JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • get-account

    • Returns information about the indicated account or all accounts if the --account option is not specified. 

    • Accounts can be filtered:
      • The --enabled switch will filter results to active accounts
      • The --disabled switch will filter results to inactive accounts.
      • The --blocked switch will filter results to accounts that are blocked. The switch cannot be used with the --enabled and --disabled switches.
  • store-account
    • Stores an account to the Identity Service. 
      • An existing role can be assigned using the --role option.
      • The password can be specified using the --account-password option. Consider to use secure input from the commandline using the -a switch. If no password is specified then the initial password is assigned. If a password is specified or the initial password is used, then JOC Cockpit will challenge the user to specify a new password on next login.
      • The --force-password-change switch can be used to make JOC Cockpit challenge the user to specify a new password on next login. The operation is available for existing accounts that hold a password. For new accounts and for accounts assigned a new password users are automatically challenged to specify a new password on next login.
      • The --disabled switch can be used to deactivate an account when it is created. For later enabling/disabling of existing accounts see enable-account and disable-account commands.
    • Handling of passwords allows the API user to specify passwords for other accounts. However, for the affected accounts users will have to change the password on next login.
  • rename-account
    • Renames the indicated account.
  • remove-account
    • Removes the indicated account from the Identity Service.
  • get-account-permission
    • Returns the list of permissions per role assigned the given account.
  • set-account-password
    • Sets the password for the indicated account. Consider to use secure input from the commandline using the -a switch.
    • The user will be challenged to specify a new password on next login.
  • reset-account-password
    • Resets the account's password to the initial password.
    • The user will be challenged to specify a new password on next login.
  • enable-account
    • Activates the account which allows login to JOC Cockpit.
  • disable-account
    • Deactivates the account which denies login to JOC Cockpit.
  • block-account
    • Adds the account to the blocklist. The account will be denied login to JOC Cockpit.
    • A comment can be specified to indicate the reason for blocking the account.
  • unblock-account
    • Removes one or more accounts from the blocklist. The accounts will be allowed login to JOC Cockpit if they are activated/enabled.

Roles

  • get-role
    • Returns the indicated role if the --role option is used and otherwise returns all roles.
  • store-role
    • Stores a role from its name to JOC Cockpit. Default permissions will be applied to new roles.
    • The --ordering option can be used to specify the position of the role in the list of roles available for the given Identity Service.
  • rename-role
    • Renames an existing role.
  • remove-role
    • Removes the indicated role from the Identity Service.

...

  • get-permission
    • Returns permissions of the indicated role.
  • set-permission
    • Assigns a role one or more permissions that are specified from permission identifiers using the --permission option. If more than one permission identifier is used, then they are separated by comma, for example --permission='sos:products:controller:view','sos:products:controller:agents:view'. Use of single quotes or double quotes is recommendedis recommended.
    • Permissions can be preceeded a minus to indicate that the permission is denied, for example: --permission='-sos:products:controller:view'. This corrresponds to use of the --excluded switch, but allows to allow/deny permissions individually.
    • If the --excluded switch is used, then indicated permissions are denied. This applies to JOC Cockpit and to all Controllers for which the indicated permissions will be denied.
    • The Controller ID can be specified using the --controller-id option to limit permissions to the given Controller.
  • rename-permission
    • Switches an existing permission to a different permission.
  • remove-permission
    • Removes the indicated permissions from the role. One or more permissions can be specified separated by comma.

...

Folder permissions are used to apply permissions to certain folders in the JOC Cockpit inventory and to limit user access to folders. If no folder permissions are specified, then users have access to all inventory folders.

For default permissions and permission identifiers see JS7 - Default Roles and Permissions.

...

  • get-service
    • If the --service option is used, returns the indicated Identity Service and otherwise returns the list of Identity Services.
  • store-service
    • Stores the indicated Identity Service.
    • The following options and switches can be used: 
      • The --service-type option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
      • The --required switch specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
      • The --disabled switch can be used to deactivate an Identity Serivce which denies login by any accounts using the Identity Service.
      • The --ordering option can be used to specifiy the position of the Identity Service in the list of Identity Services.
      • The --second-service option specifies a second Identity Service for multi-factor authentication. Use of this option implicitly specifies the --authentication-scheme=TWO-FACTOR option.
      • The --authentication-scheme option allows to specify the following values: SINGLE-FACTOR, TWO-FACTOR.
        • Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
        • The --single-factor-certificate switch is used for the JS7 - Certificate Identity Service to specify that a certificate acts as the single factor for authentication.
        • The --single-factor-password switch is used to specify that a password is used as the single factor for authentication.
        • Two-factor authentication specifies that a second Identity Service is used and that successful authentication with both Identity Services is required. For example an Identity Serivce using the LDAP service type can use FIDO as a second factor. This implies that secrets are stored on different media: the LDAP password is stored with the user's brain while the FIDO secret is stored on the user's device, for example on a USB key or in an authenticator application on a smartphone. 
  • rename-service
    • Renames the indicated Identity Service.
  • remove-service
    • Removes the indicated Identity Service and related objects such as roles, permissions, folder permissions and accounts recursively.
    • Users should check that after removal an Identity Service remains that allows to login. To restore access to JOC Cockpit consider JS7 - Rescue in case of lost access to JOC Cockpit.
  • get-service-settings
    • Returns settings from an Identity Service. For example, the LDAP, OIDC and FIDO Identity Services hold confiugration items with their service settings.
    • Settings are returned in JSON format and can be stored to environment variables or to files, for example
      • settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
      • ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > /tmp/ldap.settings.json
  • store-service-settings
    • Stores Identity Service settings that have previously been retrieved using the get-service-settings command.
    • Settings are expected in JSON format from the value of the --settings option. If settings have previously been stored to a file, then they can be assigned like this:
      • settings=$(cat ./examples/ldap-settings.json)
      • ./deploy-identity-service.sh get-service-settings ... --settings="$settings"

...

Code Block
languagebash
titleExamples for Creating and Updating Identity Services
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# store Identity Service
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=OIDC

# store Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR --single-factor-password

# store Identity Service using two-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=FIDO-Service --service-type=FIDO
./deploy-identity-service.sh store-service "${request_options[@]}" --service=LDAP-Service --service-type=LDAP \
                                           --authentication-scheme=TWO-FACTOR

...

Code Block
languagebash
titleExamples for Setting up JOC Identity Service
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=JOC \
                                           --authentication-scheme=SINGLE-FACTOR --single-factor-password

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles 
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator

...

Code Block
languagebash
titleExample for Setting up LDAP Identity Service
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR --single-factor-password

# get settings from an existing Identity Service
#     store settings to an environment variable
# settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
#     store settings to a file
# ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json
#     read settings from a file
# settings=$(cat ./examples/ldap-settings.json)
 
# store Identity Service settings
./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP --settings="$settings"

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

...