14 Replies Latest reply on Sep 2, 2014 6:23 PM by Bill Robinson

    Changing Role During Execution of NSH Script

    Cody Dean

      Good afternoon,

      I have searched through the community and found a few solutions that didn't seem to work.  Is there an easy way of changing the user role during execution of an NSH script?  There is a command in the script that requires a certain role and we would like to change the role during the script.

      I have tried:

       

      chrole RoleWanted

      blcli_execute Utility assumeRole RoleWanted

      blcli_setoption serviceProfileName RoleWanted

       

      Thank you in advance for suggestions.

       

      Cody

        • 1. Re: Changing Role During Execution of NSH Script
          Yanick Girouard

          If you run the script through the console you can't change the role as the console session overrides it. If you use your local NSH shell to run the script however, you can use the chrole command:

           

          NAME
                 chrole - Change the active role for the current Network Shell session.

          SYNOPSIS
                 chrole [role]

          DESCRIPTION
                 The chrole command changes the role preference for the current NSH session. All subsequent NSH commands issued from within that session are executed within the context of the new role.

                 If you do not provide a role preference when entering the chrole command, you are presented with a numbered list of authorized roles and prompted to make a selection from that list.

                 Entering a chrole command only changes the role for new connections with Network Shell Proxy Servers. To set up a new role for agents with which you already have proxy connections, you must disconnect. See the EXAMPLES section below for a demonstration of the required procedure.

          • 2. Re: Changing Role During Execution of NSH Script
            Bill Robinson

            Why do you need to change roles during the script execution ?

            • 3. Re: Changing Role During Execution of NSH Script
              Cody Dean

              Bill Robinson - We are working on a rather complex version of the tcptunnel method of RDP Access via BladeLogic.  To do so, as you probably know, you need to be in the role with command rights to tcptunnel.  Initially the nsh script was getting called from a custom command and was located on a central server, but I have also tried the chrole _RDPROLE_ method with the nsh script located locally, to no avail.  I am not sure if what we are trying is even possible, although it would be really nice if it were.

               

              Thank You,

              Cody

              • 4. Re: Changing Role During Execution of NSH Script
                Yanick Girouard

                Bill, do you know if NSH custom commands have the same role override as NSH Script Jobs? If not, it should work providing all your users (whoever needs to run the custom command) are members of the role, and that the role in question is also part of the ACL of the server objects you want to connect to, and also pushed to the remote ACL (users file) of the servers.

                 

                EDIT: Actually thinking about it, you can't execute a script using custom commands as far as I know, unless maybe you create a function in the .nshrc used by the NSH shell that is spawned ? By default it will be in %userprofile% unless you change the HOME environment variable.

                 

                EDIT: Ok, scratch that, seems like anything spawned by a custom command has the same role override the rest of the console does, so this won't work. You also need to disconnect and cd to the target again for a chrole to take effect, so this can hardly be done with custom commands. You will need your sysadmins to switch to the tcptunnel allowed role in order to run the custom command, no other choice.

                • 5. Re: Changing Role During Execution of NSH Script

                  So, the following command works perfectly when launched from nsh under any account who has access to the _RDPTestUser_ role, but when we launch it from a custom command, it fails with "No authorization to access host."

                   

                  nsh -c 'chrole _RDPTestUser_; nsh rdptunnel.nsh %H'

                   

                  Also, it acts differently between NSH and custom command if you put in:

                   

                  nsh -c 'chrole _RDPTestUser_; agentinfo %H; nsh rdptunnel.nsh %H'

                   

                  I even wrapped all of that in a batch script called using a Local custom command, and it still won't use chrole properly.

                  • 6. Re: Changing Role During Execution of NSH Script
                    Yanick Girouard

                    Well I see a few things here. First you shouldn't call nsh within nsh, that's like a shell within a shell, and you will lose the credential info from one to the other. You're already calling nsh to begin with, so you would have to do this:

                     

                    nsh -c 'chrole _RDPTestUser_; /path/to/rdptunnel.nsh %H'

                     

                    That said, as I stated, it will work from a local NSH shell, but not when launched by the console (via an NSH Script Job or a Custom Command) because of the way the console's credentials always override the ones you could manually try to set in a script, or at least it seems like this is it.

                     

                    I really don't think you'll be able to make it work like that with a Custom Command unless you switch to the _RDPTestUser_ role first to execute it.

                    • 7. Re: Changing Role During Execution of NSH Script

                      My issue is that the Custom Command isn't launching the script in the same way as just calling it from a command line. Literally, I can go to cmd and launch that one line from my non-RDP role and kick off an RDP session to a target host without having to change roles. It works great. But once it's put into a Custom Command, the role is being overridden and chrole doesn't work from a Custom Command, whether it's part of an NSH script or being directly invoked from the Custom Command, or whatever.

                       

                      Edit:

                       

                      Here's the results when I launch from command line:

                       

                      C:\Users\xxxxxxx>nsh -c "chrole _RDPTestUser_; nsh -c //xxxxxxxxxx/d/scripts/tools/rdptunnel.nsh SERVER1"
                      Pick Role:
                      1. BLAdmins
                      2. _RDPTestUser_
                      1
                      Doing chrole. The new role will only be selected for new connections.
                      Use "cd //" and "disconnect" to force termination of existing connections.
                      OPENING RDP TUNNEL FOR SERVER1
                      CONNECTING TO SERVER1 ON PORT 54814
                      CHECKING FOR ../nsh/bin/template.rdp
                      USING DEFAULT OPTIONS

                       

                      And here's from Custom Command (nsh -c "chrole _RDPTestUser_; nsh -c //xxxxxxxxxx/d/Scripts/Tools/rdptunnel.nsh %H"):

                       

                      Doing chrole. The new role will only be selected for new connections.
                      Use "cd //" and "disconnect" to force termination of existing connections.
                      OPENING RDP TUNNEL FOR SERVER1
                      CONNECTING TO SERVER1 ON PORT 47881
                      Can't access host "SERVER1": No authorization to access host
                      CHECKING FOR ../nsh/bin/template.rdp
                      USING DEFAULT OPTIONS

                      • 8. Re: Changing Role During Execution of NSH Script
                        Yanick Girouard

                        Yes I understand, that's why the only way you can do it as a custom command is to first switch to the _RDPTestUser_ role in the console so that the custom command runs as that role. You won't be able to bypass the role you are using in the console (the role you selected at login or after using Switch Role from the config menu).

                         

                        What you are seeing is as per design; you won't be able to work around that. Custom commands will always run as the current role:user, the same as NSH Script Jobs would.

                        • 9. Re: Changing Role During Execution of NSH Script

                          Is the reason that it exhibits the behavior in NSH client because the NSH clients are configured to use the ssoproxy and the app server isn't? Or is that behavior the same even if the app server is configured for the ssoproxy?

                           

                          edit: wording

                          • 10. Re: Changing Role During Execution of NSH Script
                            Yanick Girouard

                            The behavior will be the same regardless of whether the app server is going through the NSH Proxy or not, and it's not the app server that's causing this, it's the BSA server automation console (the GUI). Bill could comment on that in more detail; I don't know the whole mechanism behind it, but I know the console's credential takes precedence.

                             

                            That said, I think you're just trying to use BSA the wrong way. The proper method of doing what you want would be to have your users switch to the role you want them to use for tcptunneling, and then use the simple Custom Command (which would work if they are already using the proper role). The whole purpose of the "Switch Role" function in the Configuration menu is to do this. Otherwise, just give the auth to tcptunnel to the roles your sysadmins are using. I just don't understand why it MUST be that role and only that role that has it and that your users can't simply switch to it.

                             

                            If you only want to give some of your sysadmins the right to RDP via BladeLogic, then you would be better off simply copying their role to create a new one, copy their auth profile into a new version and add the auth to tcptunnel in that new role. So for example, you'd have a Sysadmin role for normal Sysadmins, and a Remote_Sysadmin role for sysadmins that have the right to RDP.

                             

                            If you're trying to have all your users only use one role in the console you're doing it wrong.

                            • 11. Re: Changing Role During Execution of NSH Script
                              Yanick Girouard

                              I just created a new idea that would resolve this issue if it was available: https://communities.bmc.com/ideas/6884

                              • 12. Re: Changing Role During Execution of NSH Script
                                Bill Robinson

                                1.  A new Server authorization was added to BSA named Server.TCPTunnel.  When the TCPTunnel authorization is granted on both the Server object and at the Role level for a specific Role, the users file put on the server during an ACL Push Job will contain the tcptunnel flag.

                                2.  The tcptunnel flag in the ACL Push users file will not conflict with the tcptunnel command authorization so the previous behavior for Roles with the tcptunnel command remains true.

                                3.  Upon upgrade to 8.5 SP1, Server ACLs that grant Server.* access to Roles will now have Server.TCPTunnel.  Roles that have Server.* granted to them at the Role level WILL NOT have TCPTunnel granted by default.  This is to prevent automatically giving TCPTunnel access upon upgrade.  Any change to the Role level authorizations of a Role with Server.* will grant access to TCPTunnel.

                                 

                                So a fix for the real issue is coming in 8.5.01.

                                • 13. Re: Changing Role During Execution of NSH Script
                                  richard mcleod

                                  Any idea what rev this is fixed in?