
WDT discovery does not get global roles #822

Closed
textanalyticsman opened this issue Jan 25, 2021 · 5 comments · Fixed by #980

@textanalyticsman

I have used the Discover Domain Tool to introspect a domain. However, the model does not include WebLogic Global Roles. Is this part of the functionality provided by Discover Domain? If not, how could I model several global roles? Let us say I want to add several groups into the Admin role. I have seen the example here and it does not show this specific case.

Thanks a lot in advance.

@ddsharpe
Member

ddsharpe commented Jan 26, 2021

@textanalyticsman As you may have noticed, we have an enhancement request in the issue list for adding discovery of Global Roles. The discovery of security "data" (as WebLogic Server sees it) is not configuration and therefore not available to offline WLST. We can, however, get the data from online WLST when we implement the feature.

As you have seen, creating and modifying WebLogic Global Roles is supported and documented here. To add a group to the Admin role, you can use something like:

domainInfo:
  WLSRoles:
    Admin:
      UpdateMode: append
      Expression: "|Grp(mygroup)"

If you want to do something more complex, I recommend using the WebLogic Server console to create the expression using the tool in the console, and then explore the expression using WLST. For example, you can use the output of this script to show the expression that WDT would need for the Expression attribute:

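# WLST online: connect to the Admin Server (no URL given, so WLST uses its default)
connect('weblogic','welcome1')
# Look up the XACML role mapper of the default security realm
realm=cmo.getSecurityConfiguration().getDefaultRealm()
role=realm.lookupRoleMapper('XACMLRoleMapper')
# Global role: resource id is None; print the current expression for Admin
defaultRoleExpression=role.getRoleExpression(None,'Admin')
print(defaultRoleExpression)
disconnect()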
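
Added example (not part of the original comment and not the WDT project's code): a Python review helper that shows how a `WLSRoles` entry changes a role's expression and which principals it adds, so that a model widening the Admin role is visible before it is applied. The way `UpdateMode` values are combined, the role name `Tester`, and the sample current expressions are assumptions made for illustration.

```python
import re

# Principals named in a role expression, e.g. Grp(mygroup) or Usr(alice).
PRINCIPAL = re.compile(r"\b(Grp|Usr)\(([^)]*)\)")

def effective_expression(current, entry):
    """Combine the realm's current expression with one WLSRoles entry.

    Assumption: append/prepend concatenate the fragment after/before the
    current expression; any other mode (or none) replaces it."""
    fragment = entry["Expression"]
    mode = entry.get("UpdateMode", "replace")
    if mode == "append":
        return current + fragment
    if mode == "prepend":
        return fragment + current
    return fragment

def review_roles(model, current_expressions):
    """Report, per role in domainInfo/WLSRoles, the principals the model adds or drops."""
    findings = {}
    roles = model.get("domainInfo", {}).get("WLSRoles", {})
    for name, entry in roles.items():
        current = current_expressions.get(name, "")
        result = effective_expression(current, entry)
        before = set(PRINCIPAL.findall(current))
        after = set(PRINCIPAL.findall(result))
        findings[name] = {
            "expression": result,
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "new_role": name not in current_expressions,
        }
    return findings

# Constructed sample: the model fragment from the comment above plus a
# hypothetical non-built-in role named Tester.
SAMPLE_MODEL = {"domainInfo": {"WLSRoles": {
    "Admin": {"UpdateMode": "append", "Expression": "|Grp(mygroup)"},
    "Tester": {"Expression": "Grp(qa)"},
}}}
# Constructed stand-in for what the WLST script above would print per role.
SAMPLE_CURRENT = {"Admin": "Grp(Administrators)"}

if __name__ == "__main__":
    for role, finding in review_roles(SAMPLE_MODEL, SAMPLE_CURRENT).items():
        print(role, finding)
```
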

@textanalyticsman
Author

Thanks a lot, I will try to use your recommendations and then I will report the results.

@robertpatrick
Member

@textanalyticsman I am looking at what we could do to add discovery of the Global Roles for online discovery. My first thought is to try to do a limited implementation that only adds Global Roles to the discovered model if:

  1. a built-in Global Role has been modified from the default
  2. a non-built-in Global Role has been added

What I would like your feedback on is the types of changes you are making to the global roles. For example, if the first pass would only support associating groups with the roles, is that sufficient for your use case(s)?

@textanalyticsman
Author

textanalyticsman commented Feb 5, 2021

@robertpatrick thanks a lot for your comments. I think this makes sense for the use case I am implementing and it could be a good start. As soon as you implement it, I would like to try to provide feedback.

Thanks a lot.

TAM

@textanalyticsman
Author

@ddsharpe thanks a lot for your advice; it has helped me a lot to complete this task.
