User connection information in WildFly

A contribution I made to WildFly was accepted; it adds the ability to display the connection information of the user logged in to WildFly (WFCORE-73).

Currently, when a user connects with jboss-cli, there is no way to show the connection information. This contribution shows: username, logged-in-since time, associated roles, and the SSL certificate. You can clone and build WildFly to get this functionality, which will be available in the next WildFly release.

I added the connection-info command, which shows the following information:

  • Logged in without SSL, without RBAC
[domain@pavlov-0:9990 /] connection-info 
Username               admin, granted role ["SuperUser"] 
Logged since           Tue Sep 02 22:45:32 BRT 2014      
Not an SSL connection.                              

 

  • Logged in with SSL, without RBAC
[domain@pavlov-0:9993 /] connection-info
Username     admin, granted role ["SuperUser"]                             
Logged since Tue Sep 02 22:48:28 BRT 2014                                  
Subject      CN=mgmt-connector,OU=jboss,O=jboss,L=Brasilia,ST=DF,C=BR      
Issuer       CN=mgmt-connector, OU=jboss, O=jboss, L=Brasilia, ST=DF, C=BR 
Valid from   Fri Aug 08 01:13:16 BRT 2014                                  
Valid to     Thu Nov 06 02:13:16 BRST 2014                                 
SHA1         fa:25:f4:cf:57:89:ce:ff:97:82:9d:b4:c8:b1:67:ef:b3:08:a8:b4   
MD5          e6:67:14:c7:86:84:d3:22:14:21:e7:43:09:05:a4:7f

 

  • Logged in with SSL, with RBAC
[domain@pavlov-0:9993 /] connection-info
Username     claudio, granted roles ["Maintainer","Operator","Deployer"]   
Logged since Tue Sep 02 22:52:22 BRT 2014                                  
Subject      CN=mgmt-connector,OU=jboss,O=jboss,L=Brasilia,ST=DF,C=BR      
Issuer       CN=mgmt-connector, OU=jboss, O=jboss, L=Brasilia, ST=DF, C=BR 
Valid from   Fri Aug 08 01:13:16 BRT 2014                                  
Valid to     Thu Nov 06 02:13:16 BRST 2014                                 
SHA1         fa:25:f4:cf:57:89:ce:ff:97:82:9d:b4:c8:b1:67:ef:b3:08:a8:b4   
MD5          e6:67:14:c7:86:84:d3:22:14:21:e7:43:09:05:a4:7f

 

Wildfly’s User Connection information

A contribution to WildFly was accepted; it adds a jboss-cli feature that displays user connection information (WFCORE-73).

Currently, when a user is connected using jboss-cli, it is not possible to display connection information. This contribution displays: username, logged-in time, associated roles, and the SSL certificate.

To get access to it, clone the WildFly repository and build it.

A new connection-info command is available. Some examples:

  • Logged in with no SSL, no RBAC
[domain@pavlov-0:9990 /] connection-info 
Username               admin, granted role ["SuperUser"] 
Logged since           Tue Sep 02 22:45:32 BRT 2014      
Not an SSL connection.                              

 

  • Logged in with SSL, no RBAC
[domain@pavlov-0:9993 /] connection-info
Username     admin, granted role ["SuperUser"]                             
Logged since Tue Sep 02 22:48:28 BRT 2014                                  
Subject      CN=mgmt-connector,OU=jboss,O=jboss,L=Brasilia,ST=DF,C=BR      
Issuer       CN=mgmt-connector, OU=jboss, O=jboss, L=Brasilia, ST=DF, C=BR 
Valid from   Fri Aug 08 01:13:16 BRT 2014                                  
Valid to     Thu Nov 06 02:13:16 BRST 2014                                 
SHA1         fa:25:f4:cf:57:89:ce:ff:97:82:9d:b4:c8:b1:67:ef:b3:08:a8:b4   
MD5          e6:67:14:c7:86:84:d3:22:14:21:e7:43:09:05:a4:7f

 

  • Logged in with SSL, with RBAC
[domain@pavlov-0:9993 /] connection-info
Username     claudio, granted roles ["Maintainer","Operator","Deployer"]   
Logged since Tue Sep 02 22:52:22 BRT 2014                                  
Subject      CN=mgmt-connector,OU=jboss,O=jboss,L=Brasilia,ST=DF,C=BR      
Issuer       CN=mgmt-connector, OU=jboss, O=jboss, L=Brasilia, ST=DF, C=BR 
Valid from   Fri Aug 08 01:13:16 BRT 2014                                  
Valid to     Thu Nov 06 02:13:16 BRST 2014                                 
SHA1         fa:25:f4:cf:57:89:ce:ff:97:82:9d:b4:c8:b1:67:ef:b3:08:a8:b4   
MD5          e6:67:14:c7:86:84:d3:22:14:21:e7:43:09:05:a4:7f

 

base64 password for wildfly domain controller communication

When running WildFly in domain mode with additional host controllers on different servers, a user is required to authenticate the HC (host controller) to the DC (domain controller). This is configured in the host.xml of the HC server; the password is base64-encoded, as in this example:

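<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <secret value="YWRtaW4xMjNA"/>
            </server-identities>
            <!-- remaining realm configuration omitted -->
        </security-realm>
    </security-realms>
    <!-- remaining management configuration omitted -->
</management>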

<domain-controller>
    <remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm" username="admin2" />
</domain-controller>

If you do not know the base64 value of a password, use the Linux base64 command to convert the plain-text password. The -n option of echo suppresses the trailing newline, which would otherwise be encoded as part of the password. Here is the example for the password admin123@:

$ echo -n "admin123@" | base64 
YWRtaW4xMjNA

This is useful in cases where the add-user.sh command is invoked in non-interactive mode, as it doesn't print the base64 password.
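The encoding step above as a reusable check, added here as an example (not part of the original post; the function names and the sample fragment are constructed). It encodes without the trailing newline and flags a secret value that was produced with a plain echo. Since base64 is reversible, anyone who can read host.xml can recover the password the same way, so the file needs restrictive permissions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Encode a password for <secret value="..."/>; printf '%s' emits no newline.
encode_secret() {
    printf '%s' "$1" | base64
}

# Read a host.xml fragment on stdin and print the first secret value found.
extract_secret() {
    sed -n 's/.*<secret value="\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a secret value: prints "ok", "trailing-newline" or "invalid".
check_secret() {
    local decoded nl
    nl='
'
    # The sentinel "x" keeps $(...) from stripping a decoded trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf 'x') || {
        echo invalid
        return 1
    }
    decoded=${decoded%x}
    case $decoded in
        '')      echo invalid; return 1 ;;
        *"$nl")  echo trailing-newline; return 1 ;;
        *)       echo ok ;;
    esac
}

# Constructed fragment that reuses the value shown in the article.
sample='<server-identities><secret value="YWRtaW4xMjNA"/></server-identities>'
value=$(printf '%s\n' "$sample" | extract_secret)
echo "secret in fragment:        $(check_secret "$value")"

# The same password encoded with echo (no -n) carries a newline.
bad=$(echo 'admin123@' | base64)
echo "encoded with plain echo:   $bad -> $(check_secret "$bad")"
```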

 

Base64 password for communication with the WildFly domain controller

When WildFly is configured in domain mode with additional host controllers, a user must exist on the HC (host controller) to communicate with the DC (domain controller). This communication is specified in the HC's host.xml, where the username and password must be given, the latter as a base64 value. Example:

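<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <secret value="YWRtaW4xMjNA"/>
            </server-identities>
            <!-- remaining realm configuration omitted -->
        </security-realm>
    </security-realms>
    <!-- remaining management configuration omitted -->
</management>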

<domain-controller>
    <remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm" username="admin2" />
</domain-controller>

If you do not know the base64 value of the password, just use the Linux base64 command to obtain it; remember to remove the line-break character that echo adds. Here is the base64 value for the password admin123@:

$ echo -n "admin123@" | base64 
YWRtaW4xMjNA

This is useful in some scenarios where the user is created with add-user.sh in non-interactive mode and you want to know the base64 value of the password.