Administering Management & Shell Users
In this section weʼll discuss two main topics:
- How to manage the authentication and authorization settings for Solace management users that can connect to a Solace router. The discussion begins in CLI User Access Levels.
- How to securely create and configure Linux shell users. Instructions can be found in Configuring Multiple Linux Shell Users.
Solace management users are users that can connect to the router to configure, manage and monitor it. There are two types.
- CLI User—A management user that connects to the router through the CLI or SolAdmin for purposes of configuring, managing, and monitoring. A CLI user can also be a management application that uses Solace Element Management Protocol (SEMP) requests over an HTTP service to manage and monitor the router. This user connection uses the Secure Shell (SSH) protocol.
- File Transfer User—A user that can remotely transfer files to and from specific directories on the Solace router using Secure File Transfer Protocol (SFTP) or Secure Copy (SCP).
Note: A client user can also monitor a router if it is a management application using the SEMP Request Over Message Bus service. However, client users are not discussed in this section. For information on clients and how to configure client authentication for a Solace router, refer to Managing Client Authentication.
Linux shell users are users that can log into an appliance's Linux shell. The root user and default support user are in this category and are both built into the appliance. Three other configurable user groups, introduced to the appliance in version 8.2.0, add operational flexibility. For instructions on how to create and configure them, refer to Configuring Multiple Linux Shell Users. The available Linux shell users are:
- Root User—A single, built-in user that has root privileges in the applianceʼs SolOS Linux shell.
- Sysadmin Users—These are Root-like users who can run all commands in the appliance's Linux shell with root privileges by using sudo, without entering the root password. Sysadmin users can perform any appliance configuration procedure in these documents that is noted as requiring root access or the root user. Sysadmin users are created and configured by the Root user or other Sysadmin users. There are no built-in, pre-configured Sysadmin users.
- Support User (default)—A single, default, built-in Linux user that is allowed to execute a limited set of appliance shell commands and scripts to allow for low-level router troubleshooting.
- Support Users (creatable)—These are additional support users that are created and configured by either Root or Sysadmin users. They have the same privileges as the default Support user, and are allowed to execute a limited set of appliance shell commands and scripts.
- Restricted Users—These users have read access to appliance logs, read/write access to files in their home directory, and read access to designated files owned by other users. They can execute shell commands that don’t need root access. Restricted users can be created by Root or Sysadmin users. There are no built-in Restricted users.