

Application and Appliance Locking using CLI
Application and appliance locking is a feature that is designed to protect the intellectual property (IP) contained within such entities. When an application or appliance is locked, CA AppLogic® disallows regular users from executing certain commands over the locked entities, such as export, manage volumes, edit/modify, and so on. When a regular user attempts to execute a disallowed command over a locked entity, the command fails with an 'Access Denied' message because the entity is locked.
The following commands allow grid maintainers and regular users to lock applications and assemblies:
- application lock
- application unlock
- class lock
- class unlock
Restrictions
The following describes the operations that regular users cannot perform over locked applications and appliances:
Locked Applications
- Regular users cannot export the application or any singleton appliance that is contained within the application
- Regular users cannot migrate the application
- Regular users cannot manage, copy, move, set, or read any volumes contained within the application including instance volumes
- Regular users cannot create new user volumes for the application
- Users cannot view or edit the application using the Infrastructure Editor
Locked Appliances and Assemblies
- Regular users cannot export the appliance
- Regular users cannot export the catalog that contains one or more locked appliances or assemblies
- Regular users cannot branch the appliance or assembly instance
- Regular users cannot copy, move or edit a locked singleton appliance.
- Regular users cannot manage, copy, move, set, or read the volumes of the appliance class (also applies to instance volumes)
- Regular users cannot view or edit the interior of an assembly
- Regular users cannot retrieve the descriptor of the locked entity via the get_desc command
- Locked appliances and assemblies cannot exist in local application catalogs
Note: Regular users are allowed to destroy locked applications and classes.
Supported Operations
The following operations may be performed by regular users over locked entities:
Locked Applications
- Regular users may provision, configure or copy the application
- Regular users may start, stop, continue, restart, build, and clean the application
- Regular users may rename the application
Locked Appliances and Assemblies
- Regular users may use the appliance or assembly in their application
- Regular users may view the appliance boundary and may configure the appliance via the editor
- Regular users may rename locked appliances and assemblies
Work flow for creating locked entities
This section describes the work flow for developing or modifying an application or appliance that contains intellectual property to be protected, and for transferring the locked entity to a user's grid.
The following describes the work flow for creating a new locked application or appliance:
- Develop and test the application or appliance as you would typically.
- Lock the appliance or application.
- Transfer the application or appliance to another grid (optional):
  - To transfer a locked application, perform the following:
    - Log into the destination grid using a user/SSH key that is a maintainer on the source grid
    - Execute app migrate src locked-app ... to transfer the application to the grid.
  - To transfer a locked appliance, perform the following:
    - Log into the destination grid using a user/SSH key that is a maintainer on the source grid
    - Execute class migrate src locked-class ... to transfer the class to the grid.
If you later need to make changes to the application or appliance, perform the following steps:
- Unlock the appliance or application.
- Make the necessary changes to the application or appliance and test.
- Lock the appliance or application.
- Transfer the modified application or appliance to users' grids as specified above (optional)
SSH Access to Locked Appliances
CA AppLogic® does not limit SSH access via the 'component ssh'/'component login' command. Any SSH access limitations should be implemented by the appliance builder. The following are examples of how SSH access may be restricted:
- Prohibit the access altogether (that is, disable the SSH service in the appliance)
- Provide a simpler shell, through the ssh forced command method, that gives access to the log and other maintenance functions that may need to be available to users. For example, an SSH login to a locked MySQL appliance may bring the user into the mysql command line client.
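The forced command method described above can be implemented with a small wrapper script inside the appliance. The following is an added example, not code from CA AppLogic or this guide; the script name maint-shell, the maint user, the request names (log, log-follow, mysql) and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a locked MySQL appliance.
# Assumed wiring (standard OpenSSH; the paths and the "maint" user are assumptions):
#   authorized_keys: command="/usr/local/bin/maint-shell",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <key>
#   or sshd_config:  Match User maint
#                        ForceCommand /usr/local/bin/maint-shell
# sshd runs this script instead of the user's shell and puts whatever the
# client asked for in SSH_ORIGINAL_COMMAND (empty for an interactive login).

LOG_FILE=/var/log/mysqld.log   # assumed log location
MYSQL_CLIENT=/usr/bin/mysql    # assumed client location

# Print the fixed command line for an allowed request; return 1 otherwise.
# The request is only compared against literals, never evaluated.
resolve_request() {
    case "$1" in
        ""|mysql)   printf '%s\n' "$MYSQL_CLIENT" ;;
        log)        printf '%s\n' "tail -n 200 $LOG_FILE" ;;
        log-follow) printf '%s\n' "tail -f $LOG_FILE" ;;
        *)          return 1 ;;
    esac
}

maint_shell() {
    if cmd=$(resolve_request "${SSH_ORIGINAL_COMMAND:-}"); then
        # Unquoted on purpose: $cmd is one of the constants above.
        exec $cmd
    fi
    logger -t maint-shell "denied request from ${SSH_CLIENT:-unknown}"
    echo "Access denied" >&2
    exit 1
}

# Act as the login command only under the installed name; otherwise show
# the decision for a few constructed requests without running anything.
case "${0##*/}" in
    maint-shell) maint_shell ;;
    *)  for req in "" log "log; sh" "mysql -e 'select 1'" /bin/bash; do
            if cmd=$(resolve_request "$req"); then
                printf 'allow  [%s] -> %s\n' "$req" "$cmd"
            else
                printf 'deny   [%s]\n' "$req"
            fi
        done ;;
esac
```

A forced command confines the user only as far as the program it launches does, so check that program for pager or shell-escape features before exposing it.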
Copyright © 2012 CA.
All rights reserved.