| Author |
Message |
seanc217
Joined: 23 May 2007
Posts: 272
|
|
 Password best practices |
 |
Hi there,
Is it possible to setup and use a global variable that can be used as a password when running scripts using the run as option?
I can see this being a maintenace nightmare if the password is changed.
What's the best way to handle this?
Thanks.
|
|
| Tue Jan 08, 2008 11:41 am |
  |
 |
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
Unfortunately there is no such feature available as to store passwords globally. Each remote job has its own user/password set.
As a workaround consider running a separate instance of the agent for each required user. starting the agent using that user's account. The idea here is to avoid user authentication and switching all together so that you don't need to deal with passwords. Setup each instances in a separate directory so that they don't share the config files. Configure each instance to listen on different port numbers – this way you can run them concurrently. You can edit preferences.xml file and specify port value there or use the GUI if you want. On the agent side, for each instance, modify auth.pl and runner.pl files and comment out or remove user authentication and user switching code. If you are not sure what to comment out, I can help you with that.
On the scheduler side, create a separate connection profile for each agent instance. Use different profiles for different jobs as required. In job properties for the password value specify any dummy, for example, "none" – the value is required for the job, but isn't going to be used.
|
|
| Tue Jan 08, 2008 12:17 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
Do I have to specify a run as user or since the scheduler and all it's instances are running as root can the jobs run as root also?
Thanks
|
|
| Tue Jan 08, 2008 12:22 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
OK since I am only going to use one account to run all of our jobs, I like your idea.
Can you send me some documentation on how to do this?
Right now my schedulers run as root what are the specific steps I would need to do to change this?
If you have any documentation can you send it to me?
My e-mail is seanwconway@nospam.yahoo.com
remove nospam.
Thanks for your help.
|
|
| Tue Jan 08, 2008 12:29 pm |
|
|
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
If this is just one account, then you don't need to use root at all. Root is only needed to run jobs using multiple user accounts so that it can switch users for job runs.
Here is what you should do.
1. Change directory and files ownership of the directory where the agent is installed to the required user, or just give the user or the group permissions to execute, read, write and modify files in that directory.
2. Shutdown the agent, and login to the system as the required user.
3. Edit auth.pl file in any text editor and leave only the following 2 lines
 |
|
#!/usr/bin/perl
print "OK"; |
Edit runner.pl and file in any text editor and leave only the following 2 lines
|
|
#!/usr/bin/perl
exec $ARGV[1]; |
4. Start agent
-----------------
Now, out of curiosity… why do you need the agent? If all jobs run under the same user account and all are submitted from the same remote scheduler, why not to run the scheduler directly on that computer using the required user account? In that case, you don't need to modify anything. You don't even need to specify passwords, just set jobs to run locally without entering a specific user account. In this case they are going to run using the account of the scheduler. No need to deal with any passwords.
|
|
| Tue Jan 08, 2008 1:20 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
Thanks,
The reason for running remotely is because I have certain dependencies on 2 or more remote boxes. So for example I have a backup job that has to shut down services on box a and box b before backups can begin. Therefore I let the master scheduler on another box handle the shut down of those services.
Hope that makes sense.
Thanks for the help.
|
|
| Tue Jan 08, 2008 1:27 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
Hi there I'm having issues now.
Here's what I get in the agent log:
8-Jan-2008 02:22:35 PM 2 null 47 02_archive_eftall Remote job started.
8-Jan-2008 02:22:35 PM 2 null 47 02_archive_eftall Job started.
8-Jan-2008 02:22:38 PM 3 null 47 02_archive_eftall User authentication failed. null
8-Jan-2008 02:22:38 PM 3 null 47 02_archive_eftall User authentication failed. null
Please advise.
Thanks.
|
|
| Tue Jan 08, 2008 3:25 pm |
|
|
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
Not sure why you are getting this. The auth.pl has been modified to always accept connections from anyone.
Please enable the tracing option and take a look at debug.log file. If you see any exceptions recorded there, please let us know what they say. Those exceptions may shed the light on the user authentication issue.
|
|
| Wed Jan 09, 2008 10:36 am |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
Here's what showed up in the trace:
2008-01-09 10:15:04,416 [main] DEBUG com.softtreetech.jscheduler.JSchedulerStarter - main(...) : start
2008-01-09 10:15:04,423 [main] DEBUG com.softtreetech.jscheduler.JSchedulerStarter - startup() : start
2008-01-09 10:15:05,401 [main] DEBUG com.softtreetech.jscheduler.JSchedulerStarter - startup() : creating business objects
2008-01-09 10:15:05,487 [main] DEBUG com.softtreetech.jscheduler.JSchedulerStarter - startup() : creating UI controller
2008-01-09 10:15:05,622 [main] DEBUG com.softtreetech.jscheduler.JSchedulerStarter - startup() : initializing business objects
2008-01-09 10:15:05,627 [main] DEBUG com.softtreetech.jscheduler.business.preferences.AbstractPrefDatabase - Creating backup for preferences file preferences.xml
2008-01-09 10:15:05,629 [main] DEBUG com.softtreetech.jscheduler.business.preferences.AbstractPrefDatabase - Preferences file has been copied to preferences.bak
2008-01-09 10:15:59,769 [Job #45 - 01_check_dasall] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): start
2008-01-09 10:16:02,150 [Job #45 - 01_check_dasall] DEBUG com.softtreetech.jscheduler.business.runner.security.SecurityService - authNativeUser: srv_etl login ok
2008-01-09 10:16:02,161 [Job #45 - 01_check_dasall] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner - checkJobSecurity
com.softtreetech.jscheduler.common.SchedException
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.if(Unknown Source)
at com.softtreetech.jscheduler.business.runner.ProgramJobRunner.runJob(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.do(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.Ã00000(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.execute(Unknown Source)
at com.softtreetech.jscheduler.business.runner.JobExecutorImpl.execute(Unknown Source)
at com.softtreetech.jscheduler.business.agent.remote.RemoteAgentImpl.executeJob(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
at sun.rmi.transport.Transport$1.run(Transport.java:148)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:534)
2008-01-09 10:16:02,276 [Job #45 - 01_check_dasall] ERROR com.softtreetech.jscheduler.business.runner.JobExecutorImpl - Job errors: User authentication failed.
null
|
|
| Wed Jan 09, 2008 11:18 am |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
Hi there any idea why this is not working?
Thanks.
|
|
| Thu Jan 10, 2008 12:00 pm |
|
|
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
You may need to change one more file.
In runas.pl please change the text to the following
|
|
#!/usr/bin/perl
# runner.pl <user> <cmdline> <dir>
# on succes returns process output & process exitcode
# on error:
# !! if something goes wrong
# script should die with exitcode -77
# & write message to the default output, starting with "ERROR4234"
exec ($ARGV[1]);
$! = -77;
die "ERROR4234 Can't exec $ARGV[1]\n"; |
-----
Please let us know if this helps or if the trace something different after this change.
|
|
| Thu Jan 10, 2008 12:45 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
I changed the file, but I continue to receive the same error:
Here's the trace info:
2008-01-10 11:52:08,425 [Job #53 - test_script.ksh] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): start
2008-01-10 11:52:10,808 [Job #53 - test_script.ksh] DEBUG com.softtreetech.jscheduler.business.runner.security.SecurityService - authNativeUser: srv_etl login ok
2008-01-10 11:52:10,810 [Job #53 - test_script.ksh] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner - checkJobSecurity
com.softtreetech.jscheduler.common.SchedException
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.if(Unknown Source)
at com.softtreetech.jscheduler.business.runner.ProgramJobRunner.runJob(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.do(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.Ã00000(Unknown Source)
at com.softtreetech.jscheduler.business.runner.AbstractJobRunner.execute(Unknown Source)
at com.softtreetech.jscheduler.business.runner.JobExecutorImpl.execute(Unknown Source)
at com.softtreetech.jscheduler.business.agent.remote.RemoteAgentImpl.executeJob(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
at sun.rmi.transport.Transport$1.run(Transport.java:148)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:534)
2008-01-10 11:52:10,899 [Job #53 - test_script.ksh] ERROR com.softtreetech.jscheduler.business.runner.JobExecutorImpl - Job errors: User authentication failed.
null
|
|
| Thu Jan 10, 2008 12:54 pm |
|
|
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
The source of the error is not very clear to me. I will do more research on this issue.
|
|
| Thu Jan 10, 2008 1:00 pm |
|
|
seanc217
Joined: 23 May 2007
Posts: 272
|
|
| |
|
OK thanks.
Just an fyi if I put the proper password in, the job runs OK.
Thanks.
|
|
| Thu Jan 10, 2008 1:12 pm |
|
|
SysOp
Site Admin
Joined: 26 Nov 2006
Posts: 7969
|
|
| |
|
I guess that changes in .PL files had no effect because the agent is currently configured to use FTP authentication method. Please change the authentication method to PAM. If the agent is running in nogui mode, edit preferences.xml in vi or other editor, search for references to FTP value and replace it with PAM. Restart the agent.
|
|
| Thu Jan 10, 2008 5:16 pm |
|
|
|
