Clearcase - Unable to access VOB - ls: reading directory - Permission denied - centos7

Clearcase Server Version - 8.0.1.19
OS – Centos - 7.6.1810 (Core)
Problem: I created a new VOB, mounted it, then created a dynamic view on the server successfully. From the VOB root directory, the ls command shows the error below.
ls: reading directory .: Permission denied
total 0
I have executed the protect commands below.
cleartool protectvob -f -chown ccadmin -chgrp testvob-grp /vobstg/testvob.vbs
cleartool protect -chown ccadmin -chgrp testvob-grp -chmod 775 -r .
[root@VOB-Server /]# cleartool desc -l vob:/vobstg/testvob
versioned object base "/vobstg/testvob"
created 2019-11-21T09:01:57+05:30 by ccadmin.testvob-grp@VOB-Server
"This is test VOB."
protected by rolemap: "DefaultRolemap"
effective access for user "root": rmelem,Read
VOB family feature level: 8
VOB storage host:pathname "VOB-Server:/vobstg/testvob.vbs"
VOB storage global pathname "/net/VOB-Server/vobstg/testvob.vbs"
database schema version: 80
modification by remote privileged user: allowed
atomic checkin: disabled
srfm: disabled
evil twin detection: disabled
VOB ownership:
owner ccadmin
group testvob-grp
minimum client feature level: 8
ACLs feature level: 8
Attributes:
FeatureLevel = 8
The view owner has rwx (all) permissions. So in newer versions of ClearCase, do I need to enable some configuration even for the root ID and the VOB owner ID?
I am using the default config spec:
element * CHECKEDOUT
element * /main/LATEST
The dynamic view was created with the root account. When describing the VOB tag it shows the error below.
[root@VOB-Server]# cleartool desc -l /vobstg/testvob
cleartool: Error: No permission to resolve: "/vobstg/testvob".
cleartool: Error: Unable to access "/vobstg/testvob" because either it is unreadable or its containing VOB is not accessible to the current user.
Whereas with the VOB owner's account/ID (ccadmin), I am able to describe the VOB.

First, it depends on your config spec (I will assume element * /main/LATEST)
Second, your question mentions root@VOB-Server: make sure to do the ls test as the view owner: ccadmin.testvob-grp
Still as the view owner, do an id -a to check if the primary group (or one of the secondary groups) is part of the VOB group (VOB, not view, which is correctly protected)
See "Access control for VOBs" and "About Additional Groups in the VOB's group list"
You can use the cleartool describe command to display the owner, group, and supplemental group list for a VOB.
cleartool descr -l vob:/vobs/vobtag
Whereas with the VOB owner's account/ID (ccadmin), I am able to describe the VOB.
That is expected: only users with the primary VOB group among their groups would be able to access the VOB. root does not have testvob-grp in its groups (id -a)
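An added check, not from the answer above: pull the VOB group out of the cleartool desc output and compare it with the groups that id -Gn reports for the account running ls. The sample desc text is constructed from the question and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the answer): is the current account in the VOB group?

# Print the VOB group from the output of: cleartool desc -l vob:<storage-dir>
# (the "group" line directly under "VOB ownership:").
vob_group() {  # vob_group "<desc output>"
  printf '%s\n' "$1" | awk '/^VOB ownership:/{f=1;next} f&&$1=="group"{print $2;exit}'
}

# Return 0 if <group> appears in the space-separated <groups> list, else 1.
in_group_list() {  # in_group_list "<groups>" <group>
  for g in $1; do [ "$g" = "$2" ] && return 0; done
  return 1
}

# Live check for the current user: pass the real desc output; groups come from id -Gn.
check_vob_access() {  # check_vob_access "<desc output>"
  grp=$(vob_group "$1")
  if in_group_list "$(id -Gn)" "$grp"; then
    echo "ok: $(id -un) is in VOB group $grp"
  else
    echo "expect 'Permission denied': $(id -un) is not in VOB group $grp"
    return 1
  fi
}

# Constructed from the question's desc output (only the lines that matter here).
SAMPLE_DESC='versioned object base "/vobstg/testvob"
VOB ownership:
  owner ccadmin
  group testvob-grp
minimum client feature level: 8'
```

On the real server run `check_vob_access "$(cleartool desc -l vob:/vobstg/testvob)"` first as root, then as ccadmin.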

Related

how to use Set-AzDataLakeStoreItemAclEntry to set ACL permission for Service Principal?

It allows me to use User as the AceType with the SP's ObjectID, but when that is used the ACL list will look different. It will be like:
If I use:
Set-AzDataLakeStoreItemAclEntry -Account *** -Path /*** -AceType Other -Id "**********" -Permissions rwx
It will return error message "Error in modifying ACL entries other:ObjectID:rwx for path/*** MODIFYACLENTRIES failed with HttpStatus:Forbidden...."
The issue is using the right SPN Object ID.
We should use the Object ID from:
Azure Portal -> AAD (Azure Active Directory) -> Enterprise Applications (not from App registrations) -> your app -> get the GUID from the Object ID column

Using multiple SSH keys for different hosts with Ansible EC2 Inventory Plugin

I am trying to use Ansible to install applications across a number of existing AWS EC2 instances which use a number of different SSH keys and usernames on different Linux OSes. Because of the changing state of the existing instances I am attempting to use Ansible's Dynamic Inventory via the aws_ec2 inventory plugin as recommended.
I am able to group the hosts by key_name but now need to run the Ansible playbook against this inventory using the relevant SSH key and username according to the group, structured as the below example output from ansible-inventory -i inventory.aws_ec2.yml --graph:
@all:
|--@_SSHkey1:
| |--hostnameA
| |--hostnameB
|--@_SSHkey2:
| |--hostnameC
|--@_SSHkey3:
| |--hostnameD
| |--hostnameE
| |--hostnameF
|--@aws_ec2:
| |--hostnameA
| |--hostnameB
| |--hostnameC
| |--hostnameD
| |--hostnameE
| |--hostnameF
|--@ungrouped:
I have tried creating a separate hosts file (as per the below) using the groups listed above, providing the path to the relevant SSH key, but I am unsure how you would use this with the dynamic inventory.
[SSHkey1]
ansible_user=ec2-user
ansible_ssh_private_key_file=/path/to/SSHkey1
[SSHkey2]
ansible_user=ubuntu
ansible_ssh_private_key_file=/path/to/SSHkey2
[SSHkey3]
ansible_user=ec2-user
ansible_ssh_private_key_file=/path/to/SSHkey3
This is not explained in the official Ansible documentation here and here but should be a common use case. A lot of the documentation I have found refers to an older method of using Dynamic Inventory using a python script (ec2.py) which is deprecated and so is no longer relevant (for instance this AWS post).
I have found a similar unanswered question here (Part 3).
Any links to examples, documentation or explanations would be greatly appreciated as this seems to be a relatively new way of creating a dynamic inventory and I am finding it hard to locate clear, detailed documentation.
Edit
Using group variables as suggested by @larsks in the comments worked. I was initially caught out by the fact that the SSH key names returned from the inventory plugin are prefixed with an underscore, so the group names need to be of the form _SSHkey.
The answer was to use group variables as suggested in the comments. SSH key names returned from the inventory plugin are prefixed with an underscore, so the group names need to be of the form _SSHkey.
Have you considered using the ssh config file, ~/.ssh/config? You can put specific host connection information there. Host, Hostname, User and IdentityFile are the four options you need:
Host ec1
Hostname 10.10.10.10
User ubuntu
IdentityFile ~/.ssh/ec1-ubuntu.rsa
Then when you ssh to 'ec1', ssh will connect to host 10.10.10.10 as user ubuntu with the specified RSA key. 'ec1' can be any name you like; it does not have to be the actual host name, IP or FQDN. Make it match your inventory name.
Warning: make certain the file permissions for the directory ~/.ssh and the files within it are all 0600 (chmod -R 0600 ~/.ssh) and that the owner is correct, or ssh will give you fits. On Ubuntu, /var/log/auth.log will help with troubleshooting.
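An added example, not from the answer above, that audits ~/.ssh the way ssh itself checks it. The directory needs the execute bit to be entered, so the expected modes are 0700 for the directory and 0600 for private keys rather than a blanket chmod -R 0600; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the answer): report ~/.ssh permission and ownership
# problems of the kind that make ssh ignore a config or refuse a key.

mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }   # GNU, then BSD stat
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Print one line per problem; the return value is the number of problems (0 = clean).
audit_ssh_dir() {  # audit_ssh_dir [dir]   (default: ~/.ssh)
  dir=${1:-$HOME/.ssh}; bad=0; me=$(id -u)
  # The directory must be traversable by the owner only: 700, not 600.
  [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode $(mode_of "$dir"), want 700"; bad=$((bad+1)); }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    m=$(mode_of "$f")
    if [ "$(owner_of "$f")" != "$me" ]; then
      echo "$f: not owned by uid $me"; bad=$((bad+1))
    fi
    if grep -q 'PRIVATE KEY' "$f"; then
      # Private keys: ssh refuses anything readable by group or others.
      case $m in 600|400) ;; *) echo "$f: private key mode $m, want 600"; bad=$((bad+1));; esac
    else
      # config, known_hosts, authorized_keys, *.pub: fine if not group/world writable.
      case $m in 6[04][04]|4[04][04]) ;; *) echo "$f: mode $m, must not be group/world writable"; bad=$((bad+1));; esac
    fi
  done
  return $bad
}
```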

wso2 api-m running in docker as non-root user

I am looking into running the wso2-am in openshift.
I am trying to run AM but it keeps failing because of missing permission to write to the file system.
Unable to create the directory
[/opt/wso2/wso2am-2.1.0/repository/deployment/server/webapps/am#sample#calculator#v1]
Unable to create the directory
[/opt/wso2/wso2am-2.1.0/repository/deployment/server/webapps/authenticationendpoint]
In all the examples I see, the container is running as root, but we want to avoid that and run it as USER 1010.
Can you set a value to make it write to a specified location?
Running it as a user with uid 1010 will not help either. You need to set up file system permissions so that the directories and files you need to write to have group root and are writable by group.
This is necessary because by default under OpenShift your application will run as an assigned uid unique to your project. This is outside of the range of what would be in the /etc/passwd file and you cannot predict what it will be in advance. Because it isn't in /etc/passwd, it falls back to running as group root, which is why you need to satisfy the requirement of file system permissions being group root and writable by group.
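An added example, not from the answer above: the usual image-build step for a pod that runs under an arbitrary uid in OpenShift gives the writable paths group root (gid 0) and the same permission bits for group as for owner, and a check that the tree really ended up that way. The function names are assumptions; the gid is a parameter so the script can be tried as an ordinary user before the two commands go into a Dockerfile RUN line for the wso2 tree.

```shell
#!/bin/sh
# Added example (not part of the answer): prepare a directory tree for an
# arbitrary-uid container and verify that group permissions match the owner's.

# Equivalent of:  RUN chgrp -R 0 /opt/wso2 && chmod -R g=u /opt/wso2
make_group_writable() {  # make_group_writable <dir> [gid, default 0 = root]
  chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# Print every path under <dir> whose group permission digit differs from the
# owner's digit (that is where the assigned uid, which only matches by group,
# would be denied). Exit status is the number of such paths, so 0 means ready.
find_group_mismatch() {  # find_group_mismatch <dir>
  find "$1" -exec sh -c '
    for p; do
      m=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")   # GNU, then BSD stat
      m=${m#"${m%???}"}                 # keep the last three octal digits
      u=${m%??}; g=${m#?}; g=${g%?}     # owner digit, group digit
      [ "$u" = "$g" ] || echo "$p: mode $m"
    done' sh {} + | awk '{print} END{exit NR}'
}
```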

Add Network Location to My Computer (Group Policy)

The shares at my company are becoming unwieldy and we have now officially run out of letters to map shares to, having exhausted A, B, H-Z. Not all of our users need access to some of these shares, but there are enough people who need access to enough different shares that we can't simply recycle letters for them which are used by other shares. At this point we're going to need to start moving shares over to network locations.
Adding a network location shortcut on My Computer isn't difficult; I right click and use the Wizard. But how do I do it through Group Policy? I don't want to have to set up 100 or so computers manually.
This absolutely can be done using only existing Group Policy preferences, but it's a little tedious.
Background Info
When you create a network location shortcut it actually creates three things:
A read-only folder with the name of your network shortcut
A target.lnk within that folder with your destination
A desktop.ini file that contains the following
[.ShellClassInfo]
CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}
Flags=2
I found this information in this Spiceworks community forum post.
How to make it happen
I figured out how to do this from a comment in the same forum post linked above.
You need to create four settings in a group policy. All of the settings are located in the Group Policy editor under: User Configuration > Preferences > Windows Settings
as seen in this image.
Folders Setting
Add a new folder preference with the following settings, as seen in this image.
Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME
Read-only checked
Ini Files Settings
There are two settings that you must make in this section, as seen in this image.
Create one for the CLSID2 setting (image):
File Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\desktop.ini
Section Name: .ShellClassInfo
Property Name: CLSID2
Property Value: {0AFACED1-E828-11D1-9187-B532F1E9575D}
And another for the Flags setting (image):
File Path: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\desktop.ini
Section Name: .ShellClassInfo
Property Name: Flags
Property Value: 2
Shortcuts Setting
Add a new shortcut preference with the following settings (image):
Name: %APPDATA%\Microsoft\Windows\Network Shortcuts\SHARENAME\target
Target type: File System Object
Location: <Specify full path>
Target path: SHARETARGET
Closing Notes
This will work to create the network location using group policy. I would recommend using item level targeting to keep all of your network locations in one group policy.
It can be a handful to manage all of these separate preferences, so I created an application to help with managing the shares and the user security group filters. Here is my application on GitHub; you must create the first share using the settings above, but the application can handle adding more shares, deleting shares, and updating existing shares.
You can make a bat script which you can add to a startup policy to run:
net use <drive letter> \\<servername>\<sharename> /user:<username> <password>
Example:
@echo off
net use w: \\server /user:Test TestPassword
And this will add on every computer a network shortcut to \\server with letter W.
And you can modify it to do this only on some computers or users.
Let's say you want only the user 'MikeS' to run this command, so you put something like this:
IF "%USERNAME%"=="MikeS" (
net use w: \\server /user:Test TestPassword
)

How to limit a user's SSH access to certain folders

Currently, the project we are working on has a freelance front-end developer involved. As we have never used him before, we are looking for a way to limit his access to our servers and files but at the same time let him modify the view files currently on these servers.
The current project (all on one server) is compartmentalised into 6 separate mini sites, all using an MVC structure.
e.g.
Mini Site 1
-- Models
-- Views
-- Controllers
Mini Site 2
-- Models
-- Views
-- Controllers
etc
We need to limit his access to each view folder for each project but nothing else.
We are using Amazon EC2 and are using security groups with a limited IP range. We are unable to allow him to use FTP because that opens us up to more potential issues.
Also we have looked at file and group permissions but we have thousands of files on this server alone.
Any ideas on how this can be achieved with as little footprint as possible, so once he leaves we can remove his access and revert the settings etc.?
You could use chmod. I assume that your normal users can sudo and modify files at will? Or are they group based? Here are the two approaches you can pick from.
Approach 1:
If your normal employees/users can use sudo, you can chown all the folders so they are owned by root and a new group called programmers by doing chown -R root:programmers /var/www/dir/. This will make dir and everything in it owned by root and the group programmers. Then you would do chmod -R 744 /var/www/dir/. This will make it so that the root user has R/W/X permissions on dir and all folders in it (that is the 7), users in the programmers group would have read-only permissions (the 4), and all other users would have read-only permissions (the last 4).
From there you would go through the directories you want him to have access to and do: chmod -R 774 /var/www/dir/front-end/views/, which would give root and all users in the programmers group full R/W/X permissions. If you wanted to do it per file, you could do chmod 774 /var/www/dir/front-end/views/index.html
For all other users, if they wanted to modify a file (let us say they are using vim), they'd need to do sudo vim /var/www/dir/front-end/views/index.html. This would let them pretend to be root and be able to edit regardless of the Other permission (which is the last 4 in the three-digit octal).
Approach 2
If they are group based, you could make all files owned by root and the group employees (assuming normal users are in that group). Then for the files that you want him to edit (let us say his username is frontdev), you could do chown -R frontdev:employees /var/www/dir/front-end/views/ and then chmod that directory to 774, and you can do the same for individual files. That way all your employees, including you, in the employees group would have full permissions. Root would have permissions on all files and directories, and then you could assign his user as the one-off user in control of the files/dirs you need him to have access to.
You can also look into jailing the user to only authorized directories. Jailkit is a big one. Here is a good tutorial: https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users
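An added example, not from the answer above, that applies Approach 1 to the Models/Views/Controllers layout in the question (tree owned by one group, read-only except under each Views directory) and then audits it. Directories need the execute bit to be entered, so it uses 755/775 for directories in place of 744/774; the paths, the group name and the function names are assumptions, and the group is a parameter so the script can be tried as an ordinary user before running it as root.

```shell
#!/bin/sh
# Added example (not part of the answer): lock a site tree down to a contractor
# group except for the Views directories, then check nothing else is writable.

restrict_to_views() {  # restrict_to_views <tree> <group>
  tree=$1; grp=$2
  chgrp -R "$grp" "$tree" || return 1
  # Read-only baseline: directories must keep x so they can be traversed.
  find "$tree" -type d -exec chmod 755 {} +
  find "$tree" -type f -exec chmod 644 {} +
  # Only the Views directories and everything inside them become group-writable.
  find "$tree" -type d -name Views -exec chmod -R g+w {} +
}

# Print every group- or world-writable path that is NOT under a Views directory.
# Exit status is the number of offending paths, so 0 means the policy holds.
audit_writable_outside_views() {  # audit_writable_outside_views <tree>
  find "$1" \( -perm -g+w -o -perm -o+w \) -print |
    grep -v -e '/Views/' -e '/Views$' |
    awk '{print} END{exit NR}'
}
```

Run the audit periodically (or from a cron job) so a stray chmod by a developer shows up instead of silently widening the contractor's write access.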