解决了

如何通过SSH授予棱镜管理员访问CVMS?

  • 2020年6月12日
  • 7回复
  • 3453观点
N.
徽章

目前我们正在研究一个项目,该项目需要将Admins的SSH陷入CVM以执行一些命令。

我们运行的问题是只有Nutanix \ Admin默认帐户实际上只能被SSH进入CVM。其他非默认管理员帐户(群集管理员)可以在棱镜中执行所有内容,但在尝试SSH时被拒绝访问。

非默认管理员需要额外的权限\配置才能SSH到cvm ?

图标

最好的答案科塔克奈尔2020年6月16日14:47

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>

\u00a0<\/p>

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>

\u00a0<\/p>

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>

\u00a0<\/p>

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>

\u00a0<\/p>","className":"post__content__best_answer"}">

查看原版
Currently we are working on a project that requires couple of Admins to SSH into a CVM to execute some commands.\u00a0

The problem we are running into is that only the Nutanix\\Admin default account can actually SSH\u00a0 into CVMs. Other non-default admin accounts (Cluster Admin) can do everything in Prism but are denied access when they try to SSH.

Do The non-default admins need additional permissions\\configurations to be able to SSH into CVMs ?<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

7回复

科塔克奈尔
秩
UserLevel 3.
徽章 +4

此时,SSH访问CVM仅限于用户“Nutanix”和“管理员”,因为Nutanix不建议任何其他用户出于安全原因访问CVM。

即使是“管理员”用户也未启用以通过SSH执行任何群集操作。这是如何设计的。

集群Admin用户可以完全访问Prism,但不能访问CVM

我可以知道为什么你需要其他管理员访问CVM?你最终目标是什么?

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>

\u00a0<\/p>

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>

\u00a0<\/p>

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>

\u00a0<\/p>

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>

\u00a0<\/p>","quoteUsername":"Neel Kotak","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

N.
徽章

谢谢Neel,这就是我的研究到目前为止所产生的。

我们正在将VHDXS(Gen2 VMS)从我们的旧Hyperv集群迁移到我们的新的Nutanix群集,作为我们将UEFI标志设置为True的过程中的一部分,通过SSH进入CVM。

由于多个人正在研究迁移,我们认为如果其他管理员可以通过VHDX迁移过程并创建“新”VM,而不是将任务排队为一个人的vhdx去做。

Thank you Neel, that is what my research have yielded so far as well.\u00a0<\/p>

We are in the process of migrating VHDXs (Gen2 VMs) from our old HyperV cluster to our new Nutanix cluster and as a part of the process we are setting the UEFI flag to true by SSH into a CVM.<\/p>

Since more than\u00a0one person is working on the migration, we thought it might be more efficient if other admins can set the UEFI Flag as they go through the VHDX migration process and creating the \u201cnew\u201d VMs, instead of queuing the task for one person to do.<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

科塔克奈尔
秩
UserLevel 3.
徽章 +4

您是否使用Nutanix Move将VM从旧的Hyper V迁移到uptaxnix AHV集群?如果是,移动版本是什么?

我可以知道Gen2VM上安装的Windows版本吗?主机上的Windows版本?

“Nutanix”用户可以在CVM同时拥有多个会话,因此它不可能与其他人共享“Nutanix”用户的凭据?

Are you using Nutanix Move to migrate the VMs from old Hyper V to Nutaxnix AHV cluster? If yes, what is the Move version?<\/p>

\u00a0<\/p>

May I know the Windows version installed on the Gen2VM? and Windows Version on the host?<\/p>

\u00a0<\/p>

\u201cnutanix\u201d user can have multiple sessions at the same time for the CVM so is it not possible to share the credentials of the \u201cnutanix\u201d user with other people?<\/p>","quoteUsername":"Neel Kotak","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

N.
徽章

尼尔,

我们不使用Nutanix Move,我们目前准备,VHDX迁移,VM创建和手动后迁移步骤。使用移动声音就像一个好主意,现在它支持Hyper-v。

需要UEFI标志的VM大多数是Server 2016,HV集群也是2016年。

它可以共享凭据,但我宁愿不用于安全和问责制。

Neel,<\/p>

We are not using Nutanix Move, we currently Prep, VHDX migration, VM Creation, and post migration steps manually. Using Move\u00a0sounds like a good Idea now that it support Hyper-V.<\/p>

The VMs that require UEFI flag are mostly Server 2016, the HV cluster is 2016 as well.<\/p>

It\u2019s possible to share credentials but I\u2019d rather not for security and accountability.\u00a0<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

科塔克奈尔
秩
UserLevel 3.
徽章 +4

我鼓励使用Nutanix举措将VM从Hyper V迁移到Nutanix AHV。以下是Nutanix Move 3.5的指南

https://portal.nutanix.com/page/documents/details/?targetid=nutanix-move-v35%3Anutanix-move-v35.

如果你面对任何进一步的问题,请随时免费接触我们......

N.
徽章

谢谢Neel。

Thank you Neel.<\/p>","quoteUsername":"NUser3565","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
一个

此时,SSH访问CVM仅限于用户“Nutanix”和“管理员”,因为Nutanix不建议任何其他用户出于安全原因访问CVM。

即使是“管理员”用户也未启用以通过SSH执行任何群集操作。这是如何设计的。

集群Admin用户可以完全访问Prism,但不能访问CVM

我可以知道为什么你需要其他管理员访问CVM?你最终目标是什么?

为什么 ?也许是因为某些组织不想为特定用法传播管理员帐户,例如,当地IT Guys需要为某些随机维护原因供电。

在这样的场景中,为什么我必须给那些人我通常的管理员密码或将该密码更改为别的东西?

当你想到10秒钟时,这完全疯狂了。

你问“为什么”?

?!?!

我可以问你这个:

为什么Nutanix为我决定我们的“安全”是什么?

相反,为什么不让那些买了你的软件(花了很多钱)的人简单地按照他们决定的方式去做呢?

这是真正的“为什么”在这里被问到。

我会完成这个:你问的简单事实“为什么?”展示了严重缺乏常识,现场经验和对其实际工作方式的一般知识。

\t
\t
\t
\t

At this point in time SSH access to the CVM is limited to the user \u201cnutanix\u201d and \u201cadmin\u201d as Nutanix doesn\u2019t recommend any other user to have access to the CVMs for security reasons.<\/p>\t

\u00a0<\/p>\t

Even the \u201cadmin\u201d user\u00a0is not enabled to perform any cluster operation via ssh. This how by design is.<\/p>\t

\u00a0<\/p>\t

Cluster Admin user can have the full access of the Prism but not to the CVM<\/p>\t

\u00a0<\/p>\t

May I know why you need other admin user\u00a0 to access the CVM? What is your end goal?<\/p>\t

\u00a0<\/p>\t<\/div>\t<\/div>\t<\/div>\t<\/div><\/content-quote>

\u00a0<\/p>

Why ? maybe because some organizations don\u2019t want to spread out the admin account for specific usages like, for example, local IT guys needing to power down a cluster for some random maintenance reason.<\/p>

In such a scenario, why do I have to give those guys my usual admin password or change that password to something\u00a0 else ?<\/p>

That\u2019s totally crazy when you think about it for 10 seconds.<\/p>

And you ask \u201cwhy\u201d ?<\/p>

?!?!<\/p>

May I ask you this :<\/p>

WHY is Nutanix deciding for me whats best for our \u201csecurity\u201d ?<\/p>

Instead, why don\u2019t simply leave people who bought your software (for heavy money) simply do stuff like that the way THEY have decided to do it.<\/p>

That\u2019s the real \u201cwhy\u201d to be asked here.<\/p>

And I\u2019ll finish on this : the simple fact you are asking \u201cwhy?\u201d demonstrates a serious lack of common sense, field experience and general knowledge on how IT actually works.<\/p>","quoteUsername":"AndreasS","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

回复


Baidu