
Comments (9)

bjwschaap avatar bjwschaap commented on September 23, 2024

@jairojunior @biemond Question: how would I go about creating wildfly::util::resource in batch mode? I need to do something like:

batch
/core-service=management/security-realm=LDAPrealm/authorization=ldap:add(connection="LDAPrealm-LDAPConnection")
/core-service=management/security-realm=LDAPrealm/authorization=ldap/username-to-dn=username-filter:add(base-dn="cn=users,ou=services,o=myorg,c=nl",attribute="uid",user-dn-attribute="dn")
/core-service=management/security-realm=LDAPrealm/authorization=ldap/group-search=group-to-principal:add(group-name="SIMPLE",group-name-attribute="cn",base-dn="cn=groups,ou=services,o=myorg,c=nl",search-by="DISTINGUISHED_NAME",principal-attribute="member",recursive="true")
run-batch

Individual wildfly::util::resource calls result in:

{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:"=>{"Operation step-1"=>"WFLYDM0074: Configuration for security realm 'LDAPrealm' does not contain any group-search resource within the authorization=ldap resource."}}

This is because Wildfly wants the authorization=ldap and group-to-principal mapping added in one (batch) operation.
Any ideas/suggestions?

from puppet-wildfly.

biemond avatar biemond commented on September 23, 2024

That makes sense, now puppet will start a separate edit session for every resource entry.

I am curious what your puppet manifest code will look like?
Can you keep the cli session open, and how will you check the current state when you run it twice, or do you only check if the ldap entry exists and don't care about the properties?

But @jairojunior is the expert and he will know more about the impact or overhead of this change.

cheers Edwin


jairojunior avatar jairojunior commented on September 23, 2024

@bjwschaap Can you check if issue #28 contains a solution for your problem?

There you'll find more information related to how the module internals handle this - and how we are trying to improve this - but for now, all you need to know is that the Management API equivalent to a JBoss-CLI batch is a composite operation.

wildfly_resource supports composite operations using the recursive (true|false) flag (introduced by @TronPaul), wildfly_deploy performs a composite operation in order to achieve its job, but we still don't have this concept in wildfly_cli.

Therefore, we have two options:

  • Use wildfly_resource to describe your "complex resource".
  • Extend wildfly_cli to support composite (i.e. batch) commands.

I really think you should use the first alternative, since Puppet works with the concept of resources, and an LDAP Security Domain is clearly a resource. Leave wildfly_cli for actual commands, like restart, shutdown, enable, disable, etc.


bjwschaap avatar bjwschaap commented on September 23, 2024

@jairojunior Thanks for the info. I am currently using the wildfly_resource approach, and didn't consider wildfly_cli. I understand it's a composite operation, but can't get it to work with recursive either. I'm probably doing something wrong. Is there an example use of a 'recursive' wildfly::util::resource in the module?

These should be 'merged' into one composite:

wildfly::util::resource { "/core-service=management/security-realm=${realm_name}/authorization=ldap":
  content => {
    'connection' => "${realm_name}-LDAPConnection",
  },
} ->

wildfly::util::resource { "/core-service=management/security-realm=${realm_name}/authorization=ldap/username-to-dn=username-filter":
  content => {
    'base-dn'           => 'cn=users,ou=services,o=myorg,c=nl',
    'attribute'         => 'uid',
    'user-dn-attribute' => 'dn',
  },
} ->

wildfly::util::resource { "/core-service=management/security-realm=${realm_name}/authorization=ldap/group-search=group-to-principal":
  content => {
    'group-name'           => 'SIMPLE',
    'group-name-attribute' => 'cn',
    'base-dn'              => 'cn=groups,ou=services,o=myorg,c=nl',
    'search-by'            => 'DISTINGUISHED_NAME',
    'principal-attribute'  => 'member',
    'recursive'            => 'true',
  },
}


bjwschaap avatar bjwschaap commented on September 23, 2024

@TronPaul Could you provide/add some documentation on how to use recursive resources?


bjwschaap avatar bjwschaap commented on September 23, 2024

The split_resources function is a b$!%ch to reverse engineer, but finally figured it out...

wildfly::util::resource { "/core-service=management/security-realm=${realm_name}/authorization=ldap":
  content => {
    'connection'   => "${realm_name}-LDAPConnection",
    'group-search' => {
      'group-to-principal' => {
        'group-name'           => 'SIMPLE',
        'group-name-attribute' => 'cn',
        'base-dn'              => 'cn=groups,ou=services,o=myorg,c=nl',
        'search-by'            => 'DISTINGUISHED_NAME',
        'principal-attribute'  => 'member',
        'recursive'            => 'true',
      },
    },
    'username-to-dn' => {
      'username-filter' => {
        'base-dn'           => 'cn=users,ou=services,o=myorg,c=nl',
        'attribute'         => 'uid',
        'user-dn-attribute' => 'dn',
      },
    },
  },
  recursive => true,
}

Which results in the following composite:

{ :address => [],
  :operation => :composite,
  :steps => [
    { :address => [
        {"core-service" => "management"},
        {"security-realm" => "LDAPrealm"},
        {"authorization" => "ldap"}],
      :operation => :add,
      "connection" => "LDAPrealm-LDAPConnection"
    },
    { :address => [
        {"core-service" => "management"},
        {"security-realm" => "LDAPrealm"},
        {"authorization" => "ldap"},
        {"group-search" => "group-to-principal"}],
      :operation => :add,
      "group-name" => "SIMPLE",
      "group-name-attribute" => "cn",
      "base-dn" => "cn=groups,ou=services,o=myorg,c=nl",
      "search-by" => "DISTINGUISHED_NAME",
      "principal-attribute" => "member",
      "recursive" => "true"
    },
    { :address => [
        {"core-service" => "management"},
        {"security-realm" => "LDAPrealm"},
        {"authorization" => "ldap"},
        {"username-to-dn" => "username-filter"}],
      :operation => :add,
      "base-dn" => "cn=users,ou=services,o=myorg,c=nl",
      "attribute" => "uid",
      "user-dn-attribute" => "dn"
    }]
}

Thanx @jairojunior @TronPaul @biemond for your insights and great work on this module.

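The nested-content-to-composite mapping worked out in the comment above, as an added example in Ruby that is not the puppet-wildfly module's own split_resources: it parses the resource path into the address list, treats a hash of hashes as child resources and everything else as attributes, and emits one :add step per resource, parent first, so authorization=ldap and its group-search land in the same management operation. The function names and the LDAP_CONTENT sample are constructed for this example.

```ruby
# Added example (not the puppet-wildfly module's own split_resources):
# turn a nested wildfly::util::resource content hash into the composite
# operation WildFly's management API expects, one :add step per resource.

# Parse "/core-service=management/security-realm=X" into
# [{"core-service"=>"management"}, {"security-realm"=>"X"}].
def parse_address(path)
  path.split('/').reject(&:empty?).map do |segment|
    key, value = segment.split('=', 2)
    { key => value }
  end
end

# A value is a child resource when it is a non-empty hash of hashes
# (e.g. 'group-search' => { 'group-to-principal' => { ...attrs } });
# anything else is an attribute. Note that 'recursive' => 'true' inside
# group-to-principal is a WildFly LDAP attribute and is passed through as
# an attribute; it is unrelated to the Puppet-level recursive => true.
def child_resource?(value)
  value.is_a?(Hash) && !value.empty? && value.values.all? { |v| v.is_a?(Hash) }
end

# Flatten content into :add steps depth-first, parent before children, so
# WildFly sees authorization=ldap and its group-search in one operation.
def split_resources(address, content, steps = [])
  attrs = content.reject { |_, v| child_resource?(v) }
  children = content.select { |_, v| child_resource?(v) }
  steps << { address: address, operation: :add }.merge(attrs)
  children.each do |type, instances|
    instances.each do |name, child_content|
      split_resources(address + [{ type => name }], child_content, steps)
    end
  end
  steps
end

def composite(path, content)
  { address: [], operation: :composite, steps: split_resources(parse_address(path), content) }
end

# Constructed input mirroring the LDAP realm discussed in this thread.
LDAP_ADDRESS = '/core-service=management/security-realm=LDAPrealm/authorization=ldap'
LDAP_CONTENT = {
  'connection' => 'LDAPrealm-LDAPConnection',
  'group-search' => { 'group-to-principal' => {
    'group-name' => 'SIMPLE', 'group-name-attribute' => 'cn',
    'base-dn' => 'cn=groups,ou=services,o=myorg,c=nl', 'search-by' => 'DISTINGUISHED_NAME',
    'principal-attribute' => 'member', 'recursive' => 'true' } },
  'username-to-dn' => { 'username-filter' => {
    'base-dn' => 'cn=users,ou=services,o=myorg,c=nl', 'attribute' => 'uid', 'user-dn-attribute' => 'dn' } }
}.freeze
```

Calling composite(LDAP_ADDRESS, LDAP_CONTENT) yields the three-step composite shown in the comment, in the same order.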

biemond avatar biemond commented on September 23, 2024

Nice,
👍

Is this the complete ldap example? If not, can you provide me the whole example with the ldap-connection? Then I will add this to the readme of this module.

Cheers


bjwschaap avatar bjwschaap commented on September 23, 2024

I will do a pull request with a wildfly::security::ldap_security_realm defined type. This will provide a nice way for users to add an LDAP security realm to their wildfly. This will take some time I guess, since I need to figure out how to rspec (beaker) test this as well...

Next thing to add is a security domain / login-module as well for application security (JAAS).


jairojunior avatar jairojunior commented on September 23, 2024

Glad you did and sorry I couldn't help you sooner. 👍

