Description of problem:
When the plugin executes a CLI script (either within bundle:handover, an operation, or during patching) it uses credentials from pluginConfig and passes them to the cli executable via --user and --password. In some environments customers can secure the EAP native interface a bit differently from the http management interface (i.e. they can allow only the $local user for native access). The AS7 plugin needs to be configurable to allow/disallow authentication, which means omitting the --user and --pass parameters.

Version-Release number of selected component (if applicable):
JON 3.3.0

How reproducible:
always

Steps to Reproduce:
1. configure EAP security in a way that forbids native-interface access to the user that manages it via the plugin
2. run the "execute CLI command" operation on EAP

Actual results:
it fails because the plugin passes user/pass, which is used to manage EAP over the http interface

Expected results:
when the new pluginConfig setting "Use local Authentication" is set to True, the command succeeds

Additional info:
This can be fixed by adding a new boolean pluginConfig setting which denotes whether or not to use $local authentication when the plugin talks to EAP via CLI
Have you already thought about the logic to set the new flag during discovery? My immediate feeling is that it should be set to true only if we can detect in the configuration file that $local is the unique authentication mechanism for the CLI.
My initial idea was to leave it false by default. Discovery is for sure a better way. I think we can detect it:

<native-interface security-realm="ManagementRealm">
    <socket-binding native="management-native"/>
</native-interface>

refers to security-realm

<security-realm name="ManagementRealm">
    <authentication>
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

then we're looking for the 'local' node to be the only child of 'authentication'. I'll need to take a look at the schema to make sure this is good enough.
Perfect, thanks Libor.
branch: master
link: https://github.com/rhq-project/rhq/commit/b6a3b4bc3
time: 2015-06-09 15:20:44 +0200
commit: b6a3b4bc31c6c5b2ef9fb3c78d46d12a4655b4dd
author: Libor Zoubek - lzoubek
message: Bug 1227459 - Allow using $local authentication method when executing CLI scripts

Added new pluginConfig boolean property "Native Local Authentication". This gets discovered to true only if $local authentication is the only way to access native interface. This commit also slightly refactors resource upgrade code, so we don't load standalone.xml file more than once
branch: release/jon3.3.x
link: https://github.com/rhq-project/rhq/commit/de22a9a3a
time: 2015-06-10 23:24:55 +0200
commit: de22a9a3a5b1c495bbc40f2d7e83b06d4273bd48
author: Libor Zoubek - lzoubek
message: Bug 1227459 - Allow using $local authentication method when executing CLI scripts

Added new pluginConfig boolean property "Native Local Authentication". This gets discovered to true only if $local authentication is the only way to access native interface. This commit also slightly refactors resource upgrade code, so we don't load standalone.xml file more than once

(cherry picked from commit b6a3b4bc31c6c5b2ef9fb3c78d46d12a4655b4dd)
Signed-off-by: Libor Zoubek <lzoubek>

Conflicts:
modules/plugins/jboss-as-7/src/main/java/org/rhq/modules/plugins/jbossas7/BaseProcessDiscovery.java
branch: master
link: https://github.com/rhq-project/rhq/commit/a551665c8
time: 2015-06-17 11:06:21 +0200
commit: a551665c82308f466b5ac73d61ca0e677c37eb84
author: Libor Zoubek - lzoubek
message: Bug 1227459 - Allow using $local authentication method when executing CLI scripts

added nativeLocalAuth property for hostController

branch: release/jon3.3.x
link: https://github.com/rhq-project/rhq/commit/e8dc88e09
time: 2015-06-17 11:08:06 +0200
commit: e8dc88e0963024606e33ab1051ae88ee2683bfb2
author: Libor Zoubek - lzoubek
message: Bug 1227459 - Allow using $local authentication method when executing CLI scripts

added nativeLocalAuth property for hostController

(cherry picked from commit a551665c82308f466b5ac73d61ca0e677c37eb84)
Signed-off-by: Libor Zoubek <lzoubek>
Verified that the $local user is used for the "Execute CLI Command" operation when Native Local Authentication is enabled.

This also probably solves the root cause of bz1226413. When using a secured http-interface it's necessary to use a different security realm for the native-interface which will only use local authentication. When the native-interface uses the same realm as the secured http-interface, e.g.

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="/home/hudson/as7server.jks" keystore-password="secure" alias="as7"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/home/hudson/as7server.jks" keystore-password="secure"/>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
    </authorization>
</security-realm>

"Execute CLI Command" hangs because the underlying jboss cli command waits for confirmation for "Accept certificate?"
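Added example (not code from the RHQ plugin or from the commits above) of the discovery rule Libor describes in comment 3, checked against the shared-realm layout from the verification comment: resolve the realm referenced by native-interface and report true only when 'local' is the sole child of its 'authentication' element. The standalone.xml samples are constructed here; the function and helper names are assumptions.

```python
import xml.etree.ElementTree as ET

def _name(tag):
    # Strip the namespace so the check works for any urn:jboss:domain:* schema version.
    return tag.split('}', 1)[-1]

def native_local_auth_only(xml_text):
    """True only when the realm bound to <native-interface> authenticates solely via <local/>."""
    root = ET.fromstring(xml_text)
    native = [e for e in root.iter() if _name(e.tag) == 'native-interface']
    if len(native) != 1 or not native[0].get('security-realm'):
        return False  # no native interface, or one without a realm: keep sending credentials
    realms = [r for r in root.iter() if _name(r.tag) == 'security-realm'
              and r.get('name') == native[0].get('security-realm')]
    if len(realms) != 1:
        return False  # dangling or ambiguous realm reference
    auths = [a for a in realms[0] if _name(a.tag) == 'authentication']
    if len(auths) != 1:
        return False
    # 'local' must be the *only* child: a sibling <properties/> or <truststore/> means
    # other mechanisms are offered, so $local alone is not guaranteed to be accepted.
    return [_name(c.tag) for c in auths[0]] == ['local']

# Constructed sample (not a real server config): <local/> is the only mechanism -> True.
LOCAL_ONLY = """<server xmlns="urn:jboss:domain:1.7"><management>
 <security-realms><security-realm name="NativeRealm">
  <authentication><local default-user="$local"/></authentication>
 </security-realm></security-realms>
 <management-interfaces>
  <native-interface security-realm="NativeRealm"><socket-binding native="management-native"/></native-interface>
 </management-interfaces>
</management></server>"""

# Constructed: default-style realm (local + mgmt-users.properties) -> must discover False.
LOCAL_AND_PROPS = LOCAL_ONLY.replace(
    '<local default-user="$local"/>',
    '<local default-user="$local"/><properties path="mgmt-users.properties"/>')

# Constructed: realm shared with a secured http-interface (truststore + local + properties) -> False.
SHARED_SSL_REALM = LOCAL_ONLY.replace(
    '<local default-user="$local"/>',
    '<truststore path="constructed.jks" keystore-password="constructed"/>'
    '<local default-user="$local" skip-group-loading="true"/>'
    '<properties path="mgmt-users.properties"/>')

if __name__ == '__main__':
    for label, cfg in [('local only', LOCAL_ONLY), ('local+properties', LOCAL_AND_PROPS),
                       ('shared ssl realm', SHARED_SSL_REALM)]:
        print(label, '->', native_local_auth_only(cfg))
```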
To make this work properly it's necessary to set the correct IP for Native Host in the Connection settings. It does NOT work with this field set to 0.0.0.0
A new bz is created to address the problem from comment 14 - bz1246083