iDempiere Group Permission for Management
197 views
Skip to first unread message
Chuck Boecking
Jun 14, 2022, 5:15:57 AM6/14/22
to idem...@googlegroups.com
Hi Everyone,
I need multiple linux users to be able to administer an idempiere instance. This could be because users come and go or because multiple users can be assigned to the same server for maintenance or deployment.
I am emailing the group and checking my details before I put in the work. Please let me know if you agree with the plan.
Plan: iterate across all files/directories in /opt/idempiere-server and update the group permissions to match the owner. This way anyone in the idempiere group can do the same as the idempiere user itself. Adding your user to a linux group is a common practice to gain control over an application.
Does anyone have concerns or a better practice/suggestion?
One alternative is to selectively give users the ability to execute "sudo -u idempiere" in the sudoer file.
- con: I do not like this approach because it requires users to remember the sudo -u... for every command
- pro: the user already needs sudoer privileges to be able to start/stop the idempiere service.
Regards,
Chuck Boecking
512.850.6068 (office and cell)
ch...@chuboe.com
www.ChuckBoecking.com
chuck.boecking (skype)
@ChuckBoecking
muri...@devcoffee.com.br
Jun 14, 2022, 1:23:08 PM6/14/22
to iDempiere
Hi Chuck,
Managing multiple users with access to environments for administration over time is really a challenge.
The best way I've found so far to solve this, easy to maintain and control, was using Guacamole (https://guacamole.apache.org/) as a remote connection gateway for SSH.
In the case of iDempiere, we can have the following configuration:
-> In the Linux instance, I configure the users who need to run the services following the best practices of each system (idempiere user, postgres user, root user, etc);
-> For each of them I create an SSH key and configure it so that they can execute privileged commands with sudo without password (command + exact arguments). For example, to stop idempiere service, user idempiere can run "sudo systemctl start idempiere" without asking for password;
-> In Guacamole I create different connections, one for each OS/LINUX user used in the instance, always using the private keys created for each user to authenticate the session;
-> In Guacamole I create the users that will connect (support agents, developers, and others), and I assign the necessary connections for each one to perform their work, for example:
* Murilo has full access, so it only assigns him the connection to the root user created earlier;
* Chuck can access the server with OS/LINUX users idempiere and postgresql, so I assign him the two connections created earlier for each of these users;
In this way, whenever I have a new collaborator who needs to access the instance with one of these users, I create a new user inside Guacamole and assign the necessary connections to the work he will perform.
Through Guacamole's functionalities, I can adjust simultaneous connection limits settings, information about users connected to instances, connection history and session recording (history of commands executed by user), session persistence, file transfer control and other functionalities. very interesting.
In addition, I can close all the ports on the servers so that they are only accessible through the Guacamole terminal, increasing security.
I don't know if I managed to convey exactly the idea of how to use the tool, and if it can help you solve your scenario, but it's an approach that worked very well here so I wanted to share.
The best way I've found so far to solve this, easy to maintain and control, was using Guacamole (https://guacamole.apache.org/) as a remote connection gateway for SSH.
In the case of iDempiere, we can have the following configuration:
-> In the Linux instance, I configure the users who need to run the services following the best practices of each system (idempiere user, postgres user, root user, etc);
-> For each of them I create an SSH key and configure it so that they can execute privileged commands with sudo without password (command + exact arguments). For example, to stop idempiere service, user idempiere can run "sudo systemctl start idempiere" without asking for password;
-> In Guacamole I create different connections, one for each OS/LINUX user used in the instance, always using the private keys created for each user to authenticate the session;
-> In Guacamole I create the users that will connect (support agents, developers, and others), and I assign the necessary connections for each one to perform their work, for example:
* Murilo has full access, so it only assigns him the connection to the root user created earlier;
* Chuck can access the server with OS/LINUX users idempiere and postgresql, so I assign him the two connections created earlier for each of these users;
In this way, whenever I have a new collaborator who needs to access the instance with one of these users, I create a new user inside Guacamole and assign the necessary connections to the work he will perform.
Through Guacamole's functionalities, I can adjust simultaneous connection limits settings, information about users connected to instances, connection history and session recording (history of commands executed by user), session persistence, file transfer control and other functionalities. very interesting.
In addition, I can close all the ports on the servers so that they are only accessible through the Guacamole terminal, increasing security.
I don't know if I managed to convey exactly the idea of how to use the tool, and if it can help you solve your scenario, but it's an approach that worked very well here so I wanted to share.
Chuck Boecking
Jun 16, 2022, 11:54:17 AM6/16/22
to iDempiere
Wow, that is very kind and generous to take the time and share such detail. Thank you!
I would like to it back to you to ensure I understand:
I would like to it back to you to ensure I understand:
- You use guacamole as a bastion server (of sorts)
- Guacamole brokers the ssh from my machine to the iDempiere server machine
- This setup simplifies the actual server configuration to just the core os users (id, psql, etc...) and it centralizes all user management across all servers (id, vpn, metabase, psql, etc...)
#### Regarding the ownership change ####
I spent some time playing with group ownership. Here is a quick script to update the idempiere-server directory to make the group reflect the same ownership as the owner. The results were mixed. When I ran ./console-setup.sh, almost all worked as expected; however, the script's final chown statements failed. These errors did not impact the results since idempiere was still in the group and the groups had all rights. iDempiere launched successfully as expected.
ubuntu@ip-1-1-1-1:~/delme$ cat changegroup.sh
while IFS='' read -r -d '' filename; do
echo $filename ;
GroupChmod=$( stat -c "%A" $filename | cut -b 2-4 );
echo GroupChmod = "g=$GroupChmod";
sudo chmod "g=$GroupChmod" "$filename";
done < <(find $1 -print0)
while IFS='' read -r -d '' filename; do
echo $filename ;
GroupChmod=$( stat -c "%A" $filename | cut -b 2-4 );
echo GroupChmod = "g=$GroupChmod";
sudo chmod "g=$GroupChmod" "$filename";
done < <(find $1 -print0)
# to add ubuntu user to the idempiere group:
sudo usermod -a -G idempiere ubuntu
# to make the idempiere group the default owner of all newly created files:
sudo chmod -R g+s /opt/idempiere-server/
# played a bit with acl's to see if I could force idempiere user as the onwer with no success
sudo apt install aclsudo setfacl -dRm u:idempiere:rwX,g:idempiere:rwX /opt/idempiere-server/
I am sending this for future reference just in case it helps anyone. Let me know if you have any feedback.
Chuck
muri...@devcoffee.com.br
Jul 12, 2022, 1:55:52 PM7/12/22
to iDempiere
Hi Chuck,
Sorry for taking too long to answer...
"I would like to it back to you to ensure I understand:
- You use guacamole as a bastion server (of sorts)
- Guacamole brokers the ssh from my machine to the iDempiere server machine
- This setup simplifies the actual server configuration to just the core os users (id, psql, etc...) and it centralizes all user management across all servers (id, vpn, metabase, psql, etc...)"
In a short answer, yes, you got it! :)
"Is there a way for me to connect to guacamole via my terminal/console, or am I required to use the guacamole gui/tomcat to initiate the ssh session into the iDempiere ssh resources?"
AFAIK the only supported option for connecting to Guacamole is the web client ( https://guacamole.apache.org/releases/1.4.0/) . Everything runs on browser, no need to install anything on local desktop.
This (maybe) is a not so good point, because the web based terminal for some long tasks is not so dynamic as using a ssh client on local machine.... but as it's not possible to have everything, so I still prefer to choose the management facility in this case xD
BR
Reply all
Reply to author
Forward
0 new messages