...

Examples for Creating and Updating Identity Services (bash):
# Connection options shared by every call to the JS7 REST API.
# NOTE: --password on the command line is visible in process listings (ps)
# and in shell history; use a dedicated, least-privileged account for automation.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# Wrapper: <command> followed by the shared connection options and any
# command-specific options; argv is identical to calling the script directly.
js7_identity() {
  ./deploy-identity-service.sh "$1" "${request_options[@]}" "${@:2}"
}

# Identity Service of type OIDC
js7_identity store-service --service=New-Service --service-type=OIDC

# LDAP Identity Service with password-based single-factor authentication
js7_identity store-service --service=New-Service --service-type=LDAP \
  --authentication-scheme=SINGLE-FACTOR --single-factor-password

# two-factor authentication: a FIDO service plus a required LDAP service
js7_identity store-service --service=FIDO-Service --service-type=FIDO
js7_identity store-service --service=LDAP-Service --service-type=LDAP --required \
  --authentication-scheme=TWO-FACTOR

...

Examples for Renaming and Removing Accounts (bash):
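# Connection options shared by every call to the JS7 REST API.
# NOTE: --password on the command line is visible in process listings (ps)
# and in shell history; use a dedicated, least-privileged account for automation.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# rename an account
./deploy-identity-service.sh rename-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account --new-account=test-account2

# remove a single account
# (account name corrected from "test-accountaccount2"; stray trailing "-" dropped)
./deploy-identity-service.sh remove-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account2

# remove several accounts in one call: comma-separated list of account names
./deploy-identity-service.sh remove-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account1,test-account2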

...

  • The Identity Service is created.
  • Roles for developers and operators are created.
  • The roles are assigned frequently used permissions. For permission identifiers see JS7 - Default Roles and Permissions.
  • Accounts are created and assigned the initial password. On next login, users are required to change the password.

Examples for Renaming and Removing Accounts (bash):
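# Connection options shared by every call to the JS7 REST API.
# NOTE: --password on the command line is visible in process listings (ps)
# and in shell history; use a dedicated, least-privileged account for automation.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# store Identity Service: built-in JOC type with password-based single-factor authentication
# (comment moved here from the request_options line, where it was misplaced)
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=JOC \
                                           --authentication-scheme=SINGLE-FACTOR --single-factor-password

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles: a comma-separated list of permission identifiers per role;
# the developer role additionally receives administration:view, cluster and inventory permissions
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator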

...

  • The Identity Service is created. For Identity Services such as LDAP, OIDC and FIDO the related service settings have to be provided from .json files. Such files can be created by reading the settings of an existing Identity Service.

    Example for LDAP settings in JSON format:
    {
      "simple": {
        "iamLdapHost": "openldap-2-4",
        "iamLdapHostNameVerification": null,
        "iamLdapPort": 636,
        "iamLdapProtocol": "SSL"
      },
      "expert": {
        "iamLdapGroupNameAttribute": "cn",
        "iamLdapGroupRolesMap": {
          "items": [
            {
              "ldapGroupDn": "js7adm",
              "roles": [
                "all"
              ]
            },
            {
              "ldapGroupDn": "js7usr",
              "roles": [
                "business_user"
              ]
            }
          ]
        },
        "iamLdapGroupSearchBase": "dc=sos-berlin,dc=com",
        "iamLdapGroupSearchFilter": "(memberUid=%s)",
        "iamLdapSearchBase": "",
        "iamLdapServerUrl": "ldaps://openldap-2-4:636",
        "iamLdapUseStartTls": false,
        "iamLdapUserDnTemplate": "uid={0},ou=users,ou=sales,o=sos,dc=sos-berlin,dc=com",
        "iamLdapUserNameAttribute": "",
        "iamLdapUserSearchFilter": ""
      }
    }
  • Roles for developers and operators are created.
  • The roles are assigned frequently used permissions. For permission identifiers see JS7 - Default Roles and Permissions.
  • Accounts are created and assigned the initial password. On next login, users are required to change the password.

Examples for Renaming and Removing Accounts (bash):
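# Connection options shared by every call to the JS7 REST API.
# NOTE: --password on the command line is visible in process listings (ps)
# and in shell history; use a dedicated, least-privileged account for automation.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# store Identity Service: LDAP type with single-factor authentication
# (comment moved here from the request_options line, where it was misplaced)
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR

# LDAP settings are provided as JSON. The settings file can be created from an
# existing Identity Service:
#   ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json
# or the settings can be captured directly into the variable:
#   settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
#
# The original example left every assignment commented out, so "$settings" below
# was always empty; read the file and refuse to continue without settings.
settings=$(<./examples/ldap-settings.json) || exit 1
[[ -n "$settings" ]] || { printf 'no Identity Service settings found in ./examples/ldap-settings.json\n' >&2; exit 1; }

# store Identity Service settings
# NOTE: the settings JSON is passed as a command-line argument and is therefore
# visible in process listings; keep the settings file readable only by the deploying account.
./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --settings="$settings" --service-type=LDAP

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles: a comma-separated list of permission identifiers per role;
# the developer role additionally receives administration:view, cluster and inventory permissions
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator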

...