WildFly Management Interfaces: Difference between revisions
(26 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
* [[WildFly]] | * [[WildFly]] | ||
* [[WildFly Networking Concepts]] | |||
=Relevance= | |||
* EAP 6 | |||
* EAP 7 | |||
=Overview= | =Overview= | ||
WildFly core management functionality is exposed via two different management interfaces (the terms ''management interfaces'' and ''management APIs'' are used interchangeably): | WildFly core management functionality is exposed in EAP 6 via two different management interfaces (the terms ''management interfaces'' and ''management APIs'' are used interchangeably): | ||
* Native API - used by the Management [[WildFly CLI|CLI]] | * Native API - used by the Management [[WildFly CLI|CLI]] and exposed over the [[WildFly_Management_Interfaces#The_Native_API_Endpoint|the native API endpoint]]. | ||
* HTTP API - used by the Management [[WildFly CLI|CLI]] and the web-based [[WildFly Management Console|Management Console]]. | * HTTP API - used by the Management [[WildFly CLI|CLI]] and the web-based [[WildFly Management Console|Management Console]], and exposed over the [[WildFly_Management_Interfaces#The_HTTP_Endpoint|the HTTP endpoint]]: | ||
<pre> | |||
<server> | |||
<management> | |||
... | |||
<management-interfaces> | |||
<native-interface security-realm="ManagementRealm"> | |||
<socket-binding native="management-native"/> | |||
</native-interface> | |||
<http-interface security-realm="ManagementRealm"> | |||
<socket-binding http="management-http"/> | |||
</http-interface> | |||
</management-interfaces> | |||
... | |||
</pre> | |||
These two interfaces offer distinct ways to access the same core management system. | These two interfaces offer distinct ways to access the same core management system. | ||
In EAP 7 standalone mode, there is just one, HTTP-based management interface, which listens on 9990: | |||
<pre> | |||
<server> | |||
<management> | |||
... | |||
<management-interfaces> | |||
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true"> | |||
<socket-binding http="management-http"/> | |||
</http-interface> | |||
</management-interfaces> | |||
... | |||
</pre> | |||
However, in EAP 7 domain mode, the domain controller still maintains a native interface, alongside the HTTP one. This is a host.xml fragment: | |||
<pre> | |||
<management-interfaces> | |||
<native-interface security-realm="ManagementRealm"> | |||
<socket interface="management" port="${jboss.management.native.port:9999}"/> | |||
</native-interface> | |||
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true"> | |||
<socket interface="management" port="${jboss.management.http.port:9990}"/> | |||
</http-interface> | |||
</management-interfaces> | |||
</pre> | |||
=Diagram= | =Diagram= | ||
[[Image:WildFlyManagementInterfacesConcepts.png| | [[Image:WildFlyManagementInterfacesConcepts.png]] | ||
=The Native API Endpoint= | |||
The Native API endpoint is the entry point for management clients that rely on the native protocol to integrate with the management layer. It uses an open binary protocol and an RPC-style API based on a small number of Java types to describe and execute management operations. It is used by the [[WildFly CLI|CLI]] management tool, but offers integration capabilities for other clients too. | |||
Note that in [[WildFly_Domain_Mode_Concepts#Domain_Mode|domain mode]], the [[WildFly_Domain_Mode_Concepts#Subordinate_Host_Controller|subordinate host controllers]] use the native API endpoint to connect to the [[WildFly_Domain_Mode_Concepts#Domain_Controller|domain controller]]. | |||
The default value for the native API endpoint port is 9999. | |||
<font color=red>TODO: Document the differences in the configuration of the native and http management endpoints for a standalone instance vs. host controller. For structure, look at: [[JMX_Access_to_Standalone_EAP_6#Server_Endpoint]] and [[JMX_Access_to_EAP_6_Host_Controller#Server_Endpoint]].</font> | |||
=The HTTP Endpoint= | |||
The default value for the native API endpoint port is 9990. | |||
=Configuration= | =Configuration= | ||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | <blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | ||
:[[WildFly Management | :[[WildFly Management API Configuration]] | ||
</blockquote> | </blockquote> | ||
=Security= | =Security= | ||
Core management authentication is responsible for securing the management | Core management authentication is responsible for securing the management interfaces. Core management authentication is built into the core management and it is enabled and configured as a [[WildFly Core Services|core service]] by default. | ||
The management APIs relies on the [[WildFly Security Realms#Management_Realm|Management Realm]] for authentication and authorization needs: in order to access the management API functionality, a user need to successfully authenticate against the Management Realm. Note that by default, no roles are required to access the management APIs, authentication is sufficient. | |||
=JMX Management Beans= | =JMX Management Beans= | ||
The management API is also exposed as JMX Management Beans. These Management Beans are referred to as ''core mbeans''. Prior to WildFly, the management functionality was primarily JMX based. With WildFly, the core management does not rely on JMX to perform operations, JMX exposed beans are now just an alternative mechanism, in addition to the native and HTTP interfaces | The management API is also exposed as JMX Management Beans. These Management Beans are referred to as ''core mbeans''. Prior to WildFly, the management functionality was primarily JMX based. With WildFly, the core management does not rely on JMX to perform operations, JMX exposed beans are now just an alternative mechanism, in addition to the native and HTTP interfaces. | ||
JMX clients can connect to the JMX Management Beans over the same native management interface. | |||
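Review bot: under the added "=The HTTP Endpoint=" heading, the line "The default value for the native API endpoint port is 9990." repeats the native-endpoint sentence and names the wrong endpoint. It should refer to the HTTP endpoint, consistent with the Overview text in this same revision, which says the HTTP-based interface listens on 9990 and gives 9999 for the native port. Also in the Overview bullets, the new link labels begin with "the" while the sentence already ends in "over the", so the text renders as "over the the native API endpoint" and "over the the HTTP endpoint"; drop one of the two.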
Latest revision as of 20:15, 20 March 2017
Internal
Relevance
- EAP 6
- EAP 7
Overview
WildFly core management functionality is exposed in EAP 6 via two different management interfaces (the terms management interfaces and management APIs are used interchangeably):
- Native API - used by the Management CLI and exposed over the native API endpoint.
- HTTP API - used by the Management CLI and the web-based Management Console, and exposed over the HTTP endpoint:
<pre>
<server>
    <management>
        ...
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
        ...
</pre>
These two interfaces offer distinct ways to access the same core management system.
In EAP 7 standalone mode, there is just one, HTTP-based management interface, which listens on 9990:
<pre>
<server>
    <management>
        ...
        <management-interfaces>
            <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
        ...
</pre>
However, in EAP 7 domain mode, the domain controller still maintains a native interface, alongside the HTTP one. This is a host.xml fragment:
<pre>
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket interface="management" port="${jboss.management.http.port:9990}"/>
    </http-interface>
</management-interfaces>
</pre>
Diagram
The Native API Endpoint
The Native API endpoint is the entry point for management clients that rely on the native protocol to integrate with the management layer. It uses an open binary protocol and an RPC-style API based on a small number of Java types to describe and execute management operations. It is used by the CLI management tool, but offers integration capabilities for other clients too.
Note that in domain mode, the subordinate host controllers use the native API endpoint to connect to the domain controller.
The default value for the native API endpoint port is 9999.
TODO: Document the differences in the configuration of the native and http management endpoints for a standalone instance vs. host controller. For structure, look at: JMX_Access_to_Standalone_EAP_6#Server_Endpoint and JMX_Access_to_EAP_6_Host_Controller#Server_Endpoint.
The HTTP Endpoint
The default value for the HTTP endpoint port is 9990.
Configuration
Security
Core management authentication is responsible for securing the management interfaces. Core management authentication is built into the core management and it is enabled and configured as a core service by default.
The management APIs rely on the Management Realm for authentication and authorization: to access the management API functionality, a user needs to successfully authenticate against the Management Realm. Note that by default, no roles are required to access the management APIs; authentication is sufficient.
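An added example (not part of the original page and not WildFly code): a small Python audit that reads a management-interfaces fragment like the ones in the Overview, reports the security realm and port of each management interface, and flags any interface that names no security-realm. The sample XML is the page's host.xml fragment with the realm removed from the HTTP interface, constructed here to exercise the check; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the host.xml fragment from this page, with the
# security-realm attribute removed from http-interface to trigger the flag.
SAMPLE = """
<management-interfaces>
  <native-interface security-realm="ManagementRealm">
    <socket interface="management" port="${jboss.management.native.port:9999}"/>
  </native-interface>
  <http-interface http-upgrade-enabled="true">
    <socket interface="management" port="${jboss.management.http.port:9990}"/>
  </http-interface>
</management-interfaces>
"""

# Matches a whole-value expression of the form ${name} or ${name:default}.
EXPR = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")

def local(tag):
    """Strip an XML namespace prefix ({uri}name) from an element tag."""
    return tag.rsplit("}", 1)[-1]

def resolve(value, props=None):
    """Resolve ${name:default} from props, falling back to the default."""
    m = EXPR.match(value or "")
    if not m:
        return value
    return (props or {}).get(m.group(1), m.group(2))

def audit(xml_text, props=None):
    """Return one record per native-interface / http-interface element."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = local(el.tag)
        if kind not in ("native-interface", "http-interface"):
            continue
        sock = next((c for c in el
                     if local(c.tag) in ("socket", "socket-binding")), None)
        attrs = dict(sock.attrib) if sock is not None else {}
        realm = el.get("security-realm")
        findings.append({
            "kind": kind,
            "realm": realm,
            "port": resolve(attrs.get("port"), props),
            "binding": attrs.get("native") or attrs.get("http"),
            "flag": realm is None,  # interface names no security realm
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Passing a dictionary of system properties as the second argument makes the port resolution reflect overrides such as jboss.management.http.port instead of the defaults written in the file.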
JMX Management Beans
The management API is also exposed as JMX Management Beans. These Management Beans are referred to as core mbeans. Prior to WildFly, the management functionality was primarily JMX based. With WildFly, the core management does not rely on JMX to perform operations; JMX-exposed beans are now just an alternative mechanism, in addition to the native and HTTP interfaces.
JMX clients can connect to the JMX Management Beans over the same native management interface.