Page History
...
- Directories
- The installation directory tree includes files that are executed to start a JS7 component.
- The configuration directory tree includes files for which read access is required. In addition write access is required for example for log files in this directory tree.
- Accounts
- Deployment Account
- The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts related tarballs.
- Home Owner Account
- The account owns the installation directory of the JS7 component.
- Data Owner Account
- The account owns the configuration directory of the JS7 component.
- Run-time Account
- The account runs the JS7 component service.
- The account requires access to read and to execute files in the installation directory.
- The account requires access to read and to write files in the configuration directory.
- Deployment Account
Accounts are specified from the JS7 - Deployment Descriptor like this:
| Deployment Account | Home Owner Account |
|---|
...
| Data Owner Account | Run-time Account | |||
|---|---|---|---|---|
| Deployment Descriptor Element | .target.authentication.user | .installation.homeOwner | .installation.dataOwner | .installation.runUser |
Setting up ownership is fairly simple straightforward if a single account is used, for example, a non-root account or root account, that deploys, owns and runs both the installation and configuration directories. For more complex scenarios see the following sections.
User Account Deployment and Ownership
...
by User Account
This scenario applies if the Deployment Account that performs the installation of the JS7 component is the same as the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | installation.homeOwner: "sos" | installation.dataOwner: "sos" | installation.runUser: "sos" |
| Deployment Descriptor | .target.authentication.user: "sos" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value of the user account, for example sos.
The following prerequisites apply:
- The user account is the owner of the parent directory to which JS7 components are installed.
- The directory tree includes the executable permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
...
Limited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 component is the different from the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | installation.homeOwner: "sos1" | installation.dataOwner: "sos2" | installation.runUser: "sos2" |
| Deployment Descriptor | .target.authentication.user: "sos" | installation.homeOwner: "sos1" | installation.homeOwner: "sos2" | (not specified) |
The following prerequisites apply:
- Use of
sudois limited- to the parent directory of the installation and configurations directories,
- to the commands:
mkdir,rm,chown.
- The user account is the owner of the parent directory to which JS7 components are installed.
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
- Should accounts be different then users have adjust group permissions to allow the
- If not Run-time Account is specified then the Data Owner is automatically assumed for the Run-time account.
Deployment will be performed like this:
- Any file system operations such as
mkdir,rm,ln,tarare performed using sudo. - Ownership of the installation and configuration directories is assigned the related user accounts.
Unlimited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 component is the different from the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | Force sudo |
|---|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | installation.homeOwner: "sos1" | installation.dataOwner: "sos2" | installation.runUser: "sos2" | .target.forceSudo: true |
| Deployment Descriptor | .target.authentication.user: "sos" | installation.homeOwner: "sos1" | installation.homeOwner: "sos2" | (not specified) | .target.forceSudo: true |
The following prerequisites apply:
- The Deployment Account
- The user account is the owner of the parent directory to which JS7 components are installed.
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
- Should accounts be different then users have adjust group permissions to allow the
- If not Run-time Account is specified then the Data Owner is automatically assumed for the Run-time account.
Deployment will be performed like this:
- Any file system operations such as
mkdir,rm,ln,tarare performed using sudo. - Ownership of the installation and configuration directories is assigned the related user accounts.
Root Account Deployment and Ownership by Root Account
This scenario applies if the Deployment Account that performs the installation of the JS7 component is the same as the Home Owner Account, Data Owner Account and Run-time Account_
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "root" | .installation.dataOwner: "root" | .installation.runUser: "root" |
| Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value root.
This scenario generally is not recommended as it
- allows direct root access by SSH connections to target host.
- operates the JS7 component from the root account which includes higher privileges than required.
Root Account Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 component is the same as the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "sos" | .installation.dataOwner: "root | .installation.runUser: "root" |
| Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value root.
This scenario generally is not recommended as it
- allows direct root access by SSH connections to target host.
Resources
...
Overview
Content Tools