

CLI User Authentication

Local and global users can log in to the CA AppLogic® GUI. Local users log in using the user name and password and are authenticated using the local directory service. Global users log in using the user name prepended with the slash character "/" and the password required by the global directory service. The initial slash character instructs CA AppLogic® to perform user authentication using the global directory service. In addition, both local and global users can SSH to the grid controller. Local users authenticate using the private key corresponding to the public key set in the user's profile properties. Global users also use this key-based form of authentication with the following caveats:

When a global user logs into CA AppLogic®, that user's global group membership is read from the global directory service. This information is cached in the local directory service. When an authorization request is made, this cached global group membership information can be used in determining whether the request is granted.

Global Users Authentication

When a user logs in to the CA AppLogic® GUI, or logs in using SSH to open a command line shell, the login consists of the following two separate operations:

For a user to be granted login permission, that user is typically added to a group that has login permission on the grid ACL. It is possible to grant the implicit local group "all" access level rights on the grid ACL (every access level includes login permission). In this case, every local user and every global user is granted permission to log in. More typically, a user is added to a local or global group that is granted these rights.

In the case of a global user, the user's unique ID is not determined until the user authenticates for the first time using the global directory service. As a result, it is impossible to add a global user to a local group until that user has authenticated at least once. If the implicit local group "all" is not granted login permission, the process for giving a global user login access to a grid is as follows:

  1. The global user logs in to the CA AppLogic® GUI. While authentication succeeds, authorization fails because the global user does not have login permission. Because authentication has succeeded, the global user ID has been determined and the global user's global group membership has also been determined. As a result, this information has been cached in the local directory service.
  2. The global user is added to a local group with login permission, or a global group of which the global user is a member is granted access level rights on the grid ACL. Once this step is completed, the global user can successfully log in through the CA AppLogic® GUI or through SSH.
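The following is an added illustrative model of the two-step login described above; it is not CA AppLogic code, and the class, user names, group names and the "global:"/"local:" ID format are constructed assumptions. It shows the "/" prefix routing authentication to the global directory, the global group membership being cached locally on first successful authentication, and authorization against the grid ACL failing until the now-known global user is added to a local group with login permission.

```python
"""Illustrative model (not CA AppLogic code) of login as two operations:
authenticate against the local or global directory, then authorize the
LOGIN permission against the grid ACL using cached global group membership."""
from dataclasses import dataclass, field

LOGIN = "login"


@dataclass
class Grid:
    local_users: dict = field(default_factory=dict)   # name -> password
    global_users: dict = field(default_factory=dict)  # name -> (password, global groups)
    local_groups: dict = field(default_factory=dict)  # local group -> set of user IDs
    acl: dict = field(default_factory=dict)           # group -> set of permissions
    cache: dict = field(default_factory=dict)         # global user ID -> cached global groups

    def authenticate(self, username, password):
        """Return the user's unique ID, or None. A leading "/" selects the global directory."""
        if username.startswith("/"):
            rec = self.global_users.get(username[1:])
            if rec is None or rec[0] != password:
                return None
            uid = "global:" + username[1:]
            # The ID and global group membership become known only now; cache them locally.
            self.cache[uid] = set(rec[1])
            return uid
        if self.local_users.get(username) != password:
            return None
        return "local:" + username

    def groups_of(self, uid):
        groups = {"all"}  # implicit local group containing every authenticated user
        groups |= {g for g, members in self.local_groups.items() if uid in members}
        return groups | self.cache.get(uid, set())

    def authorize(self, uid, permission):
        return any(permission in self.acl.get(g, set()) for g in self.groups_of(uid))

    def login(self, username, password):
        uid = self.authenticate(username, password)
        if uid is None:
            return "authentication failed"
        return "ok" if self.authorize(uid, LOGIN) else "authorization failed"


def first_login_scenario():
    """Constructed walk-through: global user 'alice' in global group 'ops'; ACL grants
    LOGIN only to local group 'admins', so her first login is authenticated but not authorized."""
    grid = Grid(global_users={"alice": ("s3cret", {"ops"})}, acl={"admins": {LOGIN}})
    first = grid.login("/alice", "s3cret")
    cached = grid.cache.get("global:alice", set())     # membership cached despite the failure
    grid.local_groups["admins"] = {"global:alice"}      # step 2 (alternative: grid.acl["ops"] = {LOGIN})
    return first, cached, grid.login("/alice", "s3cret")
```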