robertpatrick
commented
5 months ago @tdferreira
Also, if we have multiple realms, how can we specify for which realm the policy is?
As I said before, I do not believe this is even possible. We are copying/updating an LDIFT file with a well-known name into the $DOMAIN_HOME/security directory that the Admin Server will load on first start. As far as I know, this is loaded into the embedded LDAP server without any accommodation for multiple security realms. Feel free to peruse the $ORACLE_HOME/wlserver/server/lib/XACMLAuthorizerInit.ldift file that we use as the starting point and let me know if you figure out how to make it work without modifying WLS proper.
Would it also be possible that you could enhance WDT in order to use something like the WebLogic Remote Console extension to make WDT able to use the Discovery Domain Tool to extract the users, groups, policies, credential mappings, etc?
It is certainly possible to export data from the various built-in providers in online mode (no need to use the Remote Console extension to accomplish this) but trying to translate this data into model entries is a hard problem.
- For example, when exporting users from the DefaultAuthenticator, the passwords cannot be exported in clear text so createDomain would need to be able to accept already hashed passwords.
- For example, the policies are exported as XACML documents and the model currently uses an internal policy language to specify and create policies. Trying to convert the XACML document back to this internal policy language is very complex and likely beyond the scope of what we can reasonably do in WDT.
If you just want to export/import internal security provider data between domains, this is certainly possible with simple WLST scripts that treat the exported/imported data as a black box. For example, to export data from the DefaultAuthenticator:
from java.util import Properties
connect('weblogic', 'welcome1', 't3s://localhost:9002')
domain_name = get('Name')
default_realm_path = '/SecurityConfiguration/%s/DefaultRealm' % domain_name
default_realms = ls(default_realm_path, returnType='c', returnMap='true')
if default_realms is None or len(default_realms) != 1:
print('Failed to determine the default realm name')
exit(1)
realm_name = default_realms[0]
default_authenticator_path = \
'/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/DefaultAuthenticator' % (domain_name, realm_name)
default_authenticator_mbean = cd(default_authenticator_path)
constraints = Properties()
default_authenticator_mbean.exportData('DefaultAtn', '/Users/rpatrick/tmp/users/DefaultAuthenticator_export.ldift', constraints)
disconnect()and to export that data into another domain:
from java.util import Properties
connect('weblogic', 'welcome1', 't3s://localhost:9002')
domain_name = get('Name')
default_realm_path = '/SecurityConfiguration/%s/DefaultRealm' % domain_name
default_realms = ls(default_realm_path, returnType='c', returnMap='true')
if default_realms is None or len(default_realms) != 1:
print('Failed to determine the default realm name')
exit(1)
realm_name = default_realms[0]
default_authenticator_path = \
'/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/DefaultAuthenticator' % (domain_name, realm_name)
default_authenticator_mbean = cd(default_authenticator_path)
constraints = Properties()
default_authenticator_mbean.importData('DefaultAtn', '/Users/rpatrick/tmp/users/DefaultAuthenticator_export.ldift', constraints)
disconnect()Other built-in provider MBeans also support the exportData() and importData() functions that work in a similar way. If this is what you want/need, it seems like you have everything you need to write the WLST script(s) to do this yourself without needing us to try to add the exported data into the WDT model. See the WebLogic Server Security MBeans Reference docs.
tdferreira
Hello,
As pointed out in https://github.com/oracle/weblogic-deploy-tooling/issues/1496#issuecomment-2040329919, I'm opening this issue to request improvement in the support for policies within WDT.
When using, for example, the oracle weblogic 12 dev docker image:
container-registry.oracle.com/middleware/weblogic:12.2.1.4-dev-ol8it already has a JNDI Policy with Resource IDtype=<jndi>defined by default. Basically, this exists already in the Root Level:If I try to create my domain with this:
I get the following error:
It would be good if we could have an extra parameter that would tell what to do if there's an existing policy. Something like:
Also, if we have multiple realms, how can we specify for which realm the policy is? it would be good if we could also have a parameter for that. Something like:
Would it also be possible that you could enhance WDT in order to use something like the WebLogic Remote Console extension to make WDT able to use the Discovery Domain Tool to extract the users, groups, policies, credential mappings, etc?
Can you please consider these improvements? Thanks