IBM Streams 4.2.1

Linux users and IBM Streams jobs

To determine which Linux user has the authority to run the jobs for an IBM® Streams instance, you must first determine which user is running the domain controller services for your domain. The security implications of the instance.runAsUser and instance.canSetPeOSCapabilities property settings also need to be considered.

Identifying which Linux user runs IBM Streams jobs

When you use SSH to start domain controller services, they run as the user that starts the domain.
When resources are individually installed and domain controller services are running as system services, the domain controller services run as the user that was specified when registering the domain controller services as system services.
Note: A domain might contain a mixture of resources, for example, resources with domain controller services started by using SSH and resources with domain controller services started as system services.

Understanding user authority to run IBM Streams jobs

If the instance.runAsUser property is not specified, the instance services and PE processes run as the domain controller service user. If this occurs, PE processes on different systems might be running as different users even for the same job.

If instance.runAsUser=operating_system_user is specified, instance services and PE processes run as the operating_system_user on all instance resources. If instance.canSetPeOSCapabilities=true is specified, the PE processes in the IBM Streams instance can run with special operating system capabilities. These settings are only valid when domain controller services are running as system services.

Important: Using the instance.runAsUser=operating_system_user or instance.canSetPeOSCapabilities=true setting allows PEs to run as a specified user or with special operating system capabilities. These settings have implications for system security in a domain. In addition, an IBM Streams application bundle file (.sab file) or toolkit operator model might contain capability specifications that allow the PEs to run with capabilities such as increased operating system user privileges. If you are using these settings:

Only a root user can register a resource to run as a system service.
Any IBM Streams user who can create an instance in a domain can set the instance.runAsUser and instance.canSetPeOSCapabilities properties. By default, this is a user with DomainAdmistrator role.
Any IBM Streams user that can set instance properties can set the instance.runAsUser property. By default this is a user with the DomainAdmistrator or the InstanceAdministrator role.
Any IBM Streams user who can set domain properties can set the instance.canSetPeOSCapabilities property for an instance. By default, this is a user with the DomainAdmistrator role.
Any IBM Streams user that can submit a job to an instance with the instance.runAsUser and instance.canSetPeOSCapabilities properties set can have a job run on a resource with increased operating system user privileges. By default, this is a user with the DomainAdmistrator, InstanceAdministrator, or InstanceUser role.
It is important to use sufficient file system permissions on an IBM Streams application bundle (.sab) file that is submitted to an instance with the instance.runAsUser and instance.canSetPeOSCapabilities properties set. Ensure that the file system permissions restrict which users can provide or modify application bundle files.