Page History
...
Command | Category | Documentation |
---|---|---|
get-account / store-account | Accounts | |
rename-account / remove-account | ||
get-account-permission | ||
set-account-password / reset-account-password | ||
enable-account / disable-account | ||
get-role / store-role | Roles | JS7 - Management of User Accounts, Roles and Permissions JS7 - Manage Roles and Permissions JS7 - Default Roles and Permissions |
rename-role / remove-role | ||
get-permission / set-permission | Permissions | |
rename-permission / remove-permission | ||
get-folder / set-folder | Folder Permissions | |
rename-folder / remove-folder | ||
get-service / store-service | Identity Services | |
rename-service / remove-service | ||
get-service-settings / store-service-settings |
The script is offered for download and can be applied for frequently used operations:
...
Code Block | ||
---|---|---|
| ||
Usage: deploy-identity-service.sh [Command] [Options] [Switches] Commands: get-account --service [--account] [--enabled] [--disabled] store-account --service --account [--role] [--disabled] [--account-password] [--force-password-change] rename-account --service --account --new-account remove-account --service --account [--enabled] [--disabled] get-account-permission --service --account set-account-password --service --account --account-password --new-account-password reset-account-password --service --account enable-account --service --account disable-account --service --account get-role --service [--role] store-role --service --role [--ordering] rename-role --service --role --new-role remove-role --service --role get-permission --service --role [--controller-id] set-permission --service --role --permission [--excluded] [--controller-id] rename-permission --service --role --permission --new-permission [--excluded] [--controller-id] remove-permission --service --role --permission [--controller-id] get-folder --service --role [--folder] [--controller-id] set-folder --service --role --folder [--recursive] [--controller-id] rename-folder --service --role --folder --new-folder [--recursive] [--controller-id] remove-folder --service --role --folder [--controller-id] get-service [--service] store-service --service --service-type [--ordering] [--required] [--disabled] [--authentication-scheme] [--single-factor-certificate] [--single-factor-password] rename-service --service --new-service remove-service --service get-service-settings --service --service-type store-service-settings --service --service-type --settings Options: --url=<url> | required: JOC Cockpit URL --user=<account> | required: JOC Cockpit user account --password=<password> | optional: JOC Cockpit password --ca-cert=<path> | optional: path to CA Certificate used for JOC Cockpit login --client-cert=<path> | optional: path to Client Certificate used for login --client-key=<path> | optional: path to Client Key used for login --timeout=<seconds> | optional: timeout for request, default: 60 --controller-id=<id> | optional: Controller ID --account=<name[,name]> | optional: list of accounts --new-account=<name[,name]> | optional: new account names --account-password=<password> | optional: password for account --new-password=<password> | optional: new password for account --service=<name> | required: Identity Service name --service-type=<id> | optional: Identity Service type such as JOC, LDAP, LDAP-JOC, OIDC, OIDC-JOC --ordering=<number> | optional: ordering of Identity Service or role by ascending number --new-service=<name> | optional: new Identity Service name --authentication-scheme=<factor> | optional: Identity Service authentication scheme: SINGLE-FACTOR, TWO-FACTOR --settings=<json> | optional: Identity Service settings in JSON format --role=<name[,name]> | optional: list of roles --new-role=<name> | optional: new role name --permission=<id[,id]> | optional: list of permission identifiers assigned a role --new-permission=<id> | optional: new permission identifier assigned a role --folder=<name[,name]> | optional: list of folders assigned a role --new-folder=<name> | optional: new folder assigned a role --audit-message=<string> | optional: audit log message --audit-time-spent=<number> | optional: audit log time spent in minutes --audit-link=<url> | optional: audit log link --log-dir=<directory> | optional: path to directory holding the script's log files Switches: -h | --help | displays usage -v | --verbose | displays verbose output, repeat to increase verbosity -p | --password | asks for password -a | --account-password | asks for account password -n | --new-password | asks for new account password -f | --force-password-change | enforces password change on next login -e | --enabled | filters for enabled accounts -d | --disabled | filters for disabled accounts or disables Identity Services -x | --excluded | sets excluded permissions -q | --required | enforces use of Identity Service -r | --recursive | applies folder operation to sub-folders --single-factor-certificate | certificate allowed as single factor --single-factor-password | password allowed as single factor --show-logs | shows log output if --log-dir is used --make-dirs | creates directories if they do not exist see https://kb.sos-berlin.com/x/lwTWCQ |
...
get-service
- If the
--service
option is used, returns the indicated Identity Service and otherwise returns the list of Identity Services.
- If the
store-service
- Stores the indicated Identity Service.
- The following options and switches can be used:
- The
--service-type
option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix. - The
--required
switch specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication. - The
--disabled
switch can be used to deactivate an Identity Serivce which denies login by any accounts using the Identity Service. - The
--ordering
option can be used to specifiy the position of the Identity Service in the list of Identity Services. - The
--authentication-scheme
option allows to specify the following values:SINGLE-FACTOR
,TWO-FACTOR
.- Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
- The
--single-factor-certificate
switch is used for the JS7 - Certificate Identity Service to specify that a certificate acts as the single factor for authentication. - The
--single-factor-password
switch is used to specify that a password is used as the single factor for authentication.
- The
- Two-factor authentication specifies that a second Identity Service is used and that successful authentication with both Identity Services is required. For example an Identity Serivce using the LDAP service type can use FIDO as a second factor. This implies that secrets are stored on different media: the LDAP password is stored with the user's brain while the FIDO secret is stored on the user's device, for example on a USB key or in an authenticator application on a smartphone.
- Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
- The
rename-service
- Renames the indicated Identity Service.
remove-service
- Removes the indicated Identity Service.
- Users should check that there is a remaining Identity Service that allows to login. To restore access to JOC Cockpit consider JS7 - Rescue in case of lost access to JOC Cockpit.
Options
get-service-url
- Specifies the URL by which JOC Cockpit is accessible using
<http|https>://<host>:<port>
. - Example: http://centostest-primary.sos:4446
- Example: https://centostest-primary.sos:4443
settings
- Returns settings from an Identity Service. For example, the LDAP, OIDC and FIDO Identity Services hold confiugration items with their service settings.
- Settings are returned in JSON format and can be stored to environment variables or to files, for example
settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > /tmp/ldap.settings.json
- Specifies the URL by which JOC Cockpit is accessible using
store-service-settings
- Stores Identity Service settings that have previously been retrieved using the
get-service-settings
command. - Settings are expected in JSON format from the value of the
--settings
option. If settings have previousyl been stored to a file, then they can be assigned like this:settings=$(cat ./examples/ldap-settings.json)
./deploy-identity-service.sh get-service-settings ... --settings="$settings"
- Stores Identity Service settings that have previously been retrieved using the
Options
--url
- Specifies the URL by which JOC Cockpit is accessible using
<http|https>://<host>:<port>
. - Example: http://centostest-primary.sos:4446
- Example: https://centostest-primary.sos:4443
- Specifies the URL by which JOC Cockpit is accessible using
--user
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--client-cert
and--client-key
options then their common name (CN) attribute has to match the user account. - If a user account is specified then a password can be specified using the
--password
option or interactive keyboard input can be prompted using the-p
switch.
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--password
- Specifies the password used for the account specified with the
--user
option for login to JOC Cockpit. - Password input from the command line
- Specifies the password used for the account specified with the
--user
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--client-cert
and--client-key
options then their common name (CN) attribute has to match the user account. - If a user account is specified then a password can be specified using the
--password
option or interactive keyboard input can be prompted using the-p
switch.
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--password
- Specifies the password used for the account specified with the
--user
option for login to JOC Cockpit. - Password input from the command line is considered insecure. Consider use of the
-p
switch offering a secure option for interactive keyboard input.
- Specifies the password used for the account specified with the
--ca-cert
- Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
--client-cert
- Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
--client-key
- Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
--timeout
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
60
seconds.
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
--controller-id
- Specifies the identification of the Controller.
--account
- When used with commands on accounts, specifies the related account.
- When used with the
remove-account
,reset-account-password
,enable-account
anddisable-account
commands, one or more accounts can be specified separated by commea, for example::--account=user1,user2
.
--new-account
- When used with the
rename-account
command, specifies the new name of the account.
- When used with the
--account-password
- When used with the
store-account
andset-account-password
commands, specifies the account's password. - Command line input for passwords is considered insecure. Consider use of the
-p
switch offering a switch secure option for secure interactive interactive keyboard input for passwords.
- When used with the
--newca-password
- When used with the
set-account-password
commands, specifies the account's new password. - Command line input for passwords is considered insecure. Consider use of the
-n
switch for secure interactive keyboard input for passwords.
- When used with the
--service
- Specifies the name of the Identity Service.
--service-type
- The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
--ordering
- When used with the
store-role
command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended. - When used with the
store-service
command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
- When used with the
--new-service
- When used with the
rename-service
command, specifies the new name of the Identity Service.
- When used with the
--authentication-scheme
- When used with the
store-service
command, specifies single-factor or two-factor authentication using one of the values:SINGLE-FACTOR
,TWO-FACTOR
.
- When used with the
--role
- For role-based or permission-based command specifies the name of a role.
- If more than one role is specified, then they are separated by comma, for example:
--role=administrator,business-user
.
--new-role
- When used with the
rename-role
command, specifies the new name of the role.
- When used with the
--permission
- When used with the
set-permission,
rename-permission
andremove-permission
commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions. - If more than one permission is used, then permission identifiers are separated by comma, for example:
--permission='sos:products:controller:view','sos:products:controller:agents:view'
.
- When used with the
--new-permission
- When used with the
rename-permission
command, specifies the new permission identifier.
- When used with the
cert
- Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
--client-cert
- Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
--client-key
- Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
--timeout
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
60
seconds.
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
--controller-id
- Specifies the identification of the Controller.
--account
- When used with commands on accounts, specifies the related account.
- When used with the
remove-account
,reset-account-password
,enable-account
anddisable-account
commands, one or more accounts can be specified separated by commea, for example::--account=user1,user2
.
--new-account
- When used with the
rename-account
command, specifies the new name of the account.
- When used with the
--account-password
- When used with the
store-account
andset-account-password
commands, specifies the account's password. - Command line input for passwords is considered insecure. Consider use of the
-a
switch for secure interactive keyboard input for passwords.
- When used with the
--new-password
- When used with the
set-account-password
commands, specifies the account's new password. - Command line input for passwords is considered insecure. Consider use of the
-n
switch for secure interactive keyboard input for passwords.
- When used with the
--service
- Specifies the name of the Identity Service.
--service-type
- The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
--ordering
- When used with the
store-role
command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended. - When used with the
store-service
command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
- When used with the
--new-service
- When used with the
rename-service
command, specifies the new name of the Identity Service.
- When used with the
--authentication-scheme
- When used with the
store-service
command, specifies single-factor or two-factor authentication using one of the values:SINGLE-FACTOR
,TWO-FACTOR
.
- When used with the
--role
- For role-based or permission-based command specifies the name of a role.
- If more than one role is specified
--folder
- Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
- If more than one folder is used, then they are separated by comma, for example:
--folderrole=/accounting,/reportingadministrator,business-user
.
--new-folderrole
- When used with the
rename-folder
commandrole
command, specifies the new permission identifiername of the role.
- When used with the
--audit-message
- Specifies a message that is made available to the Audit Log.
- Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
--audit-time-spent
- Specifies the time spent to perform an operation which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--audit-link
- Specifies a link (URL) which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--log-dir
- If a log directory is specified then the script will log information about processing steps to a log file in this directory.
- File names are created according to the pattern:
operate-joc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
operate-joc.2022-03-19T20-50-45.log
Switches
permission
- When used with the
set-permission,
rename-permission
andremove-permission
commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions. - If more than one permission is used, then permission identifiers are separated by comma, for example:
--permission='sos:products:controller:view','sos:products:controller:agents:view'
.
- When used with the
--new-permission
- When used with the
rename-permission
command, specifies the new permission identifier.
- When used with the
--folder
- Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
- If more than one folder is used, then they are separated by comma, for example
--folder=/accounting,/reporting
.
--new-folder
- When used with the
rename-folder
command, specifies the new permission identifier.
- When used with the
--audit-message
- Specifies a message that is made available to the Audit Log.
- Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
--audit-time-spent
- Specifies the time spent to perform an operation which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--audit-link
- Specifies a link (URL) which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--log-dir
- If a log directory is specified then the script will log information about processing steps to a log file in this directory.
- File names are created according to the pattern:
operate-joc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
operate-joc.2022-03-19T20-50-45.log
Switches
-h | --help
- Displays usage.
-v | --verbose
- Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
- When used twice as with
-v -v
then curl verbose output will be displayed.
-p | --password
- Asks
-h | --help
- Displays usage.
-v | --verbose
- Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
- When used twice as with
-v -v
then curl verbose output will be displayed.
-p | --password
- Asks the user for interactive keyboard input of the password used for the account specified with the
--user
option.. - The switch is used for secure interactive input as an alternative to use of the option
--password=<password>
.
- Asks the user for interactive keyboard input of the password used for the account specified with the
-a | --account-password
- When used with the
store-account
andset-account-password
commands, asks the user for interactive keyboard input of the existing password used for the account specified with the--user
option.. - The switch is used for secure interactive input as an alternative to use of the option
--account-password=<password>
option.
- When used with the
-n a | --newaccount-password
- When used with the
store-account
andset-account-password
command commands, asks asks the user for interactive keyboard input of the existing password used for the account. - The switch is used for secure interactive input as an alternative to use of the
--account-password=<password>
option.
- When used with the
-n | --new-password
- When used with the
set-account-password
command, asks the user for interactive keyboard input of the new password used for the account. - The switch is used for secure interactive input as an alternative to use of the
--new-account-password=<password>
option.
- When used with the
-f | --force-password-change
- When used with the
store-account
command, specifies that the user will be challenged to type a new password on next login. - The switch is used for existing accounts. Use of the switch is not required in the following situations that will automatically challenge the user to specify a new password on next login:
- For new accounts using the initial passwords and for accounts assigned a password using the
--account-password
option or switch. - If the account is assigned a password using the
set-account-password
command. - If the account's password is reset to the initial password using the
reset-account-password
command
- For new accounts using the initial passwords and for accounts assigned a password using the
- When used with the
-e | enabled
- When used with the
get-account
command, filters results to enabled accounts. - When used with the
remove-account
command, filters that enabled accounts only will be removed.
- When used with the
-d | disabled
- When used with the
get-account
command, filters results to disabled accounts. - When used with the
store-account
command, specifies that the indicated account will be deactivated. - When used with the
remove-account
command, filters that disabled accounts only will be removed. - When used with the
store-service
command, specifies that the Identity Service will be deactivated.
- When used with the
-x | --excluded
- When used with the
set-permission
command, specifies that the permission will be denied. This applies to JOC Cockpit permissions and to all Controller permissions.
- When used with the
-q | --required
- When used with the
store-service
command, specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
- When used with the
-r | --recursive
- When used with the
set-folder
andrename-folder
commands, specifies that folder permissions are applied to sub-folders.
- When used with the
--single-factor-certificate
- When used with the
store-service
command, specifies that a certificate acts as a single factor for authentication.
- When used with the
--single-factor-password
- When used with the
store-service
command, specifies that a password acts as a single factor for authentication.
- When used with the
--show-logs
- Displays the log output created by the script if the
--log-dir
option is used.
- Displays the log output created by the script if the
--make-dirs
- If directories are missing that are indicated with the
--log-dir
option then they will be created.
- If directories are missing that are indicated with the
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root) # rename permission ./deploy-identity-service.sh rename-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \ --permission='sos:products:controller:deployment:manage' \ --new-permission='sos:products:controller:deployment:view' --excluded # remove permission ./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \ --permission='sos:products:controller:deployment:view' # remove permissions ./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \ --permission='sos:products:controller:deployment','sos:products:controller:agents:view' |
Setting up Identity Management
Setting up Identity Service, Roles, Permissions and Accounts
The example is used to set up an Identity Service from scratch:
- For use with Identity Services such as LDAP, OIDC, FIDO the related service settings have to be provided from .json files. Such files can be created by reading Identity Service settings.
- Roles for developers and operators are created.
- Frequently used permissions are assigned the roles. For permission identifiers see JS7 - Default Roles and Permissions.
- Accounts are created that are assigned the initial password. On next login users are challenged to change password.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 --new-permission='sos:products:controller:deployment:view' --excluded # remove permission ./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \ --permission='sos:products:controller:deployment:view' # remove permissionsREST API request_options=(--url=http://localhost:4446 --user=root --password=root) # store Identity Service # create Identity Service using password for single-factor authentication ./deploy-identity-service.sh removestore-permissionservice "${request_options[@]}" --service=JOCMy-INITIALService --service-roletype=business-userLDAP \ --authentication-scheme=SINGLE-FACTOR # get settings from an existing Identity Service # store settings to an environment variable # settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --permission='sos:products:controller:deployment','sos:products:controller:agents:view' |
Setting up Identity Management
Setting up Identity Service, Roles, Permissions and Accounts
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root) service=My-Service --service-type=LDAP) # store settings to a file # ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json # read settings from a file # settings=$(cat ./examples/ldap-settings.json) # store Identity Service settings # create Identity Service using password for single-factor authentication ./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP \ --authentication-scheme=SINGLE-FACTORsettings="$settings" --service-type=LDAP # create roles ./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=developer ./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=operator # assign permissions to roles ./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-ServicdeService --role=developer \ --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view' ./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-ServicdeService --role=operator\ --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view' # create accounts and assign to roles ./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=dev --role=developer ./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=ops --role=operator |
...
Overview
Content Tools