GLASSFISH-14860

create-file-user should allow specifying target

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.1
    • Fix Version/s: 4.1
    • Component/s: security
    • Labels:
      None
    • Environment:

      all platform

      Description

      list-file-users and delete-file-user take in a target, but create-file-user doesn't.

      Usage: asadmin [asadmin-utility-options] create-file-user
      [--groups user_groups[:user_groups]*] [--authrealmname <authrealm_name>]
      [?|-help[=<help(default:false)>]] username

      Without being able to specify the target during creation, it seems this user is created for EVERY instance.
      Here is what I see:

      %asadmin create-file-user --authrealmname file userABC

      Command create-file-user executed successfully.

      %asadmin list-file-users --authrealmname file server
      userABC
      Command list-file-users executed successfully.

      %asadmin list-file-users --authrealmname file instance-1
      userABC
      Command list-file-users executed successfully.

      Besides missing the target option, list and delete don't take in a config name as target.
      %asadmin list-file-users --authrealmname file sever-config
      org.glassfish.api.admin.CommandException: remote failure: Unable to find a valid target with name sever-config
      Command list-file-users failed.
      This doesn't sound right since any security realm is based on configuration, so it should take in config name as target as well.

      GUI issues (GLASSFISH-14797) and (GLASSFISH-14770) depend on this bug fix. We want the following to happen:

      1. add 'target' as an option for create-file-user (blocks GLASSFISH-14770)
      2. config name should be a valid target. (blocks GLASSFISH-14797)

          Activity

          kumarjayanti added a comment -

          Note: create-file-user and delete-file-user already support a --target option. It has to be a --target since the username is the operand for these commands and this is not any different from V2.

          Added CONFIG as a target type.

          Note: When dealing with create-file-user and delete-file-user you really need to look at what the property

          <property value="${com.sun.aas.instanceRoot}/config/keyfile" name="file" />

          is pointing to. For example, the same property above appears in default-config and server-config. So if you do create-file-user with one config and do list-file-users with another config, you might see the new user under the second config if they share the same keyfile. This is not a bug in security.
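
The shared-keyfile situation described in the comment above can be checked directly against domain.xml. This is an added example, not part of the original comment or the GlassFish code base; it compares the unexpanded property value as written in the file. Assumptions: the sample XML is constructed, cluster1-config and its keyfile path are hypothetical, and the config / security-service / auth-realm / property layout is taken to match a GlassFish 3.x domain.xml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not from the issue): a trimmed domain.xml. The
# cluster1-config entry and its keyfile path are hypothetical.
SAMPLE_DOMAIN_XML = """
<domain>
 <configs>
  <config name="server-config"><security-service>
   <auth-realm name="file"
     classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
    <property value="${com.sun.aas.instanceRoot}/config/keyfile" name="file"/>
   </auth-realm>
  </security-service></config>
  <config name="default-config"><security-service>
   <auth-realm name="file"
     classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
    <property value="${com.sun.aas.instanceRoot}/config/keyfile" name="file"/>
   </auth-realm>
  </security-service></config>
  <config name="cluster1-config"><security-service>
   <auth-realm name="file"
     classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
    <property value="${com.sun.aas.instanceRoot}/config/cluster1-keyfile" name="file"/>
   </auth-realm>
  </security-service></config>
 </configs>
</domain>
"""

def keyfile_map(domain_xml):
    """Map (realm name, unexpanded keyfile value) -> configs that use it."""
    usage = defaultdict(list)
    for config in ET.fromstring(domain_xml).iter("config"):
        for realm in config.iter("auth-realm"):
            if not realm.get("classname", "").endswith(".FileRealm"):
                continue  # only file realms keep users in a keyfile
            for prop in realm.findall("property"):
                if prop.get("name") == "file":
                    key = (realm.get("name"), prop.get("value"))
                    usage[key].append(config.get("name"))
    return {key: sorted(names) for key, names in usage.items()}

def shared_keyfiles(domain_xml):
    """Keep only keyfiles referenced by more than one config: a user created
    with --target on one of these configs may be listed under the others."""
    return {k: v for k, v in keyfile_map(domain_xml).items() if len(v) > 1}

if __name__ == "__main__":
    for (realm, path), configs in shared_keyfiles(SAMPLE_DOMAIN_XML).items():
        print(f"realm '{realm}' keyfile {path} is shared by: {', '.join(configs)}")
```
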

          kumarjayanti added a comment -

          fixed

          Anissa Lam added a comment -

          I have to reopen this issue.
          I don't see a target option for create-file-user with the latest nightly build 12/18.

          Usage: asadmin [asadmin-utility-options] create-file-user
          [--groups user_groups[:user_groups]*] [--authrealmname <authrealm_name>]
          [?|-help[=<help(default:false)>]] username
          Command create-file-user failed.

          Anissa Lam added a comment -

          Raising the issue. This has to be fixed for 3.1

          kumarjayanti added a comment -

          ------------------
          %asadmin list-file-users --authrealmname file sever-config
          org.glassfish.api.admin.CommandException: remote failure: Unable to find a valid target with name sever-config
          Command list-file-users failed.
          This doesn't sound right since any security realm is based on configuration, so it should take in config name as target as well.
          -------------------

          This command above is giving a bogus config as argument and hence the failure is correct. I think you misspelled server-config as sever-config.

          ---------here is the output for right config------
          ./asadmin list-file-users --authrealmname file server-config
          test1
          test
          Command list-file-users executed successfully.
          -------------------------------------------

          Same issue with delete-file-users

          -------------------
          $ ./asadmin delete-file-user --authrealmname file --target server-config test1
          Command delete-file-user executed successfully.
          $ ./asadmin list-file-users --authrealmname file server-config
          test
          Command list-file-users executed successfully.
          --------------------

          And create-file-users does accept a --target option :

          ---------------------------------
          $ ./asadmin create-file-user --authrealmname file --target server-config test2
          Enter the user password>
          Enter the user password again>
          Command create-file-user executed successfully.
          $ ./asadmin list-file-users --authrealmname file server-config
          test2
          test
          Command list-file-users executed successfully.

          ----------------------------------

          And here is the output of create-file-user --help (it does show the --target option in the help and a config is acceptable as an argument).

          $ ./asadmin create-file-user --help

          asadmin Utility Subcommands create-file-user(1)

          NAME
          create-file-user - creates a new file user

          SYNOPSIS
          create-file-user[--help] [--authrealmname auth_realm_name]
          [--target target
          [--groups user_groups[:user_groups]*] user_name

          DESCRIPTION
          The create-file-user subcommand creates an entry in the keyfile
          with the specified username, password, and groups. Multiple
          groups can be created by separating them with a colon (:).
          If auth_realm_name is not specified, an entry is
          created in the keyfile for the default realm. If
          auth_realm_name is specified, an entry is created in the
          keyfile using the auth_realm_name.

          This subcommand is supported in remote mode only.

          OPTIONS
          --help
          -?

          Displays the help text for the subcommand.

          --target
          This is the name of the target on which the command
          operates. The valid targets are config, instance, clus-
          ter, or server. By default, the target is the server.

          This option is valid only in domains that are configured
          to support clusters, such as domains that are created
          with the cluster profile or the enterprise profile.

          --groups

          This is the group associated with this file user.

          --authrealmname
          This is the file where the file users are stored.

          OPERANDS
          user_name This is the name of file user to
          be created.

          Java EE 6 Last change: 01 December 2010 1

          asadmin Utility Subcommands create-file-user(1)

          EXAMPLES
          Example 1 Creating a User in the File Realm

          This example creates a file realm user named sample_user. It
          is assumed that an authentication realm has already been
          created using the create-auth-realm subcommand.

          asadmin> create-file-user
          --groups staff:manager
          --authrealmname auth-realm1 sample_user
          Command create-file-user executed successfully

          EXIT STATUS
          0 subcommand executed successfully

          1 error in executing the subcom-
          mand

          SEE ALSO
          create-auth-realm(1), delete-file-user(1), list-file-
          users(1), update-file-user(1), list-file-groups(1)

          kumarjayanti added a comment -

          closing the issue as cannot reproduce unless you give me the specific create-file-user command that is failing/refusing to accept a --target.

          Anissa Lam added a comment - - edited

          OK, the man page is correct and includes --target.
          But usage does NOT have --target as an option. That's why I was confused.

          Please fix the usage text so there is no confusion. I still see issues with creating and listing file users. Will file another bug.

          Usage: asadmin [asadmin-utility-options] create-file-user
          [--groups user_groups[:user_groups]*] [--authrealmname <authrealm_name>]
          [?|-help[=<help(default:false)>]] username

          Also, since authrealmname is optional, what does the realm name default to if not specified? The man page didn't specify that either.

          kumarjayanti added a comment - - edited

          Where is the usage controlled from and how do you get the usage string? Can you tell me the command which prints the usage? Why is there a separate Usage apart from --help, which shows the man page? It is not the security code that controls the usage. So please transfer the bug to Docs or Admin.

          Here is the usage that we have in comments on top of create-file-user.

          /**
           * Create File User Command
           * Usage: create-file-user [--terse=false] [--echo=false] [--interactive=true]
           * [--host localhost] [--port 4848|4849] [--secure | -s]
           * [--user admin_user] [--userpassword admin_passwd]
           * [--passwordfile file_name] [--groups user_groups[:user_groups]*]
           * [--authrealmname authrealm_name] [--target target(Default server)]
           * username
           *
           * @author Nandini Ektare
           */
          Anissa Lam added a comment -

          Tom,
          Can you comment on how to fix the usage of a command? If this is a trivial fix, maybe we should address that for 3.1.
          Thanks

          Tom Mueller added a comment -

          The usage message is either automatically generated based on the @Param annotations, or, if the @I18n annotation is provided, and the appropriate key exists in the LocalStrings.properties file, then the usage message is taken from the properties file.

          In the case of create-file-user, it is the latter. The usage message is in the LocalStrings.properties file, and that message is missing the --target part.

          Reassigning back to Kumar to fix.

          Tom Mueller added a comment -

          The 2.1.1 release has a --target option for the create-file-user command, so this is a regression.


            People

            • Assignee:
              kumarjayanti
              Reporter:
              Anissa Lam