Categories

ID #1085

How do I install the JSON cmgui ?

 

The standalone JSON cmgui, available in Bright 6.0 and upwards, can run on any regular desktop client machine, including on a MacOS desktop. The software requirements in Bright 6.0 are:

  • firefox 10.0 or greater on the client.
  • cmdaemon-6.0-r14750 or greater on the cluster
  • cmgui-json-6.0-r3330 or greater on the client

The latest version can be obtained via:

 

yum install cmgui-json-dist

 

This unpacks software into /cm/shared/apps/cmgui/json/ on the head node

 

The installation procedure is then as follows:

 

Set up cmdaemon to accept JSON calls

 

1. Enable the JSON interface in cmdaemon on the head node, by editing:

 /cm/local/apps/cmd/etc/cmd.conf

and setting a directive:

 EnableJSON = true

2. A restart of cmdaemon makes this change live.


[root@head ~]# service cmd restart

 

3. Verify that cmdaemon now accepts JSON calls:

 

 [root@head ~]#  wget --no-check-certificate -O json.out  https://master:8081/json

 cat json.out; rm -f json.out; echo

 

For a working JSON configuration, the output is

 

 {"json": true}


Setup cmdaemon to allow an AJAX console


The AJAX console in the JSON cmgui allows shell commands to run on the cluster.

 

1. Enable the AJAX console in cmdaemon, by editing, on the head node, the configuration file:

 /cm/local/apps/cmd/etc/cmd.conf

and setting the directive:

 EnableShellService = true

2. Restart cmdaemon to make the change live:

 [root@head ~]# service cmd restart

 

Allow the admin user to have cmgui JSON access from a user account


Due to technical reasons, cmgui can no longer use the admin.pfx certificate. Instead JSON cmgui connects with the username, password combination used by normal ssh access to the cluster. A certificate is still required to determine user credentials.

For admin users (admin has the ADMIN profile), the default admin cmsh certificate can be associated with a regular user account used by the admin. The viewability of the certificates must be restricted for security reasons. For example for the regular user account "fred", to associate it with admin privileges, the configuration could be done as follows from a bash prompt on the head node:


 user=fred
 cmsh -c "user add user $user; set password $user; commit"
 if [ -e /etc/SuSE-release ]; then
   group=users
 else
   group=$user
 fi
 mkdir -p /home/$user/.cm
 cp -r /root/.cm/cmsh /home/$user/.cm/cmsh
 chown $user:$group -R /home/$user/.cm
 chmod go= /home/$user/.cm/cmsh/admin.{pem,key}

 

Create a certificate with an associated profile for a regular user to have cmgui JSON access from a user account

 

For users who do not have an ADMIN profile, a separate certificate needs to be created. This certificate can be created in cmsh:

cert createcertificate <key-length> <common-name> <organization> <organizational-unit> <locality> <state> <country> <profile> <sys-login> <days> <key-file> <cert-file>

The certificate can also be created using the cm-create-certificate.py script:

 ./cm-create-certificate.py <profile> <user> [<user> ... ]

 

The cm-create-certificate.py script attached to this article is not supported, but can be regarded as a basis for anyone who wants to use Python.

 

A regular user associated with a non-admin certificate can then use cmgui JSON with reduced privileges, as defined by the tokens in the profile of the user certificate (see the Admin Manual, User Management section for details on profiles and tokens with certificates).

 

Allowing cmgui JSON access for root


By default root cannot use the JSON cmgui.

 

1. To enable root to use it, edit:

 /cm/local/apps/cmd/etc/cmd.conf

and add the line (or merge the AdvancedConfig definitions)

 AdvancedConfig = { "AllowJSONfromRoot=1" }

2. Restarting cmdaemon makes the change live:

 [root@head ~]# service cmd start

 

Running JSON cmgui


1. For Linux: Unzip the cmgui-json zip file into a directory of your choice:


 unzip cmgui-json-6.0-r3341.zip

 

2. For MS Windows: run the install.cmgui.json.6.0.r4100.exe (exact version number may be different) executable

from the directory of your choice.

 

3. Run cmgui. Fill in your user credentials when prompted, and then go ahead and use cmgui.

 

Warning: the password is saved as plain text, when stored in the cluster settings. Leaving the password blank will cause a prompt every time a connection to the cluster is established and the password will never be saved.

attached files: cm-create-certificate.py

Tags: -

Related entries:

You cannot comment on this entry