Comments (18)
Hi,
strange because the group index script should detect this, does it tries to create it in every puppet run. It should use the modify instead of create
and is it by the way a ldap group because I ignore this because it can be too much for the ldap server
from biemond-orawls.
Hello sir,
I am thinking.... I am collaborating with a coworker on this issue. We do use Likewise users/groups so that deals with LDAP, yes.
Let me at least let you know what I am trying to do. I am currently setting the weblogic_user and weblogic_password in a wls_settings_instances block in hiera. I wanted to be able to configure an additional user and password so that they can get console access if that makes sense.
from biemond-orawls.
Ok,
So you can use the normal internal weblogic ldap for this (DefaultAuthenticator) and this works for me also the 2nd time
maybe the Likewise ldap conflicts with this. ( also did you do a restart of the adminserver after adding a new authentication provider, this disables all security unless you do a restart) you can subscibe on wls_authentication providers changes and auto restart the adminserver
user_instances:
'testuser1':
ensure: 'present'
password: 'weblogic1'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'my test user'
'testuser2':
ensure: 'present'
password: 'weblogic1'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'my test user'
'testuser3':
ensure: 'present'
password: 'weblogic1'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'my test user'
group_instances:
'TestGroup':
ensure: 'present'
authenticationprovider: 'DefaultAuthenticator'
description: 'My TestGroup'
realm: 'myrealm'
users:
- 'testuser1'
- 'testuser2'
require:
- Wls_user[testuser1]
- Wls_user[testuser2]
'SuperUsers':
ensure: 'present'
authenticationprovider: 'DefaultAuthenticator'
description: 'SuperUsers'
realm: 'myrealm'
users:
- 'testuser2'
require:
- Wls_user[testuser2]
from biemond-orawls.
I will have to try some of this and see what I can come up with ...
from biemond-orawls.
Hello, I am working with Adam on this. I am not very experienced with Puppet, so let me explain exactly what we are trying to do.
We are adding local users, so LDAP isn't involved for this. What we are trying to do is add another user (e.g. admin2) and add it to the already existing Administrators group.
I looked through the code and saw your WLST scripts for wls_user and wls_group. I don't see where wls_user is assigning the new user to a group, so my thinking was we needed to use wls_user to make sure the user exists and then use wls_group to assign the new user to the Administrators group. However, the wls_group WLST will fail if the group already exists. We don't really want to create a new group, just add a user to an existing group.
Like I said, I'm not a Puppet expert, so maybe I'm not understanding how it fits together. Would it be enough to just use:
user_instances:
'admin2':
ensure: 'present'
password: 'password2'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'my second admin user'
group_instances:
'Administrators':
ensure: 'present'
authenticationprovider: 'DefaultAuthenticator'
description: 'Default Administrators group'
realm: 'myrealm'
users:
- 'admin2'
require:
- Wls_user[admin2]
from biemond-orawls.
Hi,
You don't need to worry about creating new groups or not , the wls resource type will detect it if it already exists and if there is a change like an extra user to a group users property. If it still want to create the group instead of changing we need to look at that ( the index script fails then). for this you can use 'puppet resource wls_group --debug --trace'
Indeed but this is a bit tricky because weblogic also belongs to this group and it can remove the weblogic from this group.
So you need to do this
user_instances:
'weblogic':
ensure: 'present'
password: 'xxxxxxxxx'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'This user is the default administrator.'
'testuser1':
ensure: 'present'
password: 'weblogic1'
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'my test user'
group_instances:
'Administrators':
ensure: 'present'
authenticationprovider: 'DefaultAuthenticator'
description: 'Administrators can view and modify all resource attributes and start and stop servers.'
realm: 'myrealm'
users:
- 'weblogic'
- 'testuser1'
require:
- Wls_user[weblogic]
- Wls_user[testuser1]
this is working for
==> admin: Info: index wls_group
==> admin: Info: Executing: wlstScript with action index
==> admin: Info: domain found default
==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-seu6zp.py with timeout = 120
==> admin: Info: Connecting to wls on url t3://10.10.10.10:7001
==> admin: Info: domain found plain
==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-seu6zp.py with timeout = 120
==> admin: Info: Connecting to wls on url t3://10.10.10.10:7101
==> admin: Notice: /Stage[main]/Security/Wls_group[Administrators]/users: users changed ['weblogic'] to 'weblogic testuser1'
==> admin: Info: modify default/Administrators
==> admin: Info: Executing: wlstScript with action
==> admin: Info: Got the right domain default script, now execute WLST
==> admin: Info: Executing wls-script /tmp/wlstScript20141222-6114-1gsj54f.py with timeout = 120
from biemond-orawls.
So, we currently set the username and password for the WL console with these variables? Should we not be doing this?
wls_weblogic_user: &wls_weblogic_user "weblogic"
domain_wls_password: &domain_wls_password "weblogic_password"
orautils::wlsUserParam: *wls_weblogic_user
I am also not sure what the realm is, does this need to tie to another variable?
from biemond-orawls.
That is perfect.
but password in wls_user is a parameter and not a property of an user, the password param of wls_user will only be used in the creation of a new user ( I can't do reverse engineering to see if the password is correct) . But the weblogic user is already there, created by the domain script .
So it won't change the weblogic but I need this user else it will be removed from the administrator group.
from biemond-orawls.
Okay, so I should add the user_instances and group_instances for only the additional user (above the weblogic user), or both?
Not sure what the realm is or if the name of it matters...
from biemond-orawls.
myrealm is the default and it never changes.
yes add the weblogic user to user_instances and also add weblogic to the users attribute of the Administrators group else it will be removed from the Administrators group
from biemond-orawls.
Okay, I will try by adding the users in the user_instances and group_instances blocks you showed examples for above. I will report back when I know...
from biemond-orawls.
So, your suggestions worked, I was able to have both logins to my console. Now, what would happen if someone were to remove one of those users (say, weblogic)? Can this be done via the console?
In other words, I want both users initially, but I want someone to be able to remove those users from console access in the future. The next time puppet runs, I assume it will re-add those two users, right?
from biemond-orawls.
Indeed, the next run they will be re-created again. Yeah you can remove weblogic from the console. Don't what will happen then with the node managers etc
from biemond-orawls.
I presume we can close this, right? The code works, puppet enforces the state, etc. If we just wanted a single time user I guess we would just want to run our own WLST script to do so and not have puppet enforce that.
from biemond-orawls.
Yes, for a temporary user a wlst script is probably better
from biemond-orawls.
user_instances:
'test':
ensure: 'present'
password: *domain_wls_password
authenticationprovider: 'DefaultAuthenticator'
realm: 'myrealm'
description: 'test user'
group_instances:
'Administrators':
ensure: 'present'
authenticationprovider: 'DefaultAuthenticator'
description: 'Administrators can view and modify all resource attributes and start and stop servers.'
realm: 'myrealm'
users:
- 'test'
require:
- Wls_user[test]
Above is our hiera data to add user test into group administrators, however the wls_group resource is not the cause of the issue we are seeing. Below is our debug output as and error from your create.py.erb script.
The error is generated because we are trying to create a group that already exists.
Debug: wls:/JOETEST/serverConfig> create group: Administrators
Debug: Unexpected error: weblogic.management.utils.AlreadyExistsException
Debug: ~~~~COMMAND FAILED~~~~
Error: Could not set 'present' on ensure: command in deamon failed.
May I suggest a fix of checking to see if a group already exists before trying to create it again.
OR
Catch an already exists exception in the create.py.erb in the wls_group provider.
Thanks!
from biemond-orawls.
Submitted pull request for this: #102
from biemond-orawls.
Hi,
I will never do that because you should not be in that situation, There is probably an error or misconfiguration. I think the group index py script crashes and this will occur in every puppet run but you don't see it.
So this is not a fix , but some workaround you won't want.
from biemond-orawls.
Related Issues (20)
- change wlst_action HOT 1
- Some "get" methods still exist after replacement by "get_attribute_value"
- Issues when trying to set nodemanager_username and _password HOT 1
- Managed server not creating using wlserver
- Datasource created in WLS 12.2.1.3 appears to not display in Monitoring tab
- Upgrade to 12.2.1.4 HOT 1
- Errors when running puppet on an AIX operating system HOT 1
- Repo description doesn't match Documentation HOT 1
- FMW install in Solaris for new version fails HOT 1
- wls_opatch and multiple orainst_dir HOT 1
- opatch not being applied when doing a puppet run
- Support for 12.2.1.4
- OHS 12.2.1.4 HOT 7
- extraproperties is not idempotent HOT 1
- Odd issue that we need assistance with
- JDBC_persistence_store - get('MigrationPolicy') & get('DistributionPolicy') causes timeout
- Support for Weblogic version 14.1.1.0
- for keystores of type pkcs12, wls_authentication_provider creation fails with "Error: No domain or domain template has been read." HOT 3
- 0400 Puppet (err): Failed to apply catalog: BUG! removeinfectedconnections should have been '0' or '1' HOT 19
- Does orawls supports puppet enterprisemodules-easy_type (v2.48.3) as hajee-easy_type (v0.15.6) is been depricated?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biemond-orawls.