Managing GIS Server user accounts on Linux/Solaris
Release 9.3.1
ArcGIS Server has different levels of user accounts.
User management for ArcGIS Server on Linux/Solaris differs from ArcGIS Server on Windows at two levels: the OS level user accounts and the Local GIS Server users. This chapter focuses on these two levels.
The diagram of user accounts of ArcGIS Server on Linux/Solaris.
OS level user accounts - Accounts used by ArcGIS Server at the OS level.
The following diagram describes the OS level user accounts and Local GIS Server users of ArcGIS Server on Linux/Solaris:
There are several reasons to require superuser privilege. The superuser/root launches the install, uninstall or ServerConfig and in the background, it completes the following procedures:
agsadmin and agsuser - These two OS user accounts are created at install time when you install the Server Object Manager (SOM) component. The default password is "agsadmin" for agsadmin and "agsuser" for agsuser. It is strongly recommended that you change both passwords right after installing ArcGIS Server.
For security and administrative reasons, any process (including ESRI) running on Linux/Solaris must be identified/associated with a specific OS Level user.
Creating these two physical OS users, agsadmin and agsuser, allows ArcGIS Server to map the Local GIS Server users created in ArcGIS Server Manager, as "virtual users", onto an existing Linux/Solaris user account. In this way, the credentials of these two Linux/Solaris physical OS accounts can be used by the "virtual users" in circumstances such as the following:
For local connections, ArcGIS Server on Linux/Solaris handles requests and responses in a secure environment as described in the diagram below:
ArcGIS Server on Linux/Solaris has an embedded Sun Directory Server which gets installed with the Server Object Manager (SOM) component. The ArcGIS Server uses this directory server to maintain a repository of users that can access the ArcGIS Server over a local connection.
There are two levels of user access: user (that belongs to agsuser group) and administrative (that belongs to agsadmin group). At runtime, when a user request comes into the system, the SOM uses the directory server to authenticate the user and determine what user group the user belongs to, agsusers or agsadmin. It then maps the user to the appropriate OS-level account. The request is either accepted or denied based on the user's membership in either of these accounts.
Local GIS Server users are managed and maintained by the SOM. These are not OS-level accounts. You can manage these users through ArcGIS Server Manager.
NOTE: It is strongly recommended that you change the password for admin, agsadmin, and agsuser accounts immediately after initial setup of ArcGIS Server.
In Manager, you can manage these user accounts and assign them to either the User (agsadmin) or Administrator (agsusers) user groups for access to ArcGIS Server.
In ArcGIS Server Manager, navigate to the Local GIS Users page in Manager by clicking the GIS Server tab and clicking on Local GIS Users in the left-hand panel.
To add a new user account, click on Add Users. Here you can also define the group that the account belongs to.
To remove a user, in the User list page, click on the checkbox next to the user or users you wish to remove and click "Delete".
To edit a user account, click the Edit button for the account you wish to edit and change the password, name, and/or user group.
Note: If you edit the password/group for the user that you are logged into Manager as, you must log out of Manager and log back in again.
ArcGIS Java Server for the Linux/Solaris platform includes a Sun One Directory Server which gets installed with the Server. ArcGIS Server uses this directory server to maintain a repository of users that can use and manage ArcGIS Server over a local connection. When ArcGIS Server is uninstalled, the directory server is wiped clean and all user information gets deleted.
If you want to maintain this user list across multiple ArcGIS Server instances (or ArcGIS Server releases), you need to export your users list from ArcGIS Server into a text file. The users listed in this text file can then be imported into any deployment of ArcGIS Server for the Java Platform that has these tools available.
You can also leverage this functionality to maintain a backup of Local GIS Server users or replicate user information across several instances of the Server.
ArcGIS Server Java 9.3 for Linux/Solaris includes a tool driven by a shell script called "import_export_users.sh" located at <ArcGIS Server Installation Directory>/arcgis/scripts. This tool enables you to export Local GIS Server users to a text file. These users in a text file can then be imported into any instance of ArcGIS Server for the Linux or Solaris platform using the same tool. This tool is available only for SOM installs.
ArcGIS Server Java 9.3 includes additional utility tools that help you export users from a Windows machine into a text file (by running these additional tools on a Windows machine). The users in this text file can then be imported into ArcGIS Server for Linux or Solaris using the above-mentioned "import_export_users.sh" script. The additional utility tools include a GUI-based and a console-based application to export your Windows users and are located at <ArcGIS Server Installation Directory>/arcgis/servercore/agsidsvr/import_export_users/windows
You can run the script "<ArcGIS Server Installation Directory>/arcgis/scripts/import_export_users.sh". If you run the script without any input parameters, it will print the tool usage.
NAME
SYNOPSIS
DESCRIPTION
-i
-e
-f
-w
-n
-o NEW_LOGFILE_PATH
Exporting Local GIS Server users:
ArcGIS Server users can be exported by using the '-e' option followed by the name of the file that should contain the users. The output of the tool summarizes the export. You can check the log file mentioned for more information on what users were successfully exported and if there were any errors. You can turn off the logging by using the '-n' option. By default, the logs are located at <ArcGIS Server Installation Directory>/arcgis/server/user/log. However, you can change the directory path by using the '-o' option.
Example:-
[user@machine /arcgis/scripts]# ./import_export_users.sh -e /tmp/users.dat
EXPORT SUMMARY
-------------------
5 users exported successfully.
Check log file for detailed information at /arcgis/server/user/log/import_export_Sat_Sep_29_13-24-53_2007.log
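A hardened way to run the export shown above, as an added example (not ESRI's code): a POSIX shell wrapper that writes the export file and its log into a directory only the invoking account can read, rather than a shared location such as /tmp, and keeps the file only if the tool reports a successful export. The function name, the backup directory layout and the order of the -e and -o options are assumptions.

```sh
#!/bin/sh
# Added example: wrapper around "import_export_users.sh -e" (flags as documented
# on this page). export_ags_users and the directory layout are hypothetical.
#
# Usage: export_ags_users TOOL BACKUP_DIR
# Prints the path of the export file on stdout; non-zero exit on failure.
export_ags_users() (
    # The body runs in a subshell, so the umask change does not leak out.
    tool=$1
    backup_dir=$2
    [ -x "$tool" ] || { echo "not executable: $tool" >&2; exit 2; }

    umask 077                            # new files 0600, new directories 0700
    logdir=$backup_dir/log
    mkdir -p "$logdir" || exit 2
    chmod 700 "$backup_dir" "$logdir"    # also tightens pre-existing directories
    outfile=$backup_dir/users_$(date +%Y%m%d_%H%M%S).dat

    # -e FILE exports the users; -o DIR relocates the log (option order assumed).
    summary=$("$tool" -e "$outfile" -o "$logdir" 2>&1)
    rc=$?

    # Pull the count out of the "N users exported successfully." summary line.
    count=$(printf '%s\n' "$summary" |
        sed -n 's/^ *\([0-9][0-9]*\) users exported successfully.*/\1/p')

    if [ "$rc" -ne 0 ] || [ -z "$count" ] || [ ! -s "$outfile" ]; then
        printf '%s\n' "$summary" >&2
        rm -f "$outfile"                 # do not keep a partial export around
        exit 1
    fi

    chmod 600 "$outfile"
    echo "exported $count users" >&2
    printf '%s\n' "$outfile"
)

# Run directly: ./export_users.sh /arcgis/scripts/import_export_users.sh /secure/ags_backup
if [ "$#" -eq 2 ]; then
    export_ags_users "$1" "$2"
fi
```
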
Importing Local GIS Server users:
Users that were exported by ArcGIS Server on Linux or Solaris can be imported by using the '-i' option followed by the name of the file that contains the users. The output of the tool summarizes the import. You can check the log file mentioned for more information on what users were successfully imported and if there were any errors. You can turn off the logging by using the '-n' option. By default, the logs are located at <ArcGIS Server Installation Directory>/arcgis/server/user/log. However, you can change the directory path by using the '-o' option.
Example:-
[user@machine /arcgis/scripts]# ./import_export_users.sh -i /tmp/users.dat
IMPORT SUMMARY
---------------------------
5 users imported successfully.
Check log file for detailed information at /arcgis/server/user/log/import_export_Sat_Sep_29_13-24-53_2007.log
ArcGIS Server for Linux/Solaris includes additional tools that can be used to export Windows users. These Windows tools are installed under <ArcGIS Server Installation Directory>/arcgis/servercore/agsidsvr/import_export_users/windows. Though these tools are included in the Linux/Solaris installs of ArcGIS Server, they are to be run on a Windows machine.
Copy the "windows" directory from the Linux/Solaris machine to a Windows machine. Double click the "ExportWindowsUsers" file to start the GUI application.
When the application starts up, it lists the users that can be exported. You select the user you want to export (or use the Select All check box to select all users), and browse to the file you want to export to. If you choose to create a new file, you can click 'Export' and users will be exported to that file.
If you tell the application to export selected users to a file that already exists, the two check boxes i.e. 'Overwrite file' and 'Append to file' will be activated. Accordingly, you can choose to either overwrite the user information in the existing file (file will lose its previous information) or append to it.
The console-based application (run from the Windows command line) can be used when automating the export process (using the task scheduler, etc). It can be used to export a selected list of Windows users or all the users currently accessible to the system. Unlike the GUI application, the console-based application does not list available users.
To run the application, open a command prompt on a Windows machine and call the program named 'export_win_users_console.exe'. If no options are provided to the application, it will print the usage to screen.
[D:\Projects]export_win_users_console.exe
NAME
SYNOPSIS
DESCRIPTION
/u USER1 USER2 ...
/a
/h
Example 1:- Exporting a selected list of users
Example 2:- Exporting all the available users
Example 3:- Exporting all users and appending to an existing file
The Windows users exported above can be imported into an ArcGIS Server running on Linux/Solaris by using the Server's "import_export_users.sh" script combining the import option along with the windows users option ('-iw').
Example:-
The log files are created during the import/export operation. The log maintains the users that were successfully imported or exported or any errors that occurred during these operations.
By default, the log files are maintained at <ArcGIS Server Installation directory>/arcgis/server/user/logs. Each log file name includes a timestamp that indicates when the log file was created.
You can choose to put the log files into a different location by using the '-o' option in the 'import_export_users.sh' script.
You can turn off logging by using the '-n' option.
Log file example:-