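DataStage 7.x Access Control
stenny | 14 February, 2008 01:07
Installing DataStage normally creates a dstage group and a dsadm account, and every later DataStage user has to belong to the dstage group, so any user can access all of the projects on that DS Server. How can access be controlled so that a particular user can only access particular projects? IIS8 can use WAS access control, which I would guess is fairly simple and clear; the article found below explains how to do group-level access control in DS7.x...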
Configuring DataStage for use by Multiple Users.
When you install DataStage, the software directories are created and configured automatically for secure and proper operation of the software. You should never change the permissions or owners of the files in any of the software directories, except for the project directories, unless told to do so by Ascential Software support. This document is intended as a supplement to those instructions given in the “DataStage Install and Upgrade Guide.”
File Ownership and Permission for Project Directories.
When the install creates the projects, the files are assigned ownership to the dsadm user, and the dsadm user’s primary group. To allow users other than the dsadm user to properly use DataStage, you need to do the following steps. For these steps, we will assume that the dsadm user’s primary group is ‘dstage’.
1. For each user id, make sure it is a member of the group ‘dstage’.
2. As the root user, edit the ds.rc file in the DSEngine/sample directory, find the line near the top of the file which reads #umask 002 and edit this line to remove the comment character ‘#’. After making this change, the root user needs to stop the DataStage engine and restart it.
3. As the dsadm user, go to each project directory and set its SGID bit, which forces files created in that directory to have the same group id as the directory in which they were created. This can be done with the following UNIX command:
chmod g+s dirpath
where dirpath is the absolute path of the DataStage project directory.
Once these steps are complete, DataStage is ready to use in a multiple user environment. If there has been user activity in the DataStage project prior to these steps being done, you may also need to reassign the group id and permissions of the files in the project directory. This can be done with the following UNIX commands:
chgrp -R dstage dirpath
chmod -R g+w dirpath
In these commands, ‘dstage’ is the dsadm user’s primary group and ‘dirpath’ is the absolute path of the project directory.
Limiting User access to DataStage projects.
The permissions documented above are required for the software to function properly. If you wish to control access at a project level, this will require one UNIX group per project in addition to the single UNIX group to which the software itself is assigned. Consider the following scenario as an example:
The ACME Company has a UNIX server with DataStage installed on it. They want to have a test project and a production project on the same machine. They do not want the test users to be able to edit the jobs in production, and they do not want the production users to be able to edit the jobs in the test project.
When they installed DataStage, they created the dsadm user with the primary group of ‘dstage’. During the install they created a project called ‘prod’ and a second project called ‘test’. After the install, all the files in both projects are owned by the dsadm user, and the group is dstage.
First, the superuser (root) must create two new UNIX groups, one called ‘dstest’ and one called ‘dsprod’. Next, the superuser must make the dsadm user a member of BOTH of these new groups. Next, the superuser must make all the test users members of both the dstage group and the dstest group, and make the production users members of the dstage group and the dsprod group. Finally, the superuser must complete step 2 from the instructions above.
Once the superuser’s tasks are finished, the dsadm user can now change the group of all the files in the test project so that their group is now ‘dstest’. Next, the dsadm user would change the group of all the files in the production project so that their group is now ‘dsprod’. Finally, the dsadm user should complete step 3 above on both the test and prod projects.
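
To check that a project directory ended up as described (for the ACME scenario, the prod directory with ‘dsprod’ and the test directory with ‘dstest’), here is an added example that is not part of the Ascential document or the original post. The helper name audit_project and its messages are hypothetical, and the world-writable check is an extra that goes beyond the documented steps.

```sh
#!/bin/sh
# Added example, not an Ascential/DataStage tool. audit_project is a
# hypothetical helper; the world-writable check goes beyond the steps above.

# audit_project DIRPATH GROUP: return 0 if DIRPATH matches the setup described
# above for GROUP (a name or numeric gid), 1 on findings, 2 on a bad path.
audit_project() {
    dir=$1; grp=$2; rc=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }

    # Step 3: SGID on the project directory, so new files inherit its group.
    if [ ! -g "$dir" ]; then
        echo "FAIL: SGID not set on $dir (chmod g+s)"; rc=1
    fi

    # Files created before the change may still carry another group.
    n=$(find "$dir" ! -group "$grp" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n entries not in group $grp (chgrp -R)"; rc=1
    fi

    # Group members must be able to write (umask 002, chmod -R g+w).
    n=$(find "$dir" ! -type l ! -perm -020 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n entries not group-writable (chmod -R g+w)"; rc=1
    fi

    # Added check: world-writable entries defeat per-project groups.
    n=$(find "$dir" ! -type l -perm -002 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n entries are world-writable (chmod -R o-w)"; rc=1
    fi
    return "$rc"
}

# Constructed demo: a throwaway directory stands in for a project.
demo() {
    d=$(mktemp -d); g=$(id -g)
    touch "$d/job1"; chmod g-s "$d"
    audit_project "$d" "$g"        # fresh tree: expect findings
    chgrp -R "$g" "$d"; chmod -R g+w "$d"; chmod g+s "$d"
    audit_project "$d" "$g" && echo "OK: $d matches the documented setup"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Files that are readable by "other" are not flagged, since the scenario above only concerns who can edit jobs.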