Starting Talend JobServer with sudo

Start Talend JobServer with sudo to grant it the permissions required for privileged operations, such as accessing specific resources or using restricted ports.

Important: If you have already started Jobs from this server, it is recommended to remove the directory <jobserver_path>/TalendJobServerFiles before restarting the server with sudo. This helps avoid unexpected authorizations on already deployed Jobs or cached files.

Procedure

Set directory permissions for the trusted users:
1. Add each user (for example, a user called subuser) allowed to execute tasks to the root group and the group of the user (for example, a user called myuser) owning the parent directories of Talend JobServer:
  Example
```
> sudo usermod -a -G myuser_group subuser
> sudo usermod -a -G root subuser           
```
2. Grant execute permissions to the group in all required directories by executing chmod g+rx /<directory_path>:
  Example
```
chmod g+rx /opt
chmod g+rx /opt/talend
chmod g+rx /opt/talend/Talend-JobServer
chmod g+rx /opt/talend/Talend-JobServer/TalendJobServersFiles
chmod g+rx /opt/talend/Talend-JobServer/TalendJobServersFiles/cache
chmod g+rx /opt/talend/Talend-JobServer/TalendJobServersFiles/cache/lib               
```
  The parent folders of the Talend-JobServer folder in this example are for demonstration purposes only. They highlight the necessity of granting the execute permission at each level of the directory structure to ensure correct functioning.
  Information noteNote: The read permissions for the group are only required for deployed files.
Configure umask for the user launching Talend JobServer to control file permissions.

The term umask is the short way to call a user-file-creation-mask command. This setting controls default file and directory permissions when new files or directories are created.
1. Set the user's profile with the following umask command:
  Example
```
umask u=rwx,g=rx,o=
```
  This is equivalent to umask 0027.
  This configuration ensures:
  - Directories have group authorization r-x.
  - Files have group authorization r--.
  - No authorizations for others.
Start Talend JobServer using the following command:
Example
```
sudo sh start_rs.sh
```
Information noteImportant: If you do not use sudo, Jobs will stop responding because a password prompt will be required on the JobServer side.

Starting Talend JobServer with pre-configured sudo privileges

To avoid the need for repetitive sudo commands, configure the system’s sudoers file to automate permissions for specific commands required by Talend JobServer.

Procedure

Change the sudoers file on the machine that runs Talend JobServer, using the sudo visudo command.
Edit the sudoers file to specify user and command aliases.
Example
```
# ...
# User alias specification
User_Alias JOB_SERVER = jerry
                        
# Cmnd alias specification
Cmnd_Alias RUN_JOB = /bin/ps, /usr/bin/java, /bin/sh, /bin/grep, /bin/kill
                        
# ...
# Add after the line: %sudo	ALL=(ALL:ALL) ALL
JOB_SERVER      ALL=(jules,jim) NOPASSWD: RUN_JOB
```
In this example, user jerry starts Talend JobServer. Tasks must run under the permissions of existing users, jules and jim.

The Talend JobServer process started by jerry is allowed to execute the following commands as jules or jim:
```
/bin/ps
/usr/bin/java
/bin/sh
/bin/grep
/bin/kill
```
For security reasons, do not allow more commands.

Results

User jerry can start Talend JobServer by running sh start_rs.sh instead of sudo sh start_rs.sh.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here