Adding Users to WildFly Security Realms
Latest revision as of 18:35, 18 October 2016
External
- EAP Documentation - Add a User to a Security Realm: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#Add_a_User_to_a_Security_Realm1
Internal
- WildFly Security Realms: Adding Users to Security Realms
- add-user.sh
Add a User to the Application Realm
This is an example of how to add a user to the application realm with add-user.sh (add-user.bat on Windows).

C:\runtime\jboss-eap-6.0\bin>add-user.bat

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : test
Password :
Re-enter Password :
Note that, depending on the JBoss version, the script next asks about "roles" or "groups". As far as I can tell, the two terms are used interchangeably:

What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]: guest
About to add user 'test' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-users.properties'
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-users.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-roles.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
yes/no? no
Press any key to continue . . .
The script modifies the following files (the paths match the ones reported in the script output above):

${JBOSS_HOME}/standalone/configuration/application-users.properties
${JBOSS_HOME}/standalone/configuration/application-roles.properties
${JBOSS_HOME}/domain/configuration/application-users.properties
${JBOSS_HOME}/domain/configuration/application-roles.properties
A WildFly process is not required to be present in order for the operation to succeed.
Add a User to the Management Realm
This is an example of how to add a user to the management realm with add-user.sh.

The procedure can be used both for adding node users and for adding users that correspond to the identities subordinate host controllers use when connecting to the domain controller.

If the user will be used only for node access and does not correspond to a subordinate host controller, answer "no" to the question "Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls." shown below.

Note that no group needs to be specified when adding authentication for a subordinate host controller.

nombp1:bin ovidiu$ ./add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : novaordis.management.user
Password requirements are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password must not be one of the following restricted values {root, admin, administrator}
 - The password must contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password must be different from the username
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
About to add user 'novaordis.management.user' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-groups.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="bm9tdTEyMyE=" />
The script modifies the following files:

$JBOSS_HOME/standalone/configuration/mgmt-users.properties
$JBOSS_HOME/domain/configuration/mgmt-users.properties
$JBOSS_HOME/standalone/configuration/mgmt-groups.properties
$JBOSS_HOME/domain/configuration/mgmt-groups.properties
A WildFly process is not required to be present in order for the operation to succeed.
For more details about the secret, see: WildFly Security Concepts: Server Identity Secret
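The following is an added example, not code from the page or from the add-user.sh script, showing what the script actually stores: it checks a candidate password against the policy the script prints above, builds the `username=HEX(MD5("username:realm:password"))` line that add-user.sh of this era writes to mgmt-users.properties / application-users.properties, verifies a credential against such a file, and shows that the printed `<secret value="..."/>` is only the base64 encoding of the plaintext password. The realm, user and password values are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample values for this example (not the page's credentials).
REALM = "ManagementRealm"
USERNAME = "example.management.user"
PASSWORD = "Ex4mple!pass"


def check_password_policy(username, password):
    """Return the list of violated rules from the policy add-user.sh prints:
    not a restricted value, >= 8 chars, 1 letter, 1 digit, 1 symbol, != username."""
    problems = []
    if password.lower() in {"root", "admin", "administrator"}:
        problems.append("restricted value")
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric symbol")
    if password == username:
        problems.append("same as username")
    return problems


def properties_entry(username, realm, password):
    """Line written to the *-users.properties file: username=HEX(MD5(user:realm:password)).
    The realm name is part of the hashed input, so an entry is only valid for that realm."""
    digest = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{username}={digest}"


def verify_against_properties(username, realm, password, properties_text):
    """Check a credential against the text of a users .properties file (comments skipped)."""
    expected = properties_entry(username, realm, password)
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line == expected:
            return True
    return False


def server_identity_secret(password):
    """The <secret value="..."/> the script prints is base64 of the plaintext password,
    an encoding rather than a hash, so the host.xml carrying it needs file protection."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")
```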
Add a User to WildFly Isolated Self-Contained Standalone Profiles
When adding users to Isolated Self-Contained Standalone Profiles, make sure you use the script provided with the profile, and NOT the $JBOSS_HOME/bin script: if you use the $JBOSS_HOME/bin script, the users are not added to the profile's user files but to the default user files.