That's exactly the explanation I didn't get
My problem is: when do I need root equivalency?
Take a use case: executing an NSH script that runs on the client and does things that only the root user is allowed to do.
So, if you want to do things on the client and the root equivalency configuration is not done, then you will get failures.
Maybe I've found the answer myself. This is the explanation of root equivalency given during RSCD agent installation:
By default the RSCD Agent does not give root permissions to
root clients. To be able to perform some functions, such as
remotely updating configuration files and/or installing software,
you will need to have root privileges. If you would like, the
Install script can now setup an initial host from which the root
user will have root privileges (called root equivalency) on this
host giving you an initial root privileged entry point.
Is the root client mentioned here the application server? Does that mean that if I don't set up root equivalency, BSA Server will never be able to install software or modify configurations on my RSCD Agent machine?
BladeLogic maps incoming connections to the RSCD agent to local users on the system the agent is running on. It determines these mappings by looking at the exports, users and users.local files in the 'rsc' folder. You can make this very open - * rw,user=root in exports - which would map anyone connecting with an NSH client to root on the target - or very restrictive - ROLE:USER rw,map=root - in the users / users.local.
All permissions are handled by ROLE in BSA, so other than allowing the appserver to connect and do an initial creation of the ACL files, all connections from the appserver should send across the role and user of the person trying to act on the target, and those actions would be mapped to a local user.
For most actions against a target - like patching, compliance checking, etc. - you need to be root.
During the initial install it asks you to set up a mapping so that you will be able to do the initial ACL push to the target; after that, the role mappings will take precedence over the host mapping that was initially set up.
Thanks for your explanation. It made the whole scenario much clearer.
So, if I'm installing BSA AppServ on a Linux box, I need to install RSCD Agent to enable communication with the file server, and I can simply modify the exports to allow only BLAdmin to be able to make config changes and apply patches on my BSA Server.
Thank you again,
NSH is part of the appserver install and it is what talks to the file server agent, not RSCD.
Is your file server on your appserver or on another system?
It's on the appserver.
So this is a special case.
Typically we recommend that you use the agent on the file server for only managing the file server files. To do this you don't want to map everyone to root. You want to map everyone (actually just all connections from the appserver) to a non-privileged account that owns all the file server files. If you map only a few roles to root and everyone else to some other account, you will have file permission problems on the back end if in the front end the roles can share content. If you map everyone to root on the file server agent, then anyone can do stuff to the file server OS.
So if you need to both have a system be the file server agent and manage the OS of that system, you need to install two RSCD agents on that host, one for the file server and one to manage the OS.
I will try and PM you a PDF that describes how to set up multiple agents on a single host.
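Added example, not part of the thread and not BMC code: a small audit of the exports and users mappings discussed above, flagging the wide-open `* rw,user=root` entry and any other mapping that lands on root (the concern raised for the file server agent). The file layout, the `#` comment handling, and the sample host, role and account names are assumptions constructed for illustration.

```python
# Constructed sample files. Assumed layout (from the two entries quoted in the
# thread): "<subject> <comma-separated options>", with '#' starting a comment.
SAMPLE_EXPORTS = """\
# constructed sample: wide-open entry plus a host-specific one
*            rw,user=root
appserver01  rw,user=bladmin
"""
SAMPLE_USERS = """\
PatchAdmins:alice  rw,map=root
FileOps:bob        rw,map=bladmin
"""


def parse_entries(text):
    """Return (subject, options) pairs; options is a dict like {'rw': '', 'user': 'root'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts = {}
        for item in (parts[1] if len(parts) > 1 else "").split(","):
            key, _, value = item.strip().partition("=")
            if key:
                opts[key] = value
        entries.append((parts[0], opts))
    return entries


def maps_to_root(opts):
    # Assumption: user= and map= are treated alike, as the thread uses both
    # to name the local account a connection is mapped to.
    return "root" in (opts.get("user"), opts.get("map"))


def audit(exports_text, users_text):
    """Return (severity, file, subject, reason) for every mapping that grants root."""
    findings = []
    for host, opts in parse_entries(exports_text):
        if maps_to_root(opts):
            sev, why = (("HIGH", "any connecting client is mapped to root") if host == "*"
                        else ("MEDIUM", "all connections from this host are mapped to root"))
            findings.append((sev, "exports", host, why))
    for subject, opts in parse_entries(users_text):
        if maps_to_root(opts):
            findings.append(("INFO", "users", subject, "role/user mapped to root; confirm intended"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, SAMPLE_USERS):
        print(*finding, sep="  ")
```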