Authorizations
Location path
| The path in the container |
|---|
| |
Overview
Defines authorizations for the use of various resources.
When there is no file or key for some application, that application behaves according to its default behavior.
By default, there is no file.
```
{
  "allowed_nodes": [
    { "node": str, "cookie": str },
    ...
  ],
  "exec_perm": {
    "user": "root" | "domain" | "custom",
    "commands": array<str>,
    "domains": array<object>
  }
}
```
allowed_nodes
Contains a list of nodes that are allowed to connect directly. Each node is given an Erlang cookie value, which is set for the specified node beforehand.
exec_perm
Contains a permissions object that controls whether scripts may directly start OS (console) processes and applications via an absolute path using the "Start process" component.
By default, execution of external commands is prohibited.
- "user" – contains the name of the mode, which determines the OS user under which allowed applications are run. The default is "domain". Value options:
  - "root" – the application is executed as the "root" user, unless otherwise specified in the properties of a particular domain in the "domains" list.
  - "domain" – the application is executed as a user whose name matches the name of the domain in which the script is executed, unless otherwise specified in the domain properties in the "domains" list.
  - "custom" – the application is executed on behalf of a user defined in the properties of a particular domain in the "domains" list. In this case, each domain in which the specified applications are allowed to execute must be specified in the "domains" list, and it must have a value set in the "user" field.
- "commands" – contains the set of commands (in effect, applications) allowed to run. By default, the list is empty: nothing is allowed to run by the "Process Startup" component.
- "domains" – contains a set of domains and their individual properties. The default is an empty list. If the domain in which the script is executed is found in the list of domains, the list from the "commands" field of that domain is used as the list of commands (applications) allowed for execution. The user on whose behalf the application is executed is taken from the "user" field of the domain or, if that field is empty, from the common section.
```
{
  "name": "DOMAIN_NAME",
  "user": "USER_NAME",
  "commands": array<str>
}
```
- name – domain name.
- user – OS user name.
- commands – a set of commands that are allowed to be executed.
```
[
  "echo",
  "myprogram1",
  "/bin/myprogram2",
  ":SYNC/common/cmd/echo.sh",
  ":GLOBALSHARE/common/cmd/myprogram3"
]
```
You can specify a macro path or any path in the script. The macro path is linked to the common macro; other paths remain unchanged. The result must be contained in the list of allowed commands. You can also specify the path via the 'bash' command, e.g. 'bash :GLOBALSHARE_COMMON/cmd/myprogram3.sh'. In this case, do not list bash in the allowed commands; list the path to the bash script itself.
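The resolution rules above, as an added example (not the product's own code): it computes the effective OS user and command allow-list for a domain, then checks a command line against that list. It assumes exact string matching with no macro expansion, that a listed domain without a "commands" field allows nothing, and that "custom" mode without a per-domain user refuses execution; `resolve`, `is_allowed` and the sample configuration are hypothetical names and constructed data.

```python
# Constructed sample configuration (domain and user names are made up).
SAMPLE = {"exec_perm": {"user": "custom", "commands": ["echo"], "domains": [
    {"name": "d1.example", "user": "svc_d1", "commands": [":SYNC/common/cmd/echo.sh"]},
    {"name": "d2.example", "commands": ["/bin/myprogram2"]}]}}


def resolve(config, domain):
    """Return (os_user, allowed_commands); os_user is None when execution is refused."""
    perm = config.get("exec_perm")
    if perm is None:                       # no key: external commands are prohibited
        return None, []
    mode = perm.get("user", "domain")      # documented default mode
    entry = next((d for d in perm.get("domains", []) if d.get("name") == domain), None)
    if entry is not None:                  # a listed domain uses its own command list
        commands = entry.get("commands", [])   # assumption: missing field means empty
        user = entry.get("user") or None
    else:
        commands = perm.get("commands", [])
        user = None
    if user is None:                       # fall back to the common section
        if mode == "root":
            user = "root"
        elif mode == "domain":
            user = domain
        else:                              # "custom" (or unknown) needs a per-domain user
            return None, []
    return user, list(commands)


def is_allowed(config, domain, command_line):
    """Check a command line against the effective allow-list (exact match)."""
    user, commands = resolve(config, domain)
    parts = command_line.split()
    if user is None or not parts:
        return False
    # 'bash <script>' is authorised by the script path, not by 'bash' itself.
    target = parts[1] if parts[0] == "bash" and len(parts) > 1 else parts[0]
    return target in commands
```

Running a check like this over a proposed configuration before deployment shows which domains end up executing as "root" and which commands each domain can actually reach.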