Bug 1119496 - Agent's default user group should be changed/added to group jboss to fix permission bug when used with other JBoss branded products
Summary: Agent's default user group should be changed/added to group jboss to fix perm...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: RPM
Version: JON 3.2.1
Hardware: All
OS: Linux
high
high
Target Milestone: CR01
: JON 3.3.1
Assignee: Libor Zoubek
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks: 892047
TreeView+ depends on / blocked
 
Reported: 2014-07-14 22:53 UTC by Larry O'Leary
Modified: 2018-11-30 20:17 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
JBoss ON 3.1.1 agent with AS7 plug-in installed EAP 6 domain controller installed and running from jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el6.noarch RPM
Last Closed: 2015-02-27 19:58:30 UTC
Type: Bug


Attachments (Terms of Use)
jbosson-agent-groups (14.70 KB, image/png)
2015-02-17 13:03 UTC, Armine Hovsepyan
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 288873 None None None Never
Red Hat Bugzilla 917861 None None None Never

Internal Links: 917861

Description Larry O'Leary 2014-07-14 22:53:10 UTC
Original issue reported in Bug 892047 identified that JBoss EAP 6 servers could not be discovered when JBoss EAP was installed from RPM. This is because some files -- such as the configuration files and role files -- are considered sensitive and can therefore only be read by the JBoss installation's owner or group. The default user group used is "jboss". 

In the JBoss ON agent's RPM -- and perhaps in other places such as init scripts -- we assumed a group name of jbosson.

This prevents the JBoss ON agent, with out-of-the-box configuration, from working with other JBoss products using out-of-the-box configuration.

To fix this deficiency, the JBoss ON agent RPM should use a default user group of jboss.

+++ This bug was initially created as a clone of Bug #892047 +++

Description of problem:
After installing and starting EAP 6 from RPM, agent with AS7 plug-in is unable to discover it and throws the following error:

ERROR [ResourceDiscoveryComponent.invoker.daemon-1] (rhq.modules.plugins.jbossas7.HostControllerDiscovery)- Discovery of a JBossAS7 Host Controller Resource failed for process: pid=[2836], name=[/etc/alternatives/jre/bin/java], ppid=[2810] - cause: java.lang.Exception: Server configuration file not found at the expected location (/usr/share/jbossas/domain/configuration/host-slave.xml).


Version-Release number of selected component (if applicable):
4.4.0.JON311GA

How reproducible:
Always

Steps to Reproduce:
1.  On RHEL 6 system, install EAP 6 from RPM:

        # JBoss EAP RPMs
        _rhnUser=admin
        _rhnPassword=redhat
        _jbappplatform=$(rhn-channel -L -u {_rhnUser} -p ${_rhnPassword} | grep jbappplatform)
        rhn-channel --add -c ${_jbappplatform} -u {_rhnUser} -p ${_rhnPassword}
        # RPM version is very important.
        # Problem occurs starting with EAP RPM 7.1.3-4
        yum -y install yum install jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el6.noarch

2.  Start EAP 6 domain service

        sudo service jbossas-domain start
        
3.  Start JBoss ON agent using a different user/group then what is being used by EAP

    You can not use root or any account that is a member of the jboss group. Such as what happens when running JON agent from RPM install and starting it as a service.
  
Actual results:
EAP6 host controller does not get discovered and the following error is logged in agent.log:

    ERROR [ResourceDiscoveryComponent.invoker.daemon-1] (rhq.modules.plugins.jbossas7.HostControllerDiscovery)- Discovery of a JBossAS7 Host Controller Resource failed for process: pid=[2836], name=[/etc/alternatives/jre/bin/java], ppid=[2810] - cause: java.lang.Exception: Server configuration file not found at the expected location (/usr/share/jbossas/domain/configuration/host.xml).

Expected results:
EAP6 host controller should be discovered and appear in the discovery queue.

Additional info:
This issue is a direct result of directory permissions used by EAP's RPM. By default, starting in 7.1.3-4, /var/lib/jbossas/domain (and other directories) are not world-readable. This means, unless the RHQ agent is started by root or a user who is a member of the jboss group, the AS7 plug-in will not be able to read the configuration files from the file system.

Prior to 7.1.3-4, directories were world-readable meaning that we would not see this unless testing with the latest RPM version released in late November 2012.

--- Additional comment from Larry O'Leary on 2013-01-08 12:32:43 EST ---

This might be as simple as JBoss ON documenting that if using the EAP 6 RPM, the user who starts the agent must be added to the OS group 'jboss'. Additionally, we might want to do this automatically with the JBoss ON agent RPM.

Comment 1 Larry O'Leary 2014-07-14 22:55:23 UTC
JBoss ON documentation for non-RPM install has already been updated to reflect this.

This BZ represents the need for the Agent RPM provided with the JBoss ON distribution to be updated to:

 - create the jboss group if not present upon installation or upgrade
 - assign the jbosson-agent user to the jboss group

Comment 2 Larry O'Leary 2014-07-14 23:02:59 UTC
Please note that jbosson may still be a valid group and should probably remain. This group should probably also remain as the default user group for the JBoss ON agent user -- jbosson-agent.

The suggestion from this BZ is to add the user jbosson-agent from the agent RPM to the group jboss and to create the group jboss if it doesn't already exist. 

The end goal is:

 - Install JBoss EAP RPM
 - Install JBoss ON agent RPM
 - Import JBoss EAP resource without error

 - Install JBoss ON agent RPM
 - Install JBoss EAP RPM
 - Import JBoss EAP resource without error

 - Install JBoss ON agent RPM
 - Install JBoss EAP from ZIP <-- perhaps JBoss EAP install guide already recommends an OS user/group?
 - Manually add JBoss ON agent user to group used for extracting JBoss EAP ZIP
 - Import JBoss EAP resource without error

Comment 5 Simeon Pinder 2015-01-19 20:52:56 UTC
Moving into CR01 target milestone as missed ER01 cutoff.

Comment 13 Simeon Pinder 2015-02-16 04:49:36 UTC
Moving to ON_QA as available to test with latest CP build:
http://download.devel.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/16/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip
*Note: jon-server-patch-3.3.0.GA.zip maps to CR01 build of jon-server-3.3.0.GA-update-01.zip.

Comment 15 Armine Hovsepyan 2015-02-17 13:03:00 UTC
Created attachment 992658 [details]
jbosson-agent-groups


Note You need to log in before you can comment on or make changes to this bug.