WebSphere Enterprise Service Bus, Version 6.2.0 Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows


Granting write permission of files and directories to non-root users for profile creation

The product installer (who can be a root/Administrator or non-root user) can grant write permission to the appropriate WebSphere® ESB files and directories to other non-root users. The non-root users can then create profiles. Alternatively, the product installer can create a group for users who are authorized to create profiles or give individual users the authority to create profiles. The following example task shows how to create a group that is authorized to create profiles.

Restriction (i5/OS): The tasks described in this topic are not supported on i5/OS®.
Throughout this text, the terms "installer" and "product installer" refer to the user ID that installed WebSphere ESB.
Restriction: WebSphere ESB does not support changing ownership of existing profiles from the product installer to other non-root users. Thus, profile augmentation by non-root users of profiles owned by another user is not supported.

Non-root users create their own profiles so that they can manage their own environments. Typically, they manage environments for development purposes.

Non-root users must store their profiles in their private directory structure, not in the install_root/profiles directory of the product.

Restriction: An ease-of-use limitation exists for non-root users who create profiles. Mechanisms within the Profile Management Tool that suggest unique names and port values are disabled for non-root users. The non-root user must change the default field values in the Profile Management Tool for the profile name, node name, cell name, and port assignments. The product installer can assign non-root users a range of values for each of the fields, and assign responsibility to the non-root users for adhering to their assigned value ranges and for maintaining the integrity of their own definitions.

Steps the product installer must perform to grant appropriate permissions

The installer can perform the following steps to create the profilers group and give the group appropriate permissions to create a profile.
  1. Log on to the WebSphere ESB system as the product installer. (The product installer can be a root/Administrator or non-root user.)
  2. Using operating system commands, do the following:
    • Create a group named profilers, which will contain all users who can create profiles.
    • Create a user named user1, who can create profiles.
    • Add users product_installer and user1 to the profilers group.
  3. Linux and UNIX: Log off and log back on as the installer to pick up the new group.
  4. Create the following directories as the installer:
    • Linux and UNIX: Create the install_root/logs/manageprofiles directory:
      mkdir install_root/logs/manageprofiles
      Windows: Create the install_root\logs\manageprofiles directory by following instructions in the Windows® documentation. For this example procedure, the directory is:
      install_root\logs\manageprofiles
    • Linux and UNIX: Create the install_root/properties/fsdb directory:
      mkdir install_root/properties/fsdb
      Windows: Create the install_root\properties\fsdb directory by following instructions in the Windows documentation. For this example procedure, the directory is:
      install_root\properties\fsdb
  5. As the installer, follow directions for your operating system to create the profileRegistry.xml file. For this example, the file paths are:
    Linux and UNIX:
    install_root/properties/profileRegistry.xml
    Windows:
    install_root\properties\profileRegistry.xml
    Follow instructions for your operating system to add the following information to the profileRegistry.xml file. The file must be encoded as UTF-8.
    <?xml version="1.0" encoding="UTF-8"?>
    <profiles/>
  6. As the product installer, use operating system tools to change directory and file permissions.
    Linux and UNIX: The following example assumes that the variable $WASHOME is the WebSphere ESB root installation directory /opt/IBM/WebSphere/ESB.
    export WASHOME=/opt/IBM/WebSphere/ESB
    echo $WASHOME
    echo "Performing chgrp/chmod per WAS directions..."
    chgrp profilers $WASHOME/logs/manageprofiles
    chmod g+wr  $WASHOME/logs/manageprofiles
    chgrp profilers $WASHOME/properties
    chmod g+wr  $WASHOME/properties
    chgrp profilers $WASHOME/properties/fsdb
    chmod g+wr  $WASHOME/properties/fsdb
    chgrp profilers $WASHOME/properties/profileRegistry.xml
    chmod g+wr  $WASHOME/properties/profileRegistry.xml
    chgrp -R profilers $WASHOME/profileTemplates
    HP-UX: Issue the following additional command where profile_template_name is default, dmgr, or managed, respectively:
    chmod -R g+wr $WASHOME/profileTemplates/profile_template_name/documents
    The ownership of files is preserved when the files are copied to the profile directory during profile creation. You granted write permission to the profile directory so that files copied to the profile directory can be modified as part of the profile creation process. Files that are already in the profileTemplate directory structure prior to the start of profile creation are not modified during profile creation.
    Linux: Issue the following additional commands:
    chgrp profilers $WASHOME/properties/Profiles.menu
    chmod  g+wr $WASHOME/properties/Profiles.menu
    Windows: The following example assumes that the variable $WASHOME is the WebSphere ESB root installation directory C:\Program Files\IBM\WebSphere\ESB. Follow instructions in the Windows documentation to give the profilers group read and write permission to the following directories and their files:
    @WASHOME\logs\manageprofiles
    @WASHOME\properties
    @WASHOME\properties\fsdb
    @WASHOME\properties\profileRegistry.xml

    You might have to change the permissions on additional files if the non-root user encounters permission errors. For example, if the product installer authorizes a non-root user to delete a profile, then the product installer might have to delete the following file:

    Linux and UNIX: install_root/properties/profileRegistry.xml_LOCK

    Windows: install_root\properties\profileRegistry.xml_LOCK

    Give write access to the non-root user for the file to authorize the user to delete the file. If the non-root user still cannot delete the profile, then the product installer can delete the profile.

Result

The installer created the profilers group and gave the group proper permissions to certain directories and files to create profiles. These directories and files are the only ones in the installation root of WebSphere ESB to which a non-root user needs to write to create profiles.
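
The following read-only check is an added example, not part of the product documentation. It confirms that the four paths from step 6 belong to the expected group with group read and write, and also flags any that are world-writable, which is an extra hardening check the procedure itself does not require. The function names audit_profilers and make_fixture and the temporary directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the step 6 paths. It changes nothing.
# audit_profilers ROOT GROUP -> returns 0 if every path passes, 1 otherwise.
audit_profilers() {
    root=$1; group=$2; rc=0
    for rel in logs/manageprofiles properties properties/fsdb \
               properties/profileRegistry.xml; do
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        # POSIX long listing: field 1 is the mode string, field 4 the group.
        listing=$(ls -ld "$path")
        mode=${listing%% *}
        owner_group=$(printf '%s\n' "$listing" | awk '{print $4}')
        if [ "$owner_group" != "$group" ]; then
            echo "GROUP    $path belongs to $owner_group, expected $group"; rc=1
        fi
        # Characters 5 and 6 of the mode string are group read and write.
        case $mode in
            ????rw*) ;;
            *) echo "NO-RW    $path ($mode): group lacks read/write"; rc=1 ;;
        esac
        # Added hardening check: character 9 is write for "other".
        case $mode in
            ????????w*) echo "WORLD-W  $path ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed stand-in for install_root, for trying the audit offline.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/logs/manageprofiles" "$d/properties/fsdb"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<profiles/>\n' \
        > "$d/properties/profileRegistry.xml"
    echo "$d"
}

# Audits a real installation only when WASHOME is set, as in step 6.
if [ -n "${WASHOME:-}" ]; then
    audit_profilers "$WASHOME" profilers || echo "permissions differ from step 6"
fi
```

Each finding is printed with a tag (MISSING, GROUP, NO-RW, WORLD-W) so the installer can see which path deviates and why.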

What to do next

The non-root user that belongs to the profilers group can create profiles in a directory that the non-root user owns and to which the non-root user has write permission. However, the non-root user cannot create profiles in the installation root directory of the product.

A non-root user ID can manage multiple profiles. The same non-root user ID can manage an entire profile, whether it is the deployment manager profile, a profile that contains the servers and the node agent, or a custom profile. A different user ID can be used for each profile in a cell, whether global security or administrative security is enabled or disabled. The user IDs can be a mix of root and non-root user IDs. For example, the root user might manage the deployment manager profile, while a non-root user might manage a profile that contains servers and the node agent, or vice versa. However, typically, a root user or a non-root user can manage all profiles in a cell.

The non-root user can use the same tasks to manage a profile that the root user uses.




Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.doc/doc/iins_nonrootprofile.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.