geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.2 > Administering users and groups
Date Mon, 22 Nov 2010 02:00:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+users+and+groups">Administering
users and groups</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
        <br/>
                         <h4>Changes (3)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-unchanged" >{scrollbar} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words"><span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">{excerpt}</span>You</span>
can add users and groups via the Geronimo Administration Console or by modifying some configuration
<span class="diff-changed-words">files.<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">{excerpt}</span></span>
We will start simple by using the realm provided by Geronimo by default. Then, as we explore
the different realms and security configurations, we will come back and revisit some of the
topics as needed. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>To manage users and groups
via the Geronimo Administration Console the *Users and Groups* portlet is available on the
*Console Navigation* menu on the left hand side. Here you will find two portlets, one for
administering users and another for administering user groups, both are illustrated in the
following figures. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Just like with the users, with the
*{{groups.properties}}* you can add and remove groups and users to those groups. <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" >The files mentioned in this sections
along with the all the security configuration in addition to user names and passwords are
defined in the *geronimo-properties-realm* security realm covered in the <span class="diff-changed-words">[Admin<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">i</span>stering</span>
security realms] section. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h1. Changing password for derby Admin{anchor:changingpasswordforderbyadmin} <br>Starting
from G217, a new user *dbadmin* is defined to manage all connections to the embedded Derby
server. By default, the user and its group are defined in the {{/var/security/groups.properties}}
file, which you should NOT update. But you can update the default password _manager_ to any
other combinations you like. While doing so, you must follow the steps below to make sure
the whole server and relevant database pools work well after you updated the password. <br>#
Start Geronimo server <br># Update the password of *dbadmin* via *console &gt;security
&gt; Users and Groups* portlet <br># Edit the user password in existing datasources
via *console &gt; Services &gt; Database pools* portlet especially for the system
related datasources <br># Shutdown Geronimo server <br># Update the *userPassword*
attribute of {{DerbyNetwork}} GBean in {{var\config\config.xml}} with the new password <br>#
Restart Geronimo server  <br> <br>h2. Controlling Derby authentication{anchor:controlingderbyauthentication}
<br>Starting from 2.2.1, a system property *derby.connection.requireAuthentication*
is supported to control the switch of Derby authentication on a Geronimo server. You can set
the property to _true_ to enable derby authentication by passing the property and its value
to *GERONIMO_OPTS* as followed before the server is started, and set to _false_ to disable.
By default, the value is _true_. <br> <br>* non-Windows systems *export GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false*
 <br>* Windows systems *set GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false*
 <br> <br>h2. Accessing user-defined Derby databases{anchor:accessinguserdefinedderbydatabases}
<br>When you&#39;re using the Apache Derby database, a table is always in a schema.
If you don&#39;t specify a schema explicitly, Derby implicitly uses the built-in _apps_
schema. A second built-in schema called _sys_ which is used to isolate system tables. If you
specify a user name _A_ when creating the database, thinking about the scenario you are [deploying
a datasource|Configuring database pools|deploying a datasource] and set the *create database*
parameter as *true*, then you create a table _T_, the fully qualified name of the table _T_
will be _A.T_. <br> <br>When executing SQL commands upon a Derby database, always
remember to specify the fully qualified name of the table. Otherwise, you might be experiencing
certain SQLExceptions such as {{Connection authentication failure}}, especially when the username
and the schema are not the same. <br> <br>If you turn the derby authentication
on and you still want to access the databases you created, make sure that the user name is
defined in *derbyadmin* group within the {{groups.properties}} file, and the user&#39;s
password defined in {{users.properties}} files as followed.  <br>{panel:borderStyle=solid|title=groups.properties}
<br>admin=system, <br>derbyadmin=dbadmin,app,user1 <br>{panel} <br>
<br>{panel:borderStyle=solid|title=users.properties} <br>system=manager <br>dbadmin=manager
<br>app=app <br>user1=password <br>{panel} <br> <br>where <br>*
_dbadmin_ is the default derby system user. <br>* _app_ is the user name to access a
table with the default _APP_ schema. <br>* _user1_ is name of the user who creates the
database. <br>* _password_ is the plain text password of user *user1*. <br> <br>
<br>Note that if a database is created via *Create DB* button on the *DB Manager* portlet,
the default schema is _DBADMIN_ and its default owner is *dbadmin*. <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">

<p>You can add users and groups via the Geronimo Administration Console or by modifying
some configuration files. We will start simple by using the realm provided by Geronimo by
default. Then, as we explore the different realms and security configurations, we will come
back and revisit some of the topics as needed.</p>

<p>To manage users and groups via the Geronimo Administration Console, use the <b>Users
and Groups</b> portlet, available on the <b>Console Navigation</b> menu
on the left-hand side. There you will find two portlets, one for administering users and another
for administering user groups; both are illustrated in the following figures.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/93299/consoleRealms.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To change a user's password, click <b>Details</b> next to the user
you want to update in the <b>Console Realm Users</b> portlet. This brings up
the UserID and Password fields so you can update that profile.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/93299/consoleRealmUserEdit.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To remove a user, click the corresponding <b>Delete</b>. You will be
prompted to confirm deletion of that user; click <b>OK</b>.</p>

<p>To add a new user, click <b>Create New User</b>. You will be prompted
for a UserID and a Password (entered twice); enter those values and click <b>Add</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/93299/consoleRealmUserAdd.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>Once you have created new users you can add them to a group. By default, the group <b>admin</b>
is available and the user <b>system</b> is in that group. If you click
<b>Details</b> next to the <b>admin</b> group you will see the user
<b>system</b> in the window on the right, and any other available users
listed in the window on the left.</p>

<p>To add a new user to this group, select the user first, then click <b>Add &gt;&gt;</b>
and then click <b>Update</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/93299/consoleRealmGroupEdit.png?version=1&amp;modificationDate=1203611628000"
style="border: 0px solid black" /></span></p>

<p>To create a new group, click <b>Create New Group</b>. This step is
very similar to the one described above for users; in addition to being prompted to add
users to the group, you will also have to provide a group name. Once you have entered the new group
name and added the users, click <b>Add</b> to finish.</p>

<p>The changes you make via the <b>Console Realm Users</b> and <b>Console
Realm Groups</b> portlets are written to two different files, <b>users.properties</b>
and <b>groups.properties</b> respectively, located in the &lt;geronimo_home&gt;\var\security
directory.</p>



<p>You can equally administer users and groups by modifying directly these files:</p>

<ul>
	<li><tt>users.properties</tt></li>
	<li><tt>groups.properties</tt></li>
</ul>


<p><b><tt>users.properties</tt></b> uses the <b>&lt;user_name&gt;=&lt;password&gt;</b>
format; <b><tt>groups.properties</tt></b> uses the <b>&lt;group_name&gt;=&lt;user_name&gt;,&lt;user_name&gt;,...</b>
format, with a comma-separated list of member user names. See the following examples for additional details.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>users.properties</b></div><div class="preformattedContent
panelContent">
<pre>system=manager
user2=password
user1=password
</pre>
</div></div>

<p>Because this is the basic default security configuration, you will see that the user
IDs and passwords are stored in plain text. You can add and remove users and change passwords
in this file.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>groups.properties</b></div><div class="preformattedContent
panelContent">
<pre>admin=system,user1
users=user2</pre>
</div></div>

<p>Just like with the users, in <b><tt>groups.properties</tt></b>
you can add and remove groups, and add and remove users from those groups.</p>

<p>The files mentioned in this section, along with all the security configuration
including user names and passwords, are defined in the <b>geronimo-properties-realm</b>
security realm, covered in the <a href="/confluence/pages/createpage.action?spaceKey=GMOxDOC22&amp;title=Adminstering+security+realms&amp;linkCreation=true&amp;fromPageId=93299"
class="createlink">Administering security realms</a> section.</p>

<h1><a name="Administeringusersandgroups-ChangingpasswordforderbyAdmin"></a>Changing
password for derby Admin<a name="Administeringusersandgroups-changingpasswordforderbyadmin"></a></h1>
<p>Starting from G217, a new user <b>dbadmin</b> is defined to manage all
connections to the embedded Derby server. By default, the user and its group are defined in
the <tt>/var/security/groups.properties</tt> file, which you should NOT update.
You can, however, change the default password <em>manager</em> to any other value
you like. When you do so, you must follow the steps below to make sure the whole server and
the relevant database pools keep working after the password has been updated.</p>
<ol>
	<li>Start the Geronimo server</li>
	<li>Update the password of <b>dbadmin</b> via the <b>console &gt; security
&gt; Users and Groups</b> portlet</li>
	<li>Edit the user password in the existing datasources via the <b>console &gt; Services
&gt; Database pools</b> portlet, especially for the system-related datasources</li>
	<li>Shut down the Geronimo server</li>
	<li>Update the <b>userPassword</b> attribute of the <tt>DerbyNetwork</tt>
GBean in <tt>var\config\config.xml</tt> with the new password</li>
	<li>Restart the Geronimo server</li>
</ol>


<h2><a name="Administeringusersandgroups-ControllingDerbyauthentication"></a>Controlling
Derby authentication<a name="Administeringusersandgroups-controlingderbyauthentication"></a></h2>
<p>Starting from 2.2.1, the system property <b>derby.connection.requireAuthentication</b>
is supported to turn Derby authentication on or off on a Geronimo server. Set
the property to <em>true</em> to enable Derby authentication by passing the property
and its value in <b>GERONIMO_OPTS</b> as follows before the server is started,
or set it to <em>false</em> to disable it. By default, the value is <em>true</em>.</p>

<ul>
	<li>non-Windows systems <b>export GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false</b></li>
	<li>Windows systems <b>set GERONIMO_OPTS=-Dderby.connection.requireAuthentication=true|false</b></li>
</ul>


<h2><a name="Administeringusersandgroups-AccessinguserdefinedDerbydatabases"></a>Accessing
user-defined Derby databases<a name="Administeringusersandgroups-accessinguserdefinedderbydatabases"></a></h2>
<p>When you're using the Apache Derby database, a table is always in a schema. If you
don't specify a schema explicitly, Derby implicitly uses the built-in <em>APP</em>
schema. A second built-in schema, <em>SYS</em>, is used to isolate
system tables. If you specify a user name <em>A</em> when creating the database (for
example, when you are <a href="/confluence/pages/createpage.action?spaceKey=GMOxDOC22&amp;title=Configuring+database+pools&amp;linkCreation=true&amp;fromPageId=93299"
title="deploying a datasource" class="createlink">deploying a datasource</a> with
the <b>create database</b> parameter set to <b>true</b>) and then
create a table <em>T</em>, the fully qualified name of the table <em>T</em>
will be <em>A.T</em>.</p>

<p>When executing SQL commands against a Derby database, always specify the
fully qualified name of the table. Otherwise you may get SQLExceptions
such as <tt>Connection authentication failure</tt>, especially when the user name
and the schema are not the same.</p>

<p>If you turn Derby authentication on and still want to access the databases
you created, make sure that the user name is defined in the <b>derbyadmin</b> group
within the <tt>groups.properties</tt> file, and that the user's password is defined in
the <tt>users.properties</tt> file, as follows.</p>
<div class="panel" style="border-style: solid;border-width: 1px;"><div class="panelHeader"
style="border-bottom-width: 1px;border-bottom-style: solid;"><b>groups.properties</b></div><div
class="panelContent">
<p>admin=system,<br/>
derbyadmin=dbadmin,app,user1</p>
</div></div>

<div class="panel" style="border-style: solid;border-width: 1px;"><div class="panelHeader"
style="border-bottom-width: 1px;border-bottom-style: solid;"><b>users.properties</b></div><div
class="panelContent">
<p>system=manager<br/>
dbadmin=manager<br/>
app=app<br/>
user1=password</p>
</div></div>

<p>where</p>
<ul>
	<li><em>dbadmin</em> is the default Derby system user.</li>
	<li><em>app</em> is the user name used to access a table in the default <em>APP</em>
schema.</li>
	<li><em>user1</em> is the name of the user who created the database.</li>
	<li><em>password</em> is the plain-text password of user <b>user1</b>.</li>
</ul>
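<p>The following script is an added example, not code from the Geronimo project or from this page: it parses the two property files in the formats described earlier and checks the membership requirement just stated (the user listed in the <b>derbyadmin</b> group with a password in <tt>users.properties</tt>), while flagging the plain-text default passwords the examples ship with. The sample file contents are constructed from the page's examples.</p>

```python
"""Audit Geronimo users.properties / groups.properties (added example, not
Geronimo project code): parses the <user_name>=<password> and
<group_name>=<user_name>,... formats described above and runs the consistency
checks a practitioner wants before turning Derby authentication on."""
from typing import Dict, List, Set

# Constructed sample input mirroring the page's examples (not real files).
USERS_PROPERTIES = """\
# users.properties: <user_name>=<password>
system=manager
dbadmin=manager
app=app
user1=password
"""
GROUPS_PROPERTIES = """\
# groups.properties: <group_name>=<user_name>[,<user_name>...]
admin=system,
derbyadmin=dbadmin,app,user1
users=user2
"""
# Default passwords shown in the page's examples; they sit in plain text on disk.
KNOWN_DEFAULTS = {"manager", "password"}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blank lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_groups(text: str) -> Dict[str, List[str]]:
    """Split each member list, dropping empties such as the trailing comma in 'admin=system,'."""
    return {group: [m.strip() for m in members.split(",") if m.strip()]
            for group, members in parse_properties(text).items()}

def derby_users(groups_text: str) -> Set[str]:
    """Users allowed to connect to embedded Derby once authentication is required."""
    return set(parse_groups(groups_text).get("derbyadmin", []))

def audit(users_text: str, groups_text: str) -> List[str]:
    """Return findings; an empty list means the two files are consistent."""
    users, groups = parse_properties(users_text), parse_groups(groups_text)
    findings = [f"group {g!r} lists unknown user {m!r}"
                for g, members in groups.items() for m in members if m not in users]
    if "dbadmin" not in groups.get("derbyadmin", []):
        findings.append("derbyadmin group does not contain dbadmin")
    findings += [f"user {u!r} still has a default or trivial password"
                 for u, p in users.items() if p in KNOWN_DEFAULTS or p == u]
    return findings
```

Run <tt>audit(USERS_PROPERTIES, GROUPS_PROPERTIES)</tt> against the real files under <tt>var/security</tt> after replacing the constructed strings; every finding is something to fix before setting <b>derby.connection.requireAuthentication</b> to <em>true</em>.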



<p>Note that if a database is created via the <b>Create DB</b> button on the
<b>DB Manager</b> portlet, the default schema is <em>DBADMIN</em>
and its default owner is <b>dbadmin</b>.</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
