Adding Users to WildFly Security Realms

From NovaOrdis Knowledge Base

Add a User to the Application Realm

This is an example of how to add a user to the application realm with add-user.sh (add-user.bat on Windows, as in the session below).

C:\runtime\jboss-eap-6.0\bin>add-user.bat

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : test
Password :
Re-enter Password :
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: guest
About to add user 'test' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-users.properties'
Added user 'test' to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-users.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\standalone\configuration\application-roles.properties'
Added user 'test' with roles guest to file 'C:\runtime\jboss-eap-6.0\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
yes/no? no
Press any key to continue . . .

The script modifies the following files:

${JBOSS_HOME}/standalone/configuration/application-users.properties
${JBOSS_HOME}/standalone/configuration/application-roles.properties
${JBOSS_HOME}/domain/configuration/application-users.properties
${JBOSS_HOME}/domain/configuration/application-roles.properties

A WildFly process is not required to be present in order for the operation to succeed.

Add a User to the Management Realm

This is an example of how to add a user to the management realm with add-user.sh.

The procedure can be used both for adding node users and for adding users that correspond to the identities subordinate host controllers use when connecting to the domain controller.

If this user will be used only for node access and it does not correspond to a subordinate host controller, answer "no" to "Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls." below.

nombp1:bin ovidiu$ ./add-user.sh 

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : novaordis.management.user
Password requirements are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password must not be one of the following restricted values {root, admin, administrator}
 - The password must contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password must be different from the username
Password : 
Re-enter Password : 
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: DomainManagement
About to add user 'novaordis.management.user' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-users.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/standalone/configuration/mgmt-groups.properties'
Added user 'novaordis.management.user' with groups DomainManagement to file '/Users/ovidiu/runtime/jboss-eap-6.3/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process? 
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="bm9tdTEyMyE=" />

The script modifies the following files:

$JBOSS_HOME/standalone/configuration/mgmt-users.properties
$JBOSS_HOME/domain/configuration/mgmt-users.properties
$JBOSS_HOME/standalone/configuration/mgmt-groups.properties
$JBOSS_HOME/domain/configuration/mgmt-groups.properties

A WildFly process is not required to be present in order for the operation to succeed.

For more details about the secret, see:

WildFly Security Concepts#Secret
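
A post-run check for the two procedures above, as an added example that is not part of the original page or of WildFly. It confirms the user landed in both the standalone and domain copies of the users and groups/roles files, flags files that "other" can access, and shows that the secret printed for server-identities is only Base64-encoded. Function names and finding labels are assumptions; the paths are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not from the original page): audit the files add-user.sh
# reports writing. Function names and finding labels are assumptions.

# audit_realm_user JBOSS_HOME USER KIND    KIND is "mgmt" or "application"
# Prints one finding per line; returns 0 only when there are none.
audit_realm_user() {
    home=$1 user=$2 kind=$3 findings=0
    case $kind in
        mgmt)        users=mgmt-users.properties
                     grants=mgmt-groups.properties ;;
        application) users=application-users.properties
                     grants=application-roles.properties ;;
        *) echo "unknown realm kind: $kind" >&2; return 2 ;;
    esac
    # add-user.sh writes to the standalone and the domain configuration alike.
    for mode in standalone domain; do
        for name in "$users" "$grants"; do
            f=$home/$mode/configuration/$name
            if [ ! -f "$f" ]; then
                echo "MISSING $f"; findings=$((findings + 1)); continue
            fi
            # Compare the key literally: dots in a username are not wildcards.
            if ! awk -F= -v u="$user" '$1 == u { hit = 1 } END { exit !hit }' "$f"
            then
                echo "NO-ENTRY $f"; findings=$((findings + 1))
            fi
            # The users files hold password digests; "other" needs no access.
            if [ -n "$(find "$f" \( -perm -004 -o -perm -002 \))" ]; then
                echo "WORLD-ACCESS $f"; findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# decode_secret VALUE: the value of <secret value="..."/> is the Base64
# encoding of the password, so read access to it is access to the password.
decode_secret() {
    printf '%s' "$1" | base64 -d
}
```

A user added with a blank group or role list has no line in the groups/roles file, so NO-ENTRY on those files is expected in that case.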



Add a User to the Management Realm as part of an Automated Procedure

add-user.sh: Add a User to the ManagementRealm as part of an Automated Procedure