...
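# Example: create a JOC Identity Service with two roles and two accounts.
# Requires bash (array syntax) and deploy-identity-service.sh in the
# current directory.

# common options for connection to JS7 REST API
# NOTE(review): these are sample values. --url uses plain http://, so the
# credentials travel unencrypted; --password=... on the command line is
# visible in the process list and in shell history. Outside a local test
# setup use an https:// URL and a dedicated account instead of root/root.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=JOC \
    --authentication-scheme=SINGLE-FACTOR --single-factor-password

# create roles
./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
# NOTE(review): the developer role lists 'sos:products:joc:cluster' and
# 'sos:products:joc:inventory' without the ':view' suffix used elsewhere;
# presumably that grants more than read access. Confirm against the
# permission reference and grant only what the role needs.
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
    --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
    --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles
./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=ops --role=operator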
...
The Identity Service is created. For use with Identity Services such as LDAP, OIDC or FIDO, the related service settings have to be provided from .json files. Such files can be created by reading the settings of an existing Identity Service.
Example for LDAP settings in JSON format:

{
  "simple": {
    "iamLdapHost": "openldap-2-4",
    "iamLdapHostNameVerification": null,
    "iamLdapPort": 636,
    "iamLdapProtocol": "SSL"
  },
  "expert": {
    "iamLdapGroupNameAttribute": "cn",
    "iamLdapGroupRolesMap": {
      "items": [
        {
          "ldapGroupDn": "js7admjs7dev",
          "roles": [ "alldeveloper" ]
        },
        {
          "ldapGroupDn": "js7usrjs7ops",
          "roles": [ "business_useroperator" ]
        }
      ]
    },
    "iamLdapGroupSearchBase": "dc=sos-berlin,dc=com",
    "iamLdapGroupSearchFilter": "(memberUid=%s)",
    "iamLdapSearchBase": "",
    "iamLdapServerUrl": "ldaps://openldap-2-4:636",
    "iamLdapUseStartTls": false,
    "iamLdapUserDnTemplate": "uid={0},ou=users,ou=sales,o=sos,dc=sos-berlin,dc=com",
    "iamLdapUserNameAttribute": "",
    "iamLdapUserSearchFilter": ""
  }
}
- Roles for developers and operators are created.
- Roles are assigned frequently used permissions. For permission identifiers see JS7 - Default Roles and Permissions.
- Accounts are created and assigned the initial password. On next login, users are prompted to change their password.
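# Example: create an LDAP Identity Service, store its settings, then add
# two roles and two accounts.
# Requires bash (array syntax) and deploy-identity-service.sh in the
# current directory.

# common options for connection to JS7 REST API
# NOTE(review): these are sample values. --url uses plain http://, so the
# credentials travel unencrypted; --password=... on the command line is
# visible in the process list and in shell history. Outside a local test
# setup use an https:// URL and a dedicated account instead of root/root.
request_options=(--url=http://localhost:4446 --user=root --password=root)

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=LDAP \
    --authentication-scheme=SINGLE-FACTOR

# The store-service-settings call below needs $settings to hold the JSON
# settings. Enable exactly one of the commented alternatives that follow.

# get settings from an existing Identity Service
# store settings to an environment variable
# settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
# store settings to a file
# ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json
# read settings from a file
# settings=$(cat ./examples/ldap-settings.json)

# store Identity Service settings
# Stop here if no alternative above was enabled: otherwise an empty
# --settings value would be sent to the Identity Service.
: "${settings:?settings is empty - enable one of the assignments above}"
# NOTE(review): the example LDAP settings on this page leave
# iamLdapHostNameVerification null; confirm that host name verification is
# in effect for the ldaps:// connection before using them.
./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --settings="$settings" --service-type=LDAP

# create roles
./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
# NOTE(review): the developer role lists 'sos:products:joc:cluster' and
# 'sos:products:joc:inventory' without the ':view' suffix used elsewhere;
# presumably that grants more than read access. Confirm against the
# permission reference and grant only what the role needs.
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
    --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
    --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles
./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account "${request_options[@]}" --service=My-Service --account=ops --role=operator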
Resources
- API
- Workflow Deployment Operations
- Workflow Status Operations
- Controller Deployment Operations
- Controller Status Operations
- JOC Cockpit Status Operations
...