5 Replies Latest reply on May 5, 2016 10:05 AM by Christopher Blanks

    set execution override to a specific user / role

    Christopher Blanks

      In previous threads such as:

       

      Re: set execution override

      blcli call to set execution override

       

      Methods to set job execution override are discussed.  My question builds on that a bit in that I would like to specify the EXECUTION_USER and EXECUTION_ROLE as well as setting the job execution override.

       

      Has anyone managed to accomplish this feat?

      -Chris

        • 2. Re: set execution override to a specific user / role
          Christopher Blanks

Agreed.  But I would like to, say as BLAdmin:BLAdmins, set the execution override to Bill:SuperCoolRole.  I have found no method to do this except as the user:role that you would like the override to run as.

           

My use case:  Using AO configured with an adapter that has credentials in the BLAdmins role (local user mapping), execute a job as a DBA role (Automation Principal) that has network access.

           

While this seems pretty straightforward (have someone in the role click execution override and never touch it again), we have been "bitten" by cases where the job had been changed and lost this attribute.  Another possible solution was to run another instance of the adapter with alternate credentials; however, we would have to add a server (or pair for redundancy) for each one that we add, as you can only leverage one set of credentials on a server because all adapters get the credentials of the last adapter that established credentials.

           

          Does that make sense?

          -Chris

          • 3. Re: set execution override to a specific user / role
            Bill Robinson

Being able to set the execution override to some role that is not you is a security issue.

             

Can you put the BLAdmin or other user in the role(s) you want to set exo as, switch to that role (Utility.assumeRole) and then set the exo?

            • 4. Re: set execution override to a specific user / role
              Christopher Blanks

              That is an excellent idea that I had not considered.  I figured that it was a security concern to apply this to a role that you were not a member of, but had not taken this a step further and looked at Utility.assumeRole.  This should work, however this will take me a bit of time to test.  I'll try to post results within a week.

               

              Thanks, Bill.

              • 5. Re: set execution override to a specific user / role
                Christopher Blanks

Thanks, Bill, for the push in the right direction.  The Utility.assumeRole method worked for me.  Here are a few notes that I will provide in case anyone else ever has a similar use case from Atrium Orchestrator.

                 

                For BLCLI commands, I added a <user-role> element to <bladelogic-request> (In this case for WindowsAdmins) as follows:

                 

                <request-data>
                <bladelogic-request>
                  <user-role>WindowsAdmins</user-role>
                  <commands>
                   <command terminate-on-exit="false" timeout-secs="36000" executable-type="cli"><![CDATA[Server listAllServers]]></command>
                  </commands>
                </bladelogic-request>
                </request-data>

For NSH commands, this was implemented a bit differently, using chrole as follows:

                 

                <request-data>
                <bladelogic-request>
                  <commands>
                   <command terminate-on-exit="false" timeout-secs="15" executable-type="nsh">
                     <command script-directory=""><![CDATA[chrole WindowsAdmins]]></command>
                   </command>
                   <command terminate-on-exit="false" timeout-secs="36000" executable-type="nsh">
                    <command script-directory=""><![CDATA[agentinfo server000001]]></command>
                   </command>
                  </commands>
                </bladelogic-request>
                </request-data>

                 

                One additional thing that I noted when configuring the adapter to leverage a user with multiple roles was that I had to add an environment variable to the startup (Linux server.sh) script so that the initial adapter credential acquisition would complete without errors as follows:

                 

# BLADELOGIC MULTIPLE ROLES
BL_RBAC_ROLE="BLAdmins"
export BL_RBAC_ROLE

                 

                Thanks again for the information, Bill!!!

                -Chris
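As an added example (not code from the thread or from BMC), the following Python audits a bladelogic-request document of the shape Chris posted and reports which RBAC role its commands would run as: the `<user-role>` element for BLCLI requests, or a leading `chrole <role>` command for NSH requests, falling back to the adapter's own role. The role allow-list and the `DEFAULT_ROLE` value are assumptions for the example; the two sample requests are copied from the post above and the third is constructed.

```python
import xml.etree.ElementTree as ET

# Role the adapter authenticated with (BL_RBAC_ROLE in the post); assumed here.
DEFAULT_ROLE = "BLAdmins"

# Request copied from the post: BLCLI command with an explicit <user-role>.
CLI_REQUEST = """<request-data>
<bladelogic-request>
  <user-role>WindowsAdmins</user-role>
  <commands>
   <command terminate-on-exit="false" timeout-secs="36000" executable-type="cli"><![CDATA[Server listAllServers]]></command>
  </commands>
</bladelogic-request>
</request-data>"""

# Request copied from the post: NSH commands switching role with chrole.
NSH_REQUEST = """<request-data>
<bladelogic-request>
  <commands>
   <command terminate-on-exit="false" timeout-secs="15" executable-type="nsh">
     <command script-directory=""><![CDATA[chrole WindowsAdmins]]></command>
   </command>
   <command terminate-on-exit="false" timeout-secs="36000" executable-type="nsh">
    <command script-directory=""><![CDATA[agentinfo server000001]]></command>
   </command>
  </commands>
</bladelogic-request>
</request-data>"""

# Constructed request: asks for a role the adapter should not be assuming.
ESCALATED_REQUEST = CLI_REQUEST.replace("WindowsAdmins", "SuperCoolRole")


def effective_role(request_xml: str, default_role: str = DEFAULT_ROLE) -> str:
    """Return the RBAC role the commands in this request would execute as."""
    req = ET.fromstring(request_xml).find("bladelogic-request")
    if req is None:
        raise ValueError("missing <bladelogic-request> element")
    user_role = (req.findtext("user-role") or "").strip()
    if user_role:                      # BLCLI path: explicit <user-role>
        return user_role
    commands = req.find("commands")
    first = list(commands) if commands is not None else []
    if first and first[0].get("executable-type") == "nsh":
        # NSH path: CDATA text sits in a nested <command>, so gather all text.
        words = "".join(first[0].itertext()).split()
        if len(words) >= 2 and words[0] == "chrole":
            return words[1]
    return default_role                # no switch requested: adapter's own role


def check_request(request_xml: str, allowed_roles: set) -> tuple:
    """Return (role, permitted) so a caller can reject out-of-policy requests."""
    role = effective_role(request_xml)
    return role, role in allowed_roles
```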