8 Replies Latest reply on Jun 29, 2011 7:50 AM by Santosh Pande

    Script work in NSH command but not as NSH job

      Hi,

       

      I am trying to run the following script to add users and this works from NSH command prompt.

       

      But when I try to run this script as an NSH job, it executes but users are not created, and it gives me the message 'User Creation is Command execution failed.  Access Denied on role level check of User.Create'

       

      The script is as below. My understanding is that we don't have to pass any credentials while executing the script as an NSH job.

       

       

      for INPUTLINE in `cat /c/tmp/import.txt`
      do
          echo $INPUTLINE
          USER=`echo $INPUTLINE |cut -d',' -f1`
          echo "USER is $USER"
          ROLE=`echo $INPUTLINE |cut -d',' -f2`
          echo "ROLE is $ROLE"
          USER_EXISTS=`blcli -v defaultProfile -r RBACAdmins RBACUser isUserExists ${USER}`
          if test "$USER_EXISTS" = "true"
          then
              echo "Warning: user $USER already exists.  Skipping to next user (if applicable)."
          else
              RESULT=`blcli -v defaultProfile -r RBACAdmins RBACUser createUser ${USER} password ${USER}`
              echo "User Creation is $RESULT"
              RESULT=`blcli -v defaultProfile -r RBACAdmins RBACUser addRole ${USER} ${ROLE}`
              echo "Adding role is $RESULT"
              RESULT=`blcli -v defaultProfile -r RBACAdmins RBACUser setAdkAuthenticationEnabled ${USER} true`
              echo "AD Authentication is $RESULT"
              RESULT=`blcli -v defaultProfile -r RBACAdmins RBACUser setSrpAuthenticationEnabled ${USER} false`
              echo "SRP Disable is $RESULT"
          fi
      done

       

      Please can someone help me to resolve this problem.

       

      Regards

       

      Santosh

        • 1. Script work in NSH command but not as NSH job
          Bill Robinson

          are you running this as a job, and as BLAdmins?  if so what you are doing won't work.  try this (it assumes the user running the script is also in the RBACAdmins role in addition to the role they are using to run the job).  you are also not using the performance commands, and this will execute quite slowly if you are adding a lot of users.

           

          for INPUTLINE in `cat /c/tmp/import.txt`
          do
              echo $INPUTLINE
              USER=`echo $INPUTLINE |cut -d',' -f1`
              echo "USER is $USER"
              ROLE=`echo $INPUTLINE |cut -d',' -f2`
              echo "ROLE is $ROLE"
              # switch to RBACAdmins; the user running the job must also be in that role
              blcli_execute Utility assumeRole RBACAdmins
              blcli_execute RBACUser isUserExists ${USER}
              # blcli_storeenv saves the result of the previous blcli_execute
              blcli_storeenv USER_EXISTS
              if test "$USER_EXISTS" = "true"
              then
                  echo "Warning: user $USER already exists.  Skipping to next user (if applicable)."
              else
                  blcli_execute RBACUser createUser ${USER} password ${USER}
                  blcli_storeenv RESULT
                  echo "User Creation is $RESULT"
                  blcli_execute RBACUser addRole ${USER} ${ROLE}
                  blcli_storeenv RESULT
                  echo "Adding role is $RESULT"
                  blcli_execute RBACUser setAdkAuthenticationEnabled ${USER} true
                  blcli_storeenv RESULT
                  echo "AD Authentication is $RESULT"
                  blcli_execute RBACUser setSrpAuthenticationEnabled ${USER} false
                  blcli_storeenv RESULT
                  echo "SRP Disable is $RESULT"
              fi
          done

          1 of 1 people found this helpful
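
Because the job in this thread runs as a user who can assume RBACAdmins, whoever can write import.txt decides which accounts and roles get created. The following is an added example, not code from the thread or from BladeLogic: it checks each `user,role` line before any blcli call; the `ALLOWED_ROLES` list, the user-name rule and the sample names are assumptions.

```shell
#!/bin/sh
# Added example: vet each "user,role" line before it reaches blcli.
# ALLOWED_ROLES and the user-name rule are assumptions, not BladeLogic defaults.
ALLOWED_ROLES="Operators Auditors"   # constructed role names; keep admin roles out

# validate_line LINE: print "user role" and return 0, or explain on stderr and return 1
validate_line() {
    cr=$(printf '\r')
    line=${1%"$cr"}                  # tolerate CRLF files written on Windows
    case $line in
        *,*,*) echo "reject (extra field): $line" >&2; return 1 ;;
        *,*)   ;;
        *)     echo "reject (no role): $line" >&2; return 1 ;;
    esac
    user=${line%%,*}
    role=${line#*,}
    # A leading "-" could be read as an option; anything outside [A-Za-z0-9._-] is refused
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "reject (user name): $line" >&2; return 1 ;;
    esac
    for r in $ALLOWED_ROLES; do
        if [ "$role" = "$r" ]; then
            printf '%s %s\n' "$user" "$role"
            return 0
        fi
    done
    echo "reject (role not allowed): $line" >&2
    return 1
}

# validate_file FILE: print accepted pairs; return 1 if any line was rejected
validate_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ -z "$l" ] && continue
        validate_line "$l" || bad=$((bad + 1))
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample input, not taken from the thread
sample=$(mktemp)
printf '%s\n' 'jdoe,Operators' 'mallory,RBACAdmins' 'x y,Auditors' > "$sample"
validate_file "$sample" || echo "import refused: fix the rejected lines first" >&2
rm -f "$sample"
```

In the loop above, read the pairs printed by `validate_file` instead of the raw `cat` output, and stop the job when it returns non-zero.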
          • 2. Re: Script work in NSH command but not as NSH job

            Hi Bill,

             

            P.S.: I have edited the earlier reply, as later I found the NSH job does not work only with BLAdmins role.

             

            I had tried the script with the performance command (blcli_execute) but it was still not working.

             

            Then, as per your above instruction, I added "blcli_execute Utility assumeRole RBACAdmins" to the script in the NSH job because RBAC credentials were needed to run the script, but I was still getting the same error.

             

            Then, to test, I added user BLAdmin to the RBACAdmins role and executed the NSH job; this was successful and the script was functioning.

             

            Later I removed the RBACAdmins role from the BLAdmin user and restarted the app server service. Then I ran the NSH script job again, and now the script is not functioning as expected. Do I have to set any other permissions? Please let me know.

             

            My Script is as below

             

            for INPUTLINE in `cat /c/tmp/import.txt`
            do
                echo $INPUTLINE
                USER=`echo $INPUTLINE |cut -d',' -f1`
                echo "USER is $USER"
                ROLE=`echo $INPUTLINE |cut -d',' -f2`
                echo "ROLE is $ROLE"
                blcli_execute Utility assumeRole RBACAdmins
                blcli_execute RBACUser isUserExists ${USER}
                blcli_storeenv USER_EXISTS
                if test "$USER_EXISTS" = "true"
                then
                    echo "Warning: user $USER already exists.  Skipping to next user."
                else
                    blcli_execute RBACUser createUser ${USER} password ${USER}
                    echo "User Created"
                    blcli_execute RBACUser addRole ${USER} ${ROLE}
                    echo "ROle Added"
                    blcli_execute RBACUser setAdkAuthenticationEnabled ${USER} true
                    echo "AD Authentication enabled"
                    blcli_execute RBACUser setSrpAuthenticationEnabled ${USER} false
                    echo "SRP Disables"
                fi
            done

             

            Regards

             

            Santosh

            • 3. Re: Script work in NSH command but not as NSH job
              Bill Robinson

              if the user is no longer in the RBACAdmins role, you should not be able to switch roles.  maybe there is a cache?  try running this now and see if you can still switch roles.

               

              otherwise you should leave this user in the RBACAdmins role if you want this script to work.

              • 4. Re: Script work in NSH command but not as NSH job

                Hi Bill,

                 

                I had removed the RBACAdmins role from BLAdmin user and I am not able to run this script as NSH job, it gives me an error

                 

                "Command execution failed. com.bladelogic.mfw.util.BlException: User 'BLAdmin' is not a member of the 'RBACAdmins' role"

                 

                This script only works when I add BLAdmin user to RBACAdmins role.

                 

                So does this mean any RBACUser command (i.e. createuser, addrole etc.) needs RBACAdmin roles to execute? If so, then how will this work in a scheduled NSH Job where the jobs are run by BLAdmin?

                 

                Is it OK to make BLAdmin a member of the RBACAdmins role?

                 

                Regards

                 

                Santosh

                • 5. Re: Script work in NSH command but not as NSH job
                  Bill Robinson

                  the way the acls are setup out of the box, BLAdmins do not have rights to modify user and role objects.  so your user must be in RBACAdmins to do this.  however, RBACAdmins cannot run jobs w/ the OOB acl setup.

                   

                  so for the above to work, you need a user in both BLAdmins and RBACAdmins.

                  • 6. Re: Script work in NSH command but not as NSH job

                    Hi Bill,

                     

                    Thanks for the response.

                     

                    All the scheduled jobs which run from the Bladelogic application server will by default use BLAdmin credentials. Hence, to run any NSH script that uses blcli RBAC commands as a scheduled NSH job in the Bladelogic application server, the BLAdmin user should be made a member of the RBACAdmins role.

                     

                    Correct me if I am wrong.

                    • 7. Re: Script work in NSH command but not as NSH job
                      Bill Robinson

                      Yes – if you need to run commands that affect rbac objects, your user needs to be in the RBACAdmins role and you need to use the Utility assumeRole command to switch inside your script.

                      • 8. Re: Script work in NSH command but not as NSH job

                        Thank you Bill for the quick response

                         

                        Regards

                         

                        Santosh