14 Replies Latest reply on Aug 29, 2013 8:47 PM by Bill Robinson

    Setting Depot and Job object permissions via script

      I have searched for this but not found anything.


      Does anyone have a script that can be used for setting permissions on an entire branch of the Depot and Jobs areas in Bladelogic?  I am using 8.2.01.281 running on Windows 2008 and SQL 2005.

       

      I also need to be able to generate a report which shows the state of permissions in a particular tree.

       

      We are restructuring these areas and creating and permissioning new roles and then moving folders and objects.  When you move a folder/object it just takes its ACL with it.  There is no way of inheriting from new location.

       

      Anyone know if there are any plans to introduce permissions inheritance to the product?  It is desperately needed.  The current situation is impossible when you have lots of objects.  The GUI permissions updates are very slow and somewhat limited.

        • 1. Re: Setting Depot and Job object permissions via script
          Jim Wilson

          Moved to Server Automation Scripting in the hope of getting a response

           

          Thanks & Regards,

          Jim

          • 2. Re: Setting Depot and Job object permissions via script
            Bill Robinson

            what you want is a 'bulkUpdate' but that does not exist for the job and depot folder spaces so you'll need to list all the items in the group and then run the explicit acl application.

             

            something like:

             

            # resolve the job group path to its id
            blcli_execute JobGroup groupNameToId "/some/group"
            blcli_storeenv groupId
            # list the jobs in the group and keep the list as a named object
            blcli_execute Job findAllHeadersByGroup ${groupId}
            blcli_execute Utility storeTargetObject jobHeaders
            blcli_execute Utility listLength
            blcli_storeenv listLength
            for i in {0..$((${listLength}-1))}
            do
                # select item i of the stored list and read its DBKey
                blcli_execute Utility setTargetObject jobHeaders
                blcli_execute Utility listItemSelect ${i}
                blcli_execute Utility setTargetObject
                blcli_execute SJobHeader getDBKey
                blcli_storeenv jobKey
                # apply the ACL change to ${jobKey} here:
                # blcli_execute Job addPermission or applyAclTemplate, etc
            done

             

            you can pretty much swap out Job for DepotObject in the above commands.

             

            not sure about plans for inheritance, create an Idea on this community for that.

            • 3. Re: Setting Depot and Job object permissions via script

              Hi, Jim.

               

              If you wish to set the same permissions on all objects within an entire branch of the Depot and/or Jobs folder hierarchies, you could remove the current ACL Policy after first setting the ACL Policy which contains all the appropriate Role-Permission pairings and apply that, periodically, to the uppermost folder level in the hierarchy that requires those permissions.

               

              That way, your script would merely need to be triggered to apply the (probably already existing) ACL Policy (or Policies) on the uppermost folder and the object will have those permissions applied (as all objects in the hierarchy below that folder will also inherit the ACL policy). Then, remove the current ACL Policy (or Policies) from the moved object.

               

              Either you write a script to be executed as an NSH Script Job every 30-60 minutes or you "trigger" the script whenever a move of objects is performed.

               

              The BLCLI Commands to look for are: applyAclPolicy and removeAclPolicy

              1 of 1 people found this helpful
              • 4. Re: Setting Depot and Job object permissions via script

                Thanks for your response Jeff.  But are you suggesting that just applying the ACL policy causes it to be inherited down the tree?   That was not my understanding.  As Bill mentions above, there are no plans for inheritance that he is aware of.

                • 5. Re: Setting Depot and Job object permissions via script
                  Bill Robinson

                  if you do what jeff is suggesting, that means that all the objects in the folder at the time of applying the acl policy would get that acl policy applied.  going forward you could then update that policy w/ whatever permissions you want and all the objects it's associated with would be updated.  however, if you add objects into the folder, they would not automatically inherit the acl policy, nor would removing an object from the folder remove the acl policy.

                   

                  there's an 'idea' posted about inheritance - you should upvote/comment on that.  but as it is now there is no inheritance of permissions.

                  • 6. Re: Setting Depot and Job object permissions via script

                    Thanks Bill.

                     

                    Is there a way in blcli to Replace Permissions with ACL Policies and recurse down a tree, like you can from the GUI?

                    • 7. Re: Setting Depot and Job object permissions via script
                      Bill Robinson

                      Group bulkApplyBlAcl[Policy|Template]ByGroup

                       

                      it's an unreleased command:

                       

                       

                      This command bulk applies an ACL policy to all objects in a group. You must provide the fully qualified name of the group and the name of the ACL policy. You must also provide a string describing the type of group. The following is a list of all valid group type strings:

                       

                          Job Group: JOB_GROUP

                          Smart Job Group: SMART_JOB_GROUP

                          Server Group: STATIC_SERVER_GROUP

                          Smart Server Group: SMART_SERVER_GROUP

                          Depot Group: DEPOT_GROUP

                          Smart Depot Group: SMART_DEPOT_GROUP

                          Template Group: TEMPLATE_GROUP

                          Smart Template Group: SMART_TEMPLATE_GROUP

                          Component Group: STATIC_COMPONENT_GROUP

                          Smart Component Group: SMART_COMPONENT_GROUP

                          System Package Group: SYSTEM_PACKAGE_GROUP

                       

                      Command Input :

                      Variable Name    Variable Type    Description
                      groupName        String           Name of the group or folder.
                      modelType        String           Internal model type of group or folder.
                      policyName       String           Name of the ACL policy.
                      recursive        Boolean          Flag to control whether policy should apply to objects in sub-groups.
                      replace          Boolean          Flag indicating whether or not you want to replace all ACL entries (true/false).

                      1 of 1 people found this helpful
                      • 8. Re: Setting Depot and Job object permissions via script

                        Hello

                         

                        I finally got round to testing this.  It ran OK on some smaller folder structures without many objects, but when I ran it on one of our big structures with many objects, it ran for 2 hours then failed with this:

                         

                        Command execution failed. com.bladelogic.om.infra.mfw.util.BlException: Unexpected exception while handling request.com.bladelogic.om.infra.model.rbac.BulkAclModifierService_bulkApplyAclPolicy(int, int, boolean, boolean): com.bladelogic.om.infra.common.BeanException: No job found with id : 122374: com.bladelogic.om.infra.mfw.util.NotFoundException: No job found with id : 122374

                         

                        No object ACLs have been updated.

                         

                        I guess it works out all the objects that need to be updated up front and then updates them all at the end...

                         

                        It would be good if it would continue on errors and just report them instead of failing completely.


                        Anyone had much experience with this unreleased command?

                        • 9. Re: Setting Depot and Job object permissions via script
                          Bill Robinson

                          did that job happen to get deleted while the acl application was running ?  i don't know of any way to have that particular command ignore the error...
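
The per-object approach from reply 2, extended so that one failing job is recorded and skipped rather than aborting the whole run, which is the behaviour asked for in reply 8. This is an added example, not code posted by anyone in the thread; it handles a single job group without recursing, and it assumes that `Job applyAclPolicy` takes the job DBKey followed by the policy name and that `blcli_execute` returns non-zero on failure.

```shell
# Added example (not from the thread): apply an ACL policy job by job,
# recording failures instead of aborting. Intended for NSH, where
# blcli_execute and blcli_storeenv are provided by the shell.
# Assumptions: "Job applyAclPolicy <jobKey> <policyName>" argument order,
# and that blcli_execute returns non-zero when a command fails.

FAILED_KEYS=""   # space-separated DBKeys (or list indexes) that failed
APPLIED=0        # number of jobs updated successfully

apply_policy_per_job() {
    group="$1"; policy="$2"
    FAILED_KEYS=""; APPLIED=0

    # Enumerate the jobs in the group (same calls as the loop in reply 2).
    blcli_execute JobGroup groupNameToId "$group" >/dev/null || return 2
    blcli_storeenv groupId
    blcli_execute Job findAllHeadersByGroup "$groupId" >/dev/null || return 2
    blcli_execute Utility storeTargetObject jobHeaders >/dev/null
    blcli_execute Utility listLength >/dev/null
    blcli_storeenv listLength

    i=0
    while [ "$i" -lt "$listLength" ]; do
        blcli_execute Utility setTargetObject jobHeaders >/dev/null
        blcli_execute Utility listItemSelect "$i" >/dev/null
        blcli_execute Utility setTargetObject >/dev/null
        i=$((i + 1))
        # If a header cannot be resolved to a key, record its index and go on.
        if ! blcli_execute SJobHeader getDBKey >/dev/null; then
            FAILED_KEYS="$FAILED_KEYS index:$((i - 1))"
            continue
        fi
        blcli_storeenv jobKey
        if blcli_execute Job applyAclPolicy "$jobKey" "$policy" >/dev/null; then
            APPLIED=$((APPLIED + 1))
        else
            FAILED_KEYS="$FAILED_KEYS $jobKey"
        fi
    done

    echo "applied=$APPLIED failed=${FAILED_KEYS:-none}"
    [ -z "$FAILED_KEYS" ]   # non-zero exit status if anything was skipped
}

# Usage inside an NSH Script Job (group and policy names are placeholders):
#   apply_policy_per_job "/some/group" "MY_ACL_POLICY"
```

Unlike the bulk command, each job's ACL is changed as the loop reaches it, so a failure part-way through leaves the earlier jobs updated and the failed keys listed for a re-run.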

                          • 10. Re: Setting Depot and Job object permissions via script

                            No.  This test is being run on a staging system with only 2 users.  Also I have checked the DB and there is no job with id 122374 marked as deleted.

                             

                            I ran it on another large branch and it ran ok.


                            Trying the original one again.

                            • 11. Re: Setting Depot and Job object permissions via script

                              Ran it again and saw the same issue with same job_id...  This job does not exist.  Where is it getting the job_id from?

                               

                              Annoying.

                              • 12. Re: Setting Depot and Job object permissions via script
                                Bill Robinson

                                not sure - can you run:

                                 

                                select * from job where job_id = '<id>';

                                 

                                ?

                                • 13. Re: Setting Depot and Job object permissions via script

                                  Did that already.  Job does not exist in the DB at all.

                                  • 14. Re: Setting Depot and Job object permissions via script
                                    Bill Robinson

                                    what kind of jobs are in this group ? also, can you try setting the blcli to do debug logging (in $HOME/.bladelogic/blcli-log.cf or %APPDATA%\BladeLogic\blcli-log.cf) on your client system and post that ?