Layer7 API Management

  • 1.  what are the use cases of mysql accounts "gateway" and "layer7" in CA API Gateway?

    Posted Jan 02, 2020 12:00 PM
    Edited by Pavansai C Jan 02, 2020 12:15 PM
    Hi all,

    we are using CA API Gateway 9.2 OVA, I could see mysql accounts named "gateway" and "layer7".
    Can you please let me know about the use cases and privileges of those accounts??

    Thanks.


  • 2.  RE: what are the use cases of mysql accounts "gateway" and "layer7" in CA API Gateway?

    Broadcom Employee
    Posted Jan 02, 2020 01:50 PM

    There is a gateway O/S user (nologin) and a gateway MySQL user; MySQL and the O/S do not share accounts.
    By default there is no layer7 MySQL login, but there is a layer7 user on the base O/S (also no login). I am not sure of the exact question.
    These are built-in users and are used for starting processes and scripts (as long as we are talking O/S, not MySQL).
    The MySQL gateway user is the primary user that makes the DB connection, as you would have configured.

    But please keep in mind that O/S and MySQL accounts are different and can have different passwords; they are not the same.

    Please let us know more specifics.




  • 3.  RE: what are the use cases of mysql accounts "gateway" and "layer7" in CA API Gateway?

    Broadcom Employee
    Posted Jan 02, 2020 03:43 PM
    Edited by Jay MacDonald Jan 02, 2020 03:47 PM
    Further to Charles' comment, at the OS level the layer7 user is the "elevated privilege" user that runs the process controller. Entries in /etc/sudoers control the elevated privileges. The OS level gateway user is the owner of the gateway process and also has some elevated privileges. As Charles pointed out, the OS user and the user in MySQL are completely unrelated - the names are the same for convenience only. There SHOULD NOT be a layer7 user in mysql. If you run the command `mysql mysql -e 'SELECT User,Host FROM user'` (yes, mysql is in there twice - first for the command and second to name the mysql database) you should only see gateway, root and the two mysql internal identities (mysql.sys and mysql.session). If you see any more than that then someone has manually added it. The gateway user in MySQL is the default account that the Gateway process uses to access the database, as reflected in the value of node.db.config.main.user in /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties.

    Cheers!

    JayMac

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 4.  RE: what are the use cases of mysql accounts "gateway" and "layer7" in CA API Gateway?

    Posted Jan 03, 2020 01:08 AM
    Charles and JayMac, 

    my understanding towards this query is as follows:
    1. OS Level
    • gateway: The OS level gateway user is the owner of the gateway process and also has some elevated privileges (built-in user with no option for login).
    • layer7: This is again a built-in user with no option for login?
    • root: What is the usage and privilege of this account exactly in the CA API Gateway 9.2 Appliance?

    2. Mysql Level
    • gateway: The gateway user in MySQL is the default account that the Gateway process uses to access the database (also, does this one have no option for login?).

    Do we have any techdoc/pdf/community post that clearly describes all the accounts in CA API Gateway 9.2 (both at the OS level and the MySQL level), so that I can have a better understanding of all accounts?


    Thanks in advance!!


  • 5.  RE: what are the use cases of mysql accounts "gateway" and "layer7" in CA API Gateway?
    Best Answer

    Broadcom Employee
    Posted Jan 03, 2020 01:39 AM
    Re: OS layer7 user - look at /etc/passwd and /etc/shadow. The account has /bin/bash as the shell but the passwd is !!, ergo no, it cannot be used to log in UNLESS someone enables it by setting a password.

    Re: OS root user: The Gateway is a stripped down Linux system and, as I recall, there must be a uid 0 account, which is typically named "root". It has full privilege on the system, although it can only be logged in via the first console or via the sudo system. The only remote access allowed to a Gateway is via ssh, and root is not allowed access (per /etc/ssh/sshd_config and /etc/ssh/sshh_allowed_users) for security reasons. Remote root access can be enabled by altering those files.

    Re: MySQL Gateway user: The OS user and the MySQL user are unrelated (as Charles pointed out). The same naming is a matter of convenience. It is nothing more than the default account by which the Gateway process accesses the database.

    There is no techdoc/pdf/community-post of which I am aware that covers this, as it is pretty straight forward stuff for a Linux system and rarely comes up.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
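
The checks JayMac describes in replies 3 and 5 (no extra rows in mysql.user, layer7 with a bash shell but a locked shadow entry, sudoers rules for layer7, root blocked from ssh, and the db user named in node.properties) collected into one audit script. This is an added example, not code from the thread or from Broadcom. Each check reads its input as text so the script runs offline against the constructed samples at the bottom; on an appliance you would feed it the real command and file output named in the comments. The expected MySQL identities and file paths are the ones quoted in the thread; the sample inputs, the hypothetical sudoers rule and the `example-task` path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Account audit for a Layer7 / CA API Gateway appliance (added example; not
# from the thread or from Broadcom). Every check takes its input as text so it
# can run offline against the constructed samples below. On an appliance, pass
# the output of the commands and files named in each comment instead.

# Per JayMac: only these identities should exist in mysql.user on a 9.2 appliance.
EXPECTED_MYSQL_USERS="gateway mysql.session mysql.sys root"

# Input: output of   mysql mysql -e 'SELECT User,Host FROM user'
# Output: space-separated User values not in EXPECTED_MYSQL_USERS (empty when
# the table is clean). A "layer7" row here means someone added it by hand.
unexpected_mysql_users() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_MYSQL_USERS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NR == 1 { next }                 # skip the "User Host" header row
        !($1 in ok) { print $1 }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Input: one line of /etc/shadow. Output: "locked" when the password field is
# !!, ! or * (no usable password, the state the thread describes for layer7),
# otherwise "enabled" (someone set a password, or the field is empty).
shadow_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!!'|'!'|'*') echo locked ;;
        *)            echo enabled ;;
    esac
}

# Input: one line of /etc/passwd. Output: the login shell (field 7).
# /bin/bash here plus "locked" from shadow_state is the expected layer7 state.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Input: contents of /etc/ssh/sshd_config. Output: the first uncommented
# PermitRootLogin value (sshd honours the first match) or "unset".
permit_root_login() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Input: a user name and the contents of /etc/sudoers. Output: the rules
# granted directly to that user (Defaults, comments and group rules excluded).
sudoers_rules_for() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print }'
}

# Input: contents of /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties.
# Output: the MySQL account the Gateway process connects with.
node_db_user() {
    printf '%s\n' "$1" | sed -n 's/^node\.db\.config\.main\.user=//p'
}

# ---- Constructed sample inputs (not captured from a real appliance) ----
SAMPLE_MYSQL_USERS='User Host
gateway localhost
root localhost
mysql.session localhost
mysql.sys localhost
layer7 %'
SAMPLE_SHADOW_LAYER7='layer7:!!:18263:0:99999:7:::'
SAMPLE_PASSWD_LAYER7='layer7:x:1001:1001::/home/layer7:/bin/bash'
SAMPLE_SSHD='#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes'
# The sudoers rule below is hypothetical, not the appliance default.
SAMPLE_SUDOERS='Defaults requiretty
# hypothetical rule for illustration only
layer7 ALL=(root) NOPASSWD: /usr/local/bin/example-task'
SAMPLE_NODE_PROPS='node.id=example
node.db.config.main.user=gateway'

# ---- Report (on an appliance, swap the samples for live file/command output) ----
echo "unexpected mysql users : $(unexpected_mysql_users "$SAMPLE_MYSQL_USERS")"
echo "layer7 OS shell        : $(passwd_shell "$SAMPLE_PASSWD_LAYER7")"
echo "layer7 OS password     : $(shadow_state "$SAMPLE_SHADOW_LAYER7")"
echo "PermitRootLogin        : $(permit_root_login "$SAMPLE_SSHD")"
echo "layer7 sudo rules      : $(sudoers_rules_for layer7 "$SAMPLE_SUDOERS")"
echo "gateway db user        : $(node_db_user "$SAMPLE_NODE_PROPS")"
```

On the constructed sample the report flags `layer7` as an unexpected MySQL row (exactly the situation the original poster saw), shows the OS layer7 account with a bash shell but a locked password, and shows root ssh login disabled. A non-empty `unexpected mysql users` line or an `enabled` layer7 password is the cue to find out who changed it.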