Use impersonation to run processes

This topic explains how to set up user impersonation for Deployment Automation agents on Windows and UNIX/Linux.

Overview

Deployment Automation enables you to use impersonation when an agent must run a command for which it may not have permission, or when a specific user must be employed for a given process.

For example, to run a database update script, an agent may need to be the oracle user. However, to update the application, the agent needs to be the websphere user. By using impersonation, the same agent can run the script and update the application as part of a single process.

To set up user impersonation:

  • Windows: Use a utility program provided by Deployment Automation.

  • UNIX/Linux: Use the ssh, sudo, or su commands.

Note: User impersonation in processes is not supported for z/OS agents.


Use impersonation on Windows

For agents running on Windows platforms, Deployment Automation provides a program that handles impersonation.

You implement impersonation for Windows-based agents when configuring a process step. In the step's properties, you specify the credentials to use for logging in on the agent when the step is processed. This is a different user from the user under which the agent normally runs.

To set up impersonation:

  1. In Deployment Automation, open or create a process. For details, see Create and design component processes.
  2. In the process designer, in the design space, add a process step, or select an existing one to view its properties.
  3. In the Properties pane, select the Use Impersonation option. Additional fields are displayed.
  4. Enter the username and password of the user to impersonate.
  5. Click Save.

Requirements for running process steps on a Windows agent:

  • You must have a username and password stored on the target agent computer.
  • You must be a part of the Administrators group.
  • You need, at a minimum, the following privileges:

    Constant                     Privilege
    SE_INCREASE_QUOTA_NAME       Adjust memory quotas for a process.
    SE_ASSIGNPRIMARYTOKEN_NAME   Replace a process-level token.
    SE_RESTORE_NAME              Restore files and directories.
    SE_BACKUP_NAME               Back up files and directories.
    SE_TCB_NAME                  Act as part of the operating system. Required for Windows Vista and later.

    In addition, the user must have at least one of the following logon permissions:

    Constant                     Permission
    SE_INTERACTIVE_LOGON_NAME    Log on locally.
    SE_SERVICE_LOGON_NAME        Log on as a service.
    SE_BATCH_LOGON_NAME          Log on as a batch job.


Use impersonation on UNIX/Linux

For agents running on UNIX/Linux platforms, you can provide the agents with the user impersonation capability when you configure a process step.

Select from these options: ssh (secure shell), sudo (superuser "doer"), and su (superuser).

When a process step has impersonation configured, the ssh, sudo, or su command runs the step as the impersonated user.

Note: You need to configure each process step with user impersonation independently.

Process steps can be considered individual shells. The ssh, sudo, or su command enables you to start a shell as another user.

To set up impersonation:

  1. In Deployment Automation, open or create a process. For details, see Create and design component processes.
  2. In the process designer, in the design space, add a process step, or select an existing one to view its properties.
  3. In the Properties pane, select the Use Impersonation option. Additional fields are displayed.
  4. Specify the following information:

    User
      The username to authenticate as during impersonation.

    Password
      The password to use during impersonation:

      • SSH. Enter the password of the user to impersonate.
      • SU. Leave the Password field empty.
      • SUDO. Enter the password of the user that the agent is running under, if required.

    *nix Impersonation Type
      SSH. Select to use SSH authentication to perform impersonation. You must install, configure, and start the SSH daemon on your agent machines.

      SUDO. Before you can use this option, you must grant impersonation privileges in the /etc/sudoers file:

      • Password Required. Define the impersonation privilege in the /etc/sudoers file together with the privilege to run scripts from the agent's temp directory, for example:

          User1 ALL=(User2) /home/User1/agent/var/temp/*

        This grants User1 the privilege to impersonate User2 and run plugin steps as User2 from the agent's temp directory. A broader rule grants any command, for example:

          Defaults:X !requiretty
          X ALL=(Y) ALL

        where X and Y are usernames, and user X can run any command as user Y.

      • No Password Required. Define the impersonation privilege in the /etc/sudoers file, for example:

          Defaults:X !requiretty
          X ALL=(Y) NOPASSWD: ALL

        where X and Y are usernames, and user X can run any command as user Y without supplying a password.

      SU. You can use this option only on agents running under the root account.
  5. Save the process.
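To review the sudoers rules above from the defender's side, here is an added shell script (not part of Deployment Automation or of sudo) that reports, for each rule granted to the agent user, the run-as user, whether sudo will ask for a password, and whether the command list is pinned to a path such as the agent's temp directory or is the unrestricted ALL. The sudoers fragment and the user names agent, oracle and websphere are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of Deployment Automation or of sudo itself: audit the
# sudoers rules that let an agent user impersonate other users. For each rule whose
# first field is the agent user, report the run-as user, whether sudo will ask for
# a password, and whether the command list is pinned to a path glob (such as the
# agent temp directory) or is the unrestricted ALL.

# rule_scope RULE -> "<runas> <passwd|nopasswd> <restricted|unrestricted>"
rule_scope() {
    runas=$(printf '%s\n' "$1" | sed -n 's/^[^=]*=[[:space:]]*(\([^)]*\)).*/\1/p')
    cmds=$(printf '%s\n' "$1" | sed 's/^[^)]*)[[:space:]]*//')   # text after "(runas)"
    pw=passwd
    case "$cmds" in
        NOPASSWD:*) pw=nopasswd; cmds=$(printf '%s\n' "$cmds" | sed 's/^NOPASSWD:[[:space:]]*//') ;;
    esac
    if [ "$cmds" = ALL ]; then scope=unrestricted; else scope=restricted; fi
    printf '%s %s %s\n' "$runas" "$pw" "$scope"
}

# agent_rules FILE USER -> one scope line per rule whose first field is USER
agent_rules() {
    grep -E "^$2[[:space:]]" "$1" | while IFS= read -r rule; do rule_scope "$rule"; done
}

# unrestricted_count FILE USER -> how many of USER's rules have the command list ALL
unrestricted_count() {
    agent_rules "$1" "$2" | grep -c unrestricted || true
}

# has_requiretty_exemption FILE USER -> 0 if "Defaults:USER !requiretty" is present
has_requiretty_exemption() {
    grep -Eq "^Defaults:$2[[:space:]]*!requiretty" "$1"
}

# Constructed sample fragment for the demo; on a real host read /etc/sudoers and the
# files under /etc/sudoers.d instead.
SUDOERS=$(mktemp)
cat > "$SUDOERS" <<'EOF'
Defaults:agent !requiretty
agent ALL=(oracle) /home/agent/agent/var/temp/*
agent ALL=(websphere) NOPASSWD: ALL
other ALL=(ALL) ALL
EOF

echo "impersonation rules for agent:"; agent_rules "$SUDOERS" agent
echo "rules with unrestricted command list: $(unrestricted_count "$SUDOERS" agent)"
has_requiretty_exemption "$SUDOERS" agent && echo "requiretty exemption present for agent"
```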

For more information on configuring ssh, sudo, or su, see the UNIX/Linux documentation.


Use passwordless SSH impersonation on UNIX/Linux

For agents running on UNIX/Linux platforms, you can set up passwordless SSH impersonation using either default SSH keys or SSH keys with a non-default name or location.

Limitations:

  • SSH Protocol version 1 is not supported.
  • Passwordless SSH impersonation on Windows agents is not supported.
  • Deployment Automation only reads SSH keys and is not responsible for their delivery and maintenance.

The following explains how to use both methods:

Method: Use default SSH keys

You need:

  • A successful SSH connection using the console client without specifying an identity file.
  • An SSH key in the default location with the default name and no additional configuration, for example: ~/.ssh/id_rsa

Method: Use non-default SSH keys

Specify the location and name of the keys in one of these configuration files:

  /etc/ssh/ssh_config
  <agent_user_home>/.ssh/config

For example:

  Host 127.0.0.1
      IdentityFile ~/.ssh/key_file_123

where IdentityFile is the path to the private key.

Guidelines:

  • Only the IdentityFile configuration parameter is supported. Other parameters are ignored.
  • The value for the User parameter is taken from the impersonation settings.
  • For details about the configuration file format, enter man ssh_config in the terminal of any UNIX/Linux system that has SSH installed.
  • Host must be 127.0.0.1, not localhost.
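As an added example (not Deployment Automation's own code), the following shell script applies the guidelines above to a constructed config: it takes the IdentityFile from the Host 127.0.0.1 block only, ignores the other parameters, expands a leading ~/, and checks that the key file is not group- or world-readable. The sample config content, the key name key_file_123 and the User and Port lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of Deployment Automation: resolve which private key a
# non-default SSH key setup would hand to the impersonation connection, following the
# rules above: only the "Host 127.0.0.1" block counts (not localhost), and inside it
# only IdentityFile is honoured; every other parameter is ignored. Also check that the
# key file is not readable by group or others, which the SSH client refuses anyway.

# identity_file_for CONFIG -> prints the IdentityFile value from the Host 127.0.0.1 block
identity_file_for() {
    awk '
        tolower($1) == "host" { inblock = ($2 == "127.0.0.1"); next }
        inblock && tolower($1) == "identityfile" { print $2; exit }
    ' "$1"
}

# expand_home PATH -> PATH with a leading "~/" replaced by the current $HOME
expand_home() {
    case "$1" in
        "~/"*) printf '%s\n' "$HOME/${1#??}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# check_key_perms PATH -> 0 if the file exists and has no group/other permission bits
check_key_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample config for the demo; on an agent use <agent_user_home>/.ssh/config
# or /etc/ssh/ssh_config. The localhost block and the extra parameters are there to
# show that they are skipped.
SSH_CFG=$(mktemp)
cat > "$SSH_CFG" <<'EOF'
Host localhost
    IdentityFile ~/.ssh/not_this_one
Host 127.0.0.1
    User someone_else
    Port 2222
    IdentityFile ~/.ssh/key_file_123
EOF

KEY=$(expand_home "$(identity_file_for "$SSH_CFG")")
echo "impersonation key: $KEY"
check_key_perms "$KEY" && echo "key permissions ok" || echo "key missing or too permissive"
```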

