22 Replies, latest reply on Jun 26, 2014 7:00 AM by Bill Robinson

    Remove ACL's from File-Server

    Steffen Kreis

      Thx to some "professional", doing our initial BSA setup ages ago, we have ACL's pushed to our File-Server (Solaris host).

       

      It is even worse than that, as we don't really push, but have entries for all our Roles with a mapping to a local user called "blfsuser" in the users.local.

       

      So it looks similar to this:

       

      Windows-Server-Admins:*     rw,map=blfsuser

      Unix-Server-Admins:*     rw,map=blfsuser

       

      The teams don't have access to the Server-Object of the File-Server itself, which is also registered in our env.

       

      Since we reviewed our RBAC model a couple of weeks ago, I noticed the following WARNING appearing over and over in the AppServer logs:

       

      [22 Jun 2014 01:02:33,045] [WorkItem-Thread-7] [WARN] [Automation:Windows_Operating:] [Deploy] Cannot set impersonation credential, reverting to legacy user mapping: Access Denied Server.Read on [OUR_FILE_SERVER]

       

      Any idea what is causing this ? Is this due to the fact they have no Server.Read on the FS-Server-Object in the Console ?

       

      In addition, I would like to "remove" the ACL's from the File-Server, so that all happens as System. Is this easily doable at this stage ?

       

      Cheers

      Steffen

        • 1. Re: Remove ACL's from File-Server
          Santhosh Kurimilla

          The best way to find out the ACL Pushes is to go thru the rscd.log on the target server i.e. your file server here.

          Also, from the Appserver logs, it is during a Deploy job run.

          • 2. Re: Remove ACL's from File-Server
            Joe Piotrowski

            Check the exports file and the users.local file. The exports file should be open or locking down connections from servers in your environment. The users.local file should contain an entry like:

            System:System rw,map=blfsuser

             

            And maybe a BLAdmin(s) reference. If so, wipe all the user entries in the users file.

             

            A common problem in BSA is getting ACLs pushed to the File Server (which only populates the users file). The two workarounds I've seen are to not have the File Server listed in the All Servers smart server group (or whatever smart group is being used by the ACL Push Job). Or make those files immutable on the File Server so they can't get overwritten accidentally.

            • 3. Re: Remove ACL's from File-Server
              Joe Piotrowski

              After that, go find the File Server /storage directory and make sure the owner of all the files and directories are the same. Something like root:blfsuser or whatever it was setup initially to be.

               

              I was going to post a link to our docs explaining this, but it looks like they're in the process of updating our docs BSA pages and I can't see it at the moment.

              • 4. Re: Remove ACL's from File-Server
                Bill Robinson

                Typically the users.local file or exports file on the file server is setup to map all connections from the appserver(s) to a user that owns the file server files, and this agent connection is not used to manage the OS.

                 

                so the error message you see seems to be from a deploy job, where the [Automation:Windows_Operating:] role:user is trying to deploy to your file server (it's a target of a deploy job) and it does not have the Server.Read permission (which is interesting because if that role lacks read then it should not see the server object to be able to make it a target)


                when you say "remove acls" from the file server and "happens as system" can you clarify what you mean?  which acls (rsc files or server object) and what should happen as 'system' (and system being the windows localsystem ? ) ?

                • 5. Re: Remove ACL's from File-Server
                  Steffen Kreis

                  Hi Joe,

                   

                  Okay, I was afraid removing ACL's from the File-Server would be much more tricky.

                  This sounds pretty straightforward. Will test this in DEV.

                   

                  Cheers

                  Steffen

                  • 6. Re: Remove ACL's from File-Server
                    Steffen Kreis

                    Hi Bill,

                     

                    The WARN that I posted appears for every Deploy Job a user does via BSA.

                    And no these are not Deploy Jobs, where the File-Server is the target. No "normal" user has access to the Server-Object of the File-Server.

                     

                    When I say remove ACL's, I want none of our roles appearing in users or users.local. I was hoping the following entry in users.local would work for each and every usage of the File-Server:

                     

                    users.local:

                    System:System rw,map=blfsuser


                    I'm aware that with this we are unable to manage the File-Server as a "Target", but that's completely fine for now.


                    Steffen

                    • 7. Re: Remove ACL's from File-Server
                      Joe Piotrowski

                      I forgot to mention that on the file server it's also typical to have the exports file mapped similarly to the users.local file. So your exports file may look like this:

                      * rw,user=blfsuser

                      or

                      appserverName rw,user=blfsuser

                      etc

                      • 8. Re: Remove ACL's from File-Server
                        Steffen Kreis

                        Oh,

                         

                        that was what's missing for me.

                        Just reading this page https://docs.bmc.com/docs/display/public/bsa83/How+to+configure+the+file+server+agent+ACLs

                        with your and Bill's comments :-)

                         

                        So some more precise questions.

                         

                        1.) System:System is just for the initial setup, when the App-Server checks the File-Server on the Startup. It should be mapped to root ?

                         

                        2.) The "appserverName rw,user=blfsuser" entry in the exports file causes all other incoming connections from the App-Servers to be mapped to the more or less unprivileged account blfsuser (which owns the FS content), correct ?

                         

                        3.) No ACL's shall ever be pushed. So no further entries should appear in the Users file ?

                         

                        4.) What Permissions should be set on the File-Server Server-Object in the Console ?

                         

                         

                        Steffen

                        • 9. Re: Remove ACL's from File-Server
                          Joe Piotrowski

                          Just to clarify, the File Server is unique and should be treated separately from all other Target servers in BSA. It is very common to exclude the File Server from BSA maintenance (like ACL Push Jobs) and treat it differently.

                           

                          Having said that the typical setup for a File Server (using a non-privileged account) is like this:

                          exports

                          * rw,user=blfsuser

                           

                          users

                          <empty>

                           

                          users.local

                          System:System rw,map=blfsuser

                           

                          File Server /storage directory should be owned by the blfsuser account.

                           

                          That's basically all you need. You could use root as well, but this allows you to use a non-privileged account instead. You can add entries in your exports file to only allow connections from certain servers instead of all (*).

                          • 10. Re: Remove ACL's from File-Server
                            Joe Piotrowski

                            1.) System:System is just for the initial setup, when the App-Server checks the File-Server on the Startup. It should be mapped to root?

                            Map it to root across the board. If you want to use a non-privileged account map everything to that account.

                             

                            2.) The "appserverName rw,user=blfsuser" entry in the exports file causes all other incoming connections from the App-Servers to be mapped to the more or less unprivileged account blfsuser (which owns the FS content), correct?

                            Correct. The exports file is used to lock down connections from servers by name or IP address. If it is *, that allows connections from any server. Mapping to an account directly here is only recommended on the File Server, not on Targets.

                             

                            3.) No ACL's shall ever be pushed. So no further entries should appear in the Users file ?

                            Correct. Some customers make these files immutable on Linux boxes so they can't get touched. Or they remove the File Server as a target in Server Groups in BSA.

                             

                            4.) What Permissions should be set on the File-Server Server-Object in the Console?

                            It can be whatever you want depending on how you wish to control/manage the File Server in BSA.
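The expected file-server ACL state from posts 2, 9 and 10 (users empty, users.local holding only the System:System mapping, every exports entry mapped to the owner account) as an audit script; this is an added example, not code from the thread or from BMC, and the directory path, the owner name blfsuser and the sample files it writes are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread or BMC): audit an RSCD agent's ACL files on
# a BladeLogic file server. Expected: "users" empty, "users.local" holding only
# "System:System rw,map=<owner>", every "exports" entry mapped to <owner>.
# Assumptions: directory holding the files and owner name are passed in.

# Non-comment, non-blank entries of one ACL file (a missing file yields none).
acl_entries() {
    [ -f "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Print one FAIL or NOTE line per deviation from the expected state.
audit_rscd_acls() {
    dir=$1; owner=${2:-blfsuser}
    # users: any entry means an ACL Push Job has written role mappings here
    acl_entries "$dir/users" | while read -r line; do
        echo "FAIL users: pushed entry '$line' (file should be empty)"
    done
    # users.local: only the System:System -> owner mapping belongs here
    acl_entries "$dir/users.local" | while read -r who perms; do
        [ "$who $perms" = "System:System rw,map=$owner" ] ||
            echo "FAIL users.local: unexpected entry '$who $perms'"
    done
    acl_entries "$dir/users.local" | grep -q '^System:System[[:space:]]' ||
        echo "FAIL users.local: no System:System entry for the appserver startup check"
    # exports: every connecting host must be mapped to the unprivileged owner
    acl_entries "$dir/exports" | while read -r host perms; do
        if [ "$perms" != "rw,user=$owner" ]; then
            echo "FAIL exports: '$host' has '$perms', expected 'rw,user=$owner'"
        elif [ "$host" = '*' ]; then
            echo "NOTE exports: '*' accepts any host; list the appserver names instead"
        fi
    done
}
# Count of FAIL lines; 0 means the files match the expected file-server state.
rscd_finding_count() { audit_rscd_acls "$@" | grep -c '^FAIL' || true; }

# Constructed sample reproducing the thread's starting point: role entries
# pushed into users, plus a stray mapping in users.local.
make_sample_acls() {
    mkdir -p "$1"
    printf 'Windows-Server-Admins:*\trw,map=blfsuser\nUnix-Server-Admins:*\trw,map=blfsuser\n' > "$1/users"
    printf 'System:System rw,map=blfsuser\nBLAdmins:* rw,map=root\n' > "$1/users.local"
    printf '* rw,user=blfsuser\n' > "$1/exports"
}
sample=$(mktemp -d)/rsc
make_sample_acls "$sample"
audit_rscd_acls "$sample" blfsuser   # three FAIL lines (two users, one users.local), one NOTE
```

Run it on the agent's own ACL directory after removing the file server from the ACL Push Job's smart group, and again after each push run to confirm nothing has been written back into users.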

                            • 11. Re: Remove ACL's from File-Server
                              Bill Robinson

                              how will you prevent acl pushes to the file server agent ?

                               

                              also - what kind of deploy jobs are these ?  depot software?  blpackage ?

                              • 12. Re: Remove ACL's from File-Server
                                Yanick Girouard

                                You can't remove the file server target from the console if you want to use it in deploy jobs or patch catalogs as the patch catalog repository, so that may not be an option. What I have done in our environment is to set the IS_ONLINE property to false for that target. It prevents most of the jobs from running on it, but I don't think it affects admin tasks however, so your only other option is to set the ACL of the target so only a certain role can edit it, and then everyone to read only. Manually set the local ACL of the target using the users.local and exports file as explained above, and never push the ACL to it again from the console.

                                 

                                If you have a daily ACL Push job, just make sure it runs with a role that doesn't have access to that target, or simply exclude the target from the smartgroup you're using for it, or even better; do both.

                                • 13. Re: Remove ACL's from File-Server
                                  Steffen Kreis

                                  Hey Bill,

                                   

                                  just realized we see that WARN for all kind of Jobs.

                                   

                                  [PatchAnalysis]

                                  [PatchRemediation]

                                  [BLPackage]

                                  [Deploy]

                                   

                                  Am I right in thinking that this is a bit weird ?!

                                   

                                  Steffen

                                  • 14. Re: Remove ACL's from File-Server
                                    Bill Robinson

                                    well, it depends - are you using this server for something other than the file server ?  patch repo?  network deploy share ?  the errors you are getting seem to be from the server object's acl, not the rsc files.  it seems like these jobs are trying to use this server object for something and the roles running these jobs don't have Server.Read on the object.
