Granting write permission of files and directories to a non-root user for profile creation
The installer can grant write permission of the appropriate files and directories to a non-root user. The non-root user can then create the profile. The installer can create a group for users who are authorized to create profiles, or the installer can give individual users the ability to create profiles. The following example task shows how to create a group that is authorized to create profiles. This task assumes a basic familiarity with system commands.This task uses the following terms:
- Root users refers to:
- Root users
Administrators
- Non-root users refers to
- Non-root users
Non-administrators
- Installer refers to a root user or a non-root user.
Overview
The steps that you follow to grant write permission of files and directories to a non-root user for profile creation depends on whether a profile was previously created.
If at least one profile was created prior to implementing the following steps, certain directories and files were created. Because these directories and files were created, skip the steps that create these directories and files. If no profile was previously created, implement the steps to create the required directories and files. In most cases, a profile has been created previously.
Have the installer perform the following steps to create the profilers group and give the group proper permissions to create a profile.
Procedure
- Log on as the installer to the system that has WAS installed.
- Create the profilers group used to to create profiles.
- Create a user named user1 to create profiles.
- Add the installer and user1 to the profilers group.
- Log off and back on as the installer to pick up the new group.
- Create the following directories as the installer, if no profile was previously created:
- Create the app_server_root/logs/manageprofiles directory:
mkdir app_server_root/logs/manageprofilesCreate the app_server_root\logs\manageprofiles directory by following instructions in the Windows documentation. For this example procedure the directory is:
app_server_root\logs\manageprofiles
- Create the app_server_root/properties/fsdb directory:
mkdir app_server_root/properties/fsdbCreate the app_server_root\properties\fsdb directory by following instructions in the Windows documentation. For this example procedure the directory is:
app_server_root\properties\fsdb
- As the installer, create the profileRegistry.xml file and add the proper information, if no profile was previously created:
Follow directions for your operating system to create the profileRegistry.xml file. For this example, the file paths are:
app_server_root/properties/profileRegistry.xml
app_server_root\properties\profileRegistry.xmlFollow instructions for your operating system to add the following information to the profileRegistry.xml file. The file must be encoded as UTF-8.<?xml version="1.0" encoding="UTF-8"?> <profiles/>
- As the installer, use operating system tools to change directory and file permissions. The following example assumes that the installation root directory is /opt/IBM/WAS/AppServer .
chgrp profilers /opt/IBM/WAS/AppServer/logs/manageprofiles chmod g+wr /opt/IBM/WAS/AppServer/logs/manageprofiles chgrp profilers /opt/IBM/WAS/AppServer/properties chmod g+wr /opt/IBM/WAS/AppServer/properties chgrp profilers /opt/IBM/WAS/AppServer/properties/fsdb chmod g+wr /opt/IBM/WAS/AppServer/properties/fsdb chgrp profilers /opt/IBM/WAS/AppServer/properties/profileRegistry.xml chmod g+wr /opt/IBM/WAS/AppServer/properties/profileRegistry.xml chgrp -R profilers /opt/IBM/WAS/AppServer/profileTemplatesIf you create a cell profile, additionally issue the following commands:chmod -R g+wr /opt/IBM/WAS/AppServer/profileTemplates/cell/default/documentschmod -R g+wr /opt/IBM/WAS/AppServer/profileTemplates/cell/dmgr/documentsIf you create an appserver profile, a deployment manager profile, or a custom profile, additionally...chmod -R g+wr /opt/IBM/WAS/AppServer/profileTemplates/profile_template_name/documentswhere profile_template_name is default, dmgr, or managed, respectively.The ownership of files is preserved when the files are copied to the profile directory during profile creation. You granted write permission to the profile directory so that files copied to the profile directory can be modified as part of the profile creation process. Files that are already in the profileTemplate directory structure prior to the start of profile creation are not modified during profile creation.
chgrp profilers /opt/IBM/WAS/AppServer/properties/Profiles.menu chmod g+wr /opt/IBM/WAS/AppServer/properties/Profiles.menuThe following example assumes that the installation root directory is C:\Program Files\IBM\WebSphere\AppServer . Follow instructions in the Windows documentation to give the profilers group read and write permission to the following directories and their files:
C:\Program Files\IBM\WebSphere\AppServer\logs\manageprofiles C:\Program Files\IBM\WebSphere\AppServer\properties C:\Program Files\IBM\WebSphere\AppServer\properties\fsdb C:\Program Files\IBM\WebSphere\AppServer\properties\profileRegistry.xmlYou might have to change the permissions on additional files if the non-root user encounters permission problems. For example, if you allow a non-root user to delete a profile, the user might have to delete the following file:
app_server_root/properties/profileRegistry.xml_LOCK
app_server_root\properties\profileRegistry.xml_LOCK
- Give write access to the non-root user for the file to allow the user to delete the file. If the non-root user still cannot delete the profile, the installer can delete the profile.
Results
The installer created the profilers group and gave the group proper permissions to certain directories and files to create a profile. These directories and files are the only ones in the installation root of WAS to which a non-root user needs to write to create a profile. These directories and files are the only ones in the installation root of WebSphere Application Server to which a non-root user needs to write to create and augment a profile.
What to do next
Have the non-root user that belongs to the profilers group create a profile in a directory that the non-root user owns and to which the non-root user has write permission, but not in the installation root directory of the product.
manageprofiles command