Adding Users to WildFly Security Realms

From NovaOrdis Knowledge Base

External

Internal

Add a User to the Application Realm

This is an example of how to add a user to the application realm with add-user.sh (add-user.bat on Windows, as in the transcript below).

C:\runtime\jboss-eap-6.0\bin>add-user.bat

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : test
Password :
Re-enter Password :

Note that, depending on the JBoss version, the script next asks about "roles" or "groups". As far as I can tell, the terms can be used interchangeably:

What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: guest
About to add user 'test' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-users.properties'
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-users.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-roles.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
yes/no? no
Press any key to continue . . .

The script modifies the following files:

${JBOSS_HOME}/standalone/configuration/application-users.properties
${JBOSS_HOME}/standalone/configuration/application-roles.properties
${JBOSS_HOME}/domain/configuration/application-users.properties
${JBOSS_HOME}/domain/configuration/application-roles.properties

A WildFly process is not required to be present in order for the operation to succeed.

Add a User to the Management Realm

This is an example of how to add a user to the management realm with add-user.sh.

The procedure can be used both for adding node users and for adding users that correspond to the identities subordinate host controllers use when connecting to the domain controller.

If the user will be used only for node access and does not correspond to a subordinate host controller, answer "no" to the question "Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls." shown below.

Note that no group needs to be specified when adding the credentials of a subordinate host controller.

nombp1:bin ovidiu$ ./add-user.sh 

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : novaordis.management.user
Password requirements are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password must not be one of the following restricted values {root, admin, administrator}
 - The password must contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password must be different from the username
Password : 
Re-enter Password : 
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
About to add user 'novaordis.management.user' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-groups.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process? 
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="bm9tdTEyMyE=" />

The script modifies the following files:

$JBOSS_HOME/standalone/configuration/mgmt-users.properties
$JBOSS_HOME/domain/configuration/mgmt-users.properties
$JBOSS_HOME/standalone/configuration/mgmt-groups.properties
$JBOSS_HOME/domain/configuration/mgmt-groups.properties

A WildFly process is not required to be present in order for the operation to succeed.
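The application-realm and management-realm procedures above both end with add-user.sh writing a users file and a roles/groups file. As an added example (not part of this page or of WildFly itself), the following Python checks those files the way an operator would after running the script: it parses the properties format, verifies that a stored entry is the hex MD5 of username:realm:password that add-user.sh writes (so a user added under the wrong realm name cannot authenticate), and reports users without roles or groups. The file contents, the user svc and the passwords are constructed samples.

```python
import hashlib
import re
from typing import Dict, List

def parse_properties(text: str) -> Dict[str, str]:
    """Parse a WildFly users/roles/groups .properties file into {key: value}.
    Comment lines ('#', add-user.sh writes a header and can disable users
    by commenting them out) and blank lines are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries

def digest_ha1(username: str, realm: str, password: str) -> str:
    """What add-user.sh stores for a user: hex MD5 of 'username:realm:password'
    (the HTTP Digest HA1). The realm name is part of the hashed input."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def entry_matches(users: Dict[str, str], username: str, realm: str, password: str) -> bool:
    """True if the stored entry is what add-user.sh writes for this realm.
    False for a known-good password usually means the user was added under
    a different realm name, a common cause of login failures."""
    return users.get(username) == digest_ha1(username, realm, password)

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

def audit(users: Dict[str, str], groups: Dict[str, str]) -> List[str]:
    """Consistency checks between a users file and its roles/groups file."""
    findings: List[str] = []
    for user, stored in users.items():
        if not HEX_MD5.match(stored):
            findings.append(f"{user}: stored value is not a 32-hex MD5 digest")
        if not groups.get(user):
            findings.append(f"{user}: no roles/groups assigned")
    for user in groups:
        if user not in users:
            findings.append(f"{user}: has roles/groups but no credentials entry")
    return findings

# Constructed sample files, not real output. 'test' mirrors the transcript
# (ApplicationRealm, role guest); 'svc' was hashed for ManagementRealm by mistake.
USERS_FILE = ("# constructed sample\n"
              f"test={digest_ha1('test', 'ApplicationRealm', 'Secret1!')}\n"
              f"svc={digest_ha1('svc', 'ManagementRealm', 'Secret2!')}\n")
ROLES_FILE = "# constructed sample\ntest=guest\n"
```

Point the parser at the real ${JBOSS_HOME}/standalone/configuration or domain/configuration files to check a live installation; the same code covers mgmt-users.properties and mgmt-groups.properties.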

For more details about the secret, see:

Server Identity Secret

Add a User to WildFly Isolated Self-Contained Standalone Profiles

When adding users to Isolated Self-Contained Standalone Profiles, make sure you use the script provided with the profile, and NOT the $JBOSS_HOME/bin script: if you use the $JBOSS_HOME/bin script, the users are added to the default user files instead of the profile's user files.

Add a User to the Management Realm as part of an Automated Procedure

add-user.sh: Add a User to the ManagementRealm as part of an Automated Procedure