geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.1 > Administering users and groups
Date Thu, 18 Nov 2010 04:12:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC21&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC21/Administering+users+and+groups">Administering
users and groups</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Changing the password
for derby Admin <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Starting
from G217, a new user group *derbyadmin* is defined to manage all connections to the embedded
Derby server. By default, the user name is _dbadmin_ and defined in the {{/var/security/users.properties}}
file. You can easily update the default password _manager_ to any other combinations you like.
However, you must follow the steps below to make sure the whole server and relevant database
pools work well even after you updated the password. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Starting
from G217, a new user *dbadmin* is defined to manage all connections to the embedded Derby
server. By default, the user and its group are defined in the {{/var/security/groups.properties}}
file, which you should NOT update. But you can update the default password _manager_ to any
other combinations you like. While doing so, you must follow the steps below to make sure
the whole server and relevant database pools work well after you updated the password. <br></td></tr>
            <tr><td class="diff-unchanged" ># Start Geronimo server <br>#
Update the password of *dbadmin* via *console &gt;security &gt; Users and Groups*
portlet <br></td></tr>
            <tr><td class="diff-changed-lines" ># Edit the user password in existing
datasources via *console &gt; Services &gt; Database pools* portlet <span class="diff-added-words"style="background-color:
#dfd;">especially for those [system related datasources|Database pool#dbpools]</span>
<br></td></tr>
            <tr><td class="diff-unchanged" ># Shutdown Geronimo server <br>#
Update the *userPassword* attribute of {{DerbyNetwork}} GBean in {{var\config\config.xml}}
with the new password <br># Restart Geronimo server  <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h2. Controlling Derby authentication{anchor:controlingderbyauthentication} <br>Starting
from 2.1.7, a system property *derby.connection.requireAuthentication* is supported to control
the switch of Derby authentication on a Geronimo server. You can set the property to _true_
to enable derby authentication by passing the property and its value to *GERONIMO_OPTS* as
followed before the server is started, and set to _false_ to disable. <br> <br>*
!Setup^ngaix.gif|height=&quot;13&quot; width=&quot;49&quot; alt=&quot;(On
an AIX system)&quot;!!Setup^nglinux.gif|height=&quot;13&quot; width=&quot;49&quot;
alt=&quot;(On a Linux system)&quot;!!Setup^ngsolaris.gif|height=&quot;13&quot;
width=&quot;61&quot; alt=&quot;(On a Solaris system)&quot;! *export GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false*
 <br>* !Setup^ngwin.gif|height=&quot;13&quot; width=&quot;51&quot; alt=&quot;(On
a Windows system)&quot;! *set GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false*
 <br> <br>h2. Accessing user-defined Derby databases{anchor:accessinguserdefinedderbydatabase}
<br>When you&#39;re using the Apache Derby database, a table is always in a schema.
If you don&#39;t specify a schema explicitly, Derby implicitly uses the built-in _apps_
schema. A second built-in schema called _sys_ which is used to isolate system tables. If you
specify a user name _A_ when creating the database, thinking about the scenario you are [deploying
a datasource|Database pool|deploying a datasource] and set the *create database* parameter
as *true*, then you create a table _T_, the fully qualified name of the table _T_ will be
_A.T_. <br> <br>If you turn the derby authentication on and you still want to
access the databases you created, make sure that a new group _derby_DBname_ and its users
are specified in the {{groups.properties}} and {{users.properties}} files as followed.  <br>{panel:borderStyle=solid|title=groups.properties}
<br>admin=system, <br>derbyadmin=dbadmin <br>derby_DBname=user2 <br>{panel}
<br> <br>{panel:borderStyle=solid|title=users.properties} <br>system=manager
<br>dbadmin=manager <br>user2=password <br>{panel} <br> <br>where
<br>* _DBname_ is name of the database that *user2* created. <br>* _user2_ is
name of the user when creating the database *DBname*. <br>* _password_ is the plain
text password of user *user2*. <br></td></tr>
        </table>
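<p>Review bot: In the added paragraph under "Changing the password for derby Admin", the sentence now says the user and its group are defined in /var/security/groups.properties, but the groups.properties panel added further down only carries the mapping derbyadmin=dbadmin, while the dbadmin=manager entry holding the password is in users.properties, the file the deleted paragraph pointed to. Suggest naming both files and stating which one must not be edited. "G217" should also be written the same way as the "2.1.7" used in the next section, and the path separators should be consistent (/var/security/... here, var\config\config.xml in the step list).</p>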
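<p>Review bot: In the added "Controlling Derby authentication" section, both commands end in requireAuthentication=true|false inside the bolded command text, so a reader who pastes the export line into a shell gets a pipe into false instead of a property value; show one value in the command and give the alternative in prose. The four !Setup^ng*.gif! image references come out as "Unable to render embedded object" in the full content, which drops the platform labels, so plain-text labels would be safer. In the added panels, admin=system, has a trailing comma and dbadmin=manager repeats the default password that the preceding section tells readers to change. "as followed" should read "as follows" in both places it was added.</p>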
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">

<p>You can add users and groups via the Geronimo Administration Console or by modifying
some configuration files. We will start simple by using the realm provided by Geronimo by
default. Then, as we explore the different realms and security configurations, we will come
back and revisit some of the topics as needed.</p>

<p>To manage users and groups via the Geronimo Administration Console, use the <b>Users
and Groups</b> portlet, available on the <b>Console Navigation</b> menu
on the left-hand side. Here you will find two portlets, one for administering users and another
for administering user groups; both are illustrated in the following figures.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77413/consoleRealms.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To change a user's password, click <b>Details</b> next to the user
you want to update in the <b>Console Realm Users</b> portlet. This brings up
the UserID and Password so you can update that profile.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77413/consoleRealmUserEdit.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To remove a user, click the corresponding <b>Delete</b> link. You will be
prompted to confirm deletion of that user; click <b>OK</b>.</p>

<p>To add a new user, click <b>Create New User</b>. You will be prompted
for a UserID and Password (twice); enter those values and click <b>Add</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77413/consoleRealmUserAdd.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>Once you have created new users, you can add them to a group. By default, the group <b>admin</b>
is available and the user <b>system</b> is in that group. If you click
<b>Details</b> next to the <b>admin</b> group, you will see the user
<b>system</b> in the window on the right, and any other available users will be
listed in the window on the left.</p>

<p>To add a new user to this group, select the user first, then click <b>Add &gt;&gt;</b>
and then click <b>Update</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77413/consoleRealmGroupEdit.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To create a new group, click <b>Create New Group</b>. This step is
very similar to the one mentioned before for users. In addition to being prompted to add
users to this group, you will also have to provide a group name. Once you have entered the new group
name and added the users, click <b>Add</b> to finish.</p>

<p>The changes you make via the <b>Console Realm Users</b> and <b>Console
Realm Groups</b> portlets are reflected in two different files, <b>users.properties</b>
and <b>groups.properties</b> respectively, which are located in the &lt;geronimo_home&gt;\var\security
directory.</p>



<p>You can also administer users and groups by editing these files directly:</p>

<ul>
	<li><tt>users.properties</tt></li>
	<li><tt>groups.properties</tt></li>
</ul>


<p><b><tt>users.properties</tt></b> uses the <b>&lt;user_name&gt;=&lt;password&gt;</b>
format; <b><tt>groups.properties</tt></b> uses the <b>&lt;group_name&gt;=&lt;user_name&gt;</b>
format, with multiple user names separated by commas. See the following examples for additional details.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>users.properties</b></div><div class="preformattedContent
panelContent">
<pre>system=manager
user2=password
user1=password
</pre>
</div></div>

<p>Because this is the basic, default security configuration, the user
IDs and passwords are stored in plain text. You can add and remove users and change passwords in
this file.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>groups.properties</b></div><div class="preformattedContent
panelContent">
<pre>admin=system,user1
users=user2</pre>
</div></div>

<p>Just as with users, in <b><tt>groups.properties</tt></b>
you can add and remove groups, and add users to or remove users from those groups.</p>

<p>The files mentioned in this section, along with all the security configuration
other than user names and passwords, are defined in the <b>geronimo-properties-realm</b>
security realm covered in the <a href="/confluence/display/GMOxDOC21/Adminstering+security+realms"
title="Adminstering security realms">Administering security realms</a> section.</p>

<h1><a name="Administeringusersandgroups-ChangingthepasswordforderbyAdmin"></a>Changing
the password for derby Admin</h1>
<p>Starting from G217, a new user <b>dbadmin</b> is defined to manage all
connections to the embedded Derby server. By default, the user and its group are defined in
the <tt>/var/security/groups.properties</tt> file, which you should NOT update.
However, you can change the default password <em>manager</em> to any other value
you like. When doing so, follow the steps below so that the whole server and the
relevant database pools keep working after the password is updated.</p>
<ol>
	<li>Start the Geronimo server.</li>
	<li>Update the password of <b>dbadmin</b> via the <b>console &gt; security
&gt; Users and Groups</b> portlet.</li>
	<li>Edit the user password in existing datasources via the <b>console &gt; Services
&gt; Database pools</b> portlet, especially for the <a href="/confluence/pages/createpage.action?spaceKey=GMOxDOC21&amp;title=Database+pool&amp;linkCreation=true&amp;fromPageId=77413"
class="createlink">system related datasources</a>.</li>
	<li>Shut down the Geronimo server.</li>
	<li>Update the <b>userPassword</b> attribute of the <tt>DerbyNetwork</tt>
GBean in <tt>var\config\config.xml</tt> with the new password.</li>
	<li>Restart the Geronimo server.</li>
</ol>


<h2><a name="Administeringusersandgroups-ControllingDerbyauthentication"></a>Controlling
Derby authentication<a name="Administeringusersandgroups-controlingderbyauthentication"></a></h2>
<p>Starting from 2.1.7, the system property <b>derby.connection.requireAuthentication</b>
controls whether Derby authentication is enabled on a Geronimo server. Set
the property to <em>true</em> to enable Derby authentication, or to <em>false</em>
to disable it, by passing the property and its value to <b>GERONIMO_OPTS</b> as follows
before the server is started. Use either <em>true</em> or <em>false</em> as the value,
not the literal text <tt>true|false</tt>.</p>

<ul>
	<li>On an AIX, Linux or Solaris system: <b>export GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false</b></li>
	<li>On a Windows system: <b>set GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false</b></li>
</ul>


<h2><a name="Administeringusersandgroups-AccessinguserdefinedDerbydatabases"></a>Accessing
user-defined Derby databases<a name="Administeringusersandgroups-accessinguserdefinedderbydatabase"></a></h2>
<p>When you're using the Apache Derby database, a table is always in a schema. If you
don't specify a schema explicitly, Derby implicitly uses the built-in <em>apps</em>
schema. A second built-in schema called <em>sys</em> is used to isolate
system tables. If you specify a user name <em>A</em> when creating the database
(for example, when you are <a href="/confluence/pages/createpage.action?spaceKey=GMOxDOC21&amp;title=Database+pool&amp;linkCreation=true&amp;fromPageId=77413"
title="deploying a datasource" class="createlink">deploying a datasource</a> with
the <b>create database</b> parameter set to <b>true</b>) and then
create a table <em>T</em>, the fully qualified name of the table <em>T</em>
will be <em>A.T</em>.</p>

<p>If you turn Derby authentication on and you still want to access the databases
you created, make sure that a new group <em>derby_DBname</em> and its users are
specified in the <tt>groups.properties</tt> and <tt>users.properties</tt>
files as follows.</p>
<div class="panel" style="border-style: solid;border-width: 1px;"><div class="panelHeader"
style="border-bottom-width: 1px;border-bottom-style: solid;"><b>groups.properties</b></div><div
class="panelContent">
<p>admin=system,<br/>
derbyadmin=dbadmin<br/>
derby_DBname=user2</p>
</div></div>

<div class="panel" style="border-style: solid;border-width: 1px;"><div class="panelHeader"
style="border-bottom-width: 1px;border-bottom-style: solid;"><b>users.properties</b></div><div
class="panelContent">
<p>system=manager<br/>
dbadmin=manager<br/>
user2=password</p>
</div></div>

<p>where</p>
<ul>
	<li><em>DBname</em> is the name of the database that <b>user2</b>
created.</li>
	<li><em>user2</em> is the name of the user specified when creating the database <b>DBname</b>.</li>
	<li><em>password</em> is the plain text password of user <b>user2</b>.</li>
</ul>
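<p>The following Python example is added here and is not part of the Geronimo documentation or code base. It audits the two realm files in the formats described on this page, reporting accounts still on the default password <em>manager</em>, group members with no entry in <tt>users.properties</tt>, a changed <tt>derbyadmin</tt> mapping, and a missing <em>derby_DBname</em> group for each user database. The function names, finding labels, the <em>orders</em> database and the <em>user3</em> member are assumptions made for illustration.</p>

```python
DEFAULT_PASSWORD = "manager"  # default shown on this page for system and dbadmin


def parse_properties(text):
    """Parse simple key=value lines; skip blanks and # or ! comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def audit_realm(users_text, groups_text, derby_databases=()):
    """Return a sorted list of findings for users.properties / groups.properties."""
    users = parse_properties(users_text)
    # Tolerate a trailing comma such as "admin=system," by dropping empty members.
    groups = {name: [m.strip() for m in members.split(",") if m.strip()]
              for name, members in parse_properties(groups_text).items()}
    findings = []
    for user, password in users.items():
        if password == DEFAULT_PASSWORD:
            findings.append(f"default-password:{user}")
    for group, members in groups.items():
        for member in members:
            if member not in users:
                findings.append(f"undefined-user:{group}:{member}")
    # The page says the shipped dbadmin user/group definition must not be edited.
    if groups.get("derbyadmin") != ["dbadmin"]:
        findings.append("derbyadmin-mapping-changed")
    # With Derby authentication on, each user database needs a derby_<DBname> group.
    for db in derby_databases:
        if not groups.get(f"derby_{db}"):
            findings.append(f"missing-derby-group:derby_{db}")
    return sorted(findings)


# Constructed sample data, modelled on the panels above ("users=user3" is made up).
SAMPLE_USERS = "system=manager\ndbadmin=manager\nuser2=password\n"
SAMPLE_GROUPS = ("admin=system,\nderbyadmin=dbadmin\n"
                 "derby_DBname=user2\nusers=user3\n")

if __name__ == "__main__":
    # "orders" is a hypothetical second database with no derby_orders group.
    for finding in audit_realm(SAMPLE_USERS, SAMPLE_GROUPS, ["DBname", "orders"]):
        print(finding)
```

<p>To run it against a live server, read the two files from the &lt;geronimo_home&gt;\var\security directory and pass their contents to <tt>audit_realm</tt>.</p>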



    </div>
</div>
</div>
</div>
</div>
</body>
</html>
