DX Application Performance Management

  • 1.  APM agent log permissions

    Posted Aug 29, 2016 02:09 AM

    Hey All,

     

    Have an interesting issue where two different applications on the same host, running as the same application user are creating logs with different permissions. One is setting them as 644 and the other 640. The issue for us is that our user for the log with lower perms won't allow us to read it.

     

    Does anyone know how the log permissions get set by the agent? Have had a look through the weblogic.profile, but can't see anything that refers to permissions. Not sure if this is somehow set by the agent?

     

    Thanks!



  • 2.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 29, 2016 02:15 AM

    Make sure each managed app account has RW on the ./logs.



  • 3.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 29, 2016 02:26 AM

    If you wanted to get really tight about the security, here's how I do it with my deployment script for *nix:

     

    # ACCESS is expected to be set by the calling script
    if [ "$ACCESS" = tight ]; then # wily group can read, other can't
      # read: copy the owner's read bit to the group, remove it for others
      find wily -perm -u+r | xargs -I {} chmod -h g+r "{}"
      chmod -h -R o-r wily
      # write: only the owner can write
      chmod -h -R go-w wily
      # execute: copy the owner's execute bit to the group, remove it for others
      find wily -perm -u+x | xargs -I {} chmod -h g+x "{}"
      chmod -h -R o-x wily
    else  # wily group can write, other can read
      # read
      find wily -perm -u+r | xargs -I {} chmod -h go+r "{}"
      # write
      find wily -perm -u+w | xargs -I {} chmod -h g+w "{}"
      chmod -h -R o-w wily
      # execute
      find wily -perm -u+x | xargs -I {} chmod -h go+x "{}"
    fi



  • 4.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 29, 2016 02:27 AM

    Here's another variation due to a security setting in Solaris:

     

    chown -R "$USER:$GROUP" wily

    if [ "$ACCESS" = tight ]; then # $GROUP group can read, others can't; all can write to logs
        if [ "$OS_VERSION" = "SunOS" ]; then
            find wily -perm -u+r | xargs -I {} chmod g+r {}
            chmod -R o-r wily
            chmod -R go-w wily
            chmod -R o+w wily/logs
            find wily -perm -u+x | xargs -I {} chmod g+x {}
            chmod -R o-x wily
        else
            find wily -perm -u+r | xargs -I "{}" chmod g+r "{}"
            chmod -R o-r wily
            chmod -R go-w wily
            chmod -R o+w wily/logs
            find wily -perm -u+x | xargs -I "{}" chmod g+x "{}"
            chmod -R o-x wily
        fi
    else  # $GROUP group can write, others can read; all can write to logs
        if [ "$OS_VERSION" = "SunOS" ]; then
            find wily -perm -u+r | xargs -I {} chmod go+r {}
            find wily -perm -u+w | xargs -I {} chmod g+w {}
            chmod -R o-w wily
            chmod -R o+w wily/logs
            find wily -perm -u+x | xargs -I {} chmod go+x {}
        else
            find wily -perm -u+r | xargs -I "{}" chmod go+r "{}"
            find wily -perm -u+w | xargs -I "{}" chmod g+w "{}"
            chmod -R o-w wily
            chmod -R o+w wily/logs
            find wily -perm -u+x | xargs -I "{}" chmod go+x "{}"
        fi
    fi



  • 5.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 29, 2016 10:22 AM

    Hi Daniel:

    Please let us know if the script approach that Hiko suggests is helpful in moving forward on the log permissions issue that you are having. Or does the approach suggested not address your concerns?

     

    Thanks

    Hal German



  • 6.  Re: APM agent log permissions

    Posted Aug 29, 2016 07:36 PM

    Thanks guys.

     

    We have full 777 permissions on the logs directory (it is also owned by the APM service account and group). The application user has the ability to write the logs without any problem, but the issue we are having is with the permissions it writes the individual log files as.

     

    If we change the permissions, at the next log rollover, it just reverts back to the same 640 permissions, and our APM user can't read the log files.

     

    Does that make sense?



  • 7.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 29, 2016 07:39 PM

    I should have asked this first, but what version is the agent and WebLogic?



  • 8.  Re: APM agent log permissions
    Best Answer

    Broadcom Employee
    Posted Aug 29, 2016 07:47 PM

    Hi Daniel,

    It sounds like the umask setting for the "creating userid" would be causing the change to 640 which I believe corresponds to a umask of 0027.

     

    Regards,

     

    Lynn
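
The umask effect described in the answer above, as an added example that is not part of the original thread. It shows why 0027 yields 640 and 0022 yields 644, and why a manual chmod is lost at rollover. The function names and the agent.log file name are made up, and it assumes the writer requests mode 0666 when creating the file.

```shell
#!/bin/sh
# Added illustration (not from the thread). Function names and the
# agent.log file name are hypothetical.

# Mode a new file gets when the writer asks for 0666 (assumed here, as a
# plain open-for-write normally does) under umask $1.
expected_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Permission string of file $1 as shown by ls -l, e.g. -rw-r-----
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Replay the sequence from the thread under umask $1: the log is created,
# someone runs chmod 644, then the log rolls over and is recreated.
# Prints the permission string at creation, after chmod, after rollover.
rollover_demo() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/agent.log"                   # initial log file
        before=$(perm_string "$dir/agent.log")
        chmod 644 "$dir/agent.log"             # manual fix
        fixed=$(perm_string "$dir/agent.log")
        mv "$dir/agent.log" "$dir/agent.log.1"
        : > "$dir/agent.log"                   # rollover: new file, umask applies again
        after=$(perm_string "$dir/agent.log")
        rm -rf "$dir"
        echo "$before $fixed $after"
    )
}

# Umask of a running process (Linux 4.7+ exposes it in /proc/PID/status).
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}

expected_mode 0027      # 640
expected_mode 0022      # 644
rollover_demo 0027      # -rw-r----- -rw-r--r-- -rw-r-----
```

A process inherits its umask from whatever launched it, so two applications started by different scripts can differ even under the same user; running proc_umask against each JVM's PID shows which one has the stricter mask.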



  • 9.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 30, 2016 03:47 AM

    Dear Daniel:

    Thank you for explaining the issue with more details. Was Lynn's last suggestion on the umask helpful? Please let us know.

    Thanks

    Hal German



  • 10.  Re: APM agent log permissions

    Broadcom Employee
    Posted Aug 31, 2016 07:35 AM

    Dear Daniel:

    Lynn's last response provides one method to resolve the issue once and for all. There have been no further responses or follow-up questions after a given period of time. So I am marking this as answered. You are welcome to provide details on how the solution worked or not as well as follow-up questions.

     

    Thank you

    Hal German