oracle/weblogic-deploy-tooling

Assign Groups/Users to specific Authenticator Provider

sebmichiels opened this issue · 4 comments

Hello,

Currently, in the WDT model, it's not possible to assign a user or a group to a specific Authenticator. By default, the users and groups will be assigned to the DefaultAuthenticator.

In my case, I have 2 providers (the default one and the SQLAuthenticator). As all the users and groups are assigned to the DefaultProvider, the users and groups are not created in the database related to the SQLAuthenticator. I can of course do an SQL script to update the database in a kind of post-step and it will create the corresponding users/groups in the Realm.

But of course, as soon as the Introspector job is triggered again, everything disappears.

If I put the DefaultAuthenticator after the SQLAuthenticator in the order, it's even worse. The default users and groups are assigned to SQLAuthenticator and DefaultAuthenticator, but my new users/groups are only assigned to the DefaultAuthenticator.

Can you please give me a proper way to do it?

Thanks.

@sebmichiels Correct. We only support creating users and groups in the DefaultAuthenticator. There is no mechanism in WLST for us to create users and groups in the other authenticators.

In general, other authentication providers have their own mechanisms/tools to use to manipulate the users and groups. For example, the SQLAuthenticator uses a database as the user store so you can use any database client and SQL DML to add/update/delete users. To create a domain with pre-populated users and groups, simply write a script to update the database and run createDomain.sh followed by your custom database script.

I believe that this will allow you to accomplish what you want. We have no plans to teach WDT how to interact with other types of user stores. We added support for offline creation of users/groups in the Default Authenticator simply because there was no other supported way to accomplish this (because the WebLogic AdminServer needs to be running to interact with it using LDAP APIs).

Hello,

Thanks for your quick and clear answer.

Unfortunately, I think it will not work to add a kind of pre-script in the createDomain because the introspector job (or the start of the NodeManager) will purge what has been inserted in the database.

I guess at some point, there is a kind of sync between the users/groups of the WDT model and the one of the SQLAuthenticator in the database. And of course, I didn't put any user/group in the WDT model. So, I guess it's the reason why the users/groups inserted in my db are deleted.

Even if it's not planned to teach WDT to interact with other types of user stores, it should not influence the users/groups stored in the DB.

I found a workaround.
I'm using ReadOnlySQLAuthenticator. With this ReadOnlySQLAuthenticator, I'm able to prepopulate the database before the creation of the domain. The introspector job and the start of the NodeManager will not purge our data already inserted because it's a Readonly Authenticator. The drawback is that I cannot use wlst to add users/groups. I have to do it manually with statements directly in the database.

I just don't understand why when I use SQLAuthenticator, the data are purged.

Is it expected or is it a bug?

Many thanks for your time.
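The maintainer's recommendation (run createDomain.sh, then a custom database script) and the reporter's ReadOnlySQLAuthenticator workaround both come down to the same thing: the SQL-backed provider's identity data lives in the database, so it has to be provisioned with SQL DML rather than through WLST or the WDT model. The script below is an added example, not code from the WDT project or from anyone in this thread. It assumes the table and column names used by the SQLAuthenticator's default SQL statements (USERS, GROUPS, GROUPMEMBERS); a provider configured with custom statements needs the schema adjusted. An in-memory SQLite database stands in for the real user-store database so the script runs offline, and the user, group and membership data is constructed for the example. The inserts are written as check-then-insert so the script is idempotent: it can be re-run after a domain restart, and a non-zero insert count on the second run is a direct signal that something purged the store.

```python
"""Post-createDomain step that populates a SQLAuthenticator user store via SQL DML.

Added example for the discussion above; not WDT code. Schema and column names are
an assumption (SQLAuthenticator default SQL statements). SQLite stands in for the
real database so the example runs offline.
"""
import sqlite3
from typing import Dict, Iterable, List, Tuple

# Assumed default SQLAuthenticator schema. Adjust if the provider's SQL statements
# were customised when the realm was configured.
SCHEMA = """
CREATE TABLE IF NOT EXISTS USERS (
    U_NAME        VARCHAR(200)  NOT NULL PRIMARY KEY,
    U_PASSWORD    VARCHAR(50)   NOT NULL,
    U_DESCRIPTION VARCHAR(1000)
);
CREATE TABLE IF NOT EXISTS GROUPS (
    G_NAME        VARCHAR(200)  NOT NULL PRIMARY KEY,
    G_DESCRIPTION VARCHAR(1000)
);
CREATE TABLE IF NOT EXISTS GROUPMEMBERS (
    G_NAME   VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL,
    PRIMARY KEY (G_NAME, G_MEMBER)
);
"""

User = Tuple[str, str, str]        # (name, password, description)
Group = Tuple[str, str]            # (name, description)
Membership = Tuple[str, str]       # (group name, member user name)


def validate(users: Iterable[User], groups: Iterable[Group],
             memberships: Iterable[Membership]) -> List[str]:
    """Return a list of problems (empty when the data is consistent).

    Catches memberships that reference an unknown user or group before anything
    is written, since a half-applied script is what leaves a realm inconsistent.
    """
    user_names = {u[0] for u in users}
    group_names = {g[0] for g in groups}
    problems = []
    for group, member in memberships:
        if group not in group_names:
            problems.append(f"membership {member}->{group}: unknown group")
        if member not in user_names:
            problems.append(f"membership {member}->{group}: unknown user")
    return problems


def provision(conn: sqlite3.Connection, users: Iterable[User],
              groups: Iterable[Group], memberships: Iterable[Membership]) -> int:
    """Insert the users, groups and memberships that are not already present.

    Returns the number of rows actually inserted. Re-running after a domain start
    therefore returns 0 if the store was left alone, and a positive count if
    something purged it. Passwords are stored exactly as given: whether the
    provider accepts plaintext or expects its configured hashed password style
    depends on the SQLAuthenticator settings, so hash them accordingly.
    """
    problems = validate(users, groups, memberships)
    if problems:
        raise ValueError("; ".join(problems))
    cur = conn.cursor()
    inserted = 0
    for name, password, desc in users:
        cur.execute("SELECT 1 FROM USERS WHERE U_NAME = ?", (name,))
        if cur.fetchone() is None:
            cur.execute("INSERT INTO USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) "
                        "VALUES (?, ?, ?)", (name, password, desc))
            inserted += 1
    for name, desc in groups:
        cur.execute("SELECT 1 FROM GROUPS WHERE G_NAME = ?", (name,))
        if cur.fetchone() is None:
            cur.execute("INSERT INTO GROUPS (G_NAME, G_DESCRIPTION) VALUES (?, ?)",
                        (name, desc))
            inserted += 1
    for group, member in memberships:
        cur.execute("SELECT 1 FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?",
                    (group, member))
        if cur.fetchone() is None:
            cur.execute("INSERT INTO GROUPMEMBERS (G_NAME, G_MEMBER) VALUES (?, ?)",
                        (group, member))
            inserted += 1
    conn.commit()
    return inserted


def snapshot(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Return {user: [groups]} for the whole store, to compare before/after a
    domain start and prove whether the data survived."""
    cur = conn.cursor()
    cur.execute("SELECT U_NAME FROM USERS ORDER BY U_NAME")
    result: Dict[str, List[str]] = {row[0]: [] for row in cur.fetchall()}
    cur.execute("SELECT G_MEMBER, G_NAME FROM GROUPMEMBERS ORDER BY G_MEMBER, G_NAME")
    for member, group in cur.fetchall():
        result.setdefault(member, []).append(group)
    return result


# Constructed sample data for the example; "REPLACE-ME" marks placeholder secrets.
SAMPLE_USERS = [("appadmin", "REPLACE-ME", "application administrator"),
                ("deployer", "REPLACE-ME", "CI deployment account")]
SAMPLE_GROUPS = [("AppAdministrators", "manage the application"),
                 ("Deployers", "deploy releases")]
SAMPLE_MEMBERSHIPS = [("AppAdministrators", "appadmin"),
                      ("Deployers", "deployer"), ("Deployers", "appadmin")]


def demo() -> Tuple[int, int, Dict[str, List[str]]]:
    """Apply the sample data twice against a fresh store; the second run should
    insert nothing and the snapshot should show the expected memberships."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    first = provision(conn, SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_MEMBERSHIPS)
    second = provision(conn, SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_MEMBERSHIPS)
    return first, second, snapshot(conn)


if __name__ == "__main__":
    print(demo())
```

Against a real database the same DML applies through the driver of your choice; the only changes are the connection and the parameter placeholder style. Running `snapshot` before and after the first Admin Server start is the quickest way to tell whether the purge the reporter describes comes from the provider configuration rather than from WDT.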

@sebmichiels

> I guess at some point, there is a kind of sync between the users/groups of the WDT model and the one of the SQLAuthenticator in the database. And of course, I didn't put any user/group in the WDT model. So, I guess it's the reason why the users/groups inserted in my db are deleted.

WDT does no such thing. If there is any synchronization, it is happening when you (or the operator, in this case) start the WebLogic Admin Server.

> Even if it's not planned to teach WDT to interact with other types of user stores, it should not influence the users/groups stored in the DB.

WDT is not responsible for this.

> I found a workaround.
> I'm using ReadOnlySQLAuthenticator. With this ReadOnlySQLAuthenticator, I'm able to prepopulate the database before the creation of the domain. The introspector job and the start of the NodeManager will not purge our data already inserted because it's a Readonly Authenticator.

If you read what I wrote carefully, my recommendation was to do it after domain creation but depending on what is manipulating the data and when, that may or may not help.

> The drawback is that I cannot use wlst to add users/groups. I have to do it manually with statements directly in the database.

As I said before, WebLogic Server does not provide general-purpose mechanisms to populate other types of user stores. For example, as far as I know, the WebLogic Admin Console does not allow you to edit users in the SQL Authenticator or any of the LDAP-based Authenticators (other than the DefaultAuthenticator).

> I just don't understand why when I use SQLAuthenticator, the data are purged. Is it expected or is it a bug?

I have no idea. If it is a bug, it is a WebLogic Server bug. There is nothing WDT or WKO are doing that would cause this behavior.

Thanks for the detailed reply.