解决了

如何通过SSH协议授予Prism管理员访问cvm的权限?

  • 2020年6月12
  • 7回复
  • 3448的浏览量
N
徽章

目前我们正在做一个项目,需要几个管理员SSH到CVM执行一些命令。

我们遇到的问题是,只有Nutanix\Admin默认帐户可以实际SSH到cvm。其他非默认的管理帐户(集群管理)可以在Prism中做任何事情,但当他们尝试SSH时被拒绝访问。

非默认管理员需要额外的权限\配置才能SSH到cvm ?

图标

最佳答案科塔克奈尔2020年6月16日14:47

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>

\u00a0<\/p>

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>

\u00a0<\/p>

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>

\u00a0<\/p>

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>

\u00a0<\/p>","className":"post__content__best_answer"}">

查看原始
Currently we are working on a project that requires couple of Admins to SSH into a CVM to execute some commands.\u00a0

The problem we are running into is that only the Nutanix\\Admin default account can actually SSH\u00a0 into CVMs. Other non-default admin accounts (Cluster Admin) can do everything in Prism but are denied access when they try to SSH.

Do The non-default admins need additional permissions\\configurations to be able to SSH into CVMs ?<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

7回复

科塔克奈尔
排名
Userlevel 3
徽章 +4

此时,SSH访问CVM仅限于用户“nutanix”和“admin”,因为出于安全原因,nutanix不建议其他用户访问CVM。

即使是“admin”用户也不能通过ssh执行任何集群操作。设计就是这样。

集群Admin用户可以完全访问Prism,但不能访问CVM

请问为什么需要其他admin用户访问CVM?你的最终目标是什么?

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>

\u00a0<\/p>

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>

\u00a0<\/p>

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>

\u00a0<\/p>

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>

\u00a0<\/p>","quoteUsername":"Neel Kotak","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

N
徽章

谢谢你,尼尔,这也是我目前为止的研究成果。

我们正在将VHDXs (Gen2 vm)从我们的旧HyperV集群迁移到我们的新Nutanix集群,作为这个过程的一部分,我们通过SSH将UEFI标志设置为true到一个CVM。

由于不止一个人在进行迁移工作,我们认为,如果其他管理员在经历VHDX迁移过程和创建“新”虚拟机时可以设置UEFI Flag,而不是让一个人来执行任务,可能会更有效率。

Thank you Neel, that is what my research have yielded so far as well.\u00a0<\/p>

We are in the process of migrating VHDXs (Gen2 VMs) from our old HyperV cluster to our new Nutanix cluster and as a part of the process we are setting the UEFI flag to true by SSH into a CVM.<\/p>

Since more than\u00a0one person is working on the migration, we thought it might be more efficient if other admins can set the UEFI Flag as they go through the VHDX migration process and creating the \u201cnew\u201d VMs, instead of queuing the task for one person to do.<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

科塔克奈尔
排名
Userlevel 3
徽章 +4

你使用Nutanix移动迁移虚拟机从旧Hyper V Nutaxnix AHV集群?如果是,Move版本是什么?

请问Gen2VM上安装的Windows版本是什么?主机上的Windows版本?

“nutanix”用户可以在同一时间为CVM有多个会话,所以不可能与其他人共享“nutanix”用户的凭据?

Are you using Nutanix Move to migrate the VMs from old Hyper V to Nutaxnix AHV cluster? If yes, what is the Move version?<\/p>

\u00a0<\/p>

May I know the Windows version installed on the Gen2VM? and Windows Version on the host?<\/p>

\u00a0<\/p>

\u201cnutanix\u201d user can have multiple sessions at the same time for the CVM so is it not possible to share the credentials of the \u201cnutanix\u201d user with other people?<\/p>","quoteUsername":"Neel Kotak","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

N
徽章

奈尔,

我们没有使用Nutanix Move,我们目前手动准备,VHDX迁移,虚拟机创建和后迁移步骤。使用Move听起来像一个好主意,现在它支持Hyper-V。

需要UEFI flag的虚拟机多为Server 2016, HV集群也是2016。

可以共享凭证,但出于安全和责任考虑,我宁愿不这样做。

Neel,<\/p>

We are not using Nutanix Move, we currently Prep, VHDX migration, VM Creation, and post migration steps manually. Using Move\u00a0sounds like a good Idea now that it support Hyper-V.<\/p>

The VMs that require UEFI flag are mostly Server 2016, the HV cluster is 2016 as well.<\/p>

It\u2019s possible to share credentials but I\u2019d rather not for security and accountability.\u00a0<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

科塔克奈尔
排名
Userlevel 3
徽章 +4

我鼓励使用Nutanix Move将虚拟机从Hyper V迁移到Nutanix AHV。下面是Nutanix Move 3.5的指南

https://portal.nutanix.com/page/documents/details/?targetId=Nutanix-Move-v35%3ANutanix-Move-v35

如果您面临任何与Nutanix Move的进一步问题,请随时联系我们……

N
徽章

谢谢你奈尔。

Thank you Neel.<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
一个

此时,SSH访问CVM仅限于用户“nutanix”和“admin”,因为出于安全原因,nutanix不建议其他用户访问CVM。

即使是“admin”用户也不能通过ssh执行任何集群操作。设计就是这样。

集群Admin用户可以完全访问Prism,但不能访问CVM

请问为什么需要其他admin用户访问CVM?你的最终目标是什么?

为什么?可能是因为一些组织不希望将管理帐户分散到特定的用途上,例如,本地IT人员需要出于一些随机的维护原因关闭集群。

在这种情况下,为什么我要给他们我通常的管理密码或更改密码为其他东西?

当你想10秒钟的时候,你会觉得很疯狂。

你问为什么?

? ! ? !

我可以问你一个问题吗?

为什么让Nutanix替我决定什么对我们的“安全”是最好的?

相反,为什么不让那些买了你的软件(花了很多钱)的人简单地按照他们决定的方式去做呢?

这才是这里要问的真正的“为什么”。

我将以这个结束:你问的这个简单的事实“为什么?”“严重缺乏常识、现场经验和IT实际工作原理的常识。”

\t
\t
\t
\t

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>\t

\u00a0<\/p>\t

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>\t

\u00a0<\/p>\t

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>\t

\u00a0<\/p>\t

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>\t

\u00a0<\/p>\t<\/div>\t<\/div>\t<\/div>\t<\/div><\/content-quote>

\u00a0<\/p>

Why ? maybe because some organizations don\u2019t want to spread out the admin account for specific usages like, for example, local IT guys needing to power down a cluster for some random maintenance reason.<\/p>

In such a scenario, why do I have to give those guys my usual admin password or change that password to something\u00a0 else ?<\/p>

That\u2019s totally crazy when you think about it for 10 seconds.<\/p>

And you ask \u201cwhy\u201d ?<\/p>

?!?!<\/p>

May I ask you this :<\/p>

WHY is Nutanix deciding for me whats best for our \u201csecurity\u201d ?<\/p>

Instead, why don\u2019t simply leave people who bought your software (for heavy money) simply do stuff like that the way THEY have decided to do it.<\/p>

That\u2019s the real \u201cwhy\u201d to be asked here.<\/p>

And I\u2019ll finish on this : the simple fact you are asking \u201cwhy?\u201d demonstrates a serious lack of common sense, field experience and general knowledge on how IT actually works.<\/p>","quoteUsername":"AndreasS","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

回复


Baidu