
How to add users using file-based strategy in PAM/DM 7.12

Blog: Drools & jBPM Blog

Issue Identified:

Custom users/roles are not created in RHPAM 7.12.1/EAP 7.4.1.

Sample of invalid user.xml:

<?xml version="1.0" ?>
<identity xmlns="urn:elytron:1.0">
    <attributes>
        <name="roles" value="kie-server"></attribute>
        <attribute name="roles" value="rest-all"></attribute>
        <attribute name="roles" value="admin"></attribute>
        <attribute name="roles" value="kiemgmt"></attribute>
        <attribute name="roles" value="Administrators"></attribute>
        <attribute name="roles" value="user"></attribute>
    </attributes></identity>

Error in logs:

23:35:20,692 ERROR [org.jboss.as.controller.management-operation] (CLI command executor) WFLYCTL0013: Operation ("set-password") failed - address: ( ("subsystem" => "elytron"), ("filesystem-realm" => "ApplicationRealm") ) - failure description: "WFLYCTL0216: Management resource '[
("subsystem" => "elytron"),
("filesystem-realm" => "ApplicationRealm")
]' not found"
The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-11
Operation: /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=pamAdmin, clear={password='testAdmin'})
Failure: WFLYCTL0216: Management resource ' ("subsystem" => "elytron"), ("filesystem-realm" => "ApplicationRealm") ' not found

Warning in logs:

23:36:18,734 WARN [org.jboss.modules.define] (ServerService Thread Pool -- 86) Failed to define class org.jboss.resteasy.microprofile.config.ServletConfigSourceImpl in Module "org.jboss.resteasy.resteasy-jaxrs" version 3.15.1.Final-redhat-00001 from local module loader @21edd891 (finder: local module finder @de579ff (roots: /opt/eap/modules,/opt/eap/modules/system/layers/openshift,/opt/eap/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.4.1.CP,/opt/eap/modules/system/layers/base,/opt/eap/modules/system/add-ons/keycloak)): java.lang.NoClassDefFoundError: Failed to link org/jboss/resteasy/microprofile/config/ServletConfigSourceImpl (Module "org.jboss.resteasy.resteasy-jaxrs" version 3.15.1.Final-redhat-00001 from local module loader @21edd891 (finder: local module finder @de579ff (roots: /opt/eap/modules,/opt/eap/modules/system/layers/openshift,/opt/eap/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.4.1.CP,/opt/eap/modules/system/layers/base,/opt/eap/modules/system/add-ons/keycloak))): org/eclipse/microprofile/config/spi/ConfigSource
at java.base/java.lang.ClassLoader.defineClass1(Native Method)

Other errors if an invalid user/roles properties file is provided:

sh-4.4$ /opt/eap/bin/elytron-tool.sh filesystem-realm --users-file /home/jboss/custom/application-users.properties --roles-file /home/jboss/custom/application-roles.properties --output-location /opt/eap/standalone/configuration/kie-fs-realm-users --filesystem-realm-name kie-fs-realmusers --debug
WARNING: No roles were found for user
WARNING: Roles were found for user , but user  was not defined.
WARNING: No roles were found for user
Exception encountered executing the command:
java.lang.IndexOutOfBoundsException
        at java.base/java.lang.Character.offsetByCodePoints(Character.java:8699)

WARNING: No password was found for user
WARNING: No roles were found for user
WARNING: No roles were found for user
Exception encountered executing the command:
java.lang.IndexOutOfBoundsException

Solution

The following steps will help resolve the above issues:

STEP 1/5: FROM registry.redhat.io/rhpam-7/rhpam-kieserver-rhel8:7.12.1-3
STEP 2/5: COPY jboss-eap-7.4.4-patch.zip /tmp/jboss-eap-7.4.4-patch.zip
--> Using cache f9926b6ad308871c77bf3f1e650104f1c64f249b487613e4181d8e1e9ca9cd07
--> f9926b6ad30
STEP 3/5: USER root
--> Using cache 15639841591027c9db7a4056ea69b51252d72dac6a2704528533d5b0ce03496f
--> 15639841591
STEP 4/5: RUN $JBOSS_HOME/bin/jboss-cli.sh --command="patch apply /tmp/jboss-eap-7.4.4-patch.zip --override-modules" ; rm /tmp/jboss-eap-7.4.4-patch.zip
{
    "outcome" : "success",
    "result" : {}
}
STEP 5/5: USER 185
COMMIT image-registry.openshift-image-registry.svc:5000/op2/rhpam-kieserver-rhel8-custom:7.12.1-test
--> 85398f6feb7
Successfully tagged image-registry.openshift-image-registry.svc:5000/op2/rhpam-kieserver-rhel8-custom:7.12.1-test
85398f6feb78e1485f53a2ee154d20d33b2b7457a13325cfc9a928c7a7592ce3
[jboss@4c610ade4e51 eap]$ ls
JBossEULA.txt  LICENSE.txt  appclient  bin  docs  domain  jboss-modules.jar  jolokia.jar  migration  modules  standalone  version.txt  welcome-content
[jboss@4c610ade4e51 eap]$ more version.txt
Red Hat JBoss Enterprise Application Platform - Version 7.4.4.GA

Sample application-users.properties:

Sample application-roles.properties:

echo "START - enable-users"
# Generate the filesystem realm identity files from the users/roles properties files
/opt/eap/bin/elytron-tool.sh filesystem-realm --users-file /home/jboss/custom/application-users.properties --roles-file /home/jboss/custom/application-roles.properties --output-location /opt/kie/data/kie-fs-realm-users
# Rename the generated "roles" attribute to "role" in every identity file
find /opt/kie/data/kie-fs-realm-users -name '*.xml' -exec sed -i 's/<attribute name="roles"/<attribute name="role"/g' {} \;
echo "END - enable-users"

<?xml version="1.0" ?>
<identity xmlns="urn:elytron:1.0">
    <credentials>
        <password algorithm="digest-md5" format="base64">Ag9pbnRlZ3JhdGlvblVzZXIQQXBwbGljYXRpb25SZWFsbSjAetOv+11Kg3GFrzK+r98</password>
    </credentials>
    <attributes>
        <attribute name="role" value="kie-server"></attribute>
        <attribute name="role" value="rest-all"></attribute>
        <attribute name="role" value="admin"></attribute>
        <attribute name="role" value="kiemgmt"></attribute>
        <attribute name="role" value="Administrators"></attribute>
        <attribute name="role" value="user"></attribute>
    </attributes></identity>
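
The two samples on this page differ in two ways: the invalid file has no password credential and names its attributes "roles", while the valid file has a `<password>` element and "role" attributes. The script below is an added example, not part of the original post or of any Red Hat tooling, that audits a realm directory for those two defects; the function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag identity files that still have the defects shown in the
# invalid sample (no password credential, attribute named "roles").

# check_identity FILE: findings go to stderr; returns 0 only for a clean file.
check_identity() {
    f=$1; rc=0
    grep -q '<password ' "$f" || { echo "$f: no <password> credential" >&2; rc=1; }
    if grep -q '<attribute name="roles"' "$f"; then
        echo "$f: attribute named \"roles\", expected \"role\"" >&2; rc=1
    fi
    grep -q '<attribute name="role"' "$f" || { echo "$f: no \"role\" attribute" >&2; rc=1; }
    return "$rc"
}

# audit_realm DIR: checks every *.xml under DIR and prints the count of bad files.
audit_realm() {
    bad=0; list=$(mktemp)
    find "$1" -type f -name '*.xml' >"$list"
    while IFS= read -r f; do
        check_identity "$f" || bad=$((bad + 1))
    done <"$list"
    rm -f "$list"
    echo "$bad"
}

# make_sample FILE ATTR WITH_PASSWORD: writes a constructed identity file
# (the password value is a placeholder, not a real digest).
make_sample() {
    {
        echo '<?xml version="1.0" ?>'
        echo '<identity xmlns="urn:elytron:1.0">'
        if [ "$3" = yes ]; then
            echo '    <credentials><password algorithm="digest-md5" format="base64">Q09OU1RSVUNURUQ=</password></credentials>'
        fi
        echo "    <attributes><attribute name=\"$2\" value=\"kie-server\"></attribute></attributes>"
        echo '</identity>'
    } >"$1"
}

# Demo on constructed files: one broken (as generated), one fixed.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/broken.xml" roles no
make_sample "$demo_dir/fixed.xml" role yes
echo "bad identity files: $(audit_realm "$demo_dir" 2>/dev/null)"
```

Against a real deployment, point `audit_realm` at the `--output-location` directory after the enable-users script has run; a non-zero count means some identities would still fail to load with their roles.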

Root Cause

RHPAM 7.12.1 paired with EAP 7.4.1 does not create a valid XML file for kie-fs-realm users/roles. Reference: Red Hat support case https://access.redhat.com/support/cases/#/case/03197932

The post How to add users using file-based strategy in PAM/DM 7.12 appeared first on KIE Community.
