7.4. Interactions with System Users for Agents and Resources
- JBoss EAP servers
- PostgreSQL databases
- Tomcat servers
- Apache servers
- Generic JVMs
Cheat Sheet for Agent and Resource Users
- PostgreSQL: No effect for monitoring and discovery. The agent user must have read/write permissions to the PostgreSQL configuration file for configuration viewing and editing.
- Apache: No effect for monitoring and discovery. The agent user must have read/write permissions to the Apache configuration file for configuration viewing and editing.
- Tomcat: Must use the same user or the agent cannot be discovered.
- JMX server or JVM: Different users are fine when using JMX remoting; cannot be discovered with different users and the attach API.
- JBoss AS/EAP: Different users are all right, but this requires read permissions on run.jar and execute and search permissions on all ancestor directories for run.jar.
7.4.1. The Agent User
7.4.2. Agent Users and Discovery
- For JBoss EAP resources, the agent must have read permissions to the run.jar file, plus execute and search permissions for every directory in the path to the
- Tomcat servers can only be discovered if the JBoss ON agent and the Tomcat server are running as the same user. Even if the agent is running as root, the Tomcat server cannot be discovered if it is running as a different user than the agent.
- If a JVM or JMX server is running with JMX remoting, then it can be discovered even if the agent is running as a different user. However, if it is running using the attach API, it has to be running as the same user as the agent for the resource to be discovered.
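A pre-flight check for the JBoss EAP discovery requirement listed above, as an added example that is not part of the JBoss ON documentation: run as the agent user, it reports whether run.jar is readable and which ancestor directory, if any, denies search permission. The function name check_runjar_access is hypothetical, and the run.jar location is passed in as an argument.

```shell
#!/bin/sh
# Added example (not JBoss ON code): verify, as the user running this script,
# read access to run.jar and search (execute) access on every ancestor directory.
# Run it as the agent user, for example through su or sudo -u.

# Prints one line per problem; returns 0 only when no problem was found.
check_runjar_access() {
    jar=$1
    rc=0

    case $jar in
        /*) ;;
        *)  echo "need an absolute path: $jar" >&2; return 2 ;;
    esac

    if [ ! -f "$jar" ]; then
        # Either the file does not exist or an ancestor denies search,
        # in which case that ancestor is reported by the loop below.
        echo "UNREACHABLE $jar"
        rc=1
    elif [ ! -r "$jar" ]; then
        echo "NO-READ $jar"
        rc=1
    fi

    # Walk from the containing directory up to /.
    dir=$(dirname "$jar")
    while :; do
        # Directories hidden behind a blocked ancestor cannot be examined
        # and are skipped; the blocking directory itself is still reported.
        if [ -d "$dir" ] && [ ! -x "$dir" ]; then
            echo "NO-SEARCH $dir"
            rc=1
        fi
        if [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Stand-alone use: pass the absolute path to run.jar as the first argument.
if [ $# -gt 0 ]; then
    check_runjar_access "$1"
fi
```

The check reflects only the permissions of the account that runs it, so a clean result under root says nothing about the agent user.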
7.4.3. Users and Management Tasks
- Deploying applications
- Executing scripts
- Running start, stop, and restart operations
- Creating child resources through the JBoss ON UI
- Viewing and editing resource configuration
7.4.4. Using sudo with JBoss ON Operations
- There can be no required interaction from the user, including no password prompts.
- It should be possible for the agent to pass variables to the script.
- Grant the JBoss ON agent user sudo rights to the specific script or command. For example, to run a script as the jbossadmin user:
    [root@server ~]# visudo

    jbosson-agent hostname=(jbossadmin) NOPASSWD: /opt/jboss-eap/jboss-as/bin/*myScript*.sh

  Using the NOPASSWD option runs the command without prompting for a password.

  Important: JBoss ON passes command-line arguments with the start script when it starts an EAP instance. This can be done either by including the full command-line script (including arguments) in the sudoers entry or by using the sudo -u user command in a wrapper script or a script prefix. The second option has a simpler
- Create or edit a wrapper script to use. Instead of invoking the resource's script directly, invoke the wrapper script which uses sudo to run the script.

  Note: For the EAP start script, it is possible to set a script prefix in the connection settings, instead of creating a separate wrapper script:

    /usr/bin/sudo -u jbosson-agent

  For example, for a start script wrapper,

    #!/bin/sh
    # start-myScript.sh
    # Helper script to execute start-myConfig.sh as the user jbosson-agent
    #
    sudo -u jbosson-agent /opt/jboss-eap/jboss-as/bin/start-myConfig.sh
- Create the start script, with any arguments or settings to pass with the run.sh script. For example, for

    nohup ./run.sh -c MyConfig -b jonagent-host > jboss-MyConfig.out 2>&1 &