Bug 754849
| Summary: | as7: connections fail, as auth is now enabled by default | ||
|---|---|---|---|
| Product: | [Other] RHQ Project | Reporter: | Heiko W. Rupp <hrupp> |
| Component: | Plugins | Assignee: | Libor Zoubek <lzoubek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike Foley <mfoley> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.2 | CC: | hrupp, theute |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-09-01 19:19:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 707223 | ||
19097edb5d591dae5ae6fdf7565b682cd5b1506c in master the as server resource now has an operation "installRhqUser" that installs a user with password into as7 that meets the requirements of the authentication defaults. Of course, the user can also just enable the admin user in as7 by any other means and then go to the connection properties and and give the new credentials there. verified on Version: 4.3.0-SNAPSHOT, Build Number: 74fe0df, EAP6 DR8. New Operation works as expected, plugin connects to both secured and non-secured EAP. I do not know what I did (just reinstalled server and agents, having same version), but now installRHQUser does not work anymore. This is what I get as an operation status java.lang.Exception: / (Is a directory) at org.rhq.core.pc.operation.OperationInvocation.run(OperationInvocation.java:278) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) at java.lang.Thread.run(Thread.java:636) So, exception from comment #3 is raised only when EAP is unsecured, i. e. configuration looks like: <management-interfaces> <native-interface> <socket-binding native="management-native"/> </native-interface> <http-interface> <socket-binding http="management-http"/> </http-interface> </management-interfaces> I know, when EAP is unsecured this way, we do not know which security realm should be used. I am not sure whether EAP team will produce more zips like it was before eap-XXX.zip and eap-XXX-noauth.zip. If they will, we should support both. Or .. once we switch to DMR, there is no need to deal with credentials anymore. EAP server is able to detect whether client is local process and has read access to EAP6 home dir. Did you try that in domain mode? Please try again with the latest code base. *** Bug 708306 has been marked as a duplicate of this bug. *** Works for me,can not reproduce Bulk closing of BZs that have no target version set, but which are ON_QA for more than a year and thus are in production for a long time. |
In current versions of as7.1, the management ports are now a) protected by the need to authenticate <management> <security-realms> <security-realm name="ManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="ManagementRealm"> <socket-binding native="management-native"/> </native-interface> <http-interface security-realm="ManagementRealm"> <socket-binding http="management-http"/> </http-interface> </management-interfaces> </management> The plugin does already look for the (hardcoded) file mgmt.users.properties - but this needs now be determined from the above xml b) the actual password is no longer in clear text, but hashed, as described in the mgmt-users.properties file # By default the properties realm expects the entries to be in the format: - # username=HEX( MD5( username ':' realm ':' password)) so it needs to be determined what to exactly send to the server. workaround is to remove the security-realm attribute on the management port definitions above.