BSA: Operations run via blcli_execute BLCLI command in BSA 8.9 intermittently execute as the incorrect user when BLCLI Server Service is enabled

Version 2
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BladeLogic Server Automation Suite


    COMPONENT:

    BladeLogic Server Automation


    APPLIES TO:

    BSA 8.9



    PROBLEM:

    User has an NSH Script which calls the BSA Command Line Interface performance commands.

    After upgrading to BSA 8.9, the operations performed by these commands (job execution, object creation etc) can intermittently execute as the incorrect BSA role.  There are a variety of possible symptoms, such as:
    The blcli commands create an object (job, depot object, etc).  The object shows as created by a different role than the one that ran the job.
    The blcli command returns an indicating a lack of permission to perform the desired action on the object.  A different role name than the job runs as may show in the error, For example something like "Role LinuxAdmins does not have DepotObject.Read on /Workspace/MyBlPackage" when the job ran as the BLAdmins role.
    After inspecting an object created or modified by a NSH Script Job with blcli commands, you notice that the object has a permission set assigned to it that does not match what you would expect the role running the job to have granted.



     


    CAUSE:

    BSA Defect QM002208472


    SOLUTION:

     

    There is a defect in the blcli server feature where a NSH Job running blcli commands going through the blcli server will pickup the wrong RBAC context and commands will execute under a different role than the job was run with.  BSA Defect QM002208472 is addressed in BSA 8.9.01 Rolling Update 3
    The workaround for 8.9 versions prior to 8.9.01 RU3 is to disable the BLCLI Server Service by running the following command on each appserver
     

      
    blasadmin -a set app EnableBlCliServer false
    Then restart the appserver on each host.  

    This does not prevent BLCLI calls from being executed. It restores the pre-BSA 8.9 functionality of not using a dedicated BLCLI Server Service within the BSA Appserver.
    Once RU3 has been applied to the 8.9.01 environment, the EnableBlCliServer flag can be reset back to true.

     


    Article Number:

    000135149


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles