Monday, January 1, 2018

Configure Hawtio in JBoss domain mode

These are the steps to configure Hawtio in JBoss EAP 6:
  • Create a Management user
  • Configure JBoss security
  • Disable JBoss logging subsystem
  • Test
This was tested with JBoss EAP 6.2, Hawtio 1.4.9 and Java 7 (Java 7 is the reason for not using the latest Hawtio release).

Create a Management user

The user who accesses the hawtio console must provide valid credentials and must have a specific role (group) associated.

Use the add-user.sh script to create a Management user, in this case 'hawtio'. This user will belong to the 'roleHawtio' group.
[root@jboss01 bin]# ./add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : hawtio
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: roleHawtio
About to add user 'hawtio' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'hawtio' to file '/opt/jboss-eap-6.2-dc/standalone/configuration/mgmt-users.properties'
Added user 'hawtio' to file '/opt/jboss-eap-6.2-dc/domain/configuration/mgmt-users.properties'
Added user 'hawtio' with groups roleHawtio to file '/opt/jboss-eap-6.2-dc/standalone/configuration/mgmt-groups.properties'
Added user 'hawtio' with groups roleHawtio to file '/opt/jboss-eap-6.2-dc/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
[root@jboss01 bin]#

After the command has run, replicate the mgmt-users.properties and mgmt-groups.properties files to all nodes of your domain.

Configure JBoss security

In the domain.xml file, add the following system properties (the complete list of available configuration properties is in this link):
<system-properties>
 <property name="java.net.preferIPv4Stack" value="true"/>
 <property name="hawtio.authenticationEnabled" value="true"/>
 <property name="hawtio.offline" value="true"/>
 <property name="hawtio.realm" value="hawtio-domain"/>
 <property name="hawtio.role" value="roleHawtio" />
</system-properties>

The hawtio.realm property references hawtio-domain, so you need to configure this security domain in the JBoss security subsystem.
<subsystem xmlns="urn:jboss:domain:security:1.2">
 <security-domains>
  
  (...)
  
  <security-domain name="hawtio-domain" cache-type="default">
   <authentication>
    <login-module code="RealmDirect" flag="required">
     <module-option name="realm" value="ManagementRealm"/>
    </login-module>
   </authentication>
  </security-domain>
 </security-domains>
</subsystem>

It is very important to keep in mind that you need to replicate this configuration in every profile of the domain.xml file.
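A quick way to check that the security domain really is present in every profile, and that authentication is enabled, is to parse domain.xml and list what is missing. This is an added example, not part of the original post; the function names and the two-profile sample document (including its urn:jboss:domain:1.5 namespace) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): a cut-down domain.xml with two
# profiles; "ha" lacks hawtio-domain. The domain namespace version is assumed.
SAMPLE_DOMAIN_XML = """<domain xmlns="urn:jboss:domain:1.5">
 <system-properties>
  <property name="hawtio.authenticationEnabled" value="true"/>
  <property name="hawtio.realm" value="hawtio-domain"/>
  <property name="hawtio.role" value="roleHawtio"/>
 </system-properties>
 <profiles>
  <profile name="default">
   <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
    <security-domain name="hawtio-domain" cache-type="default"/>
   </security-domains></subsystem>
  </profile>
  <profile name="ha">
   <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
    <security-domain name="other" cache-type="default"/>
   </security-domains></subsystem>
  </profile>
 </profiles>
</domain>"""

def local(tag):
    """Drop the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit_hawtio(domain_xml):
    """Return a list of findings; an empty list means the config is consistent."""
    root = ET.fromstring(domain_xml)
    props = {p.get("name"): p.get("value")
             for sp in root if local(sp.tag) == "system-properties" for p in sp}
    findings = []
    if props.get("hawtio.authenticationEnabled") != "true":
        findings.append("hawtio.authenticationEnabled is not 'true'")
    for key in ("hawtio.realm", "hawtio.role"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    realm = props.get("hawtio.realm")
    for profile in (e for e in root.iter() if local(e.tag) == "profile"):
        domains = {d.get("name") for d in profile.iter()
                   if local(d.tag) == "security-domain"}
        if realm and realm not in domains:
            findings.append(f"profile '{profile.get('name')}' lacks security domain '{realm}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_hawtio(SAMPLE_DOMAIN_XML)) or "OK")
```

To audit a real installation, pass the contents of your own domain.xml to audit_hawtio() instead of the sample string.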

Disable JBoss logging subsystem

If you are like me and you think that the JBoss logging subsystem is a pain in the ass, you would probably like to disable it. Luckily it's very easy: just open the hawtio WAR and add the following jboss-deployment-structure.xml file to the META-INF folder:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
 <deployment>  
  <exclude-subsystems>
   <subsystem name="logging" />  
  </exclude-subsystems>

  <exclusions>
   <module name="org.apache.log4j" />
   <module name="org.slf4j" />
   <module name="org.log4j" />
   <module name="org.jboss.logging" />
  </exclusions>
 </deployment>
</jboss-deployment-structure>

Test

Once these changes are done, you can deploy the hawtio WAR in your domain. You should then see the following log trace, where you can check the parameters you specified before:
[Server:spre-segjava-1] 14:47:45,269 INFO  [stdout] (ServerService Thread Pool -- 77) INFO  | ServerService Thread Pool -- 77 | Starting hawtio authentication filter, JAAS realm: "hawtio-domain" authorized role: "roleHawtio" role principal classes: ""

If you try to access http://[host]/hawtio/ you will be redirected to the login page, where you just need to use the credentials created in the first step.


