It's good to know that other customers feel the same about this. Not to over-spin the issue, but Alan brought up a good point - "ApplianceThink".
That is, we don't need a complicated user management system with password aging and dictionary lookups. In fact, I don't expect to create more than a handful (less than 10) administrative accounts on filers.
Even though these boxes are "appliances", they serve mission and business critical roles in mostly enterprise computing environments. These roles and type of environments necessitate different groups of people with different levels of basic access. Backup operators need to dump and restore, monitoring robots need read-only access to allocation and usage information, 1st and 2nd tier support need to create/delete/modify quotas, qtrees, exports, and shares, and 3rd tier engineering support needs full access.
All too often I hear appliance vendors say "we can't implement that small subset of functionality because it implies complexity which invalidates our appliance concept." It is ApplianceThink and is a bit narrow-minded. It would be great for NetApp to stand up and say "We're not afraid of throwing some small manageability features in - our product is still easier than our competitors".
Besides, I can't imagine any feature that could be added to ONTAP that would make it harder to use than, oh, say an Auspex? =)
-- Jeff
--
----------------------------------------------------------------------------
Jeff Krueger, NetApp CA                 E-Mail: jeff@qualcomm.com
Senior Engineer                         Phone:  858-651-6709
NetApp Filers / UNIX Infrastructure     Fax:    858-651-6627
QUALCOMM, Inc. IT Engineering           Web:    www.qualcomm.com

On Thu, Nov 30, 2000 at 10:37:42AM -0700, Alan Fleming wrote:
> Jeffrey Krueger wrote:
> > You can use "useradmin" to create multiple administrative accounts, but unfortunately they are all root equivalents. It would be really handy if parts of the OS were ACL'd off so that each administrative account could have custom defined access to the OS. This would allow some users to be able to create CIFS shares and modify quotas, but not bounce the machine. *HINT* to dl-toasters@netapp.com *HINT* =)
>
> Just wanted to say "hear hear" on that last comment. I understand that part of the "appliance" model is to get away from things like user accounts but having all users be root isn't an (in my opinion) usable setup.
>
> I'm using netsaint to monitor our network and would love to rsh off commands like quota so that I can have netsaint monitor quota levels. Unfortunately, to do this means creating a second root level account (the user we use for netsaint) and setting it up for password-less rsh. If the netsaint user is ever compromised, our filers are now at risk. Blech!
>
> --
> Think Peace.
> - Alan (alanf@mancala.com) http://www.dorje.com/~alanf/
> KotBBBB (1988 GSXR1100J) RaceBike (FT500) DOD# 4210 PGP key available