# Create users/roles for remote XAP (deployed on a RHEL VM)

Hi, guys

I need to create a user to secure my processing units (authentication + safe communication) deployed in a remote server (a RHEL box). As far as I see - and correct me if I'm wrong - there's no way to create/manage roles/users through gs-webui. So, the tool in case would be gs-ui, but it is a graphical interface. When opening a local gs-ui application, I don't see a way to push configuration to remote servers. I can add locators to it, so I can see and manipulate spaces, processing units, etc, but in this case I am not controlling deployment and this kind of stuff. Only thing I'd need to do is to create this user in that XAP installation.

How would I do it? How can I manage such a thing using gs-ui? Maybe there's another tool?

Cheers, Pedro


Hi Pedro, The gs-ui has a built in directory manager for managing security users/roles for a file-based security implementation. This is a simple implementation for getting started purposes. Usually users will go for the Spring based Security manager which connects to a database, ldap, etc.

If you want to use the file-based security manager, you can specify users and roles through a local gs-ui application, and copy the file (.fsm) to each of the remote hosts where Spaces are to be loaded. The default location is <xap root>/security/gs-directory.fsm. There is also an option for a URL File Service.


Hey Shay, Well, thanks again. You rock.

Actually, while I was waiting for an answer to this question, I tried exactly what you suggested: generating the file locally and copying it to the servers. I also added a security.properties file which stipulates the property com.gs.security.fs.file-service.file-path, whose value is the location of the .fsm file.

It works. Deployment runs fine. But I'm seeing an exception thrown not for all the PUs I'm deploying, but for 2 of them ... here it is:

```
2016-10-21 09:59:46,946 sample_pu.1 [2] WARNING [org.openspaces.admin.internal.space.DefaultSpace] - Failed to get runtime information; Caused by: com.gigaspaces.security.AuthenticationException: No authentication details were supplied
    at org.openspaces.admin.internal.admin.DefaultAdmin.login(DefaultAdmin.java:344)
    at org.openspaces.admin.internal.space.DefaultSpaceInstance.getIJSpace(DefaultSpaceInstance.java:341)
    at org.openspaces.admin.internal.space.DefaultSpaceInstance.getPlatformLogicalVersion(DefaultSpaceInstance.java:606)
    at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher$1.run(DefaultSpace.java:639)
    at org.openspaces.admin.internal.admin.DefaultAdmin.scheduleNonBlockingStateChange(DefaultAdmin.java:771)
    at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher.run(DefaultSpace.java:636)
    at org.openspaces.admin.internal.admin.DefaultAdmin$LoggerRunnable.run(DefaultAdmin.java:2093)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
```

It talks about a DefaultAdmin, and the problem is related to the authentication ... but I am deploying a ZIP file passing the -user and -password parameters, as well as -secured true (that wouldn't even be necessary, since I'm providing the credentials). What would this issue be related to? Any thoughts on that one? Thanks in advance!

( 2016-10-22 14:54:34 -0600 )

You should provide user credentials when constructing the Admin via AdminFactory.

( 2016-10-22 17:30:38 -0600 )

Hum, not sure I got it. In reality, I am deploying a bundle (zip) with all my PUs packaged. I am using a non-interactive approach, from a start script, and the command is:

```
gs.sh -user <myuser> -password <mypwd> deploy-application -user <myuser> -password <mypwd> -secure true <my_zip.zip>
```

I tried both with and without the first '-user/-password' pair, same result always. Because of this approach I'm taking, I am not able to visualize where this 'Admin via AdminFactory' thing can be applied. I know there's a default admin/admin principal used to manage roles/users, but I don't believe this is the user that should go in the first pair, right? Sorry if the question is so simple; it is just because I am not visualizing the solution at this point. Can you please give some further clarification on this Admin stuff? Thanks, Shay!

( 2016-10-22 18:22:02 -0600 )

What I meant by 'non-interactive' mode is that the deployment is happening via a script, where I use gs.sh to deploy a zip. Also, there is a typo in the command line I presented above: it is not 'secure = true', but 'secured = true'. I am using it right, I just put it wrong in the message. So, since I'm doing everything from a script, I'm not using the API to set anything, such as credentials, at the code level. That's why I got confused when you suggested setting the credentials when constructing the Admin via AdminFactory, because I'm not doing that at all. So, in this case, what should I do?

( 2016-10-24 06:32:23 -0600 )

Shay/guys, I think I understand it more clearly now, but still have no fix for the issue. In my understanding, now, the platform is started by invoking gs-agent.sh from a script. This will start the GSA which, in turn, manages the grid services. I am calling it this way:

```
${gs.home}/bin/gs-agent.sh gsa.global.lus 0 gsa.lus 1 gsa.gsc 1
```

GSA is started, then, without any security applied to it. Because of that, I have the impression that, any time the GSA wants to retrieve information from any PU, as it does not have authorization for it, I get an AuthenticationException. Makes sense?

The test I'd like to make now is to invoke gs-agent providing the security credentials. However, I could not make it work. I get all the connections to the LUS rejected. I am trying the same statement I used with gs.sh, passing the -user, -password and -secured parameters. It doesn't seem to be valid, it doesn't seem to be recognized (although gs-agent is just a wrapper around gs.sh).

So my questions would be:

• How to start GSA securely with a command I can embed into my own script, just as I did with gs.sh?
• From my script, is it possible to invoke gs.sh in an interactive way, so that the session is shared between commands?
• If only non-interactive mode is possible from my script, how can I start XAP and deploy the application, with security enabled in both?

Thanks, guys. I'm asking after a long time trying it out. Hope we can come up with a solution together!

Best regards, Pedro


startSecureSessionGrid.sh

```
./gs-agent.sh -secured true -user user -password pass gsa.global.lus 1 gsa.global.gsm 1 gsa.gsc 3
```

startSecureSessionSpace.sh

```
./gs.sh -user user -password pass deploy -cluster schema=partitioned-sync2backup total_members=3,1 -secured true -override-name mySpace -properties embed://dataGridName=mySpace ../deploy/templates/datagrid
```

deploySecureSessionSpace.sh

```
./gs.sh -user user -password pass pudeploy -secured true -user user -password pass ../examples/web/session/HttpSession.war
```

( 2016-10-24 15:45:34 -0600 )

Hi, jb. Thanks for your answer. I've been trying exactly the line you show under 'startSecureSessionGrid.sh'. But the thing is that, once I run it, I get the following:

```
2016-10-24 19:21:30,291 INFO [com.gigaspaces.start] - Starting ServiceGrid [user=root, command="services=GSA -secured true -user myuser -password mypwd gsa.global.lus 0 gsa.lus 1 gsa.gsc 1"]
2016-10-24 19:21:30,404 SEVERE [com.gigaspaces.start] - Error while booting system - ; Caused by: net.jini.config.ConfigurationException: Override 2: Line 1: expected fully qualified entry name, found '-secured'
    at net.jini.config.ConfigurationFile.oops(ConfigurationFile.java:2768)
    at net.jini.config.ConfigurationFile.access$100(ConfigurationFile.java:386)
    at net.jini.config.ConfigurationFile$Parser.oops(ConfigurationFile.java:1743)
    at net.jini.config.ConfigurationFile$Parser.syntax(ConfigurationFile.java:1715)
    at net.jini.config.ConfigurationFile$Parser.parseOverride(ConfigurationFile.java:1425)
    at net.jini.config.ConfigurationFile$Parser.<init>(ConfigurationFile.java:1247)
    at net.jini.config.ConfigurationFile.<init>(ConfigurationFile.java:1813)
    at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:256)
    at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:142)
    at com.gigaspaces.start.SystemConfig.<init>(SystemConfig.java:202)
    at com.gigaspaces.start.SystemConfig.getInstance(SystemConfig.java:257)
    at com.gigaspaces.start.SystemBoot.main(SystemBoot.java:318)
```

When I add the same parameters at the end of the string, the exception goes away, but then I see many connection attempts to the LUS refused and nothing is even started.

Any ideas? Have you ever faced this issue before?

( 2016-10-24 21:01:58 -0600 )

Pedro

Let me have a look at it today; I haven't used it with more recent versions. Are you using v11 or v12?

( 2016-10-25 07:52:51 -0600 )

Actually, we've been using 10.1 ... for a long time. Right now, we've just started jumping from this old version to 12, but it is still at the beginning. While this doesn't happen, I'm still on 10.1. Are these commands you've suggested for 12? I can give it a try as well, but I'm afraid that, if it doesn't work for 10.1, the things I've been doing will get blocked until I can use XAP 12 officially. :( By the way, thank you very much for the support!

( 2016-10-25 08:09:45 -0600 )

Okay, I will test with 10.1. I asked only because I think I wrote those commands for 9.5.

( 2016-10-25 08:12:49 -0600 )

Hi Pedro, I will try to guide you with some easy steps to get you started, because I see some confusion.

1. Launch gs-ui.sh and, under Security > Manage Security, sign in using admin/admin with the default configuration. This will allow you to set up an initial user. For example, Create-new-user, User Name = foo, Password = bar. Make sure the user has the following Permissions checked: Monitor JVM, Monitor PU, Provision PU. Hit Create. You should see the user foo and its Permissions in the table. Close this window. This should create a file named gs-directory.fsm under the <xap root>/security folder.

2. Edit setenv.sh and add -Dcom.gs.security.enabled=true to the EXT_JAVA_OPTIONS to be passed to each component.

3. Launch gs-agent.sh, for example with gsa.global.lus 0 gsa.lus 1 gsa.gsc 1. When it loads, you should see "Security enabled for grid" in each grid component log file. This means that the property has been applied to each of the components loaded by the gs-agent.

4. Deploy using the CLI:

```
./gs.sh -user foo -password bar deploy-application -timeout 300000 -deploy-timeout 300000 /Users/me/tmp/myapp
```

The -user/-password refer to a user which has "deploy" permissions (Provision PU).

This should deploy your application to the Grid.

Note: if you also have Space permissions (e.g. write/read), then you also need to add the -user/-password after deploy-application. If your Space is not secured, you don't need these. For example:

It can be the same user/password; it depends on the permissions. Not all Space users have grid permissions.

You can also find a reference example here: http://docs.gigaspaces.com/xap120sec/...

Hope this helps.

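As an added example (not code from the thread or from GigaSpaces), a POSIX shell pre-flight check for the file-based setup described in the steps above: it verifies that the .fsm named in security.properties exists, that setenv.sh carries -Dcom.gs.security.enabled=true, that every component log shows "Security enabled for grid", and that no log shows the "No authentication details were supplied" exception from earlier in the thread. The locations of security.properties and setenv.sh under <xap root> are assumptions passed in as arguments, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. check_security_setup PROPS SETENV LOGDIR
# returns the number of problems found (0 = clean) and prints each finding.
check_security_setup() {
  props=$1; setenv=$2; logdir=$3; problems=0
  # 1. the file-based service must point at an existing .fsm file
  fsm=$(sed -n 's/^com\.gs\.security\.fs\.file-service\.file-path=//p' "$props" 2>/dev/null)
  if [ -z "$fsm" ] || [ ! -f "$fsm" ]; then
    echo "PROBLEM: file-path unset or .fsm missing: '$fsm'"; problems=$((problems + 1))
  fi
  # 2. security must be switched on for every component started by the agent
  if ! grep -q 'EXT_JAVA_OPTIONS=.*-Dcom\.gs\.security\.enabled=true' "$setenv"; then
    echo "PROBLEM: -Dcom.gs.security.enabled=true not in EXT_JAVA_OPTIONS"; problems=$((problems + 1))
  fi
  # 3. each component log should confirm it, and none should show an
  #    Admin/PU reaching a secured space without credentials
  for log in "$logdir"/*.log; do
    if ! grep -q 'Security enabled for grid' "$log"; then
      echo "PROBLEM: $log: component started without security"; problems=$((problems + 1))
    fi
    if grep -q 'No authentication details were supplied' "$log"; then
      echo "PROBLEM: $log: unauthenticated access to a secured space"; problems=$((problems + 1))
    fi
  done
  echo "problems=$problems"
  return "$problems"
}

# make_fixture DIR: constructed sample tree (not real XAP output) with one GSC
# started without security and one PU logging the exception from the thread.
make_fixture() {
  d=$1; mkdir -p "$d/security" "$d/bin" "$d/logs"
  : > "$d/security/gs-directory.fsm"
  echo "com.gs.security.fs.file-service.file-path=$d/security/gs-directory.fsm" > "$d/security/security.properties"
  echo 'export EXT_JAVA_OPTIONS="-Dcom.gs.security.enabled=true"' > "$d/bin/setenv.sh"
  echo 'INFO [com.gigaspaces.start] - Security enabled for grid' > "$d/logs/gsa.log"
  echo 'INFO [com.gigaspaces.start] - Starting ServiceGrid' > "$d/logs/gsc_1.log"
  printf '%s\n%s\n' 'INFO [com.gigaspaces.start] - Security enabled for grid' \
    'WARNING [org.openspaces.admin.internal.space.DefaultSpace] - Failed to get runtime information; Caused by: com.gigaspaces.security.AuthenticationException: No authentication details were supplied' \
    > "$d/logs/sample_pu.1.log"
}

# Run with --demo to see the two findings for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_fixture "$tmp"
  check_security_setup "$tmp/security/security.properties" "$tmp/bin/setenv.sh" "$tmp/logs" || true
  rm -rf "$tmp"
fi
```

On a real host, point the three arguments at the security.properties, setenv.sh and log directory of that XAP installation and run it after gs-agent.sh has come up.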

Hi Meron, thanks for the answer. Actually, your steps are quite clear to me. I have done everything you said. And, in terms of the application itself, it is deployed. I can reach the web apps, use the clients to consume the services the app provides, etc. What I was concerned about, and this was the reason for the post, is that, during deployment, for some of the PUs, I see the authentication exception being thrown whenever the platform tries to read some metadata from the spaces. See this:

It doesn't happen to all processing units, just to 2 of them. Then I was wondering about this default admin, and how I could set the authorities for this user in such a way that it is able to read the information it needs from the space. It seems to be something the platform does, and it has no side effect on my application ... I just wanted to make sure this is the case and whether it is possible to fix this issue. If, for example, the grid service trying to reach one of the spaces to read some metadata is the GSA, I could launch the grid services with security enabled AND an explicitly defined principal, this principal being one that has permissions to monitor the JVM, deploy, etc., just as you described.

Makes sense? Or am I misunderstanding the platform in some way? Do you see my point? The platform seems to be unable to reach some of my spaces, due to the lack of authorization. I just wanted to fix this.

( 2016-10-25 13:29:29 -0600 )

Hi, I am not sure how your PUs are configured. Make sure your PU has credentials to access the Space. See http://docs.gigaspaces.com/xap120sec/...

If this still doesn't work I suggest you run the example that I referenced and see if this still happens.

( 2016-10-26 04:19:18 -0600 )