Configure non-root sudo user for Performance Management MySql backups

ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Configure non-root sudo user for Performance Management MySql backups

book

Article ID: 187370

calendar_today

Updated On:

Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Our company policy requires me to use a non-root user to run the Performance Center backups.

The non-root user will need to stop and start the Performance Center services.

How do I set sudo for the non-root user? What command will the non-root user need to run?

The non-root user should only have the ability to stop the CA Performance center services.

Environment

Release : 3.7

Component : IM Reporting / Admin / Configuration

Resolution

These steps will help set up a new user, different from the install owner, that is a non-root user capable of creating Performance Center MySql DB backups.

The user is only capable of stopping the Performance Center services, running a MySql backup, and starting the Performance Center services. The commands called out in the sudoers file entry below are the minimum requirements to achieve the goal.

Create a new user on the Performance Center server. Set the users password.
Edit the /etc/sudoers file.
1. First we add the following Cmnd_Alias. Change the alias name sample PCMYSQLBACKUPS to another valid as needed.
  1. For RH 6.x releases:
    - Cmnd_Alias PCMYSQLBACKUPS = /etc/init.d/caperfcenter_console,/etc/init.d/caperfcenter_devicemanager,/etc/init.d/caperfcenter_eventmanager,/etc/init.d/caperfcenter_sso,/etc/init.d/mysql,/sbin/service,/opt/CA/MySql/bin/mysql,/opt/CA/MySql/bin/mysqldump
  2. For RH 7.x release:
    - Cmnd_Alias PMMYSQLBACKUPS = /etc/init.d/mysql,/opt/CA/PerformanceCenter/PC/bin/caperfcenter_console,/opt/CA/PerformanceCenter/DM/bin/caperfcenter_devicemanager,/opt/CA/PerformanceCenter/EM/bin/caperfcenter_eventmanager,/opt/CA/PerformanceCenter/sso/bin/caperfcenter_sso,/usr/bin/systemctl,/opt/CA/MySql/bin/mysql,/opt/CA/MySql/bin/mysqldump
2. Next we add the following user entry to state which commands the user can run with sudo permissions.
  1. backupUser ALL = PMMYSQLBACKUPS
    1. Change sample user name 'backupUser' to user name created for this task.
    2. Ensure the users Cmnd_Alias matches the one set above.
3. Save the changes to the /etc/sudoers file

We should not be able to log in as the sudo user and run the standard MySql backup commands per documentation, appending sudo to the start of each run.

An example netqosportal command would be:

bash-4.2$ sudo /opt/CA/MySql/bin/mysqldump --routines -u root -p netqosportal > /export/backupUser/mysqlbackups/netqosportal.sql

Enter password:

After entering the password for the backupUser it should successfully run the backup.

Additional Information

MySql Backup instruction documentation:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/performance-management/3-7/administrating/performance-center-administration/back-up-performance-center.html

Feedback

thumb_up Yes

thumb_down No