ruimadaleno
Posted: Thu Jan 26, 2017 8:37 am Post subject: access shared folder in windows environment with fileinputno
Master
Joined: 08 May 2014 Posts: 274
Hi experts,
we are running broker 8.0.0.7 on Windows and we are building a message flow that gets files from a shared folder, does some stuff (transform/enrich) and moves the resulting file to another folder.
Folder A (windows) ----> FileInputNode --> Mapping --> enrich ---> fileoutput Node --> Folder Z (windows)
On Windows we can see that the dataflowengine.exe operating system process is running under some security context; the dataflowengine is configured with a specific user that exists in the Active Directory.
So, a message flow deployed in the execution group (materialized in the operating system as a process with the dataflowengine.exe name and running with a specific username - security context) that uses a fileinputnode will try to connect to shared folder A using that security context? The same for recording the file through the fileoutputnode?
Best regards
Rui Madaleno
_________________
Best regards
Rui Madaleno
Vitor
Posted: Thu Jan 26, 2017 9:10 am Post subject: Re: access shared folder in windows environment with fileinp
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ruimadaleno wrote:
So, a message flow deployed in the execution group (materialized in operating system as a process with dataflowengin.exe name and running with a specific username - security context) that uses a fileinputnode will try to connect to shared folder A using that security context ? the same for recording the file through fileoutputnode ?
_________________
Honesty is the best policy.
Insanity is the best defence.
ruimadaleno
Posted: Thu Jan 26, 2017 9:19 am Post subject:
Master
Joined: 08 May 2014 Posts: 274
ok, nice.
Now suppose this scenario:
Folder A (windows) ----> FileInputNode --> Mapping --> enrich ---> fileoutput Node --> Folder Z (windows).
But the security on Folder A forces the message flow to connect to the folder using a security context that is distinct from the security context attached to the operating system process that materializes the execution group (dataflowengine.exe).
Folder A [read and write permission to user DOMAIN\userxpto]
Dataflowengine.exe [running under MBadmzzzz user]
Can the message flow connect to a shared folder using another security context? Can this security context be configurable (maybe via UDP?)?
_________________
Best regards
Rui Madaleno
Vitor
Posted: Thu Jan 26, 2017 9:27 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ruimadaleno wrote:
can the message flow connect to a shared folder using another security context ?
ruimadaleno wrote:
can this security context be configurable (maybe via udp ?)?
The only time a security context can be defined (via a configurable service) is if the File node is using FTP. Not with the local file system (and a shared folder in Windows looks like the local file system to any application, not just IIB).
_________________
Honesty is the best policy.
Insanity is the best defence.
ruimadaleno
Posted: Thu Jan 26, 2017 9:45 am Post subject:
Master
Joined: 08 May 2014 Posts: 274
What about if the broker is installed with security context "localSystem"? We just cannot add localSystem to the security definitions on Folder A.
So, if the broker is not installed to "run" under a security context that is listed under the domain (example: installed to run under the localSystem security context), we cannot access shared folders via fileinput/fileoutput.
_________________
Best regards
Rui Madaleno
Vitor
Posted: Thu Jan 26, 2017 9:49 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ruimadaleno wrote:
what about if broker is installed with security context "localSystem". We just cannot add localsystem to security definitions in folder A
Which is why you shouldn't install a Windows broker that way. It causes problems.
ruimadaleno wrote:
so, if the broker is not installed to "run" under a security context that is not listed under the domain (example: installed to run under the localsystem security context) we cannot access shared folders via fileinput/fileoutput
Because "localSystem" isn't a real id (in the sense that it doesn't exist as a local or shared domain id with a SID), no, you can't use it in the way you describe. And if you can get it to work, you shouldn't, because you just authorized everything else running with that context.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Thu Jan 26, 2017 11:08 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
The Windows security context a broker runs in is not set at install time... I mean, it is, but it's a Windows service, yeah?
So you can just change the id the service uses to log in with.
_________________
chmod -R ugo-wx /
Vitor
Posted: Thu Jan 26, 2017 11:16 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
So you can just change the id the service uses to log in with.
I didn't suggest that because I've had poor experiences with it in the past. In theory I agree with you 100%; in practice, where I've tried this, weird contact admin started happening and I had to reinstall to get broker running correctly again. Others may have more luck, and you can't use this method to attach to 2 shared folders that require 2 different contexts.
Windoze. Always coming up with new ways to ruin your day.
Top tip - do not use a domain id to run IIB or anything else. Sooner or later Windoze will try and start IIB before the Domain service has finished connecting and synchronizing with the domain controller. At this point IIB will be unable to start because its running id can't be authenticated and it will crash.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Thu Jan 26, 2017 11:19 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Before @mqjeff says something like:
Quote:
Make the IIB service dependent on the Domain service - there's a tab for that in the Services window
That just means that the Domain service must start successfully before Windoze attempts to start IIB. It doesn't mean that the Domain service must start, contact the domain controller and be ready for business before Windoze attempts to start IIB (which in my view it should mean). IIB can easily try to start before the Domain service is ready if the network is having a bad day.
_________________
Honesty is the best policy.
Insanity is the best defence.
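As an added example (not code from any post in this thread), here is a PowerShell check to run on the broker host that answers the questions raised above from the defender's side: which account the broker's Windows service logs on as, whether that account is one that can be granted on Folder A at all, whether the share's ACL actually names it, and whether the service has a start-order dependency on the Netlogon service. The service name and share path are placeholders, and treating the thread's "Domain service" as the Netlogon service is an assumption.

```powershell
# Added example, not from the thread. Reports the logon account of the broker service,
# flags built-in accounts, checks the share ACL for that account and shows whether the
# service depends on Netlogon. Service name and share path are placeholders.
param(
    [string]$ServiceName = 'IIB_BROKER_SERVICE_NAME',   # placeholder: your broker service name
    [string]$SharePath   = '\\fileserver\FolderA',       # placeholder: the input/output share
    [string]$DomainSvc   = 'Netlogon'                    # assumed: the "Domain service" of the thread
)

# 1. Logon account of the service: this is the security context DataFlowEngine.exe inherits.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
"Service '$ServiceName' logs on as: $account (StartMode=$($svc.StartMode))"

# 2. Built-in accounts cannot be listed as a DOMAIN\user in a remote folder's ACL.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
if ($builtin -contains $account) {
    Write-Warning "Service runs as a built-in account; grant Folder A to a domain account instead."
}

# 3. Explicit ACEs for that account on the share. Access granted through group membership
#    is not detected here, so a missing ACE is a hint, not proof of denial.
$entries = (Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -ieq $account }
if ($entries) {
    $entries | ForEach-Object {
        '{0,-6} {1,-30} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
    }
} else {
    Write-Warning "No explicit ACE for '$account' on $SharePath"
}

# 4. Start-order dependency: does the broker service wait for Netlogon to start at all?
#    (As noted in the thread, this only orders service start; it does not wait for the
#    domain controller to be reachable.)
$deps = (Get-Service -Name $ServiceName).ServicesDependedOn | ForEach-Object Name
if ($deps -contains $DomainSvc) {
    "Service depends on $DomainSvc (it starts only after $DomainSvc has started)"
} else {
    # sc.exe config ... depend= replaces the whole dependency list, so list any existing ones too.
    Write-Warning "No dependency on $DomainSvc; add one with: sc.exe config `"$ServiceName`" depend= $DomainSvc"
}
```

Run it from an elevated prompt on the broker host so that the service details and the share ACL are both readable.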
fjb_saper
Posted: Thu Jan 26, 2017 9:12 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Vitor wrote:
Before @mqjeff says something like:
Quote:
Make the IIB service dependent on the Domain service - there's a tab for that in the Services window
That just means that the Domain service must start successfully before Windoze attempts to start IIB. It doesn't mean that the Domain service must start, contact the domain controller and be ready for business before Windoze attempts to start IIB (which in my view it should mean). IIB can easily try to start before the Domain service is ready if the network is having a bad day.
And I thought that was what "Late or deferred Start" was for...
_________________
MQ & Broker admin
Vitor
Posted: Fri Jan 27, 2017 5:28 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
fjb_saper wrote:
Vitor wrote:
Before @mqjeff says something like:
Quote:
Make the IIB service dependent on the Domain service - there's a tab for that in the Services window
That just means that the Domain service must start successfully before Windoze attempts to start IIB. It doesn't mean that the Domain service must start, contact the domain controller and be ready for business before Windoze attempts to start IIB (which in my view it should mean). IIB can easily try to start before the Domain service is ready if the network is having a bad day.
And I thought that was what "Late or deferred Start" was for...
Yeah, you'd think that wouldn't you? I certainly did.....
_________________
Honesty is the best policy.
Insanity is the best defence.