Accessing Avi Linux CLI as a non-admin user using SSH client

Background

This article explains how a non-admin user account can be used to log in to the Avi Linux CLI and how a non-admin user can obtain privileges similar to those of an admin user.

An SSH session to the Avi Linux CLI is available only for the admin username. Even a user configured as a super-user cannot log in to the Avi Linux CLI directly. Users other than admin, including super-users (whether local or remote), can only log in using the cli@<Avi Controller IP> command. If a non-admin user, even one configured as a super-user, tries to SSH to the Avi Controller IP address, the system returns an Access denied error as shown below.


login as: testuser
Avi Cloud Controller
Avi Networks software, Copyright (C) 2013-2017 by Avi Networks, Inc.
All rights reserved.
Version: 17.1.8
Date: 2017-09-21 06:03:07 UTC
Build: 9020
Management: 10.10.1.1/23 UP
Gateway: 10.10.1.10 UP
Esx and Openstackgslb@10.10.1.1's password:
Access denied
testuser@10.10.30.55's password:

Instructions

Follow the steps below to SSH into the Avi CLI using a non-admin user account. In this example, the non-admin user is also configured as a super-user.

  • Open an SSH client and use the cli@<Avi Controller IP> command. Replace <Avi Controller IP> with the IP address of the Avi Controller to which access is required.

  • Provide the credentials when prompted for the username, as shown in the output below. In this example, a user account with the username testuser is used, which is also configured as a super-user on Avi Vantage.


Using username "cli".
Avi Cloud Controller
Avi Networks software, Copyright (C) 2013-2017 by Avi Networks, Inc.
All rights reserved.
Version: 17.1.8
Date: 2017-09-21 06:03:07 UTC
Build: 9020
Management: 10.10.1.1/23 UP
Gateway: 10.10.1.1 UP
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Last login: Fri Oct 27 10:32:02 2017 from 10.10.8.11
Launching a CLI shell in a container
No handlers could be found for logger "docker.auth.auth"
Login: testuser
Password:

  • After providing the password as shown in the above CLI snippet, the user gets access to the Avi shell.

[admin:avi-controller]: >

From the Avi shell prompt, the user can run all the show commands and shell commands.

Checking logs using a super-user account

Using the account from the previous steps, run the bash command to go to the bash prompt. Because this is a container with no persistent storage, none of the log files are visible when the ls command is used.


 [admin:avi-controller]: > bash
root@04de723c268a:/#
root@04de723c268a:/# cd /opt
root@04de723c268a:/opt# ls
root@04de723c268a:/opt# <- No directory in /opt as seen here

Using username avidebuguser

Starting with the Avi Vantage 17.1 release, a non-admin user (who is also a super-user) can be associated with the Avi Controller by using the attach <Avi Controller IP> command. This gives the user access to the Avi Controller container as avidebuguser. The avidebuguser account is also a sudo user. The attach option is available only if the user (local or remote) is configured as a super-user.


[admin:avi-controller]: > attach controller 10.10.1.10
No handlers could be found for logger "root"
Warning: Permanently added '10.10.1.10' (ECDSA) to the list of known hosts.
Avi Cloud Controller
Avi Networks software, Copyright (C) 2013-2017 by Avi Networks, Inc.
All rights reserved.
Version: 17.1.8
Date: 2017-09-21 06:03:07 UTC
Build: 9020
Management: 10.10.1.10/23 UP
Gateway: 10.10.1.1 UP
Esx and OpenstackWelcome, this is your controller!!!
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Last login: Fri Oct 27 10:32:36 2017 from 172.17.0.2
avidebuguser@avi-controller:~$

  • Use the ls command to check the log files as shown below.

avidebuguser@avi-controller-2:/opt$ ls
*avi  zookeeper-3.4.6*

avidebuguser@avi-controller-2:/opt/avi/log$ pwd
/opt/avi/log
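
Because attach hands any super-user a sudo-capable avidebuguser session, the three entry paths in this article (admin or cli over SSH, avidebuguser via attach, and denied direct logins) are worth telling apart in the Controller's SSH authentication log. The following is an added example, not Avi's own code; it assumes the host's sshd writes stock OpenSSH log lines and that the CLI shell container sits on Docker's default bridge network (suggested by the "Last login ... from 172.17.0.2" line above), and the log lines are constructed samples.

```python
import ipaddress
import re

# Assumption: the Controller host's sshd logs in the stock OpenSSH format.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Assumption: the CLI shell container uses Docker's default bridge network,
# as the "Last login ... from 172.17.0.2" line in the attach output suggests.
CLI_CONTAINER_NET = ipaddress.ip_network("172.17.0.0/16")
SSH_ENTRY_USERS = {"admin", "cli"}  # the only usernames the article says can SSH in


def classify(line):
    """Return (user, source, verdict) for one sshd auth line, or None."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    user, src, accepted = m["user"], m["src"], m["result"] == "Accepted"
    try:
        via_container = ipaddress.ip_address(src) in CLI_CONTAINER_NET
    except ValueError:  # sshd logged a hostname instead of an address
        via_container = False
    if user == "avidebuguser":
        # sudo-capable account: expected only through `attach` from the CLI shell
        if not via_container:
            verdict = "alert: avidebuguser outside attach path"
        else:
            verdict = "attach session" if accepted else "failed attach"
    elif user in SSH_ENTRY_USERS:
        verdict = "entry login" if accepted else "failed entry login"
    else:
        # e.g. a super-user typing their own name at the SSH prompt
        verdict = "alert: unexpected account" if accepted else "denied non-admin"
    return user, src, verdict


# Constructed sample lines (not taken from a real Controller).
SAMPLE_LOG = """\
Oct 27 10:32:02 avi-controller sshd[4121]: Accepted password for cli from 10.10.8.11 port 51514 ssh2
Oct 27 10:32:36 avi-controller sshd[4190]: Accepted publickey for avidebuguser from 172.17.0.2 port 40022 ssh2
Oct 27 10:40:11 avi-controller sshd[4302]: Failed password for invalid user testuser from 10.10.8.11 port 51620 ssh2
Oct 27 11:02:45 avi-controller sshd[4410]: Accepted password for avidebuguser from 10.10.8.77 port 51811 ssh2
"""

if __name__ == "__main__":
    for entry in filter(None, map(classify, SAMPLE_LOG.splitlines())):
        print("%-13s %-12s %s" % entry)
```

Adjust CLI_CONTAINER_NET to the bridge network actually in use before relying on the avidebuguser alert.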

Additional Information

For more information on Avi Linux CLI and Avi CLI access, refer to Avi CLI - Linux Command Line Mode and Avi Vantage CLI access, respectively.