wls_group check if group exists about biemond-orawls HOT 18 CLOSED

Hi,

strange because the group index script should detect this, does it tries to create it in every puppet run. It should use the modify instead of create

and is it by the way a ldap group because I ignore this because it can be too much for the ldap server

from biemond-orawls.

Hello sir,

I am thinking.... I am collaborating with a coworker on this issue. We do use Likewise users/groups so that deals with LDAP, yes.

Let me at least let you know what I am trying to do. I am currently setting the weblogic_user and weblogic_password in a wls_settings_instances block in hiera. I wanted to be able to configure an additional user and password so that they can get console access if that makes sense.

from biemond-orawls.

Ok,

So you can use the normal internal weblogic ldap for this (DefaultAuthenticator) and this works for me also the 2nd time

maybe the Likewise ldap conflicts with this. ( also did you do a restart of the adminserver after adding a new authentication provider, this disables all security unless you do a restart) you can subscibe on wls_authentication providers changes and auto restart the adminserver

user_instances:
  'testuser1':
    ensure:                 'present'
    password:               'weblogic1'
    authenticationprovider: 'DefaultAuthenticator'
    realm:                  'myrealm'
    description:            'my test user'
  'testuser2':
    ensure:                 'present'
    password:               'weblogic1'
    authenticationprovider: 'DefaultAuthenticator'
    realm:                  'myrealm'
    description:            'my test user'
  'testuser3':
    ensure:                 'present'
    password:               'weblogic1'
    authenticationprovider: 'DefaultAuthenticator'
    realm:                  'myrealm'
    description:            'my test user'

group_instances:
  'TestGroup':
    ensure:                 'present'
    authenticationprovider: 'DefaultAuthenticator'
    description:            'My TestGroup'
    realm:                  'myrealm'
    users:
      - 'testuser1'
      - 'testuser2'
    require:
      - Wls_user[testuser1]
      - Wls_user[testuser2]
  'SuperUsers':
    ensure:                 'present'
    authenticationprovider: 'DefaultAuthenticator'
    description:            'SuperUsers'
    realm:                  'myrealm'
    users:
      - 'testuser2'
    require:
      - Wls_user[testuser2]

from biemond-orawls.

I will have to try some of this and see what I can come up with ...

from biemond-orawls.

Hello, I am working with Adam on this. I am not very experienced with Puppet, so let me explain exactly what we are trying to do.

We are adding local users, so LDAP isn't involved for this. What we are trying to do is add another user (e.g. admin2) and add it to the already existing Administrators group.

I looked through the code and saw your WLST scripts for wls_user and wls_group. I don't see where wls_user is assigning the new user to a group, so my thinking was we needed to use wls_user to make sure the user exists and then use wls_group to assign the new user to the Administrators group. However, the wls_group WLST will fail if the group already exists. We don't really want to create a new group, just add a user to an existing group.

Like I said, I'm not a Puppet expert, so maybe I'm not understanding how it fits together. Would it be enough to just use:

user_instances:
  'admin2':
    ensure:                 'present'
    password:               'password2'
    authenticationprovider: 'DefaultAuthenticator'
    realm:                  'myrealm'
    description:            'my second admin user'
group_instances:
  'Administrators':
    ensure:                 'present'
    authenticationprovider: 'DefaultAuthenticator'
    description:            'Default Administrators group'
    realm:                  'myrealm'
    users:
      - 'admin2'
    require:
      - Wls_user[admin2]

from biemond-orawls.

Hi,

You don't need to worry about creating new groups or not , the wls resource type will detect it if it already exists and if there is a change like an extra user to a group users property. If it still want to create the group instead of changing we need to look at that ( the index script fails then). for this you can use 'puppet resource wls_group --debug --trace'

Indeed but this is a bit tricky because weblogic also belongs to this group and it can remove the weblogic from this group.

So you need to do this

    user_instances:
      'weblogic':
        ensure:                 'present'
        password:               'xxxxxxxxx'
        authenticationprovider: 'DefaultAuthenticator'
        realm:                  'myrealm'
        description:            'This user is the default administrator.'
      'testuser1':
        ensure:                 'present'
        password:               'weblogic1'
        authenticationprovider: 'DefaultAuthenticator'
        realm:                  'myrealm'
        description:            'my test user'

    group_instances:
      'Administrators':
        ensure:                 'present'
        authenticationprovider: 'DefaultAuthenticator'
        description:            'Administrators can view and modify all resource attributes and start and stop servers.'
        realm:                  'myrealm'
        users:
          - 'weblogic'
          - 'testuser1'
        require:
          - Wls_user[weblogic]
          - Wls_user[testuser1]

this is working for

    ==> admin: Info: index wls_group
    ==> admin: Info: Executing: wlstScript with action index
    ==> admin: Info: domain found default
    ==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-seu6zp.py with timeout = 120
    ==> admin: Info: Connecting to wls on url t3://10.10.10.10:7001
    ==> admin: Info: domain found plain
    ==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-seu6zp.py with timeout = 120
    ==> admin: Info: Connecting to wls on url t3://10.10.10.10:7101
    ==> admin: Notice: /Stage[main]/Security/Wls_group[Administrators]/users: users changed ['weblogic'] to 'weblogic testuser1'
    ==> admin: Info: modify default/Administrators
    ==> admin: Info: Executing: wlstScript with action
    ==> admin: Info: Got the right domain default script, now execute WLST
    ==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-1gsj54f.py with timeout = 120

from biemond-orawls.

So, we currently set the username and password for the WL console with these variables? Should we not be doing this?

wls_weblogic_user: &wls_weblogic_user "weblogic"
domain_wls_password: &domain_wls_password "weblogic_password"
orautils::wlsUserParam: *wls_weblogic_user

I am also not sure what the realm is, does this need to tie to another variable?

from biemond-orawls.

That is perfect.

but password in wls_user is a parameter and not a property of an user, the password param of wls_user will only be used in the creation of a new user ( I can't do reverse engineering to see if the password is correct) . But the weblogic user is already there, created by the domain script .
So it won't change the weblogic but I need this user else it will be removed from the administrator group.

from biemond-orawls.

Okay, so I should add the user_instances and group_instances for only the additional user (above the weblogic user), or both?

Not sure what the realm is or if the name of it matters...

from biemond-orawls.

myrealm is the default and it never changes.

yes add the weblogic user to user_instances and also add weblogic to the users attribute of the Administrators group else it will be removed from the Administrators group

from biemond-orawls.

Okay, I will try by adding the users in the user_instances and group_instances blocks you showed examples for above. I will report back when I know...

from biemond-orawls.

So, your suggestions worked, I was able to have both logins to my console. Now, what would happen if someone were to remove one of those users (say, weblogic)? Can this be done via the console?

In other words, I want both users initially, but I want someone to be able to remove those users from console access in the future. The next time puppet runs, I assume it will re-add those two users, right?

from biemond-orawls.

Indeed, the next run they will be re-created again. Yeah you can remove weblogic from the console. Don't what will happen then with the node managers etc

from biemond-orawls.

I presume we can close this, right? The code works, puppet enforces the state, etc. If we just wanted a single time user I guess we would just want to run our own WLST script to do so and not have puppet enforce that.

from biemond-orawls.

Yes, for a temporary user a wlst script is probably better

from biemond-orawls.

user_instances:
  'test':
    ensure:                 'present'
    password:               *domain_wls_password
    authenticationprovider: 'DefaultAuthenticator'
    realm:                  'myrealm'
    description:            'test user'

group_instances:
  'Administrators':
    ensure:                 'present'
    authenticationprovider: 'DefaultAuthenticator'
    description:            'Administrators can view and modify all resource attributes and start and stop servers.'
    realm:                  'myrealm'
    users:
      - 'test'
    require:
      - Wls_user[test]

Above is our hiera data to add user test into group administrators, however the wls_group resource is not the cause of the issue we are seeing. Below is our debug output as and error from your create.py.erb script.

The error is generated because we are trying to create a group that already exists.

Debug: wls:/JOETEST/serverConfig> create group:  Administrators

Debug: Unexpected error: weblogic.management.utils.AlreadyExistsException

Debug: ~~~~COMMAND FAILED~~~~

Error: Could not set 'present' on ensure: command in deamon failed.

May I suggest a fix of checking to see if a group already exists before trying to create it again.

OR

Catch an already exists exception in the create.py.erb in the wls_group provider.

Thanks!

from biemond-orawls.

Submitted pull request for this: #102

from biemond-orawls.

Hi,

I will never do that because you should not be in that situation, There is probably an error or misconfiguration. I think the group index py script crashes and this will occur in every puppet run but you don't see it.

So this is not a fix , but some workaround you won't want.

from biemond-orawls.