Making IRIS Calls externally via scripting - Security
We currently have a couple of Shell scripts we have written to EnableConfigItem from a Unix (Red Hat) command line, so we can control when a Service/Operation is running via the cron in Unix. We do this by calling
:>iris session xxxxx
using the _SYSTEM user.
During our Security audit it was mentioned that we need to lock down some of the Cache users.
- So, have others written scripts to make IRIS calls via command line?
- If so, what is the consensus of using a Cache user vs using say a LDAP service account?
- Or what have you used in the past to ensure that the password is not hardcoded anywhere?
Product version: IRIS 2022.1
By the way, Embedded Python supports being executed without entering any passwords; you can use environment variables for that.
An easy way is to set up Operating System-based authentication
in %sys
^SECURITY
12) System parameter setup
2) Edit authentication options
Allow O/S authentication? Yes
This allows scripts like this
iris session ${INST} -U %sys << EOF
w "stopping the mirror 1 is success: " zw ##class(SYS.Mirror).StopMirror("MIRROR") h
EOF
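A cron-friendly wrapper built on this O/S-authentication approach, written here as an added example rather than code from the thread: it toggles an interoperability item with Ens.Director.EnableConfigItem, passes no credentials at all, and validates the item name before interpolating it into the ObjectScript fed to the session. Assumed (not from the thread): O/S auth is enabled, the Unix account cron runs this as is mapped to an IRIS user allowed to manage the production, and instance, namespace and item names are placeholders supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): enable or disable an interoperability
# config item from cron with no password in the script, via O/S authentication.
# Assumed: O/S auth is on, the Unix user cron runs this as is mapped to an IRIS
# user allowed to manage the production; instance/namespace/item are placeholders.
set -eu

# Reject names that could break out of the quoted ObjectScript string literal.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the ObjectScript fed to `iris session` on stdin. The RESULT= line is a
# sentinel for the shell, since the session exit code does not reflect sc.
build_script() {
  item="$1"; action="$2"
  valid_name "$item" || return 1
  case "$action" in
    enable)  flag=1 ;;
    disable) flag=0 ;;
    *) return 1 ;;
  esac
  printf 'set sc=##class(Ens.Director).EnableConfigItem("%s",%s,1)\n' "$item" "$flag"
  printf 'write $select($system.Status.IsOK(sc):"RESULT=OK",1:"RESULT=FAIL "_$system.Status.GetErrorText(sc)),!\n'
  printf 'halt\n'
}

# Succeed only when the captured session output carries the success sentinel.
check_result() {
  case "$1" in
    *RESULT=OK*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  [ $# -eq 4 ] || { echo "usage: $0 <instance> <namespace> <item> <enable|disable>" >&2; return 2; }
  script=$(build_script "$3" "$4") || { echo "bad item name or action" >&2; return 2; }
  # No credentials on the command line: O/S auth logs in as the invoking Unix user.
  out=$(printf '%s\n' "$script" | iris session "$1" -U "$2" 2>&1) || true
  printf '%s\n' "$out"
  check_result "$out"
}

# Run only when arguments are given, so the file can also be sourced for reuse.
if [ $# -gt 0 ]; then main "$@"; fi
```

The non-zero exit on RESULT=FAIL (or on a session that never logged in) is what lets the cron wrapper or monitoring notice that the item was not switched.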
Once an IRIS LDAP account exists, it does not appear to be different from a local account.
You can do this too:
iris session [instance] -U [namespace] tag^routine
While thinking about this, I am wondering if using an encryption key might be a possible solution as well; that way there is limited access to the password, and the key would just have to be updated every so often. With an AD service account, the password still needs to be updated or kept up to date, and still needs to be passed into the shell script for Terminal to open.
I have submitted the following IDEA...
https://ideas.intersystems.com/ideas/DPI-I-466