Question:
I have an action that I would like to run as a specific user on my Linux/Unix servers. I have configured the action (via ASAP->Action->Properties tab or ROC -> Action -> Settings tab) to use:
Set Credentials -> Use the following credentials
where I set the desired <username> and <password> that I want my action to run as. But when running the action it returns:
Error occurred during action execution: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.
Why does this error occur?
Environment:
Release Automation: All Versions
Release Automation Agent on Linux
Answer:
This article is specific to running actions on Linux. If you are receiving the message above while using the impersonation feature on Windows then review TEC1388242
There are a few scenarios that will generate this message when running it on Linux/Unix. This article will go through the known conditions for which this error is returned - one by one. For each one of these issues the standard nolio_all message is seen. Each condition described below will highlight additional log messages you can use to isolate the cause. See additional information for standards used throughout this article.
- The agent times out waiting for the sub-process to connect.
- The noliouser does not have access to execute processes on behalf of myImpersonateUserId
- The myImpersonateUserId does not have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files
- The myImpersonateUserId does not have access to any folders/files except <NolioAgentInstallDir>/jre
- The noliouser does not have "Defaults:noliouser !requiretty" in sudoers
- The noliouser sudoers can impersonate myImpersonateUserId but it is not configured appropriately.
- The myImpersonateUserId does not have appropriate resources.
1. Agent times out waiting for the sub-process to connect
If this is the cause for the standard user interface error then the following message is typically seen inside of the nolio_all.log:
2016-02-01 10:53:41,937 [ProcessInvoker-Server-0] DEBUG (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:485) - Handling remote process request...
2016-02-01 10:53:42,045 [ProcessInvoker-Server-0] INFO (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:495) - new user process connected: myImpersonateUserId
2016-02-01 10:53:42,045 [ProcessInvoker-Server-0] ERROR (com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker:510) - error handling remote process connection for user myImpersonateUserId
java.lang.IllegalStateException: cannot find process for user myImpersonateUserId
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.handleClient(ProcessesInvoker.java:498)
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.run(ProcessesInvoker.java:461)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2016-02-01 10:53:41,940 [main] DEBUG (root:186) - [myImpersonateUserId] connect successfully. sending username myImpersonateUserId
2016-02-01 10:54:41,914 [Thread-0] INFO (root:394) - [myImpersonateUserId] process of user myImpersonateUserId is up
2016-02-01 10:55:17,352 [HealthMonitor] DEBUG
Also, the following messages are typically logged to the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/LISAReleaseAutomationAgent/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/LISAReleaseAutomationAgent/actionslib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]NolioSocketAppender is not ready yet!
10:53:41,775 [main] DEBUG (ProcessesConfig.java:89) - remote process execution properties:{cmd.to.execute=./SudoActionsRunner.sh, max.processes=5, core.agent.instance.action.threads=10, max.process.action.threads=5, server.timeout=20000, ssh.port=22, grant.permissions=false, max.idle.time.in.seconds=900, process.timeout=20000}[NolioSocketAppender is not initialized yet] [null] remote process execution properties:{cmd.to.execute=./SudoActionsRunner.sh, max.processes=5, core.agent.instance.action.threads=10, max.process.action.threads=5, server.timeout=20000, ssh.port=22, grant.permissions=false, max.idle.time.in.seconds=900, process.timeout=20000}
10:53:41,812 [main] INFO (ProcessesConfig.java:128) - ProcessInvoker properties:processCreationTimeout-20000, serverInitializationTimeout-20000, grantPermissions-false, coreAgentInstanceActionThreads-10, maxAgentInstanceActionThreads-40, maxRemoteProcesses-5, maxRemoteProcessActionThreads-5, maxIdleTimeInSeconds-900, cmdToExe-./SudoActionsRunner.sh, sshPort-22[NolioSocketAppender is not initialized yet] [null] ProcessInvoker properties:processCreationTimeout-20000, serverInitializationTimeout-20000, grantPermissions-false, coreAgentInstanceActionThreads-10, maxAgentInstanceActionThreads-40, maxRemoteProcesses-5, maxRemoteProcessActionThreads-5, maxIdleTimeInSeconds-900, cmdToExe-./SudoActionsRunner.sh, sshPort-22ActionRunner is running
10:53:41,847 [main] INFO (ActionsRunner.java:137) - changing log configuration[NolioSocketAppender is not initialized yet] [null] changing log configuration
10:53:41,940 [main] DEBUG (ActionsRunner.java:186) - connect successfully. sending username myImpersonateUserId
10:54:41,914 [Thread-0] INFO (ActionsRunner.java:394) - process of user myImpersonateUserId is up
Resolution:
Increase the <NolioAgentInstallDir>/conf/processes.properties value for "process.timeout". By default it is 20000 (20 seconds).
2. Noliouser does not have access to execute processes on behalf of myImpersonateUserId
If this is the cause of the standard user interface error then the following message is usually seen in the myImpersonateUserId_output.log:
sudo: no tty present and no askpass program specified
You can usually confirm this by logging into myAgentMachine as noliouser and run:
sudo -u mymyImpersonateUserId echo test
Good result output:
test
Bad result:
Sorry, user noliouser is not allowed to execute '/bin/echo test' as myImpersonateUserId on myAgentMachine.
Resolution:
Add one (only one) of the following lines to the /etc/sudoers file:
noliouser ALL=(myImpersonateUserId) NOPASSWD:ALL
noliouser ALL=(ALL) NOPASSWD:ALL
noliouser ALL=(myImpersonateUserId) ALL
noliouser ALL=(ALL) ALL
3. The myImpersonateUserId does not have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files
When the myImpersonateUserId doesn't have r-x access to <NolioAgentInstallDir>/jre folder/files and sub folder/files the following message may be logged to the myImpersonateUserId_output.log
./ActionsRunner.sh: line 14: ./jre/bin/NolioAgent: Permission denied
Resolution:
chmod -R 755 <NolioAgentInstallDir>/jre
4. The myImpersonateUserId does not have access to any folders/files except <NolioAgentInstallDir>/jre
When the myImpersonateUserId does not have access to the files/folders (except <NolioAgentInstallDir>/jre) then the myImpersonateUserId_output.log gets created but is blank.
Resolution:
chmod -R 755 <NolioAgentInstallDir>
5. The noliouser does not have "Defaults:noliouser !requiretty" in sudoers
The following message can be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:
sudo: sorry, you must have a tty to run sudo
Resolution:
Add the following line to your /etc/sudoers file:
Defaults:noliouser !requiretty
6. The noliouser sudoers can impersonate myImpersonateUserId but it is not configured appropriately
The following message can be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log:
sudo: no tty present and no askpass program specified
Resolution:
Add the following line to your /etc/sudoers file:
noliouser ALL = (myImpersonateUserId) /<NolioAgentInstallDir>/ActionsRunner.sh
or
noliouser ALL = (myImpersonateUserId) NOPASSWD:/<NolioAgentInstallDir>/ActionsRunner.sh
7. The myImpersonateUserId does not have appropriate resources.
The following message can be seen in the <NolioAgentInstallDir>/logs/nolio_all.log:
No privileges.
And the following message can also be seen in the <NolioAgentInstallDir>/logs/myImpersonateUserId_output.log
.../<NolioAgentInstallDir>/ActionsRunner.sh: fork: retry: Resources temporarily unavailable...
Resolution:
Compare the output of the ulimit command (run as both noliouser and myImpersonateId). Make sure that the limits for myImpersonateId are greater than or equal to the limits set for noliouser.
Additional Information:
Throughout this document it assumes the following:
- The userid that owns the NolioAgent process is: noliouser
- The userid used in the set credentials section is: myImpersonateUserId
- The agent machine name where you are trying to run an action as another user is referred to by: myAgentMachine
- "<NolioAgentInstallDir>" refers to the root directory where the Nolio Agent was installed (on the Nolio Agent machine where the actions are being run).
- The "standard nolio_all message" refers to this message found in the <NolioAgentInstallDir>/logs/nolio_all.log:
2016-02-01 10:53:39,713 [job-32769-jobServer-32769-6:Run Command Line(P12696000.F12700000.E12701000):Run Command Line] ERROR (com.nolio.platform.shared.datamodel.Action:119) - Exception caught: com.nolio.platform.shared.datamodel.execution.remote.ProcessCreationFailedException: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.
com.nolio.platform.shared.datamodel.execution.remote.ProcessCreationFailedException: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.createProcessIfNeeded(ProcessesInvoker.java:313)
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.runExecutableOnRemoteProcess(ProcessesInvoker.java:252)
at com.nolio.platform.shared.datamodel.ActionExecutionState.remoteProcessExecution(ActionExecutionState.java:286)
at com.nolio.platform.shared.datamodel.ActionExecutionState.access$400(ActionExecutionState.java:39)
at com.nolio.platform.shared.datamodel.ActionExecutionState$2.execAction(ActionExecutionState.java:109)
at com.nolio.platform.shared.datamodel.ActionExecutionState.exec(ActionExecutionState.java:343)
at com.nolio.platform.shared.datamodel.Action.run(Action.java:227)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at com.nolio.platform.shared.flowcontrol.LocalFlowController$JobBoundThreadFactory$1.run(LocalFlowController.java:788)
at java.lang.Thread.run(Unknown Source)
Caused by: java.util.concurrent.TimeoutException: [myImpersonateUserId] Process creation breach the timeout of 20000 milliseconds
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.waitForClient(ProcessesInvoker.java:407)
at com.nolio.platform.shared.datamodel.execution.remote.ProcessesInvoker.createProcessIfNeeded(ProcessesInvoker.java:297)
... 13 more - The "standard user interface error" refers to the message seen in ASAP or ROC stating:
Error occurred during action execution: Unable to run action for user myImpersonateUserId. Verify the user running Nolio agent has privileges to impersonate other users, and that user myImpersonateUserId has permissions on Nolio installation folder.