will map any incoming connection to the rscd agent on this box to the local user Administrator. This of course is a really bad idea... so you should be using ACLs and RBAC to perform specific mappings based on the BladeLogic Role and username.
On Windows the rscd uses a Windows feature called 'user impersonation' to 'map' to the user noted in the exports and/or users/users.local.
How many Target Servers can one Application Server manage?
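Added example, not part of the original thread and not BMC code: a small audit of an exports file for the blanket mapping warned about above. It assumes entries of the form `<hosts> <comma-separated options>` with a `user=` option and `#` comments; the function names and the sample file are constructed for illustration.

```python
# Assumed exports layout: "<host[,host...]>  <opt[,opt...]>"; "#" starts a comment.
PRIVILEGED = {"administrator", "root"}

# Constructed sample, not taken from a real agent.
SAMPLE_EXPORTS = """\
# rsc exports (constructed)
*            rw,user=Administrator
appserver01  rw,user=Administrator
*            rw
"""

def parse_exports(text):
    """Return a list of (line number, hosts, options dict) for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        hosts = [h for h in fields[0].split(",") if h]
        opts = {}
        for item in (fields[1].split(",") if len(fields) > 1 else []):
            key, _, value = item.strip().partition("=")
            if key:
                opts[key.lower()] = value
        entries.append((lineno, hosts, opts))
    return entries

def audit_exports(text):
    """Flag entries that force a local-user mapping by host alone."""
    findings = []
    for lineno, hosts, opts in parse_exports(text):
        mapped = opts.get("user")
        if not mapped:
            continue  # no forced mapping on this entry
        privileged = mapped.lower() in PRIVILEGED
        if "*" in hosts and privileged:
            findings.append((lineno, "high", f"every host is mapped to {mapped}"))
        elif "*" in hosts or privileged:
            findings.append((lineno, "review",
                             f"{','.join(hosts)} is mapped to {mapped} with no role:user check"))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit_exports(SAMPLE_EXPORTS):
        print(f"exports:{lineno}: [{severity}] {message}")
```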
Thanks & Regards,
It depends... I think we say something like 1 appserver per ~2500 targets, but it depends on your use case. For example, you might have 100 servers and need a job to run in 15 min across all targets and that might require 2 appservers. Or you have 10,000 servers but only do deploys periodically to a handful at a time, so a couple appservers might be ok for that. I'd look through:
First, don't use the exports file like this. You're basically saying "any user that connects, map to the local administrator". This means any user that can have network access to your servers, and can install the Network Shell, could technically have full admin access on your servers.
As Bill mentioned, you should be using RBAC ACLs with the users.local or users file where only a valid RBAC role:user combo can access the servers.
As for how the BladeLogicRSCD user is mapping to Administrator, it goes like this:
1. The agent installer creates a watch dog service (RSCDsvc) that runs as the SYSTEM account.
2. The BladeLogicRSCD account is created during the first startup of the agent, if it doesn't exist (you can actually delete the account and restart the agent to recreate it).
3. When the agent starts, the RSCD process is spawned by SYSTEM account (listener on port 4750).
4. The listener process will then spawn any new processes as requested and run as the BladeLogicRSCD user, which in turn, will get its privileges from User Impersonation based on what user it's supposed to map to as defined in either the exports, users.local or users.
A good way to understand this is to use Process Explorer from Microsoft and to monitor the processes spawned by RSCD.exe as you initiate commands on the server (i.e. run a job that initiates a remote command).
For example, let's say I run this command over NSH against the target:
nexec -e cmd /c dir tata.txt /s /b
This is what I would see in Process Explorer: