...

Introduction

The JS7 Agent for Unix runs in a specific user account and by default will execute jobs within the context and permissions of this account.

  • Running a job as a different user involves logging in as that user, optionally loading the user profile and executing commands in this context.
  • User switching applies to Shell Jobs and is performed by the built-in sudo and su capabilities of the operating system.

This article applies to the JS7 Agent for Unix only. For Windows environments, see JS7 - Running Jobs as a different User on Windows.

Basics

Users can choose:

  • to operate the Agent as a non-root run-time account:
    • This allows the use of sudo to switch to other user accounts.
    • This requires configuration of sudo permissions for switching user accounts.
  • to operate the Agent as the root run-time account:
    • This allows the Agent to execute any commands and scripts independently of ownership.
    • This allows the Agent to switch to any user account using su.
    • Operating the Agent as root is not recommended as this includes unlimited permissions and introduces security risks.

Using sudo from a non-root Account

A shell job script can use sudo to allow user switching of the Agent's run-time account as follows:

Example for how to use sudo from a non-root account:

sudo -su user1 <<EOF
whoami
pwd
EOF


Explanation:

  • user1 is any user account available from the operating system for which a login is performed.
  • For execution of multi-line commands a Here String is used:
    • The commands between <<EOF (line 1) and EOF (line 4) are executed using sudo.
    • Instead of EOF any unique string can be used that does not match one of the commands to be executed.
    • Using <<'EOF' will prevent substitution in a Here String.
  • Executing sudo from a non-root account requires the sudo configuration to be in place. The location of the sudo configuration file depends on the operating system, for example /etc/sudo.conf or /etc/sudoers.
    • Example
      • To allow the Agent run-time account to run jobs on user accounts user1, user2 the following setting can be used in the sudo configuration file.

        • <run-time-account> ALL=(user1, user2) NOPASSWD: ALL

      • To allow the Agent run-time account to run jobs on all user accounts the following setting can be used:

        • <run-time-account> ALL=(ALL) NOPASSWD: ALL

      • The NOPASSWD setting is required to allow the account to use sudo without specifying a password.

...

If the Agent is operated from the root account it can use the following command in a Shell job script to switch to a different user account:

Example for how to use su from the root account:

su -l user1 <<EOF
whoami
pwd
EOF


Explanation:

  • user1 is any user account available from the operating system for which a login is performed.
  • For execution of multi-line commands a Here String is used:
    • The commands between <<EOF (line 1) and EOF (line 4) are executed using su.
    • Instead of EOF any unique string can be used that does not match one of the commands to be executed.
    • Using <<'EOF' will prevent substitution in a Here String.
  • Executing su from the root account does not require the account's password to be specified.
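
The difference between <<EOF and <<'EOF' noted in both the sudo and the su explanations decides which account's shell resolves variables and command substitutions. The following is an added example, not part of the original article or the JS7 product: run_as_target is a hypothetical stand-in for "sudo -su user1" or "su -l user1" so that the block runs without sudo permissions, and WHO is a constructed variable.

```bash
#!/bin/bash
# Added example: shows which shell expands $VAR and $(cmd) in the job script's
# heredoc. run_as_target is a hypothetical stand-in for "sudo -su user1" or
# "su -l user1": it starts a child shell with a clean environment in which
# WHO is set to "target".
run_as_target() {
    env -i PATH="$PATH" WHO=target /bin/sh
}

# Constructed value that exists only in the calling (Agent) shell.
WHO=agent

# <<EOF: the calling shell substitutes $WHO and $(pwd) before the text is
# handed over, so the target shell receives the Agent's values as literals.
unquoted_heredoc() {
    run_as_target <<EOF
cd /
echo "who=$WHO dir=$(pwd)"
EOF
}

# <<'EOF': the text is passed through unchanged and the target shell performs
# the substitution in its own context, after its own "cd /".
quoted_heredoc() {
    run_as_target <<'EOF'
cd /
echo "who=$WHO dir=$(pwd)"
EOF
}

echo "unquoted: $(unquoted_heredoc)"
echo "quoted:   $(quoted_heredoc)"
```

With the unquoted form, anything the Agent account can read (its environment, its working directory, the output of its commands) ends up as literal text in the script executed by the target account, so job scripts that must resolve values in the target account's context need the quoted form.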

...

A workflow can make use of Script Includes in any of the included jobs like this:


The Script Editor provides the folder icon to open the list of available Script Includes like this:


Users can navigate to select the desired Script Include:

...

As a result the job script holds calls to the paired Script Includes for the beginning and the end of the call to sudo like this:

Example for how to use sudo from Script Includes:

#!/bin/bash

##!include sudo-sos1
pwd
whoami
##!include sudo-end

##!include sudo-sos2
pwd
whoami
##!include sudo-end

...

  • Use of <user> is an example of a placeholder being used in the Script Include.
  • Any string can be considered a placeholder which can be replaced when calling the Script Include.

...

A workflow can parameterize use of Script Includes in any of the included jobs like this:

  • The --replace argument name is used when calling the Script Include.
    • The first argument value specifies the search string in the Script Include.
    • The second argument value specifies the replacement string in the Script Include.

Example for how to use sudo from Script Includes:

#!/bin/bash

##!include sudo-begin --replace="<user>","sos1"
pwd
whoami
##!include sudo-end

##!include sudo-begin --replace="<user>","sos2"
pwd
whoami
##!include sudo-end

...