14.2. JAAS Console Commands
Editing user data from the console
Red Hat JBoss Fuse provides a set of jaas:* console commands, which you can use to edit JAAS user data from the console. This works both for standalone JAAS realms and for Fabric JAAS realms.
Note
The jaas:* console commands are not compatible with the LDAP JAAS module.
Standalone realm configuration
A standalone container (which uses the JAAS PropertiesLoginModule and the PublickeyLoginModule) maintains its own database of secure user data, independently of any other containers. To configure the user data for a standalone container, you must log into the specific container (see Connecting and Disconnecting Remotely) whose data you want to modify. Each standalone container must be configured separately.
To start editing the standalone JAAS user data, you must first specify the JAAS realm that you want to modify. To see the available realms, enter the jaas:realms command, as follows:
JBossFuse:karaf@root> jaas:realms
Index Realm  Module Class
    1 karaf  org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
    2 karaf  org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
    3 karaf  org.apache.karaf.jaas.modules.audit.FileAuditLoginModule
    4 karaf  org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule
All of these login modules are active in the default karaf JAAS realm. Enter the following console command to start editing the properties login module in the karaf realm:
JBossFuse:karaf@root> jaas:manage --index 1
Fabric realm configuration
A container in a fabric (which uses the JAAS ZookeeperLoginModule by default) shares its secure user data with all of the other containers in the fabric and the user data is stored in the Fabric Registry. To configure the user data for a fabric, you can log into any of the containers. Because the user data is shared in the registry, any modifications you make are instantly propagated to all of the containers in the fabric.
To start editing the fabric JAAS user data, you must first specify the JAAS login module you want to modify. In the context of fabric, you must modify the Zookeeper login module. For example, if you enter the jaas:realms console command, you might see a listing similar to this:
Index Realm  Module Class
    1 karaf  io.fabric8.jaas.ZookeeperLoginModule
    2 karaf  org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
    3 karaf  org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
The ZookeeperLoginModule login module has the highest priority and is used by the fabric (you cannot see this from the listing, but its realm is defined to have a higher rank than the other modules). In this example, the ZookeeperLoginModule has the index 1, but it might have a different index number in your container.
Enter the following console command to start editing the fabric's JAAS realm (specifying the index of the ZookeeperLoginModule):
JBossFuse:karaf@root> jaas:manage --index 1
Adding a new user to the JAAS realm
For example, consider how to add a new user, jdoe, to the JAAS realm.
First of all, start to manage the relevant JAAS realm as follows:
- List the available realms and login modules by entering the following command:
JBossFuse:karaf@root> jaas:realms
- Choose the login module to edit by specifying its index, Index, using a command of the following form:
JBossFuse:karaf@root> jaas:manage --index Index
Add the user, jdoe, with password, secret, by entering the following console command:
JBossFuse:karaf@root> jaas:useradd jdoe secret
Add the admin role to jdoe, by entering the following console command:
JBossFuse:karaf@root> jaas:roleadd jdoe admin
These changes are not applied right away. Initially, they are queued in a list of pending operations. To see this list, enter the jaas:pending console command, as follows:
JBossFuse:karaf@root> jaas:pending
Jaas Realm:karaf Jaas Module:org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
UserAddCommand{username='jdoe', password='secret'}
RoleAddCommand{username='jdoe', role='admin'}
Now you can apply the changes by invoking jaas:update, as follows:
JBossFuse:karaf@root> jaas:update
The new user entry is then persisted (either by writing to the remote container's etc/users.properties file, in the case of a standalone container, or by storing the user data in the Fabric Registry, in the case of a fabric).
Canceling pending changes
If you decide that you do not want to make the changes permanent after all, instead of invoking the jaas:update command, you could abort the pending changes using the jaas:cancel command, as follows:
JBossFuse:karaf@root> jaas:cancel
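Because the module index can differ between containers and the jaas:pending listing shows the queued password in clear text, the following Python helper (an added example, not part of the Red Hat documentation) resolves the index from captured jaas:realms output and summarizes captured jaas:pending output without retaining passwords, so the queue can be reviewed before choosing jaas:update or jaas:cancel. It assumes the output formats shown in the listings above; the function names and sample strings are constructed for illustration.

```python
import re

# Constructed samples; hypothetical helper names; formats assumed to match this page's listings.
REALMS_OUTPUT = """\
Index Realm  Module Class
    1 karaf  io.fabric8.jaas.ZookeeperLoginModule
    2 karaf  org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
    3 karaf  org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
"""
PENDING_OUTPUT = """\
Jaas Realm:karaf Jaas Module:org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
UserAddCommand{username='jdoe', password='secret'}
RoleAddCommand{username='jdoe', role='admin'}
"""

def module_index(realms_output, realm, class_suffix):
    """Return the Index of the one module in `realm` whose class ends with class_suffix."""
    hits = []
    for line in realms_output.splitlines():
        fields = line.split()
        if (len(fields) == 3 and fields[0].isdigit()
                and fields[1] == realm and fields[2].endswith("." + class_suffix)):
            hits.append(int(fields[0]))
    if len(hits) != 1:
        raise LookupError(f"expected one {class_suffix} in realm {realm}, found {len(hits)}")
    return hits[0]

def pending_ops(pending_output):
    """Return (realm, module, ops); ops are (command, username, role) and never hold a password."""
    header = re.search(r"Jaas Realm:(\S+)\s+Jaas Module:(\S+)", pending_output)
    if header is None:
        raise ValueError("no 'Jaas Realm:' header in jaas:pending output")
    ops = []
    for line in pending_output.splitlines():
        m = re.match(r"\s*(\w+Command)\{username='([^']*)'(.*)\}\s*$", line)
        if m:
            role = re.fullmatch(r", role='([^']*)'", m.group(3))
            ops.append((m.group(1), m.group(2), role.group(1) if role else None))
    return header.group(1), header.group(2), ops

def admin_grants(ops):
    """Usernames that the queued operations would give the admin role."""
    return sorted({user for cmd, user, role in ops if cmd == "RoleAddCommand" and role == "admin"})

if __name__ == "__main__":
    idx = module_index(REALMS_OUTPUT, "karaf", "ZookeeperLoginModule")
    print(f"jaas:manage --index {idx}")
    realm, module, ops = pending_ops(PENDING_OUTPUT)
    print(realm, module.rsplit(".", 1)[-1], ops, "admin grants:", admin_grants(ops))
```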