How does Powerbroker work with Discovery and Service Mapping?

tompowe
Tera Expert

Has anyone used PowerBroker with Discovery or Service Mapping? How does that even work? In our environment, to my understanding, you use a jump host and then use PowerBroker to log in to various target machines. For Discovery and Service Mapping, everything is direct via IP address. So, how would you tell Discovery or Service Mapping to log in to a Unix jump host and use that to get to another server? I'm guessing that is not how it works, so how does it work? Is this assuming that every server is being fronted by PowerBroker and that Discovery and Service Mapping would use that port, and then pbrun commands to do what it needs?

Anyone know what the architecture or flow is on this? 🙂

And please don't refer me to the one page where PowerBroker is mentioned in Docs... I've already seen it and it's not answering my questions.

1 ACCEPTED SOLUTION

Dave Ainsworth
ServiceNow Employee

Hi,

I have never used Powerbroker although a client I worked with once were considering it. So my understanding of how this works might not be totally correct but will hopefully be enough to explain how it works with ServiceNow.

If you select pbrun as the privileged command in ServiceNow, then any command where it currently uses sudo by default (such as dmidecode), uses pbrun instead. When pbrun is used on a target device, a Powerbroker daemon connects to the Powerbroker policy server to check whether the user is allowed to run that command. If a command such as uname is run where privilege escalation is not required, the command will run as the discovery user and pbrun is not used.

Therefore you still need direct access to the servers being discovered as mentioned in the pbrun section… “The instance must be able to reach the target host via SSH”. So I don’t think it is possible to use a jump host.

Regards,

Dave
