PowerVM NovaLink Access Control Framework

PowerVM® NovaLink Access Control Framework provides non-root users with access (read, write, and execute) to privileged files or commands for various types of tasks, such as viewing the configuration of the PowerVM NovaLink logical partition. It uses the sudo and ACL facilities of the operating system instance. The sudo facility is generally used to grant permission to run privileged commands with specific arguments.

You can set up the access control framework by completing the following steps:
  1. Install the framework. The following files are installed when the pvm-core package of PowerVM NovaLink 1.0.0.4 is installed in the PowerVM NovaLink logical partition:
    • /etc/security/pvm_access.conf: This file contains the default access rules for the group pvm_viewer. The rules allow the members of the pvm_viewer group to view configuration information of various resources such as hardware, firmware, logical partitions, CPU, memory, networks, Open vSwitch, and storage of the system managed by using PowerVM NovaLink. The group pvm_viewer is also created when this configuration file is installed.
    • /usr/bin/pvm_access: This command is used to apply or enable the access rules defined in the /etc/security/pvm_access.conf file. It also provides options to check, get, and disable the rules defined in the /etc/security/pvm_access.conf file.
  2. Enabling the framework and adding authorized users. This configuration is performed by the PowerVM NovaLink administrator user.
    1. Enter the sudo pvm_access -h command to list the optional flags of the pvm_access command. Syntax: pvm_access [ -c | -s | -g | -d | -h | --help ]

      Where

      • -c is used to verify the correctness of the access rules
      • -s is used to set the access rules
      • -g is used to get your access rules
      • -d is used to disable the access rules
      • -h | --help is used to print this help
    2. Enter sudo cat /etc/security/pvm_access.conf to view the access rules. You can also add or modify rules if required. The pvm_access.conf file contains sufficient information for understanding or updating the rules in this file.
    3. Enter sudo pvm_access -c to verify whether the rules defined in the pvm_access.conf file are correct. The command returns an error if any rule is incorrect. The command also verifies the requirements for using this framework.
    4. Enter sudo pvm_access -s to set, apply, or enable the access rules defined in the pvm_access.conf file. Running the command generates the following files:
      • /etc/sudoers.d/pvm_access_sudoer
      • /etc/profile.d/pvm_access_profile.sh
      • /etc/profile.d/pvm_access_aliases
      • /etc/profile.d/pvm_access_aliases_unset

      Running the command also logs the list of rules applied, together with some other information in the /var/log/pvm/pvm_access.log file.

    5. To create a user called pviewer, belonging to the group pvm_viewer, enter the following commands:
      sudo adduser pviewer
      sudo usermod -aG pvm_viewer pviewer
  3. Using the framework as a user. The following example uses a user called pviewer, who is granted privileges by this framework.
    1. Enter pvm_access -g to list the files you are allowed to read or write, and the commands (with arguments) that you are allowed to execute. You can also redirect the output and search for commands or files that you want to view. For example pvm_access -g | grep pvmctl
    2. The following commands are enabled for users who belong to the group pvm_viewer, for example pviewer.
      pvmctl lpar list
      pvmctl --help
      lshw
      lsmcode
      Note: If your shell type is not bash, you need to switch to the bash shell and then source the /etc/profile.d/pvm_access_aliases file by typing the following commands:
      bash
      . /etc/profile.d/pvm_access_aliases
      To avoid switching to the bash shell and sourcing the /etc/profile.d/pvm_access_aliases file, you can modify the login shell of the user by using the sudo usermod -s /bin/bash <userName> command. To unset the aliases that are created by /etc/profile.d/pvm_access_aliases, you can source the /etc/profile.d/pvm_access_aliases_unset file.
  4. Disabling the access rules. This task is performed by the PowerVM NovaLink administrator user. Enter sudo pvm_access -d to disable the rules. It removes all the files generated when the rules were enabled. It also unsets the ACLs modified by the script.
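The framework relies on the generated sudoers drop-in granting only specific commands with specific arguments. The following audit script is an added example, not part of the PowerVM NovaLink documentation or the pvm-core package: it reads a sudoers drop-in such as /etc/sudoers.d/pvm_access_sudoer and reports every rule for the pvm_viewer group that grants ALL commands or contains a wildcard. It assumes one rule per line in standard sudoers syntax; the sample rules and command paths in the demo are constructed for illustration, not copied from a real pvm_access_sudoer file.

```shell
#!/bin/bash
# Added example; not part of the PowerVM NovaLink documentation or the pvm-core package.
# Audits a sudoers drop-in (e.g. /etc/sudoers.d/pvm_access_sudoer after "sudo pvm_access -s")
# and reports rules for the given group that are broader than "a specific command with
# specific arguments". Assumption: one rule per line, standard sudoers syntax.

# Usage: audit_sudoers_rules <sudoers-file> [group]     (group defaults to pvm_viewer)
# Prints one line per command; returns 0 if no risky rule was found, 1 otherwise.
audit_sudoers_rules() {
    file="$1"
    group="${2:-pvm_viewer}"
    risky=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Only user specifications of the form "%group ..."; comments, blank lines,
        # Defaults and alias definitions are skipped.
        case "$line" in
            "%$group "*) ;;
            *) continue ;;
        esac
        # Command list: text after the first '=', minus an optional "(runas)"
        # part and any tag such as "NOPASSWD:".
        spec="${line#*=}"
        spec="${spec#\(*\)}"
        spec="${spec##*[A-Z]:}"
        # Walk the comma-separated commands without letting the shell glob them.
        rest="$spec,"
        while [ -n "$rest" ]; do
            cmd="${rest%%,*}"
            rest="${rest#*,}"
            cmd="${cmd#"${cmd%%[![:space:]]*}"}"   # trim leading whitespace
            cmd="${cmd%"${cmd##*[![:space:]]}"}"   # trim trailing whitespace
            [ -z "$cmd" ] && continue
            case "$cmd" in
                ALL)  echo "RISKY  $cmd  (every command is permitted)"; risky=$((risky + 1)) ;;
                *\**) echo "RISKY  $cmd  (wildcard in command or arguments)"; risky=$((risky + 1)) ;;
                *)    echo "ok     $cmd" ;;
            esac
        done
    done < "$file"
    [ "$risky" -eq 0 ]
}

# Demo on a constructed sample (rules and paths invented for illustration).
sample="$(mktemp)"
printf '%s\n' \
    '# constructed sample, not a real pvm_access_sudoer file' \
    '%pvm_viewer ALL=(root) NOPASSWD: /usr/bin/pvmctl lpar list, /usr/bin/pvmctl --help' \
    '%pvm_viewer ALL=(root) NOPASSWD: /usr/bin/pvmctl *' > "$sample"
audit_sudoers_rules "$sample" || echo "rules in $sample need review before they are trusted"
rm -f "$sample"
```

Run it against the real drop-in with `sudo ./audit.sh` style invocation after `pvm_access -s`; a non-zero exit status means at least one rule is broader than the framework intends.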



Last updated: Fri, December 06, 2019