Milestone 6.1 ‐ Storage and Roles - jacobwilliams100/sys-350 GitHub Wiki
Part 1: Storage with NFS
Creating a new datastore
Select NFS
Select NFS version 4.1
NFS name: Super#-NFS-Shared (# is your super number, e.g. 19)
NFS Folder: /var/nfs/share
NFS Server: 192.168.3.190
Leave Kerberos disabled (the host will mount with AUTH_SYS only)
Select this host
and Create!
Deliverable 1. Provide a screenshot that shows the NFS properties of your NFS share.
Make a sample file superX.txt
and upload it to the NFS share. (Note: the upload may fail and redirect you to accept a certificate in the browser. If so, accept it and retry the upload.)
Deliverable 2. Provide a screenshot that shows the uploaded file in your NFS share.
Task 2: Another NFS Datastore for VMs
Create a new datastore...
Type NFS, version NFS 4.1,
with the settings shown (name SuperX-NFS-VMs, same NFS server 192.168.3.190)
no Kerberos
and mount it on super19 only
Deliverable 3 Take a screenshot showing the second NFS Datastore
Launch a new VM from the Rocky8 template
Pick SuperX-NFS-VMs as the datastore and MAKE SURE TO SELECT THIN PROVISION for the disk
Deliverable 3.5: Take a screenshot of your new VM
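The same Part 1 procedure driven from PowerCLI instead of the vSphere Client. This is an added example, not code from the lab page: the vCenter name, host FQDN, datacenter name, template name, VM name and the export path of the second share are assumptions (the page shows the second share's settings only as a screenshot), and the `-FileSystemVersion`/`-Kerberos` parameters of `New-Datastore` should be confirmed against `Get-Help New-Datastore -Full` for your PowerCLI version.

```powershell
# Added example (not from the lab page). Assumed names are marked; the NFS
# server address and share path come from the lab text.
Connect-VIServer -Server 'vcenter.lab.local'            # assumed vCenter FQDN

$vmhost    = Get-VMHost -Name 'super19.lab.local'       # assumed ESXi host FQDN
$nfsServer = '192.168.3.190'                             # from the lab

# Task 1: NFS 4.1 datastore, no Kerberos (AUTH_SYS). Add -Kerberos only once
# the host has an AD/Kerberos identity configured and the export uses sec=krb5*.
$shared = New-Datastore -Nfs -VMHost $vmhost -Name 'Super19-NFS-Shared' `
    -NfsHost $nfsServer -Path '/var/nfs/share' -FileSystemVersion '4.1'

# Deliverable 1: the NFS properties of the share
$shared | Select-Object Name, Type, FileSystemVersion, RemoteHost, RemotePath

# Deliverable 2: upload a sample file through the vmstore: PSDrive that
# Connect-VIServer creates (path is \<datacenter>\<datastore>\)
'hello from super19' | Set-Content -Path "$env:TEMP\super19.txt"
Copy-DatastoreItem -Item "$env:TEMP\super19.txt" `
    -Destination 'vmstore:\Datacenter\Super19-NFS-Shared\'   # 'Datacenter' is assumed

# Task 2: second NFS 4.1 datastore for VMs; '/var/nfs/vms' is an assumed export path
$vms = New-Datastore -Nfs -VMHost $vmhost -Name 'Super19-NFS-VMs' `
    -NfsHost $nfsServer -Path '/var/nfs/vms' -FileSystemVersion '4.1'

# Deploy from the Rocky8 template onto the VM datastore, thin provisioned
$template = Get-Template -Name 'Rocky8-Template'          # assumed template name
New-VM -Name 'super19-nfs-vm' -Template $template -VMHost $vmhost `
    -Datastore $vms -DiskStorageFormat Thin

# Deliverable 3.5 check: every disk on the new VM should report StorageFormat = Thin
Get-VM -Name 'super19-nfs-vm' | Get-HardDisk |
    Select-Object Name, StorageFormat, CapacityGB, Filename
```

Two points the GUI does not make obvious: the `Type`/`FileSystemVersion` columns are how you prove the share was mounted as NFS 4.1 rather than falling back to v3, and a share mounted as 4.1 on one host must not be mounted as v3 on another, because the two versions use different locking and will corrupt each other's VM files.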
Part 2: Roles
On the second inventory tab (VMs and Templates), add a folder "rbac"
and create four subfolders under it: "alice", "bob", "charlie" and "shared-vms"
Create AD users for alice, bob and charlie in Active Directory Users and Computers on DC1
Make sure to uncheck "User must change password at next logon"
Create two groups:
- sys350-power-user (includes alice)
- sys350-restricted-user (contains bob and charlie)
Back in vSphere, right-click the alice folder, choose Add Permission, and add the permissions shown
Then move the VM from earlier into the alice folder
log back in as [email protected]
Notice that we can only see and act on the resources in the alice folder we created earlier; everything else in the inventory is hidden.
Deliverable 4: Login as alice and demonstrate you are limited to the VM placed in the alice folder. Provide a screenshot
Now, back in vSphere as the domain admin, create a new VM in the shared-vms folder and add new permissions on that folder for the restricted-user group
Bob and Charlie should be limited to a handful of console operations. For instance, Bob should not be able to take a snapshot. Relog as Bob and try it.
Deliverable 5. Provide a screenshot demonstrating that Bob's Take snapshot option is grayed out.
Ok, we've decided that the "Virtual Machine console user" role has far too much power. Figure out how to clone the role, name it something like "Virtual Machine console no power user". Edit this cloned role such that those assigned that role will not be able to perform power operations. Change the permissions for shared-vms so that the restricted user group gets your new limited role.
From Administration > Access Control > Roles, select the role and clone it
Now edit the clone
Under Virtual machine > Interaction, uncheck Power off, Power on, Reset and Suspend
Back in the inventory, edit the permission on shared-vms so the restricted-user group uses this new role
Now relog as charlie and confirm you cannot power off the VM you have access to
Deliverable 6: Provide a screenshot of Charlie's VM with the Power On and Power Off actions disabled.
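The whole of Part 2 as a script, added here as an example and not taken from the lab page. Assumptions: the AD domain is `lab.local` with NetBIOS name `LAB` (the page redacts the domain), the AD half runs on DC1 with the ActiveDirectory module, the vSphere half runs in a PowerCLI session already connected to vCenter with a datacenter named `Datacenter`, the VM from Part 1 is called `super19-nfs-vm`, and alice's role (shown on the page only as a screenshot) is taken to be the sample role "Virtual Machine power user (sample)". Confirm the exact built-in role names on your vCenter with `Get-VIRole`.

```powershell
# Added example (not from the lab page); assumed names are marked in comments.

# --- On DC1: users and groups (ActiveDirectory module) ---
$pw = Read-Host -AsSecureString 'Initial password for alice/bob/charlie'
foreach ($name in 'alice', 'bob', 'charlie') {
    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@lab.local" `
        -AccountPassword $pw -Enabled $true `
        -ChangePasswordAtLogon $false          # the "uncheck change password" step
}
New-ADGroup -Name 'sys350-power-user'      -GroupScope Global
New-ADGroup -Name 'sys350-restricted-user' -GroupScope Global
Add-ADGroupMember -Identity 'sys350-power-user'      -Members 'alice'
Add-ADGroupMember -Identity 'sys350-restricted-user' -Members 'bob', 'charlie'

# --- In PowerCLI: the rbac folder tree under the datacenter's VM folder ---
$vmRoot  = Get-Folder -Name 'vm' -Type VM -Location (Get-Datacenter -Name 'Datacenter')  # assumed DC name
$rbac    = New-Folder -Name 'rbac' -Location $vmRoot
$folders = @{}
foreach ($f in 'alice', 'bob', 'charlie', 'shared-vms') {
    $folders[$f] = New-Folder -Name $f -Location $rbac
}

# Move the Part 1 VM into alice's folder and grant her group a role there.
# Granting on the folder (not the VM) means anything added to the folder later
# inherits the same permission via Propagate.
Move-VM -VM 'super19-nfs-vm' -Destination $folders['alice']        # assumed VM name
New-VIPermission -Entity $folders['alice'] -Principal 'LAB\sys350-power-user' `
    -Role (Get-VIRole -Name 'Virtual Machine power user (sample)') -Propagate:$true

# Restricted users start with the console-user role on shared-vms
$console = Get-VIRole -Name 'Virtual Machine console user'
New-VIPermission -Entity $folders['shared-vms'] -Principal 'LAB\sys350-restricted-user' `
    -Role $console -Propagate:$true

# Deliverable 5 check: the console role carries no snapshot privilege
Get-VIPrivilege -Role $console | Where-Object Id -like 'VirtualMachine.State.*'   # expect nothing

# Clone the console role and strip the four power operations
$limited = New-VIRole -Name 'Virtual Machine console no power user' `
    -Privilege (Get-VIPrivilege -Role $console)
$powerPrivs = Get-VIPrivilege -Id @(
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.Suspend'
)
Set-VIRole -Role $limited -RemovePrivilege $powerPrivs

# Re-point the existing shared-vms permission at the new role
Get-VIPermission -Entity $folders['shared-vms'] -Principal 'LAB\sys350-restricted-user' |
    Set-VIPermission -Role $limited

# Deliverable 6 check: no power privileges left, and shared-vms now references the new role
Get-VIPrivilege -Role $limited | Where-Object Id -like 'VirtualMachine.Interact.Power*'   # expect nothing
Get-VIPermission -Entity $folders['shared-vms'] | Select-Object Principal, Role, Propagate
```

Cloning with `Get-VIPrivilege -Role` and then `Set-VIRole -RemovePrivilege` is the scripted form of "clone, then uncheck": the privilege IDs under `VirtualMachine.Interact.*` are exactly the boxes under Virtual machine > Interaction in the role editor, so the two `Where-Object` lines give you an auditable statement of what the role can and cannot do rather than a screenshot of greyed-out menu items.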
Deliverable 8: Reflection
This lab was relatively simple and straightforward. The biggest difficulties came from navigating vSphere to set things up correctly, but this just took some browsing and exploring the different sections of the UI. Also, it took me a while to get started because I was dealing with an unrelated storage issue that was making my management VM VERY slow. I had worked with NFS a bit before in SYS-265, but it was interesting to see how virtual environments could interface with them.
NFS exports have no meaningful authentication by default: the administrator restricts access by listing the permitted client IP addresses, subnets or hostnames in the export definition (on Linux, /etc/exports), and with the default sec=sys the server simply trusts whatever UID and GID the client asserts. Hostname-based rules can be circumvented if an attacker controls the DNS the NFS server resolves against, because a legitimate hostname can then be pointed at an unauthorized IP; address- or subnet-based rules avoid that dependency, and Kerberos (sec=krb5, krb5i or krb5p, which is what the "Kerberos" option in the vSphere NFS 4.1 dialog turns on) is the real fix because it authenticates the user rather than the source address. NFSv3 is weaker still: locking is handled by the separate NLM side protocol and is only advisory, so a client that ignores it can still modify or delete a "locked" file, and NFSv3 traffic is sent in clear text, so sensitive data could be intercepted and read without any decryption. NFSv4.1 integrates locking into the protocol itself and, with Kerberos, can add integrity (krb5i) or encryption (krb5p); without Kerberos its traffic is just as readable on the wire as v3.
https://community.netapp.com/t5/Tech-ONTAP-Blogs/NFSv3-and-NFSv4-What-s-the-difference/ba-p/441316
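A small check for the server-side weaknesses described above, written as an added example and not part of the lab write-up: it parses /etc/exports-style entries and flags world-open clients, hostname (DNS-dependent) clients, no_root_squash, and the default sec=sys. The export file content is constructed for illustration; only the share path /var/nfs/share comes from the lab, and the other paths and the hostname are assumptions.

```powershell
# Added example (not from the lab page). The exports content below is a
# constructed sample; the last line is what a hardened entry looks like.
$SampleExports = @'
# constructed sample, not the lab's real /etc/exports
/var/nfs/share   *(rw,sync,no_root_squash)
/var/nfs/vms     esxi01.lab.local(rw,sync,no_subtree_check)
/var/nfs/backup  192.168.3.0/24(rw,sync,root_squash,sec=krb5p)
'@

function Test-NfsExportLine {
    # Parses one exports line: <path> <client>(<options>) [<client>(<options>) ...]
    # and returns the path with a list of findings (empty list = nothing flagged).
    param([string]$Line)
    $trimmed = $Line.Trim()
    if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { return }
    $parts = $trimmed -split '\s+', 2
    if ($parts.Count -lt 2) { return }
    $path     = $parts[0]
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($m in [regex]::Matches($parts[1], '(\S+?)\((.*?)\)')) {
        $client = $m.Groups[1].Value
        $opts   = $m.Groups[2].Value -split ','

        if ($client -eq '*') {
            $findings.Add("client '*': any host that can reach the server may mount this export")
        } elseif ($client -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') {
            # Not an IPv4 address or CIDR, so the server must resolve it via DNS
            $findings.Add("client '$client' is a hostname: access depends on DNS the server trusts")
        }
        if ($opts -contains 'no_root_squash') {
            $findings.Add('no_root_squash: remote root is root on the export')
        }
        # sec= defaults to sys when absent: client-asserted UID/GID, no integrity or privacy
        $sec = ($opts | Where-Object { $_ -like 'sec=*' }) -replace '^sec=', ''
        if (-not $sec -or $sec -eq 'sys') {
            $findings.Add('sec=sys (default): server trusts client-supplied UID/GID; traffic unprotected')
        }
    }
    [pscustomobject]@{ Path = $path; Findings = $findings.ToArray() }
}

# Run it over the sample: /var/nfs/share gets three findings, /var/nfs/vms two,
# and /var/nfs/backup (IP range, root_squash, krb5p) none.
$SampleExports -split '\r?\n' | ForEach-Object { Test-NfsExportLine -Line $_ } | Format-List
```

The hardened last line is the server-side counterpart of the lab's "No Kerberos" checkbox: an ESXi host can only mount a sec=krb5p export if Kerberos is enabled on the datastore and the host has been joined to the domain, so the two settings have to be changed together.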