

Application and Appliance Locking
Application and appliance locking is a new feature that is designed to protect the intellectual property (IP) contained within such entities. When an application or appliance is locked, CA AppLogic® disallows regular users from executing certain commands over the locked entities, such as export, manage volumes, edit/modify, and so on. When a regular user attempts to execute a disallowed command over a locked entity, the command fails with an 'Access Denied' message because the entity is locked.
The following commands allow grid administrators and regular users to lock applications and assemblies:
- application lock
- application unlock
- class lock
- class unlock
This section contains the following topics:
- Restrictions
- Supported Operations
- Work flow for creating locked entities
- SSH Access to Locked Appliances
Restrictions
The following describes the operations that regular users cannot perform over locked applications and appliances:
Locked Applications
- Regular users cannot export the application or any singleton appliance that is contained within the application
- Regular users cannot migrate the application
- Regular users cannot manage, copy, move, set, or read any volumes contained within the application including instance volumes
- Regular users cannot create new user volumes for the application
- Users cannot view or edit the application via the CA AppLogic® editor
Locked Appliances and Assemblies
- Regular users cannot export the appliance
- Regular users cannot export the catalog that contains one or more locked appliances or assemblies
- Regular users cannot branch the appliance or assembly instance
- Regular users cannot copy, move or edit a locked singleton appliance.
- Regular users cannot manage, copy, move, set, or read the volumes of the appliance class (also applies to instance volumes)
- Regular users cannot view or edit the interior of an assembly
- Regular users cannot retrieve the descriptor of the locked entity via the get_desc command
- Locked appliances and assemblies cannot exist in local application catalogs
Regular users are allowed to destroy locked applications and classes.
Supported Operations
The following operations may be performed by regular users over locked entities:
Locked Applications
- Regular users may provision, configure or copy the application
- Regular users may start, stop, continue, restart, build, and clean the application
- Regular users may rename the application
Locked Appliances and Assemblies
- Regular users may use the appliance or assembly in their application
- Regular users may view the appliance boundary and may configure the appliance via the CA AppLogic® editor
- Regular users may rename locked appliances and assemblies
Work flow for creating locked entities
This section describes the work flow for developing or modifying an application or appliance that contains intellectual property that is to be protected, and for transferring the locked entity to a user's grid.
The following describes the work flow for creating a new locked application or appliance:
- Develop and test the application or appliance as you would typically.
- Lock the appliance or application.
- Transfer the application or appliance to another grid (optional).
  - To transfer a locked application, perform the following:
    - Log into the destination grid using a user/SSH key that is an administrator on the source grid.
    - Execute app migrate src locked-app to transfer the application to the grid.
  - To transfer a locked appliance, perform the following:
    - Log into the destination grid using a user/SSH key that is an administrator on the source grid.
    - Execute class migrate src locked-class to transfer the class to the grid.
If you need to make changes to the application or appliance at a later time, perform the following steps:
- Unlock the appliance or application.
- Make the necessary changes to the application or appliance and test.
- Lock the appliance or application.
- Transfer the modified application or appliance to users' grids as specified above (optional)
SSH Access to Locked Appliances
CA AppLogic® does not limit SSH access via the 'component ssh'/'component login' command. Any SSH access limitations should be done by the appliance builder. The following are examples of how SSH access may be restricted:
- Prohibit the access altogether (that is, disable the SSH service in the appliance)
- Provide a simpler shell, through the SSH forced command method, that provides access to the log and other maintenance functions that may need to be available to users. For example, SSH into a locked MySQL appliance may bring the user into the mysql command-line client.
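The forced command method from the second item, as an added example (not CA AppLogic code): a wrapper that sshd runs in place of whatever the client requested and that allows only a fixed set of maintenance requests. The install path, the log location and the request names log and status are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a locked MySQL appliance.
# Hypothetical install path: /usr/local/sbin/maint-shell. Wire it in with either
#   sshd_config:     ForceCommand /usr/local/sbin/maint-shell
#   authorized_keys (one line):
#     command="/usr/local/sbin/maint-shell",no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public-key>
# sshd then runs this script instead of the client's request, which it passes
# in SSH_ORIGINAL_COMMAND.

LOG_FILE=/var/log/mysqld.log    # assumed log location inside the appliance

# Map a client request to a fixed command line. The request is only compared
# against literals; it is never handed to eval or to a shell.
resolve_request() {
    case "$1" in
        "")     echo "mysql" ;;                    # plain login: mysql client
        log)    echo "tail -n 200 $LOG_FILE" ;;    # read-only view of the log
        status) echo "mysqladmin status" ;;
        *)      return 1 ;;                        # anything else is refused
    esac
}

maint_shell() {
    if ! cmd=$(resolve_request "$1"); then
        echo "Access Denied: allowed requests are 'log' and 'status'" >&2
        return 1
    fi
    # Unquoted on purpose: $cmd is one of the literals above, not client input.
    exec $cmd
}

# Dispatch only when run under the installed name, so the file can be sourced.
case "$0" in
    */maint-shell) maint_shell "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Before relying on the interactive branch, check that the client program cannot spawn a shell of its own (the mysql client has a system command); otherwise offer only the fixed, non-interactive requests.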
Copyright © 2012 CA.
All rights reserved.
 