"Verify the user running Nolio agent has privileges to impersonate other users" error

Document ID : KB000037292
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Question: 

I have an action that I would like to run as a specific user on my Linux/Unix servers. I have configured the action (via ASAP->Action->Properties tab or ROC -> Action -> Settings tab) to use: 

Set Credentials -> Use the following credentials

where I set the desired <username> and <password> that I want my action to run as. But when running the action it returns:

Error occurred during action execution: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.

Why does this error occur? 

 

Environment:

Release Automation: All Versions

Release Automation Agent on Linux

 

Answer:

This article is specific to running actions on Linux. If you are receiving the message above while using the impersonation feature on Windows then review TEC1388242

There are a few scenarios that will generate this message when running it on Linux/Unix. This article will go through the known conditions for which this error is returned - one by one. For each one of these issues the standard nolio_all message is seen. Each condition described below will highlight additional log messages you can use to isolate the cause. See additional information for standards used throughout this article.

  1. The agent times out waiting for the sub-process to connect.
  2. The noliouser does not have access to execute processes on behalf of myImpersonateUserId
  3. The myImpersonateUserId does not have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files
  4. The myImpersonateUserId does not have access to any folders/files except <NolioAgentInstallDir>/jre
  5. The noliouser does not have "Defaults:noliouser !requiretty" in sudoers
  6. The noliouser sudoers can impersonate myImpersonateUserId but it is not configured appropriately. 
  7. The myImpersonateUserId does not have appropriate resources. 

 

1. Agent times out waiting for the sub-process to connect

If this is the cause for the standard user interface error then the following message is typically seen inside of the nolio_all.log:

2016-02-01 10:53:41,937 [ProcessInvoker-Server-0] DEBUG (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:485) - Handling remote process request...
2016-02-01 10:53:42,045 [ProcessInvoker-Server-0] INFO  (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:495) - new user process connected: myImpersonateUserId
2016-02-01 10:53:42,045 [ProcessInvoker-Server-0] ERROR (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:510) - error handling remote process connection for user myImpersonateUserId
java.lang.IllegalStateException: cannot find process for user myImpersonateUserId
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.handleClient(ProcessesInvoker.java:498)
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.run(ProcessesInvoker.java:461)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2016-02-01 10:53:41,940 [main] DEBUG (root:186) - [myImpersonateUserId] connect successfully. sending username myImpersonateUserId
2016-02-01 10:54:41,914 [Thread-0] INFO  (root:394) - [myImpersonateUserId] process of user myImpersonateUserId is up
2016-02-01 10:55:17,352 [HealthMonitor] DEBUG

Also, the following messages are typically logged to the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/LISAReleaseAutomationAgent/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/LISAReleaseAutomationAgent/actionslib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]NolioSocketAppender is not ready yet!
10:53:41,775 [main] DEBUG (ProcessesConfig.java:89) - remote process execution properties:{cmd.to.execute=./SudoActionsRunner.sh, max.processes=5, core.agent.instance.action.threads=10, max.process.action.threads=5, server.timeout=20000, ssh.port=22, grant.permissions=false, max.idle.time.in.seconds=900, process.timeout=20000}[NolioSocketAppender is not initialized yet] [null] remote process execution properties:{cmd.to.execute=./SudoActionsRunner.sh, max.processes=5, core.agent.instance.action.threads=10, max.process.action.threads=5, server.timeout=20000, ssh.port=22, grant.permissions=false, max.idle.time.in.seconds=900, process.timeout=20000}
10:53:41,812 [main] INFO  (ProcessesConfig.java:128) - ProcessInvoker properties:processCreationTimeout-20000, serverInitializationTimeout-20000, grantPermissions-false, coreAgentInstanceActionThreads-10, maxAgentInstanceActionThreads-40, maxRemoteProcesses-5, maxRemoteProcessActionThreads-5, maxIdleTimeInSeconds-900, cmdToExe-./SudoActionsRunner.sh, sshPort-22[NolioSocketAppender is not initialized yet] [null] ProcessInvoker properties:processCreationTimeout-20000, serverInitializationTimeout-20000, grantPermissions-false, coreAgentInstanceActionThreads-10, maxAgentInstanceActionThreads-40, maxRemoteProcesses-5, maxRemoteProcessActionThreads-5, maxIdleTimeInSeconds-900, cmdToExe-./SudoActionsRunner.sh, sshPort-22ActionRunner is running
10:53:41,847 [main] INFO  (ActionsRunner.java:137) - changing log configuration[NolioSocketAppender is not initialized yet] [null] changing log configuration
10:53:41,940 [main] DEBUG (ActionsRunner.java:186) - connect successfully. sending username myImpersonateUserId
10:54:41,914 [Thread-0] INFO  (ActionsRunner.java:394) - process of user myImpersonateUserId is up 

Resolution:

Increase the <NolioAgentInstallDir>/conf/processes.properties value for "process.timeout". By default it is 20000 (20 seconds).

 

2. Noliouser does not have access to execute processes on behalf of myImpersonateUserId

If this is the cause of the standard user interface error then the following message is usually seen in the myImpersonateUserId_output.log:

sudo: no tty present and no askpass program specified

You can usually confirm this by logging into myAgentMachine as noliouser and run:

sudo -u mymyImpersonateUserId echo test

Good result output:

test

Bad result:

Sorry, user noliouser is not allowed to execute '/bin/echo test' as myImpersonateUserId on myAgentMachine. 

Resolution:

Add one (only one) of the following lines to the /etc/sudoers file:
noliouser    ALL=(myImpersonateUserId)    NOPASSWD:ALL
noliouser    ALL=(ALL)    NOPASSWD:ALL
noliouser    ALL=(myImpersonateUserId)    ALL
noliouser    ALL=(ALL)    ALL

 

3. The myImpersonateUserId does not have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files

When the myImpersonateUserId doesn't have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files the following message may be logged to the myImpersonateUserId_output.log

./ActionsRunner.sh: line 14: ./jre/bin/NolioAgent: Permission denied 

Resolution:

chmod -R 755 <NolioAgentInstallDir>/jre

 

4. The myImpersonateUserId does not have access to any folders/files except <NolioAgentInstallDir>/jre

When the myImpersonateUserId does not have access to the files/folders (except <NolioAgentInstallDir>/jre) then the myImpersonateUserId_output.log gets created but is blank. 

Resolution:

chmod -R 755 <NolioAgentInstallDir>

 

5. The noliouser does not have "Defaults:noliouser !requiretty" in sudoers

The following message can be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:

sudo: sorry, you must have a tty to run sudo 

Resolution:

Add the following line to your /etc/sudoers file:

Defaults:noliouser    !requiretty

 

6. The noliouser sudoers can impersonate myImpersonateUserId but it is not configured appropriately

The following message can be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:

sudo: no tty present and no askpass program specified 

Resolution:

Add the following line to your /etc/sudoers file:

noliouser    ALL = (myImpersonateUserId)    /<NolioAgentInstallDir>/ActionsRunner.sh
or
noliouser    ALL = (myImpersonateUserId)    NOPASSWD:/<NolioAgentInstallDir>/ActionsRunner.sh 

 

7. The myImpersonateUserId does not have appropriate resources.

The following message can be seen in the <NolioAgentInstallDir>/logs/nolio_all.log:

No privileges.

And the following message can also be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log

.../<NolioAgentInstallDir>/ActionsRunner.sh: fork: retry: Resources temporarily unavailable...

Resolution:

Compare the output of the ulimit command (run as both noliouser and myImpersonateId). Make sure that the limits for myImpersonateId are greater than or equal to the limits set for noliouser.

 

Additional Information:

Throughout this document it assumes the following:

  • The userid that owns the NolioAgent process is: noliouser
  • The userid used in the set credentials section is: myImpersonateUserId
  • The agent machine name where you are trying to run an action as another user is referred to by: myAgentMachine
  • "<NolioAgentInstallDir>" refers to the root directory where the Nolio Agent was installed (on the Nolio Agent machine where the actions are being run).
  • The "standard nolio_all message" refers to this message found in the <NolioAgentInstallDir>/logs/nolio_all.log: 
    2016-02-01 10:53:39,713 [job-32769-jobServer-32769-6:Run Command Line(P12696000.F12700000.E12701000):Run Command Line] ERROR (com.nolio.platform.shared.datamodel.Action:119) - Exception caught: com.nolio.platform.shared.datamodel.execution.remote.ProcessCreationFailedException: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.
    com.nolio.platform.shared.datamodel.execution.remote.ProcessCreationFailedException: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.
    at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.createProcessIfNeeded(ProcessesInvoker.java:313)
    at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.runExecutableOnRemoteProcess(ProcessesInvoker.java:252)
    at com.nolio.platform.shared.datamodel.ActionExecutionState.remoteProcessExecution(ActionExecutionState.java:286)
    at com.nolio.platform.shared.datamodel.ActionExecutionState.access$400(ActionExecutionState.java:39)
    at com.nolio.platform.shared.datamodel.ActionExecutionState$2.execAction(ActionExecutionState.java:109)
    at com.nolio.platform.shared.datamodel.ActionExecutionState.exec(ActionExecutionState.java:343)
    at com.nolio.platform.shared.datamodel.Action.run(Action.java:227)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at com.nolio.platform.shared.flowcontrol.LocalFlowController$JobBoundThreadFactory$1.run(LocalFlowController.java:788)
    at java.lang.Thread.run(Unknown Source)
    Caused by: java.util.concurrent.TimeoutException: [myImpersonateUserId] Process creation breach the timeout of 20000 milliseconds
    at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.waitForClient(ProcessesInvoker.java:407)
    at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.createProcessIfNeeded(ProcessesInvoker.java:297)
    ... 13 more
  • The "standard user interface error" refers to the message seen in ASAP or ROC stating: 
    Error occurred during action execution: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.

 

 

 

Instructions:
Please Update This Required Field