The Curity Identity Server provides a way to run scripts when a configuration transaction has been committed. This can be useful to run administrative tasks, such as logging, backup or sending external events.
Put the scripts in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts and <IDSVR_HOME>/usr/bin/post-commit-scripts (see details below); no reload or restart is required for the Curity Identity Server to pick them up. The log file <IDSVR_HOME>/var/log/post-commit-scripts.log contains the output of the scripts and audit data about scripts that were run or skipped.
Note
Both types of scripts have access to the same environment variables as the Curity Identity Server. For the .cli scripts, $EPOCH_TIMESTAMP is also available; its value is the epoch timestamp at which the script is executed.
CLI commit hook scripts can be very useful for exporting the current configuration. They take advantage of the Command Line Interface.
The Curity Identity Server executes all .cli files in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts within the command-line-interface context when a configuration change has been committed.
Example: Export a full configuration backup as XML:
show configuration | display xml | save /tmp/config-backup.${EPOCH_TIMESTAMP}.xml
Example: Create a JSON file listing the currently active nodes:
show environments environment services runtime-service | display json | save /tmp/runtime-service.${EPOCH_TIMESTAMP}.json
Example: Export the configuration into multiple XML files:
show configuration profiles profile <authentication-profile-id> | display xml | save /tmp/authentication-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration profiles profile <token-service-profile-id> | display xml | save /tmp/token-service-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration facilities | display xml | save /tmp/facilities-backup.${EPOCH_TIMESTAMP}.xml
show configuration processing | display xml | save /tmp/processing-backup.${EPOCH_TIMESTAMP}.xml
show configuration aaa | display xml | save /tmp/aaa-backup.${EPOCH_TIMESTAMP}.xml
show configuration nacm | display xml | save /tmp/nacm-backup.${EPOCH_TIMESTAMP}.xml
CLI scripts that contain the commit command are ignored, because a commit inside a post-commit hook would trigger the hook again and cause cyclic behavior.
The Curity Identity Server executes all executable files under <IDSVR_HOME>/usr/bin/post-commit-scripts when a configuration change has been committed.
Example: Send an email to notify of a configuration change.
#!/bin/bash
T=`date +%s`
ADMIN_EMAIL="admin@example.com"
echo "Sending email to ${ADMIN_EMAIL}"
mail -s "Configuration updated" ${ADMIN_EMAIL} << EOF
AutoGenerated email from Curity Identity Server
Current timestamp: ${T}
EOF
Example: Use the idsh command to export all procedures and write each one out as a JavaScript file.
Warning
Be careful when using idsh within a post-commit script. Accidentally committing a (non-idempotent) change here could cause an infinite loop.
#!/bin/bash
# Exports every procedure script to /tmp/<epoch>/<type>[/<subtype>]/<name>.js
T=`date +%s`
TARGET=/tmp/${T}
mkdir -p ${TARGET}

# Exports procedures of a type whose CLI path is "<type> <name>".
function _export_procedures() {
    type=$1
    # One line per procedure, e.g. "filter-procedure my-filter;"
    procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")
    while IFS= read -r procedure
    do
        [ -z "$procedure" ] && continue   # no procedures of this type
        procedure=$(echo $procedure | sed 's/\;//g')
        name=$(echo $procedure | awk '{split($0, column, " "); print column[2]}')
        echo "Exporting procedure $type $name"
        # The script is stored base64-encoded; keep only the value after "script"
        b64_script=$(idsh <<< "show configuration processing procedures $type $name script")
        b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
        mkdir -p $TARGET/$type
        # GNU base64 decodes with -d (on macOS use -D)
        echo $b64_script | base64 -d > $TARGET/$type/$name.js
    done <<< "$procedures"
}

# Exports procedures whose CLI path is "<type> <name> <subtype>", e.g. token procedures.
function _export_procedures_with_subtype() {
    type=$1
    procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")
    while IFS= read -r procedure
    do
        [ -z "$procedure" ] && continue   # no procedures of this type
        procedure=$(echo $procedure | sed 's/\;//g')
        name=$(echo $procedure | awk '{split($0, column, " "); print column[2]}')
        subtype=$(echo $procedure | awk '{split($0, column, " "); print column[3]}')
        echo "Exporting token procedure $type $name"
        b64_script=$(idsh <<< "show configuration processing procedures $type $name $subtype script")
        b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
        mkdir -p $TARGET/$type/$subtype
        echo $b64_script | base64 -d > $TARGET/$type/$subtype/$name.js
    done <<< "$procedures"
}

_export_procedures_with_subtype token-procedure
_export_procedures filter-procedure
_export_procedures transformation-procedure
_export_procedures event-listener-procedure
_export_procedures validation-procedure
Since post-commit scripts run after a transaction has been committed but before its locks have been released, it is advisable not to run long-running tasks in them.
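The following is an added example and is not part of the Curity Identity Server documentation or product. It is a post-commit script for <IDSVR_HOME>/usr/bin/post-commit-scripts that records a SHA-256 digest of each committed configuration in an append-only audit log (so unexpected or out-of-band commits can be spotted by comparing consecutive entries) and defers any slow work to a detached process, in line with the advice above about lock duration. It assumes the CLI hook from the first CLI example writes /tmp/config-backup.<epoch>.xml; the variable names (BACKUP_DIR, AUDIT_LOG, STATE_FILE), helper functions (latest_backup, digest, record_commit, run_detached) and the script name post-commit-audit.sh are this example's own choices.

```shell
#!/bin/bash
# Added example (not part of the Curity Identity Server documentation or product):
# a post-commit script that keeps a digest-based record of every committed
# configuration and hands slow work to a detached process so the hook returns fast.
# Assumed: the CLI commit hook writes /tmp/config-backup.<epoch>.xml. All paths,
# variable and function names below are this example's own choices.
set -u

BACKUP_DIR="${BACKUP_DIR:-/tmp}"                       # where the CLI hook saves backups
AUDIT_LOG="${AUDIT_LOG:-/tmp/config-audit.log}"        # one line appended per commit
STATE_FILE="${STATE_FILE:-/tmp/config-audit.state}"    # sha256 of the last recorded backup

# Newest backup file; the 10-digit epoch in the name sorts lexically until 2286.
latest_backup() {
    ls -1 "$BACKUP_DIR"/config-backup.*.xml 2>/dev/null | sort | tail -n 1
}

# Hex SHA-256 digest of a file.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Append an audit line for this commit. Returns 0 when the exported configuration
# differs from the previously recorded one and 1 when it is byte-for-byte identical
# (a commit that changed nothing), so callers can react only to real changes.
record_commit() {
    backup="$1"
    new_hash=$(digest "$backup")
    prev_hash=""
    if [ -f "$STATE_FILE" ]; then
        prev_hash=$(cat "$STATE_FILE")
    fi
    if [ "$new_hash" = "$prev_hash" ]; then
        status="unchanged"
    else
        status="changed"
    fi
    # $EPOCH_TIMESTAMP is only provided to .cli scripts, so fall back to date(1).
    printf '%s ts=%s file=%s sha256=%s prev=%s\n' \
        "$status" "${EPOCH_TIMESTAMP:-$(date +%s)}" "$backup" "$new_hash" "${prev_hash:-none}" \
        >> "$AUDIT_LOG"
    printf '%s\n' "$new_hash" > "$STATE_FILE"
    [ "$status" = "changed" ]
}

# Run a slow command detached from the hook, so the hook finishes (and the
# configuration locks are released) without waiting for it. Prints the PID.
run_detached() {
    nohup "$@" >/dev/null 2>&1 &
    echo $!
}

main() {
    backup=$(latest_backup)
    if [ -z "$backup" ]; then
        echo "no config backup found in $BACKUP_DIR" >&2
        return 2
    fi
    if record_commit "$backup"; then
        echo "configuration changed: $backup (recorded in $AUDIT_LOG)"
        # Placeholder for the slow task, e.g. shipping the backup off the host.
        run_detached gzip -k "$backup" >/dev/null
    else
        echo "commit left the exported configuration unchanged"
    fi
}

# Only run main when executed as the post-commit script itself (not when sourced).
case "${0##*/}" in
    post-commit-audit.sh) main ;;
esac
```

Each audit line carries the digest of the previous entry, so a gap or mismatch between consecutive lines is visible when the log is reviewed, and the detached task never holds the commit open.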