JBoss

Access Denied after enabling RBAC on JBoss EAP 6

After creating the JBoss administrator user…

[jboss@rhel7-server-1 bin]$ cd $JBOSS_HOME/bin
[jboss@rhel7-server-1 bin]$ ./add-user.sh

What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a):

Press Enter (a) to create a management user.

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : admin

After setting the username (admin in this example), choose a password that meets a few prerequisites.

The username 'admin' is easy to guess
Are you sure you want to add user 'admin' yes/no? yes
Password requirements are listed below. To modify these restrictions edit the add-user.properties configuration file.
- The password must not be one of the following restricted values {root, admin, administrator}
- The password must contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
- The password must be different from the username
Password :
Re-enter Password :

If you want to create/associate the user with a group (e.g. administrators), enter the group name(s) now, or press Enter to continue without a group.

What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
About to add user 'admin' for realm 'ManagementRealm'
Is this correct yes/no? yes

By default EAP's (simple) authentication mechanism keeps users and groups in text files. Passwords are not stored in clear text: add-user.sh writes HEX(MD5(username:realm:password)), the unsalted HTTP Digest hash, so mgmt-users.properties is crackable offline by anyone who can read it and must stay readable only by the jboss user.

Added user 'admin' to file '/opt/redhat/jboss-eap-6.3/standalone/configuration/mgmt-users.properties'
Added user 'admin' to file '/opt/redhat/jboss-eap-6.3/domain/configuration/mgmt-users.properties'
Added user 'admin' with groups to file '/opt/redhat/jboss-eap-6.3/standalone/configuration/mgmt-groups.properties'
Added user 'admin' with groups to file '/opt/redhat/jboss-eap-6.3/domain/configuration/mgmt-groups.properties'

Is this user going to be used for remote calls or by a Host Controller (Domain Mode)?

Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
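An added example (mine, not from the post) showing what that hash actually is and why the file deserves 0600 permissions: add-user.sh stores HEX(MD5(username:realm:password)), the HTTP Digest A1 value, with no salt. The script below recomputes it from a candidate password and compares it with the properties entry, which is the same computation an attacker runs offline after copying the file. The user, password and temporary file are constructed for the demo:

```shell
#!/bin/bash
# Added example (not from the post): verify a ManagementRealm credential offline
# against mgmt-users.properties. add-user.sh stores HEX(MD5("user:realm:password")),
# the HTTP Digest "A1" hash, with no salt: anyone who can read the file can run a
# dictionary attack against every account in it, so file permissions matter.
set -u

# md5 of stdin as lowercase hex (md5sum on Linux, openssl elsewhere)
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# eap_digest USER REALM PASSWORD -> the 32-hex-char value add-user.sh stores
eap_digest() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5_hex
}

# mgmt_entry USER REALM PASSWORD -> the properties line add-user.sh would write
mgmt_entry() {
    printf '%s=%s\n' "$1" "$(eap_digest "$1" "$2" "$3")"
}

# check_mgmt_password FILE USER REALM PASSWORD -> 0 if the password matches the
# stored hash, 1 if the user is missing or the password is wrong
check_mgmt_password() {
    local file=$1 user=$2 realm=$3 pass=$4 stored
    stored=$(grep -v '^#' "$file" | awk -F= -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$stored" ] || return 1
    [ "$stored" = "$(eap_digest "$user" "$realm" "$pass")" ]
}

# check_mgmt_perms FILE -> 0 if only the owner (or owner+group) can read it
check_mgmt_perms() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|640) return 0 ;; *) return 1 ;; esac
}

# Constructed sample file for the demo (user and password are made up).
DEMO_FILE=$(mktemp)
{
    echo '# username=HEX( MD5( username ":" realm ":" password))'
    mgmt_entry admin ManagementRealm 'Lab-P4ss!'
} > "$DEMO_FILE"
chmod 600 "$DEMO_FILE"

# Real use: point it at the server's file, e.g.
# check_mgmt_perms /opt/redhat/jboss-eap-6.3/standalone/configuration/mgmt-users.properties
```

Because the realm is part of the hashed string, the same password yields a different hash in a different realm, but within one realm there is nothing per-user beyond the username, so a leaked file lets an attacker test a wordlist against every account at MD5 speed.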

You open the console, go to the Administration tab and see the following message:

[screenshot: JBoss EAP 6 RBAC Auth]

Aha! Nice! I want to enable the RBAC authorization mechanism so I can create users with different management profiles (Administrator, Deployer, Monitor, Operator, etc.)…

So you copy the command, open the CLI and run it…

[jboss@rhel7-server-1 bin]$ ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect 192.168.122.65:9999
[standalone@192.168.122.65:9999 /] /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@192.168.122.65:9999 /] reload

Go back to the web console and try to log in again or run some operation…

[screenshot: jboss-eap-access-denied-after-enable-rbac]

Oops! :-/

Crap!

Yes! Enabling RBAC does not change authentication (users still log in against the ManagementRealm); it swaps the management access-control provider from simple to rbac. With the simple provider every authenticated management user has unrestricted access, so the users and groups defined in:

/opt/redhat/jboss-eap-6.3/standalone/configuration/mgmt-users.properties
/opt/redhat/jboss-eap-6.3/standalone/configuration/mgmt-groups.properties

were all you needed. With the rbac provider a user (or group) only gets the permissions of the roles it is explicitly mapped to, and that mapping lives in standalone.xml or domain.xml. Out of the box only $local (the silent local-user authentication that jboss-cli uses on the server host) is mapped to SuperUser, which is why admin is now denied:

...
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
...

So we need to map the admin user (created with add-user.sh) to one of RBAC's predefined roles. Since admin is the administrator, we associate it with the SuperUser role. To do that, run the command below in the JBoss CLI (it still works from the CLI on the server host precisely because $local remains mapped to SuperUser).

[standalone@192.168.122.65:9999 /] /core-service=management/access=authorization/role-mapping=SuperUser/include=user-admin:add(name=admin,realm=ManagementRealm,type=USER)
{"outcome" => "success"}

Done!
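The same repair as a single CLI batch, in the order that avoids the lockout in the first place: map the user to SuperUser first, then switch the provider, then reload. This is an added example, not from the post or from Red Hat; it checks that the user actually exists in mgmt-users.properties before emitting the batch (mapping a misspelled name leaves you exactly where the post started), and the JBOSS_HOME and MGMT_ADDR names in the commented invocation are assumptions:

```shell
#!/bin/bash
# Added example (not from the post): build a jboss-cli batch that maps a user to
# SuperUser BEFORE flipping the authorization provider to rbac, so the switch
# never leaves the management interface with only $local mapped.
set -u

# user_in_realm FILE USER -> 0 if USER has an entry in mgmt-users.properties
user_in_realm() {
    grep -v '^#' "$1" | awk -F= -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# rbac_batch PROPS_FILE USER [REALM] -> prints the CLI script on stdout, or
# returns 1 without output if USER is not defined in PROPS_FILE
rbac_batch() {
    local props=$1 user=$2 realm=${3:-ManagementRealm}
    user_in_realm "$props" "$user" || { echo "no such user in $props: $user" >&2; return 1; }
    cat <<EOF
batch
/core-service=management/access=authorization/role-mapping=SuperUser/include=user-$user:add(name=$user,realm=$realm,type=USER)
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
run-batch
reload
EOF
}

# mapping_before_switch SCRIPT_TEXT -> 0 if the role-mapping include comes
# before the provider change (the property that keeps you logged in)
mapping_before_switch() {
    printf '%s\n' "$1" | awk '
        /include=user-.*:add/                          { if (!m) m = NR }
        /write-attribute\(name=provider,value=rbac\)/  { p = NR }
        END { exit !(m && p && m < p) }'
}

# Constructed mgmt-users.properties for the demo (the hash value is a placeholder).
DEMO_PROPS=$(mktemp)
printf 'admin=%s\n' '0123456789abcdef0123456789abcdef' > "$DEMO_PROPS"

# Real run against a server (JBOSS_HOME and MGMT_ADDR are assumed variable names):
#   rbac_batch "$JBOSS_HOME/standalone/configuration/mgmt-users.properties" admin > /tmp/rbac.cli
#   "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller="$MGMT_ADDR:9999" --file=/tmp/rbac.cli
```

The batch/run-batch wrapper makes the two operations apply together, so there is no window in which the provider is rbac and the mapping is absent. If the lockout has already happened, the same batch still goes through from jboss-cli.sh on the server host, since $local stays mapped to SuperUser.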

Now, if you open standalone.xml, you will see the admin user associated with the SuperUser role:

...
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <user name="admin" realm="ManagementRealm"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
...

And the admin user now shows up in the console.

[screenshot: jboss-eap-after-fix-rbac]

😉


Ref: https://access.redhat.com/solutions/696693

Linux

JBoss EAP 6.x as a service on RHEL 7: systemd

Those already using RHEL 7 (or its derivatives: CentOS, OEL, Scientific Linux) have noticed that services are no longer controlled by the SysV mechanism (added with the chkconfig command). RHEL 7 uses a new service management and system initialization mechanism called systemd. For more details or an overview of systemd see references [1] and [2].

Below is a step-by-step for adding JBoss EAP 6 as a service through systemd.

Create a user named jboss. (The init script is started by systemd as root and drops to this user with runuser, so the account does not need a usable password; if you don't want an extra login path, leave it locked instead of running passwd.)

[root@rhel7-server-1 bin]# adduser jboss
[root@rhel7-server-1 bin]# passwd jboss

Install JBoss EAP in a directory of your choice. The original script suggests /usr/share/jboss-as.

I personally usually install it in /opt.

mkdir /opt/redhat
unzip /tmp/jboss-eap-6.x.zip -d /opt/redhat
chown -R jboss.jboss /opt/redhat

Create the following directories, which are used by the init script.

[root@rhel7-server-1 bin]# mkdir /etc/jboss-as
[root@rhel7-server-1 bin]# mkdir /var/log/jboss-as
[root@rhel7-server-1 bin]# mkdir /var/run/jboss-as
[root@rhel7-server-1 bin]# chown jboss.jboss /etc/jboss-as
[root@rhel7-server-1 bin]# chown jboss.jboss /var/log/jboss-as
[root@rhel7-server-1 bin]# chown jboss.jboss /var/run/jboss-as

Copy and edit the init script's auxiliary configuration file

[root@rhel7-server-1 bin]# cp init.d/jboss-as.conf /etc/jboss-as/
[root@rhel7-server-1 bin]# vim /etc/jboss-as/jboss-as.conf

Uncomment the variables and add the new ones as highlighted in the snippet below.

# General configuration for the init.d scripts,
# not necessarily for JBoss AS itself.

# Path to JBoss EAP Installation
JBOSS_HOME=/opt/redhat/jboss-eap-6.3

# The username who should own the process.
#
JBOSS_USER=jboss

# The amount of time to wait for startup
#
STARTUP_WAIT=30

# The amount of time to wait for shutdown
#
SHUTDOWN_WAIT=30

# Location to keep the console log
#
JBOSS_CONSOLE_LOG=/var/log/jboss-as/console.log

# JBoss configuration file
JBOSS_CONFIG=standalone.xml

# Public IP Address where JBoss will listen
JBOSS_PUB_BIND=192.168.122.65

# Management IP Address where JBoss will listen
JBOSS_MGMT_BIND=192.168.122.65

Make the following change to the original JBoss EAP init script (the two bind variables fall back to loopback when jboss-as.conf does not set them):

vim $JBOSS_HOME/bin/init.d/jboss-as-standalone.sh

if [ -z "$JBOSS_PUB_BIND" ]; then
    JBOSS_PUB_BIND=127.0.0.1
fi

if [ -z "$JBOSS_MGMT_BIND" ]; then
    JBOSS_MGMT_BIND=127.0.0.1
fi

JBOSS_SCRIPT="$JBOSS_HOME/bin/standalone.sh -b $JBOSS_PUB_BIND -bmanagement=$JBOSS_MGMT_BIND"

Note: by default JBoss binds to the loopback interface (localhost, 127.0.0.1). This change parametrizes the addresses on which the public and management interfaces accept external connections. Keep in mind that JBOSS_MGMT_BIND exposes the admin console (9990) and the native management port (9999) to every host that can reach that address; outside an isolated lab, leave it on 127.0.0.1 (and reach it over SSH) or restrict those ports with firewalld.

If you installed the OpenJDK JVM (the default on RHEL 7), edit the file below.
Note: if the file does not exist, create it!

vim /etc/java/java.conf
# System-wide Java configuration file -*- sh -*-

# Location of jar files on the system
JAVA_LIBDIR=/usr/share/java

# Location of arch-specific jar files on the system
JNI_LIBDIR=/usr/lib/java

# Root of all JVM installations
JVM_ROOT=/usr/lib/jvm

# You can define a system-wide JVM root here if you're not using the
# default one.
#
# If you have a base JRE package installed
# (e.g. java-1.6.0-openjdk):
JAVA_HOME=$JVM_ROOT/jre
#
# If you have a devel JDK package installed
# (e.g. java-1.6.0-openjdk-devel):
#JAVA_HOME=$JVM_ROOT/java

# Options to pass to the java interpreter
#JAVACMD_OPTS=

Create the unit file that systemd will manage, with the following content:

[jboss@rhel7-server-1 init.d]$ sudo vim /etc/systemd/system/jboss-as.service
[Unit]
Description=JBoss EAP Service
After=syslog.target network.target

[Service]
ExecStart=/opt/redhat/jboss-eap-6.3/bin/init.d/jboss-as-standalone.sh start
ExecStop=/opt/redhat/jboss-eap-6.3/bin/init.d/jboss-as-standalone.sh stop
Type=forking
PIDFile=/var/run/jboss-as/jboss-as-standalone.pid

[Install]
WantedBy=multi-user.target

Run the commands below to enable the service in systemd:

[jboss@rhel7-server-1 init.d]$ sudo chmod 644 /etc/systemd/system/jboss-as.service

[jboss@rhel7-server-1 init.d]$ sudo systemctl enable jboss-as.service
ln -s '/etc/systemd/system/jboss-as.service' '/etc/systemd/system/multi-user.target.wants/jboss-as.service'

Start the service.

[jboss@rhel7-server-1 init.d]$ sudo systemctl start jboss-as.service

[jboss@rhel7-server-1 bin]$ sudo systemctl status jboss-as.service
jboss-as.service - JBoss EAP Service
Loaded: loaded (/etc/systemd/system/jboss-as.service; enabled)
Active: active (running) since Wed 2014-11-12 22:40:58 BRST; 8s ago
Main PID: 6969 (java)
CGroup: /system.slice/jboss-as.service
├─6877 /bin/sh /opt/redhat/jboss-eap-6.3/bin/init.d/jboss-as-standalone.sh start
├─6879 runuser -s /bin/bash jboss -c ulimit -S -c 0 >/dev/null 2>&1 ; LAUNCH_JBOSS_IN_BACKGROUND=1 JBOSS_PIDFILE=/var/run/jboss-as/jboss-as-standalone.pid /opt/redha...
├─6881 bash -c ulimit -S -c 0 >/dev/null 2>&1 ; LAUNCH_JBOSS_IN_BACKGROUND=1 JBOSS_PIDFILE=/var/run/jboss-as/jboss-as-standalone.pid /opt/redhat/jboss-eap-6.3/bin/st...
├─6882 /bin/sh /opt/redhat/jboss-eap-6.3/bin/standalone.sh -b 192.168.122.65 -bmanagement=192.168.122.65 -c standalone.xml
└─6969 java -D[Standalone] -server -XX:+UseCompressedOops -verbose:gc -Xloggc:/opt/redhat/jboss-eap-6.3/standalone/log/gc.log -XX:+PrintGCDetails -XX:+PrintGCDateSta...

Nov 12 22:40:58 rhel7-server-1 systemd[1]: Starting JBoss EAP Service...
Nov 12 22:40:58 rhel7-server-1 systemd[1]: Started JBoss EAP Service.
Nov 12 22:40:58 rhel7-server-1 runuser[6879]: pam_unix(runuser:session): session opened for user jboss by (uid=0)
Nov 12 22:41:02 rhel7-server-1 jboss-as-standalone.sh[6869]: Starting jboss-as: [ OK ]

Check the service log:

[jboss@rhel7-server-1 init.d]$ tail -f /var/log/jboss-as/console.log

22:13:13,010 INFO [org.jboss.ws.common.management] (MSC service thread 1-2) JBWS022052: Starting JBoss Web Services - Stack CXF Server 4.3.0.Final-redhat-3
22:13:13,033 INFO [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-1) JBWEB003000: Coyote HTTP/1.1 starting on: http-/127.0.0.1:8080
22:13:13,081 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-4) JBAS015012: Started FileSystemDeploymentService for directory /opt/redhat/jboss-eap-6.3/standalone/deployments
22:13:13,084 INFO [org.jboss.as.remoting] (MSC service thread 1-4) JBAS017100: Listening on 127.0.0.1:4447
22:13:13,084 INFO [org.jboss.as.remoting] (MSC service thread 1-2) JBAS017100: Listening on 127.0.0.1:9999
22:13:13,338 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
22:13:13,465 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
22:13:13,465 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
22:13:13,466 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) started in 3564ms - Started 151 of 189 services (56 services are lazy, passive or on-demand)

Look at the service's PID file

[jboss@rhel7-server-1 init.d]$ cat /var/run/jboss-as/jboss-as-standalone.pid
5615

[jboss@rhel7-server-1 init.d]$ pstree -U -h -l -s 5615
systemd───jboss-as-standa───runuser───bash───standalone.sh───java───34*[{java}]
[jboss@rhel7-server-1 init.d]$
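An added check (not part of the post) for the bind change made above: with JBOSS_MGMT_BIND on the LAN address, the admin console (9990) and the native management port (9999) answer to anyone on 192.168.122.0/24, and they are guarded only by the add-user credentials and RBAC mapping from the previous post. The function parses ss -ltn or netstat output and reports management listeners that are not bound to loopback; the sample output is constructed, and the firewalld rule in the comment is one way to narrow access if remote management is really needed:

```shell
#!/bin/bash
# Added example (not from the post): find EAP management listeners that are
# reachable from the network. This parses `ss -ltn` (or `netstat -ltn`) output
# and reports any management port that is not bound to loopback.
set -u

MGMT_PORTS="9990 9999"

# exposed_mgmt_ports LISTEN_TEXT -> one "addr:port" per management listener whose
# address is not 127.0.0.1 / ::1 (wildcards 0.0.0.0, *, [::] count as exposed)
exposed_mgmt_ports() {
    printf '%s\n' "$1" | awk -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 == "LISTEN") || ($1 ~ /^tcp/ && $6 == "LISTEN") {
            addr = $4                      # Local Address:Port column in both tools
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[0-9]+$/, "", host)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            print addr
        }'
}

# mgmt_is_exposed LISTEN_TEXT -> 0 if at least one management port is exposed
mgmt_is_exposed() {
    [ -n "$(exposed_mgmt_ports "$1")" ]
}

# Constructed `ss -ltn` output (not a real capture) matching the post's bind settings,
# except that 9990 was left on loopback to show the two cases side by side.
DEMO_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    127.0.0.1:9990       *:*
LISTEN  0      128    192.168.122.65:9999  *:*
LISTEN  0      128    192.168.122.65:8080  *:*
LISTEN  0      128    *:22                 *:*'

# Live check on the server:
#   mgmt_is_exposed "$(ss -ltn)" && echo "management interface reachable from the network"
# If that is intended, at least limit who can talk to it, e.g. with firewalld:
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.122.1/32" port port="9999" protocol="tcp" accept'
#   firewall-cmd --reload
```

The check is deliberately tool-agnostic: on RHEL 7 net-tools is not installed by default, so ss is what you will usually have, but the page's netstat -tanp output has the same Local Address column.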

[1] https://access.redhat.com/articles/754933
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/chap-Managing_Services_with_systemd.html

Linux

Installing Postgres 9 on RHEL 7

I recently needed to install a Postgres DB on an RHEL 7 VM for testing, and took the opportunity to share the steps here on the blog. This walkthrough should work on any RHEL-like distro: Fedora, CentOS, Scientific Linux, OEL, etc.

The installation is as basic as possible, since this DB is only for tests and labs: no tuning or customization.
Install the following packages from the official postgresql.org repository.

[rsoares@rhel7-server-1 ~]$ sudo yum install http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/pgdg-redhat94-9.4-1.noarch.rpm
[rsoares@rhel7-server-1 ~]$ sudo yum groupinstall "PostgreSQL Database Server 9.4 PGDG"

Initialize the Postgres DB.

sudo /usr/pgsql-9.4/bin/postgresql94-setup initdb

Enable and test the Postgres service.

[rsoares@rhel7-server-1 ~]$ sudo systemctl enable postgresql-9.4.service
[rsoares@rhel7-server-1 ~]$ sudo systemctl start postgresql-9.4.service
[rsoares@rhel7-server-1 ~]$ sudo systemctl stop postgresql-9.4.service

Switch to the postgres system user.

[rsoares@rhel7-server-1 ~]$ sudo su - postgres

Edit pg_hba.conf (a sort of "firewall" for Postgres) to allow access from the VM's network. Entries are evaluated top to bottom and the first match wins; md5 means password authentication, so do not use trust on a network line.

-bash-4.2$ vim /var/lib/pgsql/9.4/data/pg_hba.conf
# TYPE  DATABASE  USER  ADDRESS           METHOD

# "local" is for Unix domain socket connections only
local   all       all                     peer
# IPv4 local connections:
host    all       all   127.0.0.1/32      ident
host    all       all   192.168.122.0/24  md5

Change the service binding so it accepts connections on any IP address of the VM.

-bash-4.2$ vim /var/lib/pgsql/9.4/data/postgresql.conf
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------

# - Connection Settings -

listen_addresses = '*' # what IP address(es) to listen on;

Log out of the postgres user.

Ctrl + D in the terminal

Start the postgres service again

[rsoares@rhel7-server-1 ~]$ sudo systemctl start postgresql-9.4.service
[rsoares@rhel7-server-1 ~]$ sudo systemctl status postgresql-9.4.service
postgresql-9.4.service - PostgreSQL 9.4 database server
Loaded: loaded (/usr/lib/systemd/system/postgresql-9.4.service; enabled)
Active: active (running) since Thu 2014-11-06 17:21:38 BRST; 1s ago
Process: 24832 ExecStop=/usr/pgsql-9.4/bin/pg_ctl stop -D ${PGDATA} -s -m fast (code=exited, status=0/SUCCESS)
Process: 25292 ExecStart=/usr/pgsql-9.4/bin/pg_ctl start -D ${PGDATA} -s -w -t 300 (code=exited, status=0/SUCCESS)
Process: 25286 ExecStartPre=/usr/pgsql-9.4/bin/postgresql94-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
Main PID: 25296 (postgres)
CGroup: /system.slice/postgresql-9.4.service
├─25296 /usr/pgsql-9.4/bin/postgres -D /var/lib/pgsql/9.4/data
├─25297 postgres: logger process
├─25299 postgres: checkpointer process
├─25300 postgres: writer process
├─25301 postgres: wal writer process
├─25302 postgres: autovacuum launcher process
└─25303 postgres: stats collector process

Confirm the service is bound to Postgres' default TCP port (5432)

[rsoares@rhel7-server-1 ~]$ netstat -tanp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:55970 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.65:22 192.168.122.1:39634 ESTABLISHED -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::47021 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
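netstat shows 5432 open on every interface, so pg_hba.conf is now the only thing between the network and the database. An added example (not from the post) that evaluates the file the way the server does, top to bottom with the first match winning and no match meaning rejection, and flags network lines that are too open. The second, deliberately bad config (a trust line for 0.0.0.0/0) is constructed to show what the audit catches; IPv4 CIDR lines only:

```shell
#!/bin/bash
# Added example (not from the post): evaluate pg_hba.conf the way the server
# does (top to bottom, first matching line wins, no match means rejected) and
# flag network entries that are too open. IPv4 CIDR host lines only; hostssl
# and hostnossl are treated like host, so the TLS distinction is ignored here.
set -u

# ip_to_int A.B.C.D -> the address as a decimal integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> 0 if IP falls inside the range
in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# hba_method CONF local|host DB USER [CLIENT_IP] -> prints the METHOD of the
# first matching line; prints "reject" and returns 1 if nothing matches
hba_method() {
    local conf=$1 want_type=$2 want_db=$3 want_user=$4 want_ip=${5:-}
    local type db user addr method
    while read -r type db user addr method; do
        case "$type" in ''|'#'*) continue ;; esac
        if [ "$type" = local ]; then
            method=$addr                  # local lines have no ADDRESS column
            [ "$want_type" = local ] || continue
        else
            [ "$want_type" = host ] || continue
            in_cidr "$want_ip" "$addr" || continue
        fi
        [ "$db" = all ]   || [ "$db" = "$want_db" ]     || continue
        [ "$user" = all ] || [ "$user" = "$want_user" ] || continue
        echo "$method"
        return 0
    done < "$conf"
    echo reject
    return 1
}

# hba_open_entries CONF -> network lines that need no password (trust) or admit
# every address (/0); empty output means nothing obviously wrong
hba_open_entries() {
    awk '!/^[[:space:]]*(#|$)/ && $1 != "local" && ($NF == "trust" || $4 ~ /\/0$/)' "$1"
}

# Constructed configs for the demo: the post's rules, and a copy with a line an
# admin might add "to make it work" that opens the database to everyone.
DEMO_HBA=$(mktemp)
cat > "$DEMO_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS           METHOD
local   all       all                     peer
host    all       all   127.0.0.1/32      ident
host    all       all   192.168.122.0/24  md5
EOF
DEMO_HBA_OPEN=$(mktemp)
{ cat "$DEMO_HBA"; echo 'host    all       all   0.0.0.0/0         trust'; } > "$DEMO_HBA_OPEN"

# Live use: hba_open_entries /var/lib/pgsql/9.4/data/pg_hba.conf
```

With the post's three lines, a client on 192.168.122.0/24 gets md5 (password), the local host gets ident, and anything else is rejected before a password is even asked for; the single trust line in the second file silently changes that last case to "no password required".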

Create a new DB user (back as the postgres user)

-bash-4.2$ createuser -d -l -P --interactive NEW_DB_USER
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Create a new database

-bash-4.2$ createdb -e -O NEW_DB_USER NEW_DB "New DataBase"
CREATE DATABASE "NEW_DB" OWNER "NEW_DB_USER";
COMMENT ON DATABASE "NEW_DB" IS 'New DataBase';

Ref:

[1] https://wiki.postgresql.org/wiki/YUM_Installation