9 Replies Latest reply on Nov 2, 2012 8:42 AM by Narjit Najran

    blcli BlAclPolicy applyPolicyPermission

    Steven Alexson

      OM Version:


      I have a script to help automate the building of ACL Templates and Policies. I am using the "BlAclPolicy applyPolicyPermissions" command to add template authorizations to a policy. This command runs extremely slowly. It takes about 13 secs to add each authorization to a policy. My script is written in Jython. All other commands run by this script execute rather quickly. It just seems to be this one command.


      Anyone else experience this type of performance with this command?

        • 1. Re: blcli BlAclPolicy applyPolicyPermission
          Bill Robinson

          Can you post the script or the snippet that's running this command?

          • 2. Re: blcli BlAclPolicy applyPolicyPermission
            Steven Alexson

            Here is the function that runs the command. The arguments passed to the function are:

                 aclPolicyName = ACL Policy to add authorizations to

                 roleName = Role to map authorizations to within the Policy

                 authName = Authorization Profile to read authorizations from


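            # print_info, print_error and run_blcli_cmd are helpers defined elsewhere in the script.
            def addAuthToAclPolicy(aclPolicyName, roleName, authName):
                print_info('Adding Auth Profile (' + roleName + ':' + authName + ') to ACL policy (' + aclPolicyName + ')')

                # Read the authorizations held by the Authorization Profile (one per line).
                # The try/except is restored from the indentation of the posted code and
                # assumes run_blcli_cmd raises when the command fails.
                try:
                    auths = run_blcli_cmd('AuthorizationProfile', 'showAuthorizations', authName).returnValue
                except Exception:
                    print_error('Failed to retrieve authorizations for Authorization Profile: ' + authName)
                    return  # nothing to add without the authorization list

                authList = auths.split("\n")

                # Add each Role:Authorization pairing to the policy, one blcli call per entry.
                for auth in authList:
                    if not auth:
                        continue  # skip blank lines in the command output
                    print_info('* Adding ' + roleName + ':' + auth + ' to Policy ' + aclPolicyName + '...')
                    try:
                        run_blcli_cmd('BlAclPolicy', 'addPolicyPermission', aclPolicyName, roleName, auth)
                    except Exception:
                        print_error('Failed to add ' + roleName + ':' + authName + ' to ACL policy: ' + aclPolicyName)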

            • 3. Re: blcli BlAclPolicy applyPolicyPermission
              Steven Alexson

              A couple of thoughts I had while continuing to work on this issue:


              1. The authorizations are being added to the ACL Policy AFTER the policy is being added to an ACL Template. Could this be slowing the process down due to some verification that may be happening because the ACL Policy is assigned to an ACL Template? I can (and will test) rearranging my script so that the authorizations are added to the ACL Policy prior to adding the ACL Policy to the ACL Template.


              2. Within the BladeLogic console, I can add a Role:AuthProfile combination to an ACL Policy, and all the appropriate Role:Authorization mappings are added to the ACL Policy. There doesn't seem to be a BLCLI command to do this. BLCLI only seems to have the command I am currently using, which only allows me to add individual Role:Authorization mappings to an ACL Policy one at a time. Since the BladeLogic console can use a Role:AuthProfile pairing to accomplish this, there must be a BladeLogic Java function to perform this step, correct? Since my script is a Jython script, I should then be able to leverage that Java function. Can someone tell me what that function is, and possibly its correct usage?

              • 4. Re: blcli BlAclPolicy applyPolicyPermission
                Bill Robinson

                Can you put the acls you want into an acl template and then assign the template to the policy w/ applyAclTemplateToPolicyPermission ?  I don't see any commands in the authorizationprofile namespace that would let you load the object, maybe there's a java class we can load in the script that will let us do this...


                I've noticed before working w/ authorizations in the cli seems slow, I had a script that stocked authorization profiles w/ authorizations and it took a while to add the authorizations...

                • 5. Re: blcli BlAclPolicy applyPolicyPermission
                  Steven Alexson

                  So, here is the process that our script follows to create our RBAC model:


                       1. Creates all application Roles

                            - Creates Roles

                            - Sets Agent ACL settings

                            - Adds Auth Profile to role


                       2. Create all application ACL Policies

                            - Creates empty Policies


                       3. Adds Role:Auth combinations to appropriate application policies

                            - Lists all auths in Role's assigned Auth Profile

                            - Adds each Role:Auth pairing to Policy


                       4. Creates all application ACL Templates

                            - Creates Templates

                            - Assigns default template to corresponding Role

                            - Adds Policies to Template (based on different Role relationships)


                  We are not assigning authorizations to the ACL Templates directly. We are using Policies to do that. This is how we were shown by Professional Services when Policies were first introduced in 7.5.


                  As far as the possibility of a Java class...I should be able to obtain that by opening a ticket with BMC Support, correct? I have to assume that there is one to add Role:Auth Profile pairing to a policy to gain the same results since the BL Console allows that action. I think this would be the best route, as interfacing with Java should USUALLY be faster than relying on the CLI.

                  • 6. Re: blcli BlAclPolicy applyPolicyPermission
                    Bill Robinson

                    I think this will do it:


                    blcli_execute BlAclPolicy addAuthProfileToAclPolicy <policyName> <roleName> <authProfileName>


                    drop the below xml into a file like /usr/nsh/br/xml/cli/BlAclPolicy-PS-1.xml     







                    <?xml version="1.0" encoding="UTF-8"?>
                    <!DOCTYPE command_inventory SYSTEM "file://bladelogic.com/dtds/Command-Inventory.dtd">
                        <name_space name="BlAclPolicy">
                            <complex_command command_id="addAuthProfileToAclPolicy-DEFAULT-0001" published="yes" release="yes">
                                    <argument desc="Name of the ACL policy." name="name">java.lang.String</argument>
                                    <argument desc="Name of the role." name="roleName">java.lang.String</argument>
                                    <argument desc="Name of the authorization profile." name="authProfileName">java.lang.String</argument>
                                        <input>NAMED_OBJECT=roleId NAMED_OBJECT=authProfileId true</input>
                    • 7. Re: blcli BlAclPolicy applyPolicyPermission
                      Paul Seager-Smith

                      This worked a treat for me. Thanks Bill!






                      • 8. Re: blcli BlAclPolicy applyPolicyPermission
                        Paul Seager-Smith

                        OK, it seems that I spoke too soon here. Whilst this updates the ACL Policies and adds in the Authentication profiles so that everything looks fine, the new ACL policies don't actually work!


                        If you apply the ACL policy to an object, that object becomes inaccessible to all except RBACAdmins ...


                        This applies on both 8.1 and 8.2 (haven't tried on anything earlier). I then tried adding the Auth profile into the ACL Policy through the UI and it behaves subtly differently. It actually expands the Auth Profile into the individual authorisations and adds these to the policy.

                        This is different to the way that ACL templates are handled (again) - there the Auth Profiles are added to the ACL template (and not the individual authorisations). Why this is different and does not work for policies, I do not know.


                        However, it does give me a problem as I am not sure that I can create a custom XML file to do this and doing this through individual blcli commands is very slow (I tried it).


                        Anyone have any ideas?
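An added example, not part of any post in this thread: a small audit that checks whether a policy holds the individual Role:Authorization entries the UI produces, or an unexpanded profile reference as described above. It assumes the policy's entries are available as `Role:Authorization` strings and the profile's authorizations as one name per line (as in the `showAuthorizations` output used earlier); the role, profile and authorization names are constructed sample data.

```python
def parse_auth_listing(text):
    """Split a one-authorization-per-line listing, dropping blank lines."""
    return [line.strip() for line in text.split("\n") if line.strip()]


def audit_policy(policy_entries, role, profile_name, profile_auths):
    """Compare a policy's entries for one role against an Authorization Profile.

    policy_entries: iterable of 'Role:Authorization' strings (assumed format).
    Returns the authorizations missing from the policy, any extras, and whether
    the profile itself appears as an entry instead of being expanded.
    """
    present = set()
    unexpanded = False
    for entry in policy_entries:
        entry_role, _, auth = entry.partition(":")
        if entry_role != role:
            continue  # entry belongs to another role
        if auth == profile_name:
            unexpanded = True  # profile referenced directly, not expanded
        else:
            present.add(auth)
    wanted = set(profile_auths)
    return {
        "missing": sorted(wanted - present),
        "extra": sorted(present - wanted),
        "unexpanded_profile": unexpanded,
    }


# Constructed sample data (hypothetical names, not taken from the thread).
PROFILE_NAME = "AppAdmins_Profile"
PROFILE_LISTING = "Server.Read\nServer.Modify\n\nDepotObject.Read\n"
EXPANDED_POLICY = [
    "AppAdmins:Server.Read",
    "AppAdmins:Server.Modify",
    "AppAdmins:DepotObject.Read",
    "AppOps:Server.Read",
]
UNEXPANDED_POLICY = ["AppAdmins:AppAdmins_Profile"]

if __name__ == "__main__":
    auths = parse_auth_listing(PROFILE_LISTING)
    for name, policy in (("expanded", EXPANDED_POLICY), ("unexpanded", UNEXPANDED_POLICY)):
        print(name, audit_policy(policy, "AppAdmins", PROFILE_NAME, auths))
```

Running the audit before a policy is applied to objects flags any role whose entries are missing or unexpanded.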

                        • 9. Re: blcli BlAclPolicy applyPolicyPermission
                          Narjit Najran

                          Hi Paul, did you get any further with this by any chance? Thanks