14.2. JAAS Console Commands

Editing user data from the console

Red Hat JBoss Fuse provides a set of jaas:* console commands, which you can use to edit JAAS user data from the console. This works both for standalone JAAS realms and for Fabric JAAS realms.
Note
The jaas:* console commands are not compatible with the LDAP JAAS module.

Standalone realm configuration

A standalone container (which uses the JAAS PropertiesLoginModule and the PublickeyLoginModule) maintains its own database of secure user data, independently of any other containers. To configure the user data for a standalone container, you must log into the specific container (see Connecting and Disconnecting Remotely) whose data you want to modify. Each standalone container must be configured separately.
To start editing the standalone JAAS user data, you must first specify the JAAS realm that you want to modify. To see the available realms, enter the jaas:realms command, as follows:
JBossFuse:karaf@root> jaas:realms
Index Realm                Module Class                                                                    
    1 karaf                org.apache.karaf.jaas.modules.properties.PropertiesLoginModule                  
    2 karaf                org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
    3 karaf                org.apache.karaf.jaas.modules.audit.FileAuditLoginModule                        
    4 karaf                org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule
All of these login modules are active in the default karaf JAAS realm. Enter the following console command to start editing the properties login module in the karaf realm:
JBossFuse:karaf@root> jaas:manage --index 1

Fabric realm configuration

A container in a fabric (which uses the JAAS ZookeeperLoginModule by default) shares its secure user data with all of the other containers in the fabric and the user data is stored in the Fabric Registry. To configure the user data for a fabric, you can log into any of the containers. Because the user data is shared in the registry, any modifications you make are instantly propagated to all of the containers in the fabric.
To start editing the fabric JAAS user data, you must first specify the JAAS login module you want to modify. In the context of fabric, you must modify the Zookeeper login module. For example, if you enter the jaas:realms console command, you might see a listing similar to this:
Index Realm                Module Class
    1 karaf                io.fabric8.jaas.ZookeeperLoginModule
    2 karaf                org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
    3 karaf                org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
The ZookeeperLoginModule login module has the highest priority and is used by the fabric (you cannot see this from the listing, but its realm is defined to have a higher rank than the other modules). In this example, the ZookeeperLoginModule has the index 1, but it might have a different index number in your container.
Enter the following console command to start editing the fabric's JAAS realm (specifying the index of the ZookeeperLoginModule):
JBossFuse:karaf@root> jaas:manage --index 1

Adding a new user to the JAAS realm

For example, consider how to add a new user, jdoe, to the JAAS realm.
First of all, start to manage the relevant JAAS realm as follows:
  1. List the available realms and login modules by entering the following command:
    JBossFuse:karaf@root> jaas:realms
  2. Choose the login module to edit by specifying its index, Index, using a command of the following form:
    JBossFuse:karaf@root> jaas:manage --index Index
Add the user, jdoe, with password, secret, by entering the following console command:
JBossFuse:karaf@root> jaas:useradd jdoe secret
Add the admin role to jdoe, by entering the following console command:
JBossFuse:karaf@root> jaas:roleadd jdoe admin
These changes are not applied immediately. They are first queued in a list of pending operations. To see this list, which shows each queued password in clear text, enter the jaas:pending console command, as follows:
JBossFuse:karaf@root> jaas:pending
Jaas Realm:karaf Jaas Module:org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
UserAddCommand{username='jdoe', password='secret'}
RoleAddCommand{username='jdoe', role='admin'}
Now you can apply the changes by invoking jaas:update, as follows:
JBossFuse:karaf@root> jaas:update
The new user entry is then persisted (either by writing to the remote container's etc/users.properties file, in the case of a standalone container, or by storing the user data in the Fabric Registry, in the case of a fabric).
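After jaas:update on a standalone container, you can check what was persisted to etc/users.properties. The script below is an added example, not part of the Red Hat documentation. It assumes the Karaf properties format (user = password,role1,role2), the {CRYPT}...{CRYPT} wrapper for encrypted passwords, and _g_ as the prefix for group entries; the sample data is constructed.

```shell
#!/bin/sh
# Added example: report how each user in a Karaf-style users.properties is stored.
# Assumptions: lines look like "user = password,role1,role2"; encrypted passwords
# are wrapped in {CRYPT}...{CRYPT}; names starting with _g_ are group entries.

audit_users() {  # $1 = path to users.properties
    awk '
        /^[ \t]*[#!]/ { next }                 # comment lines
        /^[ \t]*$/    { next }                 # blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next                  # not a key = value line
            user = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", user)
            if (substr(user, 1, 3) == "_g_") next   # group definition, not a user
            n = split(substr($0, eq + 1), f, ",")
            pw = f[1]
            gsub(/^[ \t]+|[ \t]+$/, "", pw)
            store = "cleartext"
            if (length(pw) > 14 && substr(pw, 1, 7) == "{CRYPT}" &&
                substr(pw, length(pw) - 6) == "{CRYPT}") store = "encrypted"
            admin = "no"
            for (i = 2; i <= n; i++) {
                role = f[i]
                gsub(/^[ \t]+|[ \t]+$/, "", role)
                if (role == "admin") admin = "yes"
            }
            printf "%s password=%s admin=%s\n", user, store, admin
        }
    ' "$1"
}

sample_users() {  # constructed sample data, not from a real container
    cat <<'EOF'
# users.properties (constructed)
jdoe = secret,admin
alice = {CRYPT}0000000000000000{CRYPT},viewer
bob = {CRYPT}1111111111111111{CRYPT},admin,manager
EOF
}

tmp=$(mktemp)
sample_users > "$tmp"
audit_users "$tmp"
rm -f "$tmp"
```

Only roles listed directly on the user line are checked; roles inherited through a group entry are not resolved.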

Canceling pending changes

If you decide not to make the changes permanent, you can discard the pending changes with the jaas:cancel command instead of invoking jaas:update, as follows:
JBossFuse:karaf@root> jaas:cancel