In regards to user level trust, you are right that submitting a CREATE
HANDLE NAME request to the HANDLE service requires trust level 5. However,
there's an important note in the STAF User's Guide, section "8.5.2
CREATE", sub-section "Security", that says:
Note: This command is only valid if submitted to the local machine, not to
remote machines.
So, since you can only create a STAF handle on your local machine (e.g.
STAF local HANDLE CREATE HANDLE NAME ...), and since the local machine
always has trust level 5 to itself, this isn't an issue. Then you can use
this handle to submit STAF service requests (like a PROCESS START request)
to other machines.
--------------------------------------------------------------
Sharon Lucas
IBM Austin, luc...@us.ibm.com
(512) 286-7313 or Tieline 363-7313
agou <a...@talktalk.net>
01/20/2009 11:44 PM
To
Sharon Lucas/Austin/i...@ibmus
cc
staf <staf-users@lists.sourceforge.net>
Subject
Re: [staf-users] Trust?
Hi Sharon,
Thanks for helping me!
I've got the machine level security working now, but I want to be able
to seperate things better. My users fall mostly in 5 categories -
administrators, developers, QA, support, and everybody else. They have
some access to all machines, and my idea is to use STAF not only to run
SW tests, but to offer different subsets of services to different user
groups.
So, you say that the way to use userlevel trust they need to first
create a handle and then use that in other service requests? But handle
creation requires level 5 trust as well, doesn't it? Is the way forward
that I as admin create a number of static handles for people to use?
/jan
Sharon Lucas wrote:
> The USERNAME variable for for a PROCESS START request says to start a
> process as another user (the username specified). It has absolutely
> nothing to do with STAF trust. You don't need to specify a USERNAME
> option on a PROCESS START request unless you need to run a process as a
> different user that the user that was logged on when STAFProc was
started.
>
> STAF trust is determined by the machine/user that is submitting a STAF
> service request. I recommend that you first use machine trust and get
> familiar with it before trying to use user trust. Machine trust uses
> TCP/IP hostnames (e.g. client1.company.com) or IP addresses. So, in
order
> for machine client1.company.com to be able to submit a STAF PROCESS
START
> request on machine client2.company.com, machine client2.company.com must
> give trust level 5 to machine client1.company.com. For example, machine
> client2.company.com's STAF.cfg file would need to have the following
entry
> :
>
> TRUST LEVEL 5 MACHINE client1.company.com
>
> User trust is a more advanced topic and requires that you have an
> authenticator for your users registered in the STAF.cfg file on all
> machines using STAF. STAF provides a sample user authenticator which
you
> could use. User trust requires that you authenticate the STAF handle
that
> you use to submit service requests to STAF services (like a PROCESS
START
> request). You can authenticate a STAF handle using the HANDLE service's
> AUTHENTICATE request and specifying the user and its credentials and the
> authenticator you're using.
>
> --------------------------------------------------------------
> Sharon Lucas
> IBM Austin, luc...@us.ibm.com
> (512) 286-7313 or Tieline 363-7313
>
>
>
>
> agou <a...@talktalk.net>
> 01/20/2009 09:33 AM
>
> To
> staf <staf-users@lists.sourceforge.net>
> cc
>
> Subject
> [staf-users] Trust?
>
>
>
>
>
>
> I have just started on learning how to use staf, and one of the first
> questions I have is about trust. I understand I can set trust on
> userlevel etc, but how do I actually do something under a given user? I
> tried the process service like:
>
> process start command xxx username uuu password ppp
>
> - but the response tells me that I need to have trust level 5 to access
> the process service. I have already set up trust level 5 for the user,
> so I must have done it wrong:
>
> trust level 5 user uuu
>
> Am I just being stupid?
>
> /jan
>
>
------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> staf-users mailing list
> staf-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/staf-users
>
>
------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
staf-users mailing list
staf-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/staf-users
