployment_insights using nbcmdrun
Details:
1. As the 'root' or administrative user on the NetBackup primary server:
a. Create the output directory:
# mkdir /var/tmp/reports
b. Give ownership to the non-root user (testuser1):
# chown testuser1:testuser1 /var/tmp/reports
c. Follow the steps in the section "Add a custom RBAC role" of the NetBackup Security and Encryption Guide and, at step 6, assign only the following RBAC permissions in the 'Custom' RBAC role:
Under NetBackup management - only the following:
- CLI sessions - CLI execute
- NetBackup hosts - View
- NetBackup backup images - View
- Licensing - View
- NetBackup Storage Lifecycle Images - View
d. In step 8 of the same section ("Add a custom RBAC role" in the NetBackup Security and Encryption Guide), assign the non-root user to the custom RBAC role.
e. Create an API key for the non-root user using the NetBackup WebUI and copy it to a file:
- In the WebUI, go to Security > Access Keys > click Add
- In the next screen, enter the non-root username, click the Add button in the bottom-right, then copy and paste the API key into the file /home/testuser1/apikey_testuser1 so that its contents look like this
- (example: replace primary.domain.com with the name of the primary server, and replace the key):
primary.domain.com:AwBfDO9xbd5RDuu-foifdxE_rRBjEIzbtfxdU2O6B0gP4H5rUbK-UTYfXXglji9ix6s
- Save the file.
Note: In this example, the API key file was named and placed at /home/testuser1/apikey_testuser1, and ownership was then assigned to the non-root user:
# chown testuser1:testuser1 /home/testuser1/apikey_testuser1
2. Log in as the non-root user, then:
a. Execute this to avoid potential permissions issues:
- $ export NBD_USE_MACHINE_CERT=1
b. Identify the non-root user to the system by executing:
- $ /usr/openv/netbackup/bin/bpnbat -login -loginType WEB
c. Execute netbackup_deployment_insights using nbcmdrun:
- $ /usr/openv/netbackup/bin/nbcmdrun netbackup_deployment_insights --verbose --gather --report --capacity --hoursago 2160 --output /var/tmp/reports --apikey-file /home/testuser1/apikey_testuser1
Note: If the NetBackup Primary server is configured to use a SERVICE_USER user account of 'root', then the aforementioned command will fail with the error:
The service user is not configured on the host. The Primary server must use a non-root user account for SERVICE_USER.
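A pre-flight check the non-root user can run before step 2c, added here as an example (it is not Veritas code, and the function names are hypothetical). It verifies that the output directory and API key file from the steps above are owned by the invoking user, that the key file carries no group or other permission bits, and that NBD_USE_MACHINE_CERT=1 is exported. The host:key format check is assumed from the example line in step 1e, and the mode check goes beyond the article, which sets ownership only.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NetBackup tooling): pre-flight
# checks for the non-root user before running netbackup_deployment_insights.

fail() { echo "FAIL: $*" >&2; }

# True when $1 has no group/other permission bits (for example mode 0600).
private_mode() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# API key file: regular file, owned by the caller, private, one host:key line.
check_apikey_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then fail "$f is not a regular file"; return 1; fi
    [ -O "$f" ] || { fail "$f is not owned by $(id -un)"; return 1; }
    private_mode "$f" || { fail "$f is group/world accessible; chmod 600 it"; return 1; }
    # Format assumed from the page's example line: <primary server name>:<key>
    [ "$(grep -c . "$f")" -eq 1 ] && grep -Eq '^[^:[:space:]]+:[^[:space:]]+$' "$f" ||
        { fail "$f must hold exactly one host:key line"; return 1; }
}

# Output directory: real directory, owned and writable by the caller, and not
# writable by "other" (ninth character of the ls mode string).
check_output_dir() {
    d=$1
    if [ -L "$d" ] || [ ! -d "$d" ]; then fail "$d is not a directory"; return 1; fi
    [ -O "$d" ] && [ -w "$d" ] || { fail "$d is not owned/writable by $(id -un)"; return 1; }
    case "$(ls -ld "$d")" in
        ????????w*) fail "$d is world-writable"; return 1 ;;
    esac
}

# Usage: preflight <output dir> <api key file>
preflight() {
    # env lists exported variables only, so a plain assignment is caught too.
    env | grep -qx 'NBD_USE_MACHINE_CERT=1' ||
        { fail "NBD_USE_MACHINE_CERT=1 is not exported"; return 1; }
    check_output_dir "$1" && check_apikey_file "$2"
}

# e.g. sh preflight.sh /var/tmp/reports /home/testuser1/apikey_testuser1
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A key pasted with Windows line endings fails the format check, because the trailing carriage return counts as whitespace.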