User Impersonation on UNIX/Linux

For agents running on UNIX/Linux platforms, when you configure a process step you can provide the agents with the user impersonation capability.

You can select ssh, sudo, or su options.

Note: ssh, sudo, and su are short for secure shell, super user "doer", and super user respectively.

When a process step runs that has user impersonation configured, the ssh, sudo, or su command runs the step as the impersonated user.

Process steps can be considered individual shells; the ssh, sudo, or su command enables a user to start a shell as another user.

Note: Each process step that needs user impersonation must be configured independently.

To configure impersonation:

  1. In the Process Editor, in the process step's Properties, select Use Impersonation.
  2. Enter the following information:
    Field Description

    User

    The username to authenticate as during impersonation.

    Password

    The password to use during impersonation.

    • For *nix impersonation types:

      • SSH: The password of the user to impersonate.

      • Sudo: The password of the user that the agent is running under (if required).

      • Su: The password should be blank.

    • For Windows: The password of the user to impersonate.

    *nix Impersonation Type

    Select ssh, sudo, or su.

    If you select ssh, SSH authentication will be used to perform impersonation. You must install, configure, and start the SSH daemon on your agent machines if you want to use this option.

    If you select su, it can be used only on agents running under the root account.

    If you select sudo, before it can be used, you must provide impersonation privileges as follows:

    • Password Required. Impersonation privileges must be defined in the /etc/sudoers file, together with privileges to run scripts from the agent .temp folder. For example:

      User1 ALL=(User2) /home/User1/agent/var/temp/*

      Grants User1 the privilege to impersonate User2 to run plugin steps as User2.

      Defaults:X !requiretty
      X ALL=(Y) ALL

      where X and Y are user names, and user X can run any command as user Y.

    • No Password Required. Impersonation privileges must be defined in the /etc/sudoers file. For example:

       Defaults:X !requiretty
       X ALL=(Y) NOPASSWD: ALL

      where X and Y are user names, and user X can run any command as user Y without supplying a password.

    See the UNIX/Linux documentation for more information on configuring ssh, sudo, and su.
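
The following is an added example, not part of the product documentation: a small Python check that reads sudoers rules in the one-line form shown above and reports, per rule, who may run what as whom and whether a password is required. The sample rules are constructed from the page's placeholder names, and the function names (audit, risky) are this example's own; aliases, includes, and multi-line rules are assumed out of scope.

```python
import re

# Constructed sample using the page's placeholder names (User1, User2, X, Y).
SAMPLE = """\
# agent impersonation rules
Defaults:X !requiretty
User1 ALL=(User2) /home/User1/agent/var/temp/*
X ALL=(Y) ALL
X ALL=(Y) NOPASSWD: ALL
"""

# Only the simple one-line form used on this page: user host=(runas) [TAG:] commands
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")

def audit(text):
    """Return one finding per user specification: who may run what as whom."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue  # aliases, includes, multi-line rules: not handled here
        rest = m["rest"].strip()
        nopasswd = False
        # Strip leading tags such as NOPASSWD: or PASSWD: before the command list.
        while (tag := re.match(r"([A-Z_]+):\s*", rest)):
            nopasswd = nopasswd or tag[1] == "NOPASSWD"
            rest = rest[tag.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        findings.append({
            "line": lineno, "user": m["user"], "runas": m["runas"].strip(),
            "nopasswd": nopasswd,
            "any_command": "ALL" in commands,
            "wildcard_paths": [c for c in commands if "*" in c.split()[0]],
        })
    return findings

def risky(findings):
    """Rules that grant every command with no password prompt."""
    return [f for f in findings if f["any_command"] and f["nopasswd"]]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

A path-limited rule whose directory is writable by the invoking user (as with the agent temp folder under User1's home) still lets that user choose what runs as the target account, so review `wildcard_paths` entries as closely as `any_command` ones.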