1 Reply Latest reply on Nov 9, 2006 2:30 PM by Andrew Knott

    Who am I when running NSH proxy?

      When running NSH proxy, which user and role do I inherit? I would expect that the "id" command would tell me this, but it doesn't appear to reflect the proper role.


      Here are three hypothetical situations.


      First, I start nsh on my workstation. I am asked to pick a user and a role. Is that the user & role that I am using? ID doesn't agree.


      C:\Documents and Settings\jommen\My Documents\somecompany\bl_7.0.2\Doc>nsh

      Pick Role:

      Select Role:11
      jommen% id
      uid=400(jommen) gid=401(mkpasswd)
      jommen% cd //someserver06
      someserver06% pwd

      someserver06% cat //someserver/usr/lib/rsc/users.local

      # Copyright (c) 2001-2006 BladeLogic, Inc.
      # -- All Rights Reserved --

      # This file contains a list of user permission overrides. The permissions
      # defined in this file will override any associated permissions defined in the
      # "exports" or "users" file.

      # Please read the BladeLogicAdministration.pdf or "users" man page for details
      # on how to use this file.

      someserver06% cat //someserver06/usr/lib/rsc/users

      # This file was automatically generated by the BladeLogic RBAC console.
      # Any changes to this file will be lost upon the next update by the RBAC
      # console. Local changes should be made in the users.local file

      # Date created: Wed Nov 08 10:39:59 PST 2006

      # CMAdmins ACLs

      # RBACAdmins ACLs

      # NSH-only ACLs

      johnv rw,map=root
      RBACAdmin rw,map=root

      tlfe06% id
      uid=400(jommen) gid=401(mkpasswd)


      Second, I change directory to a managed host. Since I am now communicating with a different host, has my environment changed? In other words, does the appserver examine the "exports", "users" and "users.local" files of the managed host when I "cd" into it?


      Third, what if I do the same procedure, but I start from the app server itself? As I understand it, my user and role in that situation will be based on the user and role of the operating system login for the appserver (since the connection isn't proxied when you're on the app server.) See below:


      login as: jvan
      jvan@someappserver01's password:
      $ nsh
      blogic01% cd //someserver06
      cd: no authorization to access host: //someserver06
      someappserver01% id
      uid=725(jvan) gid=725(jvan) groups=725(jvan),726(bladmin)