Migrating Objects

Using CA AppLogic › Grid Administration Guide › Role-Based Access Control › Migrating Objects

Migrating Objects

RBAC impacts how object migration is authorized and how the newly migrated object ACLs are created.

The migrate operation relies on SSH to execute commands on a remote grid. CA AppLogic migrates with the --import option from the remote grid to the local grid. When a user migrates with the --export option, then CA AppLogic SSHs to the remote grid and executes the migratewith the --import option.

From the above it follows that if an object is migrated –-import, then the resulting new object is owned by that user who executes the migrate command on the local grid, and that user has full access level rights on the resulting object. Alternatively, if an object is migrated --export, then that user on the remote grid who executes the migrate command --import on the remote grid owns the new object and has full access level rights.

Object migration relies on a trust relationship established between two grids. There are two different methods of establishing such trust:

Grid L (the local grid) has a user whose public key is that of grid R (the remote grid), and grid R has a user whose public key is that of grid L. In this case, the grid public/private key pairs are used to execute remote commands via SSH during the migrate operation. This is the most common trust relationship and is always required when migrating an object using the CA AppLogic GUI.
Grid L and grid R each have a user whose public key corresponds to the private key used in SSH forwarding in a shell opened by the executing user on the local grid. In this case, the migrate operation relies on SSH forwarding (for example, in a PuTTY session) to execute remote commands during the migrate operation.

The table below displays the several different migrate scenarios, their pre-conditions and their results. For the purposes of explanation the table refers to the following example users:

User A on grid L - this is the user on the local grid L who executes the migrate command
User B on grid R - this is a user on the remote grid R with the same public key as that of user A
User TA on grid L - this user has the public key of remote grid R and is used to establish trust between the grids
User TB on grid R - this user has the public key of local grid L and is used to establish trust between the grids

Migrate Operation	Pre-Conditions	Results
Migrate --import using SSH key forwarding	User A has app_developer or grid_administrator access level rights on grid L. User B has app_developer or grid_administrator access level rights on grid R User B has configure or full access level rights on the application.	The resulting application created on grid L is owned by user A, and that user has full access level rights on the application.
Migrate --import using the trust relationship established by the grid public/private key pairs	User A has app_developer or grid_administrator access level rights on grid L. User TB has app_developer or grid_administrator access level rights on grid R User TB has configure or full access level rights on the application.	The resulting application created on grid L is owned by user A, and that user has full access level rights on the application.
Migrate --export using SSH key forwarding	User A has app_developer or grid_administrator access level rights on grid L. User A has configure or full access level rights on the application. User B has app_developer or grid_administrator access level rights on grid R	The resulting application created on grid R is owned by user B, and that user has full access level rights on the application.
Migrate --export using the trust relationship established by the grid public/private key pairs forwarding	User A has app_developer or grid_administrator access level rights on grid L. User A has configure or full access level rights on the application. User TA has configure or full access level rights on the application. User TB has app_developer or grid_administrator access level rights on grid R	The resulting application created on grid R is owned by user TB, and that user has full access level rights on the application.