WildFly 10.0.0 RBAC Custom roles - wildfly

In my project I need to create a custom role for WildFly management, as the predefined roles are not enough for me. We are using WildFly 10.0.0 in standalone mode (using the standalone-full.xml configuration file). The server is running on CentOS Linux 7.
What I need is to allow a certain role to manage configuration (e.g. changing the logging level) while managing deployments is restricted. So far I have enabled RBAC on the server and tried different roles, but none of them meets my requirements. I have dug around a little on the internet and have not found any solution yet. So my question is: is there any way to achieve this with the current setup (standalone mode, no LDAP)? And if yes, how do I do it?

WildFly supplies two ways to authorize, simple and rbac, and the default is simple. So if you want to use rbac, you should first configure some roles in simple mode and then switch to rbac; otherwise you will not be able to log in to the WildFly management web UI.
Below is my example configuration:
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
<role name="Administrator">
<include>
<user realm="ManagementRealm" name="admin"/>
<user realm="ApplicationRealm" name="sample"/>
</include>
</role>
<role name="Auditor"/>
<role name="Monitor"/>
<role name="Operator"/>
<role name="Deployer">
<include>
<group realm="ApplicationRealm" name="common"/>
<user realm="ApplicationRealm" name="sample"/>
<user realm="ManagementRealm" name="deployer"/>
</include>
</role>
</role-mapping>
</access-control>
You can configure roles in the management UI under the "Access Control" tab.
Notice: please make sure you have added the user with "user-add.sh".
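The answer's warning is that flipping provider to rbac without a usable administrative mapping locks you out of the management UI. As an added example (not from the original post), a pre-flight check that reads the <access-control> block of a standalone-full.xml and confirms that a named user or group, not just $local, holds SuperUser or Administrator; the sample XML is constructed to mirror the mapping above.

```python
import xml.etree.ElementTree as ET

# Roles whose holders can still administer (and undo) the access-control setup.
ADMIN_ROLES = {"SuperUser", "Administrator"}

# Constructed sample mirroring the answer's mapping; in a real standalone-full.xml
# the element sits inside <management> and carries the urn:jboss:domain namespace.
SAMPLE_XML = """<management xmlns="urn:jboss:domain:4.0">
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser"><include><user name="$local"/></include></role>
<role name="Administrator"><include>
<user realm="ManagementRealm" name="admin"/></include></role>
<role name="Monitor"/>
<role name="Deployer"><include>
<user realm="ManagementRealm" name="deployer"/></include></role>
</role-mapping>
</access-control>
</management>"""

def _local(tag):
    """Strip the namespace ElementTree prefixes to tags as {uri}name."""
    return tag.rsplit("}", 1)[-1]

def rbac_preflight(xml_text):
    """Return (provider, admin_principals, problems) for an <access-control> block.

    An empty problems list means a named management principal keeps
    administrative access once provider="rbac" is active, so the switch
    will not lock you out of the web console.
    """
    root = ET.fromstring(xml_text)
    ac = next((e for e in root.iter() if _local(e.tag) == "access-control"), None)
    if ac is None:
        return None, set(), ["no <access-control> element found"]
    provider = ac.get("provider", "simple")
    admins, problems = set(), []
    for role in (e for e in ac.iter() if _local(e.tag) == "role"):
        members = [p for p in role.iter() if _local(p.tag) in ("user", "group")]
        if role.get("name") in ADMIN_ROLES:
            admins.update(m.get("name") for m in members)
    # $local only matches the CLI on the same host; it is not a web-UI login.
    if not (admins - {"$local"}):
        problems.append("no named user or group is mapped to SuperUser/Administrator; "
                        "switching to rbac would leave only same-host CLI ($local) access")
    return provider, admins, problems

if __name__ == "__main__":
    print(rbac_preflight(SAMPLE_XML))
```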

Related

DB2 driver settings in Websphere Liberty

I have an application running in WebSphere Liberty that uses DB2 on z/OS. I have set the DB2 driver properties in DB2JCCConfiguration.properties. How can I make sure that the server has picked up the properties I have set? I am not sure how to verify the trace to see if the properties are applied to the server.
To configure a datasource (for any backend DB) with Liberty, you can add configuration like this to your server.xml:
<featureManager>
<feature>jdbc-4.2</feature>
</featureManager>
<library id="driver-library">
<fileset dir="/path/to/driver/dir" includes="*.jar"/>
</library>
<dataSource id="DefaultDataSource" jndiName="jdbc/myDB">
<jdbcDriver libraryRef="driver-library"/>
<properties.db2.jcc serverName="example.db.hostname.com" portNumber="50000"
databaseName="myDB"
user="exampleUser"
password="examplePassword"
currentSchema="xyz"
fullyMaterializeInputStreams="true"/>
</dataSource>
To test if your configuration is correct and that your Liberty server can connect to your DB2 database, add the following configuration:
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>restConnector-2.0</feature>
<feature>jdbc-4.2</feature>
</featureManager>
<!-- Any security mechanism can be used, <quickStartSecurity> is the simplest -->
<quickStartSecurity userName="admin" userPassword="admin"/>
And then go to: https://localhost:9443/ibm/api/validation/dataSource/DefaultDataSource
(this assumes your <dataSource> id is DefaultDataSource)
For more info, see this cheat sheet: https://aguibert.github.io/openliberty-cheat-sheet/#_ibm_db2

Glassfish4 JMX Configuration using asadmin

I have GlassFish 4 and want to make JMX listen only on localhost and disable TLS and security via asadmin.
I can do the same via the Admin Web UI, but I am not sure how to do that via asadmin.
The command below updates the jmx-connector property under admin-config, but I need a similar change under default-config.
asadmin set server.admin-service.jmx-connector.system.security-enabled=false
The above updates domain.xml under:
<config name="server-config">
.....
<admin-service system-jmx-connector-name="system" type="das-and-server">
<jmx-connector address="localhost" port="8686" name="system" auth-realm-name="admin-realm" security-enabled="false">
<ssl tls-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" client-auth="want" cert-nickname="server"></ssl>
</jmx-connector>
<property name="adminConsoleContextRoot" value="/admin"></property>
<property name="adminConsoleDownloadLocation" value="${com.sun.aas.installRoot}/lib/install/applications/admingui.war"></property>
<property name="ipsRoot" value="${com.sun.aas.installRoot}/.."></property>
<das-config></das-config>
</admin-service>
....
</config>
I need to update the values under default-config like this:
<config name="default-config">
.....
<admin-service system-jmx-connector-name="system">
<jmx-connector address="localhost" port="${JMX_SYSTEM_CONNECTOR_PORT}" name="system" auth-realm-name="admin-realm" security-enabled="false">
<ssl ssl3-enabled="false" tls-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" client-auth="want" cert-nickname="glassfish-instance"></ssl>
</jmx-connector>
<property name="adminConsoleDownloadLocation" value="${com.sun.aas.installRoot}/lib/install/applications/admingui.war"></property>
<das-config></das-config>
</admin-service>
....
</config>
Please guide me on how to do this via the CLI using asadmin.
If this helps: to update the same from the Admin UI, go to Configurations --> default-config --> JMX Connector / SSL.
Thanks.
After reading a lot, I found out:
asadmin set configs.config.default-config.admin-service.jmx-connector.system.address=localhost
asadmin set configs.config.default-config.admin-service.jmx-connector.system.security-enabled=false

Spring XD - Mail source configuration - how to provide password

I created a mail stream with the following command:
stream create --name mailstream --definition "mail --host=imap.gmail.com --username=yyyyyyyy12@gmail.com --password=my password | file --dir=/tmp/gmailData" --deploy
Refer: http://docs.spring.io/spring-xd/docs/1.0.0.BUILD-SNAPSHOT/reference/html/#modules
But in the xd-singlenode console I get:
Caused by: javax.mail.AuthenticationFailedException: failed to connect, no password specified?
How do I resolve this issue?
Also, --password=secret: how do I keep my password invisible or secret in the XD shell?
/shankha
You need to escape "@" with "%40" for both username and password and to specify --port=993 for Gmail. Also, it may not work with the default settings, as Gmail requires SSL for IMAP and this needs to be configured as well.
So, I would suggest the following (basically, creating a new source module):
1. Go to spring-xd-1.0.0.M6\xd\modules\source, make a copy of the mail folder and name this copy gmail.
2. Go to spring-xd-1.0.0.M6\xd\modules\source\gmail\config and rename mail.properties and mail.xml to gmail.properties and gmail.xml respectively.
3. Inside gmail.xml replace everything with:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/integration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:file="http://www.springframework.org/schema/integration/file"
xmlns:int-mail="http://www.springframework.org/schema/integration/mail"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/integration/mail http://www.springframework.org/schema/integration/mail/spring-integration-mail.xsd
http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<channel id="output" />
<int-mail:mail-to-string-transformer
charset="${charset}" input-channel="transform" output-channel="output" />
<beans:beans profile="use-polling">
<int-mail:inbound-channel-adapter
store-uri="${protocol}://${username:}:${password:}@${host}:${port}/${folder}"
channel="transform" should-mark-messages-as-read="${markAsRead}"
should-delete-messages="${delete}" java-mail-properties="javaMailProperties">
<poller fixed-delay="${fixedDelay}" time-unit="SECONDS">
<advice-chain>
<beans:bean
class="org.springframework.xd.dirt.module.support.ThreadContextClassLoaderSetterAdvice" />
</advice-chain>
</poller>
</int-mail:inbound-channel-adapter>
</beans:beans>
<beans:beans profile="use-idle">
<int-mail:imap-idle-channel-adapter
store-uri="${protocol}://${username:}:${password:}@${host}:${port}/${folder}"
channel="transform" auto-startup="true" mail-filter-expression="${expression}"
should-mark-messages-as-read="${markAsRead}"
should-delete-messages="${delete}" java-mail-properties="javaMailProperties">
</int-mail:imap-idle-channel-adapter>
</beans:beans>
<beans:beans profile="default">
<util:properties id="javaMailProperties">
<beans:prop key="mail.imap.socketFactory.class">javax.net.ssl.SSLSocketFactory</beans:prop>
<beans:prop key="mail.imap.socketFactory.fallback">false</beans:prop>
<beans:prop key="mail.store.protocol">imaps</beans:prop>
<beans:prop key="mail.debug">false</beans:prop>
</util:properties>
</beans:beans>
</beans:beans>
4. In the XD shell, you will now use something like the following to create your stream:
stream create --name myGmailStream --definition "gmail --host=imap.gmail.com --username=yyyyyyyy12%40gmail.com --password=my_password --port=993 | file --dir=/tmp/gmailData" --deploy
Here, please note the following:
I added --port=993
the username contains "%40" instead of "@"
the definition of the stream starts with "gmail"
if your password contains "@" you need to replace that with "%40" as well
What I've done above is, basically, to create a new custom module (a source), which is fairly easy (you can find more details about this in the documentation). The XD single node or the XD shell doesn't even need to be restarted. Give it a try and let me know how it goes.
Regarding the password that you don't want to appear as part of the stream definition, you can provide it as part of your mail module options, as described here: http://docs.spring.io/spring-xd/docs/1.0.0.BUILD-SNAPSHOT/reference/html/#_module_configuration
i.e.
<xd_home>/config/modules/source/mail/mail.properties:
password: yourpassword
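The answer's fix is that an "@" inside the username or password must be percent-encoded as %40 before it is spliced into the store-uri, because an unescaped "@" is a URI delimiter. As an added example (not from the original post or from Spring XD), a builder that encodes the userinfo the way the module's store-uri expects, plus a strict RFC 3986 parser that rejects the raw form instead of guessing which "@" separates the credentials from the host; the credentials are constructed and nothing here contacts Gmail.

```python
import re
from urllib.parse import quote, unquote

# RFC 3986 authority: userinfo may not contain an unescaped '@', ':' (beyond the
# user/password separator) or '/', so this strict pattern refuses to guess.
_STORE_URI = re.compile(
    r"^(?P<protocol>[a-z][a-z0-9+.-]*)://"
    r"(?:(?P<username>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/@]+)(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<folder>[^@]*))?$")

def build_store_uri(protocol, username, password, host, port, folder="INBOX"):
    """Assemble the value the mail module's store-uri resolves to.

    quote(..., safe='') percent-encodes '@' (%40), ':' (%3A) and '/' (%2F) in
    the credentials, so nothing in them can be read as a URI delimiter.
    """
    return (f"{protocol}://{quote(username, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{folder}")

def parse_store_uri(uri):
    """Strictly parse a store URI; return None when it is not well-formed.

    On success the username and password are percent-decoded back to the
    original credentials and the port is an int.
    """
    m = _STORE_URI.match(uri)
    if not m:
        return None
    d = m.groupdict()
    d["username"] = unquote(d["username"] or "")
    d["password"] = unquote(d["password"] or "")
    d["port"] = int(d["port"]) if d["port"] else None
    return d

if __name__ == "__main__":
    # Constructed credentials, shaped like the stream definition in the question.
    raw = "imaps://yyyyyyyy12@gmail.com:my_password@imap.gmail.com:993/INBOX"
    good = build_store_uri("imaps", "yyyyyyyy12@gmail.com", "my_password",
                           "imap.gmail.com", 993)
    print(parse_store_uri(raw))   # None: two '@' in the authority, rejected
    print(parse_store_uri(good))  # decoded username/password, host and port
```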

403 error while deploying with tomcat client deployer

I have some trouble using the Tomcat Client Deployer (TCD) with a local Tomcat installation. Specifically, I get a 403 error while trying to deploy a simple helloworld web application, which leads me to the conclusion that something is not quite right with my tomcat-users.xml.
I just cannot see what it is.
Here's the relevant build.xml snippet:
<!-- Configure the folder and context path for this application -->
<property name="webapp" value="helloworld"/>
<property name="path" value="/helloworld"/>
<!-- Configure properties to access the Manager application -->
<property name="url" value="http://localhost:8080/manager/text"/>
<property name="username" value="deploymgr"/>
<property name="password" value="s3cret"/>
tomcat-users.xml:
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="tomcat"/>
<user username="deploymgr" password="s3cret" roles="manager-script"/>
<user username="tomcat" password="tomcat" roles="tomcat, manager-gui, manager-jmx, manager-status"/>
</tomcat-users>
deployer.properties:
build=D:/apache-tomcat-7.0.16-deployer/work
webapp=D:/apache-tomcat-7.0.16-deployer/helloworld/
path=/helloworld
url=http://localhost:8080/manager
username=deploymgr
password=s3cret
and when I try to deploy the application, I get the following error message:
D:\apache-tomcat-7.0.16-deployer>ant deploy
Buildfile: D:\apache-tomcat-7.0.16-deployer\build.xml
Trying to override old definition of datatype resources
deploy:
[echo] name: deploymgr, pass: s3cret, url: http://localhost:8080/manager
BUILD FAILED
D:\apache-tomcat-7.0.16-deployer\build.xml:92: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/manager/deploy?path=%2Fhelloworld&update=true
The only thing I find weird is that the error message URL contains "%2F" instead of a forward slash... could it be that the user configuration is actually correct and I get the 403 simply because of the URL escape code? (I'm working under Windows Vista.)
Can someone help me out on this? Oh, and of course the application deploys flawlessly through the user interface :-1
Thanks very much in advance.
Perhaps an update on this issue... I've made a mistake in the deployer.properties file. The parameter "url" has to be the same as in build.xml above.
deployer.properties, correctly:
build=D:/apache-tomcat-7.0.16-deployer/work
webapp=D:/apache-tomcat-7.0.16-deployer/helloworld/
path=/helloworld
url=http://localhost:8080/manager/text
username=deploymgr
password=s3cret
now it works!

Deploying a datasource w/ JAAS login module as a .sar in jboss

Does anyone have experience bundling a datasource (-ds.xml) definition + login-config.xml as a service archive in jboss? I've been fighting with this for awhile to no avail. I'm just looking for some pointers on how I should be laying the .sar out. I want the .sar to ultimately live in a .ear. Any pointers greatly appreciated!
This is a relatively straightforward task.
Your EAR file needs to have the following layout:
my-app.ear
|+ META-INF
|  |+ application.xml and jboss-app.xml
|+ myapp.war
|+ myapp.jar
|+ lib
|+ my-ds.xml
|+ my-login-module-service.xml
where my-ds.xml contains the datasource definition as usual. my-login-module-service.xml defines an MBean based on the DynamicLoginConfig class. These modules are then referenced within jboss-app.xml (the custom JBoss deployment descriptor), as demonstrated here:
<jboss-app>
<module>
<service>my-login-module-service.xml</service>
</module>
<module>
<service>my-ds.xml</service>
</module>
</jboss-app>
The easiest way to create the Login Module definition is to use the support for embedded XML documents as attribute values. Such a config (my-login-module-service.xml) will look like this:
<server>
<mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
name="jboss:service=DynamicLoginConfig">
<attribute name="PolicyConfig" serialDataType="jbxb">
<jaas:policy xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd" xmlns:jaas="urn:jboss:security-config:4.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<jaas:application-policy name="userinrole">
<jaas:authentication>
<jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
<jaas:module-option name="my-policy-123">
<ur:users xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd" xmlns:ur="urn:jboss:user-roles:1.0">
<ur:user name="admin" password="admin123">
<ur:role name="MyUserRole"></ur:role>
<ur:role name="AdminUser"></ur:role>
</ur:user>
</ur:users>
</jaas:module-option>
<jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
</jaas:login-module>
</jaas:authentication>
</jaas:application-policy>
</jaas:policy>
</attribute>
<depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
<depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
</mbean>
</server>
You can verify successful deployment using the JNDIView bean (java:/jaas/my-policy-123 in this example).
For a deployment including custom classes it's better to choose SAR archive deployment together with the custom code. In such a case you can separate the MBean definition and the Login Module config (META-INF/jboss-service.xml):
<server>
<mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
<attribute name="AuthConfig">META-INF/login-config.xml</attribute>
<depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
<depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
</mbean>
</server>
META-INF/login-config.xml will then contain your policy configuration.
I'm using this approach on JBoss AS 4.x.
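Both the Liberty dataSource in the DB2 answer above and the JBoss XMLLoginModule policy here carry credentials as literal attribute values (password="examplePassword", password="admin123"). As an added example (not from either post), a small scanner that walks a descriptor and reports every password-like attribute or element whose value is neither Liberty securityUtility output ({xor}/{aes}) nor a ${...} variable reference; the two fragments are constructed to mirror the configs shown on this page.

```python
import xml.etree.ElementTree as ET

# Values that are not literal secrets: Liberty securityUtility output ({xor}/{aes})
# and variable references resolved at start-up (${env.DB_PASSWORD} and the like).
_SAFE_PREFIXES = ("{xor}", "{aes}", "${")

def _local(tag):
    """Strip the {namespace} part ElementTree prefixes to tag names."""
    return tag.rsplit("}", 1)[-1]

def _path(elem, parents):
    return "/".join(_local(e.tag) for e in parents + [elem])

def find_plaintext_passwords(xml_text):
    """Return [(element path, attribute or element name, value)] for every
    password-like attribute or element that still holds a literal value."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, parents):
        for attr, value in elem.attrib.items():
            if "password" in attr.lower() and not value.startswith(_SAFE_PREFIXES):
                findings.append((_path(elem, parents), attr, value))
        text = (elem.text or "").strip()
        if "password" in _local(elem.tag).lower() and text \
                and not text.startswith(_SAFE_PREFIXES):
            findings.append((_path(elem, parents), _local(elem.tag), text))
        for child in elem:
            walk(child, parents + [elem])

    walk(root, [])
    return findings

# Constructed fragments shaped like the configs shown on this page; the {xor}
# value is what securityUtility encode produces for the string "admin".
LIBERTY_XML = """<server>
<dataSource id="DefaultDataSource" jndiName="jdbc/myDB">
<properties.db2.jcc serverName="example.db.hostname.com" portNumber="50000"
databaseName="myDB" user="exampleUser" password="examplePassword"/>
</dataSource>
<quickStartSecurity userName="admin" userPassword="{xor}PjsyNjE="/>
</server>"""

JBOSS_XML = """<ur:users xmlns:ur="urn:jboss:user-roles:1.0">
<ur:user name="admin" password="admin123"><ur:role name="AdminUser"/></ur:user>
</ur:users>"""

if __name__ == "__main__":
    for doc in (LIBERTY_XML, JBOSS_XML):
        print(find_plaintext_passwords(doc))
```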