Welcome to the new Gigaspaces XAP forum. To recover your account, please follow these instructions.

Ask Your Question
0

Create users/roles for remote XAP (deployed on a RHEL VM)

Hi, guys

I need to create a user to secure my processing units (authentication + safe communication) deployed in a remote server (a RHEL box). As far as I see - and correct me if I'm wrong - there's no way to create/manage roles/users through gs-webui. So, the tool in case would be gs-ui, but it is a graphical interface. When opening a local gs-ui application, I don't see a way to push configuration to remote servers. I can add locators to it, so I can see and manipulate spaces, processing units, etc, but in this case I am not controlling deployment and this kind of stuff. Only thing I'd need to do is to create this user in that XAP installation.

How would I do it? How can I manage such a thing using gs-ui? Maybe there's another tool?

Cheers, Pedro

asked 2016-10-20 08:08:30 -0500

pedro_brigatto gravatar image
edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by » oldest newest most voted
0

Hi Pedro, The gs-ui has a built in directory manager for managing security users/roles for a file-based security implementation. This is a simple implementation for getting started purposes. Usually users will go for the Spring based Security manager which connects to a database, ldap, etc.

If you want to use the file-based security manager, you can specify users and roles through a local gs-ui application, and copy the file (.fsm) to each of the remote hosts where Spaces are to be loaded. The default location is <xap root="">/security/gs-directory.fsm There is also an option for a URL File Service.

More information is available here:

answered 2016-10-22 14:17:07 -0500

shay hassidim gravatar image
edit flag offensive delete link more

Comments

Hey Shay, Well, thanks again.You rock.

Actually, while I was waiting for an answer to this question, I've tried exactly what you've suggested: generating the file locally and copying it to the servers. I also added a security.properties file which estipulates the property com.gs.security.fs.file-service.file-path, which value is the location of the .fsm file.

It works. Deployment runs fine. But I'm seeing an exception thrown not to all the PUs I'm deploying, but 2 of them ... here it is:

2016-10-21 09:59:46,946 sample_pu.1 [2] WARNING [org.openspaces.admin.internal.space.DefaultSpace] - Failed to get runtime information; Caused by: com.gigaspaces.security.AuthenticationException: No authentication details were supplied at org.openspaces.admin.internal.admin.DefaultAdmin.login(DefaultAdmin.java:344) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getIJSpace(DefaultSpaceInstance.java:341) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getPlatformLogicalVersion(DefaultSpaceInstance.java:606) at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher$1.run(DefaultSpace.java:639) at org.openspaces.admin.internal.admin.DefaultAdmin.scheduleNonBlockingStateChange(DefaultAdmin.java:771) at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher.run(DefaultSpace.java:636) at org.openspaces.admin.internal.admin.DefaultAdmin$LoggerRunnable.run(DefaultAdmin.java:2093) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)

It talks about a DefaultAdmin, and the problem is related to the authentication ... but I am deploying a ZIP file passing -user and -password parameters, as well as the -secured true (that wouldn't even be necessary, once I'm informing the credentials).

What would be this issue related to? Any thoughts on that one?

Thanks in advance!

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-22 14:54:34 -0500 )edit

You should provide user credentials when constructing the Admin via AdminFactory.

shay hassidim gravatar imageshay hassidim ( 2016-10-22 17:30:38 -0500 )edit

Hum, not sure I got it. In reality, I am deploying a bundle (zip) with all my PUs packaged. I am using a non-interactive approach, from a start script, and the command is: gs.sh -user <myuser> -password <mypwd> deploy-application -user <myuser> -password <mypwd> -secure true <my_zip.zip> I tried both with and without the first '-user/-password' pair, same result always. Because of this approach I'm taking, I am not able to visualize where this 'Admin via AdminFactory' thing can be applied. I know there's a default admin/admin principal used to manage roles/users, but I don't believe this is the user that should go in the first pair, right?

Sorry if the question is so simple, it is just because I am not visualizing the solution at this point. Can you please give some further clarification on this Admin stuff?

Thanks, Shay!

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-22 18:22:02 -0500 )edit

What I meant by 'non-interactive' mode is that the deployment is happening via a script, where I use gs.sh to deploy a zip. Also, there is a typo in the command line I presented above: it is not 'secure = true', but 'secured = true'. I am using it right, just put it wrong in the message. So, once I'm doing all from a script, I'm not using the API to set anything, such as credentials, in the code level. That's why I got confused when you suggested setting the credentials when constructing the Admin via Admin Factory, because I'm not doing it at all. So, in this case, what should I do?

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-24 06:32:23 -0500 )edit
add a comment
0

Shay/guys, I think I understand it more clearly now, but still have no fix to the issue. In my understanding, now, the platform is started by invoking, from a script, the gs-agent.sh. This will start the GSA which, in turn, manages the grid services. I am calling it this way:

${gs.home}/bin/gs-agent.sh gsa.global.lus 0 gsa.lus 1 gsa.gsc 1

GSA is started, then, without any security applied to it. Because of that, I have the impression that, any time GSA wants to retrieve any information from any PU, as it does not have authorization to it, I get an AuthenticationException. Makes sense?

The test I'd like to make now is to invoke gs-agent providing the security credentials. However, I could not make it. I get all the connections to the LUS rejected. I am trying the same statement I used to gs.sh, passing -user, -password, -secured parameters. Doesn't seem to be valid, doesn't seem to be recognized (although gs-agent is just a wrapper to gs.sh).

So my questions would be:

  • How to start GSA securely with a command I can embed into my own script, just as I did with gs.sh?
  • From my script, is it possible to invoke gs.sh in an interactive way, so that the session is shared between commands?
  • If only non-interactive mode is possible from my script, how can I start XAP and deploy the application, with security enabled in both?

Thanks, guys. I'm asking after a long time trying it out. Hope we can come with a solution together!

Best regards, Pedro

answered 2016-10-24 15:29:48 -0500

pedro_brigatto gravatar image
edit flag offensive delete link more

Comments

startSecureSessionGrid.sh

./gs-agent.sh -secured true -user user -password pass gsa.global.lus 1 gsa.global.gsm 1 gsa.gsc 3

startSecureSessionSpace.sh

./gs.sh -user user -password pass deploy -cluster schema=partitioned-sync2backup total_members=3,1 -secured true -override-name mySpace -properties embed://dataGridName=mySpace ../deploy/templates/datagrid

deploySecureSessionSpace.sh

./gs.sh -user user -password pass pudeploy -secured true -user user -password pass ../examples/web/session/HttpSession.war

jb gravatar imagejb ( 2016-10-24 15:45:34 -0500 )edit

Hi, jb. Thanks for your answer. I've been trying exactly the line you show under 'startSecureSessionGrid.sh'. But the thing is that, once I run it, I get the following:

2016-10-24 19:21:30,291 INFO [com.gigaspaces.start] - Starting ServiceGrid [user=root, command="services=GSA -secured true -user myuser -password mypwd gsa.global.lus 0 gsa.lus 1 gsa.gsc 1"] 2016-10-24 19:21:30,404 SEVERE [com.gigaspaces.start] - Error while booting system - ; Caused by: net.jini.config.ConfigurationException: Override 2: Line 1: expected fully qualified entry name, found '-secured' at net.jini.config.ConfigurationFile.oops(ConfigurationFile.java:2768) at net.jini.config.ConfigurationFile.access$100(ConfigurationFile.java:386) at net.jini.config.ConfigurationFile$Parser.oops(ConfigurationFile.java:1743) at net.jini.config.ConfigurationFile$Parser.syntax(ConfigurationFile.java:1715) at net.jini.config.ConfigurationFile$Parser.parseOverride(ConfigurationFile.java:1425) at net.jini.config.ConfigurationFile$Parser.<init>(ConfigurationFile.java:1247) at net.jini.config.ConfigurationFile.<init>(ConfigurationFile.java:1813) at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:256) at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:142) at com.gigaspaces.start.SystemConfig.<init>(SystemConfig.java:202) at com.gigaspaces.start.SystemConfig.getInstance(SystemConfig.java:257) at com.gigaspaces.start.SystemBoot.main(SystemBoot.java:318)

When I add the same parameters in the end of the string, the exception goes away, but then I see many connection attempts to LUS refused and nothing is even started.

Any ideas? Have you ever faced this issue before?

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-24 21:01:58 -0500 )edit

Pedro

Let me have a look at it today, I haven't used it with more recent versions. Are you using v11 or v12?

jb gravatar imagejb ( 2016-10-25 07:52:51 -0500 )edit

Actually, we've been using 10.1 ... for a long time. Right now, we've just started jumping from this old version to 12, but it is still in the beginning. While this doesn't happen, I'm still on 10.1. These commands you've suggested are for 12? I can give it a try as well, but I'm afraid that, if it doesn't work for 10.1, things I've been doing will get blocked until I can use XAP 12 officially. :( By the way, thank you very much for the support!

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-25 08:09:45 -0500 )edit

okay, I will test with 10.1. I asked only because I think I wrote those commands for 9.5

jb gravatar imagejb ( 2016-10-25 08:12:49 -0500 )edit
see more comments
0

Hi Pedro, I will try to guide you with some easy steps to get you started, because I see some confusion.

  1. launch gs-ui.sh and under Security > Manage Security sign-in using admin/admin with the default configuration. This will allow you to setup an initial user. For example Create-new-user, User Name = foo, Password = bar. Make sure the user has the following Permissions checked: Monitor JVM, Monitor PU, Provision PU. Hit Create. You should see the user foo and Permissions in the table. Close this window. This should create a file named gs-directory.fsm under <xap root="">/security folder.

  2. edit setenv.sh and add -Dcom.gs.security.enabled=true to the EXT_JAVA_OPTIONS to be passed to each component.

  3. launch gs-agent.sh for example with gsa.global.lus 0 gsa.lus 1 gsa.gsc 1 When it loads, you should see "Security enabled for grid" in each grid component log file. This means that the property has been applied to each of the components loaded by the gs-agent

  4. deploy using the cli ./gs.sh -user foo -password bar deploy-application -timeout 300000 -deploy-timeout 300000 /Users/me/tmp/myapp

The -user/-password refer to a user which has "deploy" permissions (Provision PU).

This should deploy your application to the Grid.

Note, if you also have Space permissions (e.g. write/read) then you also need to add the -user/-password after deploy-application. If your Space is not secured, you don't need these. For example:

./gs.sh -user foo -password bar deploy-application -user aaaa -password 1234 /Users/me/tmp/myapp

It can be the same user/password - depends on the permissions. Not all Space users have grid permissions.

You can also find a reference example here: http://docs.gigaspaces.com/xap120sec/...

Hope this helps.

answered 2016-10-25 13:16:42 -0500

Meron gravatar image
edit flag offensive delete link more

Comments

Hi Meron, thanks for the answer. Actually, your steps are quite clear to me. I have done everything you said. And, in terms of the application itself, it is deployed. I can reach the web apps, use the clients to consume the services the app provides, etc. What I was concerned about, and this was the reason to the post, is that, during deployment, for some of the PUs, I see the authentication exception being thrown, whenever the platform tries to read some metadata from the spaces. See this:

com.gigaspaces.security.AuthenticationException: No authentication details were supplied at org.openspaces.admin.internal.admin.DefaultAdmin.login(DefaultAdmin.java:344) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getIJSpace(DefaultSpaceInstance.java:341) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getPlatformLogicalVersion(DefaultSpaceInstance.java:606)

It doesn't happen to all processing units, just to 2 of them. Then I was wondering about this default admin, and how I could set the authorities to this user in such a way that it is able to read the information it needs from the space. It seems to be something the platform does, and it has no side effect to my application ... I just wanted to make sure it is the case and if it is possible to fix this issue. If, for example the grid service trying to reach one of the spaces to read some metadata is the GSA, I could launch the grid services with security enabled AND a principal, explicitly defined, being this principal one that has permissions to monitor the JVM, deploy, etc etc, just as you described.

Makes sense? Or I am misunderstanding the platform in some way? Do you see my point? The platform seems to be unable to reach some of my spaces, due to the lack of authorization. I just wanted to fix this.

pedro_brigatto gravatar imagepedro_brigatto ( 2016-10-25 13:29:29 -0500 )edit

Hi, I am not sure how your PUs are configured. Make sure your PU has credentials to access the Space. See http://docs.gigaspaces.com/xap120sec/...

If this still doesn't work I suggest you run the example that I referenced and see if this still happens.

Meron gravatar imageMeron ( 2016-10-26 04:19:18 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2016-10-20 08:08:30 -0500

Seen: 296 times

Last updated: Oct 25 '16

Related questions

Setting Webster Http port

Gigaspaces ports required

what does write() do exactly

Local View questions

Does Gigaspaces Xap10.1 support Java 8?

Xap9.1 Excel Viewer

Memory footprint

Gigaspaces Classloader order

argument type mismatch exception

Remote connect to space (URL)

Copyright GigaSpaces, Inc. Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | help | privacy policy | give feedback
Powered by Askbot version 0.7.58