RE: [Nodebrain-users] Can I have the same userid on different nodes(machines)?
Rule Engine for State and Event Monitoring
From: Trettevik, Ed A <ed....@bo...> - 2006-05-10 17:15:10
Hi Luc,

An identity is just a name with an associated key. When you define the same identity to two or more NodeBrain processes that communicate (peers), the identity must be defined with the same key, although they are not required to both use the private form of the key---one may use the public form of the identity portrayed by the other. You not only "can" use the same identity on different nodes, you "must" define the same identity on different nodes if you want to communicate between them.

You can choose how you want to map identities to machines, people, accounts on machines, and NodeBrain processes on machines. Here are two very different possibilities. Consider a single application of NodeBrain including multiple NodeBrain processes (agents and clients) on multiple machines running under multiple machine accounts.

1) Generate one identity and copy it into the read-protected $HOME/.nb/private.nb of every machine account for the application that executes NodeBrain on every machine, and have every NodeBrain process portray this single identity. This is the easiest to manage, and may be appropriate in some applications of NodeBrain. However, this creates a "fully trusted" relationship between the accounts on all the machines that in many cases will not provide the appropriate level of security. You must consult the security policies in your environment and your own judgment.

2) Generate a unique identity for every NodeBrain agent within a set that you want to communicate. Each identity's private key is defined only on the machine where the process runs, and only in the $HOME/.nb/private.nb file of the machine account (user) that runs the process. Also generate a unique identity for any other machine accounts that will execute NodeBrain as a client to these agents. For every peer (agent and client) that you want to be able to communicate with a given agent process, store the public form of the agent's identity declaration in $HOME/.nb/private.nb and use the RANK command to give them the appropriate level of authority.

In the second case you will want to come up with a naming convention for your unique identity names. For client accounts you can use a combination of host name and user name. If the user name is "charlie" and the host name is "snoopy", you might use SnoopyCharlie as the identity name. For an agent identity you may want to combine the process name with the host name. For process "appmon" on machine "goofy", you could use "GoofyAppmon" as the identity name. The brain declaration would use "GoofyAppmon@goofy". If you have several agents running under that same machine account (user) and there will be no variation in access granted to them, then you can use the same identity for all of the agents. In this case, you can use an application name in place of the process names to reduce the number of identities. Say the application is WeatherMon and it has 5 NodeBrain agent processes running under the "weather" account on machine "rainy". An identity name of RainyWeatherMon could be used for all 5 agents on rainy. If the machine account "weather" is an account set up for the WeatherMon application, then you could name the agent identities like our client identity SnoopyCharlie example above---RainyWeather. If the WeatherMon application runs on three machines (rainy, sunny, and cloudy) and you are willing to establish a fully trusted relationship between these machines for the weather account, then you may want to just use weather as the identity on all three machines. Here we have relaxed to option (1) above for the agents but still follow option (2) for the clients. The brain declarations would be "weather@rainy", "weather@sunny" and "weather@cloudy", and the identity weather would have the same declaration in /home/weather/.nb/private.nb on all three machines (assuming the home directory for the weather account is /home/weather).

So you see, you have a lot of choices and it is admittedly complicated.

The NodeBrain protocol NBP is not designed to participate in a public key infrastructure. A NodeBrain identity's public key is only public within a community of administrators. NBP public and private keys are both managed as secret keys on a controlled set of machines and accounts. NodeBrain, or at least NBP, is not intended for dynamic peer-to-peer applications. I should point out that NBP was designed before I became an SSH and SSL user. In some future release of NodeBrain I expect to include additional authentication options based on open-source SSH and SSL packages to reduce the learning curve for people familiar with those protocols and simplify key management for larger applications. It is also relatively easy for developers to write a skill module (plug-in) to implement any peer-to-peer protocol for NodeBrain that is desired as an alternative to NBP.

I expect you will find the NodeBrain identity scheme relatively simple once you get a simple answer to your questions. :) You can say that myid (the identity you referenced in the document) is an identity for a process, a person, a machine account (user), or a machine, depending on where you declare it with a private key, whether more than one process portrays it or not, and whether machine accounts are shared by multiple people or not. So you can be absolutely right if your configuration matches your concept of what myid identifies.

Let me know if you have more questions.

Ed Trettevik

-----Original Message-----
From: Luc Stepniewski [mailto:luc...@ad...]
Sent: Wednesday, May 10, 2006 3:32 AM
To: nod...@li...
Subject: [Nodebrain-users] Can I have the same userid on different nodes (machines)?

Hello,

In the Nodebrain User Guide (0.6.4), chapter 1.4 (User Account Configuration), I find that the naming of identities is a bit misleading. If I follow the examples in chapter 1.4, I create a "user account" (you name it 'myid') on a machine (using identify), then I create a brain, which is correctly identified by myid@localhost (notice that the hostname is correctly present). But, later in the same chapter, you specify that if I want to communicate with a remote host, I have to define its identity in the same file. That declaration is exactly the same as for a local user declaration. It is not specified that it is remote (except for the second parameter, which is 0). So that means that I can't have a user named foobar on two distinct machines. My conclusion is that what you call myid should be viewed more as 'the unique machine name', and not a username on one of the machines. Am I right?

Luc Stepniewski

--
Luc Stepniewski <luc...@ad...> <sip:72...@fw...>
Adelux - Securite, Linux
Public key: <http://lstep.free.fr/pubkey.txt>
Key BC0E3C2A fingerprint = A4FA466C68D27E46B427 07D083ED6340BC0E3C2A
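The two layouts Ed describes (one shared identity copied everywhere, versus one identity per agent or client with the private form kept only where the process runs) are easy to get subtly wrong when keys are copied by hand. The checker below is an added example, not NodeBrain's own code, and it does not parse the real private.nb format: each (host, account) pair maps to a list of hypothetical `Decl` records, and the host names, account names and key strings are all constructed for the example. It flags the three conditions Ed's answer turns on: the same identity name declared with different keys on two peers (those peers cannot authenticate each other), an identity whose private form sits on more than one account (the "fully trusted" relationship of option 1, which should be a deliberate choice), and an identity that exists only in public form everywhere (nothing can portray it).

```python
"""Consistency checker for a NodeBrain-style identity layout (added example).

This is not NodeBrain code and does not read private.nb; it models each
(host, account) private.nb as a list of Decl records and checks the layout
rules from Ed's reply. All names and key strings below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decl:
    identity: str   # identity name, e.g. "GoofyAppmon" (hypothetical)
    key: str        # key material for the identity (constructed hex string)
    private: bool   # True if this account holds the private form


# One private.nb per (host, account), as a list of declarations.
Layout = dict[tuple[str, str], list[Decl]]

# Constructed key strings; not real NodeBrain keys.
KEY_WEATHER = "e3b0c44298fc1c149afbf4c8996fb924"
KEY_GOOFY_APPMON = "27ae41e4649b934ca495991b7852b855"
KEY_SNOOPY_CHARLIE = "9f86d081884c7d659a2feaa0c55ad015"
KEY_STALE = "ba7816bf8f01cfea414140de5dae2223"  # regenerated on goofy, never re-copied


def check_layout(layout: Layout) -> dict:
    """Report key conflicts, replicated private forms and unportrayable identities."""
    keys_by_identity = defaultdict(set)    # identity -> set of keys seen anywhere
    private_holders = defaultdict(set)     # identity -> accounts holding the private form
    for account, decls in layout.items():
        for d in decls:
            keys_by_identity[d.identity].add(d.key)
            if d.private:
                private_holders[d.identity].add(account)
    # Same name, different key on two peers: they will not be able to talk.
    key_conflicts = sorted(i for i, ks in keys_by_identity.items() if len(ks) > 1)
    # Private form on several accounts: those accounts are fully trusted as one.
    shared_private = {i: sorted(a) for i, a in private_holders.items() if len(a) > 1}
    # Public form everywhere, private form nowhere: nobody can portray it.
    unportrayable = sorted(i for i in keys_by_identity if i not in private_holders)
    return {
        "key_conflicts": key_conflicts,
        "shared_private": shared_private,
        "unportrayable": unportrayable,
    }


def fully_trusted_layout() -> Layout:
    """Option (1): identity 'weather' with its private form on every weather account."""
    return {
        (host, "weather"): [Decl("weather", KEY_WEATHER, private=True)]
        for host in ("rainy", "sunny", "cloudy")
    }


def per_agent_layout(stale_copy: bool = False) -> Layout:
    """Option (2): private form only where the process runs, public form on peers.

    With stale_copy=True, snoopy's public copy of GoofyAppmon no longer matches
    the key goofy actually holds, which is the failure mode worth catching.
    """
    appmon_key_on_snoopy = KEY_STALE if stale_copy else KEY_GOOFY_APPMON
    return {
        ("goofy", "appmon"): [
            Decl("GoofyAppmon", KEY_GOOFY_APPMON, private=True),
            Decl("SnoopyCharlie", KEY_SNOOPY_CHARLIE, private=False),
        ],
        ("snoopy", "charlie"): [
            Decl("SnoopyCharlie", KEY_SNOOPY_CHARLIE, private=True),
            Decl("GoofyAppmon", appmon_key_on_snoopy, private=False),
        ],
    }


if __name__ == "__main__":
    for name, layout in (
        ("option 1, fully trusted", fully_trusted_layout()),
        ("option 2, per agent", per_agent_layout()),
        ("option 2, stale public copy", per_agent_layout(stale_copy=True)),
    ):
        print(name, check_layout(layout))
```

Running the module prints one report per layout: the fully trusted layout shows `weather` replicated across the three accounts (expected under option 1, a finding under option 2), the clean per-agent layout reports nothing, and the stale-copy layout reports `GoofyAppmon` as a key conflict.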