Bug 1119496

Summary: Agent's default user group should be changed/added to group jboss to fix permission bug when used with other JBoss branded products
Product: [JBoss] JBoss Operations Network
Reporter: Larry O'Leary <loleary>
Component: RPM
Assignee: Libor Zoubek <lzoubek>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: high
Priority: high
Version: JON 3.2.1
CC: ahovsepy, loleary, lzoubek, mmahoney, myarboro, snegrea, spinder, theute
Target Milestone: CR01
Keywords: EasyFix, Triaged
Target Release: JON 3.3.1
Hardware: All
OS: Linux
Doc Type: Bug Fix
Environment: JBoss ON 3.1.1 agent with AS7 plug-in installed; EAP 6 domain controller installed and running from jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el6.noarch RPM
Last Closed: 2015-02-27 19:58:30 UTC
Type: Bug
Bug Blocks: 892047
Attachments: jbosson-agent-groups

Description Larry O'Leary 2014-07-14 22:53:10 UTC
Original issue reported in Bug 892047 identified that JBoss EAP 6 servers could not be discovered when JBoss EAP was installed from RPM. This is because some files -- such as the configuration files and role files -- are considered sensitive and can therefore only be read by the JBoss installation's owner or group. The default user group used is "jboss". 

In the JBoss ON agent's RPM -- and perhaps in other places such as init scripts -- we assumed a group name of jbosson.

This prevents the JBoss ON agent, with out-of-the-box configuration, from working with other JBoss products using out-of-the-box configuration.

To fix this deficiency, the JBoss ON agent RPM should use a default user group of jboss.

+++ This bug was initially created as a clone of Bug #892047 +++

Description of problem:
After installing and starting EAP 6 from RPM, agent with AS7 plug-in is unable to discover it and throws the following error:

    ERROR [ResourceDiscoveryComponent.invoker.daemon-1] (rhq.modules.plugins.jbossas7.HostControllerDiscovery)- Discovery of a JBossAS7 Host Controller Resource failed for process: pid=[2836], name=[/etc/alternatives/jre/bin/java], ppid=[2810] - cause: java.lang.Exception: Server configuration file not found at the expected location (/usr/share/jbossas/domain/configuration/host-slave.xml).


Version-Release number of selected component (if applicable):
4.4.0.JON311GA

How reproducible:
Always

Steps to Reproduce:
1.  On RHEL 6 system, install EAP 6 from RPM:

        # JBoss EAP RPMs
        _rhnUser=admin
        _rhnPassword=redhat
        _jbappplatform=$(rhn-channel -L -u ${_rhnUser} -p ${_rhnPassword} | grep jbappplatform)
        rhn-channel --add -c ${_jbappplatform} -u ${_rhnUser} -p ${_rhnPassword}
        # RPM version is very important.
        # Problem occurs starting with EAP RPM 7.1.3-4
        yum -y install jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el6.noarch

2.  Start EAP 6 domain service

        sudo service jbossas-domain start
        
3.  Start JBoss ON agent using a different user/group than what is being used by EAP

    You cannot use root or any account that is a member of the jboss group. Such as what happens when running JON agent from RPM install and starting it as a service.
  
Actual results:
EAP6 host controller does not get discovered and the following error is logged in agent.log:

    ERROR [ResourceDiscoveryComponent.invoker.daemon-1] (rhq.modules.plugins.jbossas7.HostControllerDiscovery)- Discovery of a JBossAS7 Host Controller Resource failed for process: pid=[2836], name=[/etc/alternatives/jre/bin/java], ppid=[2810] - cause: java.lang.Exception: Server configuration file not found at the expected location (/usr/share/jbossas/domain/configuration/host.xml).

Expected results:
EAP6 host controller should be discovered and appear in the discovery queue.

Additional info:
This issue is a direct result of directory permissions used by EAP's RPM. By default, starting in 7.1.3-4, /var/lib/jbossas/domain (and other directories) are not world-readable. This means, unless the RHQ agent is started by root or a user who is a member of the jboss group, the AS7 plug-in will not be able to read the configuration files from the file system.

Prior to 7.1.3-4, directories were world-readable meaning that we would not see this unless testing with the latest RPM version released in late November 2012.

--- Additional comment from Larry O'Leary on 2013-01-08 12:32:43 EST ---

This might be as simple as JBoss ON documenting that if using the EAP 6 RPM, the user who starts the agent must be added to the OS group 'jboss'. Additionally, we might want to do this automatically with the JBoss ON agent RPM.
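
The permission condition described in this report, as an added example that is not part of the original bug report or of JBoss ON: it walks a path one component at a time and prints the first directory or file whose mode bits deny a given uid and group list. The function names and the demo tree are hypothetical; only classic owner/group/other mode bits are evaluated (no ACLs or SELinux), and GNU `stat` is assumed.

```shell
#!/bin/sh
# Run as root so every component can be inspected; uses GNU stat (-c).

# perm_allows MODE OWNER_UID OWNER_GID UID "GID ..." BIT
# BIT: 4 = read, 1 = search. Returns 0 when the mode bits grant access.
perm_allows() {
    local mode="$((0$1))" ouid="$2" ogid="$3" uid="$4" gids="$5" bit="$6" g
    [ "$uid" -eq 0 ] && return 0            # root is not limited by mode bits
    if [ "$uid" -eq "$ouid" ]; then         # owner class applies exclusively
        [ $(( (mode >> 6) & bit )) -ne 0 ]; return
    fi
    for g in $gids; do                      # primary and supplementary groups
        if [ "$g" -eq "$ogid" ]; then       # group class applies exclusively
            [ $(( (mode >> 3) & bit )) -ne 0 ]; return
        fi
    done
    [ $(( mode & bit )) -ne 0 ]             # everyone else: "other" class
}

# first_blocker UID "GID ..." BASE RELPATH
# Prints the first component below BASE that the account cannot search
# (directory) or read (file) and returns 1; returns 0 when access is allowed.
first_blocker() {
    local uid="$1" gids="$2" cur="${3%/}" rest="$4" part bit st
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        st=$(stat -L -c '%a %u %g' "$cur") || return 2    # missing component
        if [ -d "$cur" ]; then bit=1; else bit=4; fi
        # $st is left unquoted so it splits into mode, owner uid, owner gid
        perm_allows $st "$uid" "$gids" "$bit" || { echo "$cur"; return 1; }
    done
    return 0
}

# Constructed demo tree (not the real EAP layout): 0750 directories and a
# 0640 file, checked for a non-owner account with and without the group.
demo() {
    local d uid gid rel=domain/configuration/host.xml
    d=$(mktemp -d) && mkdir -p "$d/domain/configuration" && : > "$d/$rel"
    chmod 750 "$d/domain" "$d/domain/configuration"; chmod 640 "$d/$rel"
    uid=$(( $(id -u) + 1 )); gid=$(stat -c %g "$d/domain")
    first_blocker "$uid" "$gid" "$d" "$rel" && echo "member: readable"
    first_blocker "$uid" "$((gid + 1))" "$d" "$rel" || echo "non-member: blocked at the path above"
    rm -rf "$d"
}
demo
```

On an affected host, the same check for the agent account named in this report would be `first_blocker "$(id -u jbosson-agent)" "$(id -G jbosson-agent)" / usr/share/jbossas/domain/configuration/host.xml`.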

Comment 1 Larry O'Leary 2014-07-14 22:55:23 UTC
JBoss ON documentation for non-RPM install has already been updated to reflect this.

This BZ represents the need for the Agent RPM provided with the JBoss ON distribution to be updated to:

 - create the jboss group if not present upon installation or upgrade
 - assign the jbosson-agent user to the jboss group

Comment 2 Larry O'Leary 2014-07-14 23:02:59 UTC
Please note that jbosson may still be a valid group and should probably remain. This group should probably also remain as the default user group for the JBoss ON agent user -- jbosson-agent.

The suggestion from this BZ is to add the user jbosson-agent from the agent RPM to the group jboss and to create the group jboss if it doesn't already exist. 

The end goal is:

 - Install JBoss EAP RPM
 - Install JBoss ON agent RPM
 - Import JBoss EAP resource without error

 - Install JBoss ON agent RPM
 - Install JBoss EAP RPM
 - Import JBoss EAP resource without error

 - Install JBoss ON agent RPM
 - Install JBoss EAP from ZIP <-- perhaps JBoss EAP install guide already recommends an OS user/group?
 - Manually add JBoss ON agent user to group used for extracting JBoss EAP ZIP
 - Import JBoss EAP resource without error

Comment 5 Simeon Pinder 2015-01-19 20:52:56 UTC
Moving into CR01 target milestone as missed ER01 cutoff.

Comment 13 Simeon Pinder 2015-02-16 04:49:36 UTC
Moving to ON_QA as available to test with latest CP build:
http://download.devel.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/16/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip
*Note: jon-server-patch-3.3.0.GA.zip maps to CR01 build of jon-server-3.3.0.GA-update-01.zip.

Comment 15 Armine Hovsepyan 2015-02-17 13:03:00 UTC
Created attachment 992658
jbosson-agent-groups