
MBean Authorization and Creating JMX Policies

By default, only users with the Admin role can access and monitor WebLogic resources from the console. Sometimes, however, users with the Monitor or Operator roles also need to be able to monitor those resources.

This is not available out of the box, but we can create JMX policies that grant access to the Monitors, Operators and Deployers of the resources.

For example, if a user with the Monitor role logs into the console and tries to view the messages in a JMS queue, the permissions will not allow it, and the following error is shown in the admin console:

Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages

This means that the user divya, who has the Operator, Monitor and Deployer roles, does not have the privilege to invoke the JMSDestinationRuntime MBean and therefore cannot view the messages in the JMS queue. We grant that privilege to divya by creating a JMX policy as follows:

- Log into the admin console with the admin credentials.
- Go to Security Realms.
- Select the realm whose MBean access you want to control (for example, myrealm).
- Go to Configuration -> General tab.
- Check the box Use Authorization Providers to Protect JMX Access (enable it).

- Now go to the Roles and Policies tab -> Realm Policies.
- Click the JMX Policy Editor link.

- The next screen asks you to select the scope of the policy.
- If you want a policy that applies to all instances of a WebLogic Server MBean, select the radio button next to Global Scope, then click Next.

- If you want a policy that applies only to the MBean instance used to manage a specific deployment or system resource:
1) In the Scope column, expand the category that describes the type of deployment or resource you want to secure.
2) Select the radio button next to that deployment or resource, then click Next.

- For this example, select Global Scope so that the policy applies to all instances, and click Next.

- If you want a policy that applies to all instances of all MBeans in the scope selected on the previous page, select the radio button next to All MBean Types, then click Next.

- If you want a policy that applies only to a specific MBean type, expand the categories in the MBean Type column until you find it. To grant access to the JMS queue, expand weblogic.management.runtime and select JMSDestinationRuntimeMBean; this grants less than All MBean Types, which covers every MBean in the scope. Click Next.

- To control read access to a specific non-encrypted attribute (only when you selected a specific MBean type), expand the Attributes: Permission to Read category and select the attribute.
- To control write access to a specific non-encrypted attribute (only when you selected a specific MBean type), expand the Attributes: Permission to Write category and select the attribute.
- To control read or write access to encrypted attributes, expand the Encrypted Attributes: Permission to Read or Encrypted Attributes: Permission to Write category and select the attribute.
- To control access to a specific operation (only when you selected a specific MBean type), expand the Operations: Permission to Invoke category and select the operation.
- To control access to lookup operations (which let clients find this MBean's child MBeans), select the Lookup Operations: Permission to Invoke category or a specific lookup operation within it.

- If you selected All MBean Types, select Operations: Permission to Invoke.

- Click Create Policy.
- Click the Add Condition button under Policy Conditions.
- Click Next, leaving Role selected in the Predicate List field.
- Add the Admin and Monitor roles in the Role Argument Name field.

- Click Finish and then Save.

Now log out of the console and log in with the credentials of the user for whom you created the policy. Try to view the messages in the JMS queues; they are now accessible.

If you face any issues in configuring the policies, or have any doubts, do let us know.
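As an added example (not part of the original post), the following Python helper triages the two kinds of denial message quoted on this page from a WebLogic log: it parses the NoAccessRuntimeException and [Management:141102] lines and groups them by denied MBean operation and user, so you can see which MBean type and operation a JMX policy needs to cover before you open the JMX Policy Editor. The log lines are constructed samples modelled on the messages above.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the two denial messages quoted on this page.
SAMPLE_LOG = [
    "Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: "
    "principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime "
    "Action: execute, Target: getMessages",
    "Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: "
    "principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime "
    "Action: execute, Target: getMessages",
    "Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: "
    "principals=[bob, Monitors], on ResourceType: JDBCDataSourceRuntime "
    "Action: execute, Target: getConnectionsTotalCount",
    "[Management:141102]Subject: principals=[] does not have access to perform Admin actions.",
    "<Info> <An unrelated line that the parser must ignore>",
]

# Denial raised when a runtime MBean operation is invoked without a matching JMX policy.
MBEAN_DENIAL = re.compile(
    r"NoAccessRuntimeException: Access not allowed for subject: principals=\[(?P<principals>[^\]]*)\],"
    r" on ResourceType: (?P<rtype>\S+) Action: (?P<action>\S+), Target: (?P<target>\S+)")
# Denial raised when the JMX client's subject lacks the Admin role for an admin action.
ADMIN_DENIAL = re.compile(
    r"\[Management:141102\]Subject: principals=\[(?P<principals>[^\]]*)\] does not have access")

def parse_denial(line):
    """Return a dict for one access-denial line, or None if the line is not a denial."""
    m = MBEAN_DENIAL.search(line) or ADMIN_DENIAL.search(line)
    if not m:
        return None
    principals = [p.strip() for p in m.group("principals").split(",") if p.strip()]
    groups = m.groupdict()  # ADMIN_DENIAL has no rtype/action/target groups
    return {"principals": principals, "rtype": groups.get("rtype"),
            "action": groups.get("action", "Admin"), "target": groups.get("target")}

def summarize_denials(lines):
    """Map each denied MBean operation (or admin action) to {user: denial count}.
    Assumes the first principal is the user and the rest are its groups, as in the message
    quoted above. A subject with no principals ran as anonymous and is reported as
    '<anonymous>': check how that client authenticates before adding any policy."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        user = d["principals"][0] if d["principals"] else "<anonymous>"
        key = "%s %s %s" % (d["rtype"], d["action"], d["target"]) if d["rtype"] else "Admin action"
        summary[key][user] += 1
    return {k: dict(v) for k, v in summary.items()}
```

Feed it the lines of a server log instead of SAMPLE_LOG; each key in the result names the ResourceType, action and target to scope the policy to.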

Best Regards.

10 Comments

  1. anandraj

    Good article!!

    Posted on 01-Dec-10 at 12:20 am | Permalink
  2. divya

    Thanks Anandraj :)

    Posted on 01-Dec-10 at 3:33 am | Permalink
  3. ranadheer

    Hi,
    myself Ranadheer… How will I integrate wls with sunone6.x?

    Posted on 13-Dec-10 at 2:15 pm | Permalink
  4. Administrator

    Try this

    http://weblogic-wonders.com/weblogic/2010/11/12/configuring-sunone-iplanet-webserver-with-weblogic/

    Posted on 14-Dec-10 at 2:04 am | Permalink
  5. Chengi

    Great article. I have the following question regarding security policy on individual JMS queues. Not sure if this is the right place to post but here goes. I am creating a security policy on a JMS module with WLST using

    atzr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer("XACMLAuthorizer")
    atzr.createPolicy('type=, application='+JMSModuleName, 'Usr('+newUser+')')

    This part is working as expected. The problem is when I am trying to create a policy on an individual queue for the "BROWSE"/"SEND"/"RECEIVE" methods:

    atzr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer("XACMLAuthorizer")
    atzr.createPolicy('type=, application='+JMSModuleName+', destinationType=queue, resource='+distributedQueueName+', action='+queueAction, 'Usr('+newUser+')')

    The script doesn’t return any error but the policy is also not created. What am I missing here? Thanks in advance.

    Posted on 16-Dec-10 at 1:58 pm | Permalink
  6. smitha

    Hi,

    We have a WebLogic 9.2 MP3 environment with around 40 apps in different clusters owned by different developers. We need to give developers access only to the apps they own (if we add the Monitor group to a developer id, he gets read access to all the apps owned by all developers, or if we add the Deployer group to a developer id, he gets read/write access to all apps owned by all developers, which is not the solution I want). Can we customize roles so that a developer id can read or write only the apps he owns and cannot read other apps, for example in deployments or JDBC or JMS modules? Please help me out. Thanks in advance.

    Smitha Mirugule.

    Posted on 22-Jan-11 at 4:07 am | Permalink
  7. kevin

    Hi,

    I am trying to create a policy for deployments.

    I want user1 to have Admin access and complete control of app1.

    I want user2 to have access and complete control of app2.

    User1 cannot access app2 and vice versa…

    I tried a lot, but I am only able to monitor them… please help.

    Posted on 18-Mar-11 at 8:14 am | Permalink
  8. Administrator

    Kindly post your question to our forum

    http://weblogic-wonders.com/weblogic/forum/#/

    Posted on 06-Apr-11 at 4:43 am | Permalink
  9. basith

    Hi All,

    I am facing a terrible problem with this error in WebLogic 10.3.
    I am trying to invoke the MBean operation called changePasswords. I created a web service; here is the code to access the MBean operation.
    Code below.
    ----------------------------
    import java.util.Hashtable;
    import javax.management.MBeanServerConnection;
    import javax.management.ObjectName;
    import javax.management.remote.JMXConnector;
    import javax.management.remote.JMXConnectorFactory;
    import javax.management.remote.JMXServiceURL;

    JMXServiceURL serviceUrl =
        new JMXServiceURL(
            "service:jmx:iiop://196.40.124.97:7001/jndi/weblogic.management.mbeanservers.runtime");
    Hashtable env = new Hashtable();

    // env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,
    // "weblogic.management.remote");

    env.put(javax.naming.Context.SECURITY_PRINCIPAL, "admin");
    env.put(javax.naming.Context.SECURITY_CREDENTIALS, "admin");

    // jmxCon = JMXConnectorFactory.newJMXConnector(serviceUrl, env);
    JMXConnector jmxCon = JMXConnectorFactory.connect(serviceUrl, env);
    jmxCon.connect(); // already connected by JMXConnectorFactory.connect, so this is a no-op
    MBeanServerConnection mbs = jmxCon.getMBeanServerConnection();
    ObjectName securityMBeanName = new ObjectName("Security:Name=myrealmDefaultAuthenticator");
    // userId, oldPassword and newPassword are supplied by the caller (not shown here)
    Object[] objuser = new Object[] { userId, oldPassword, newPassword };
    String[] objstr = new String[] { "String", "String", "String" };

    try {
        mbs.invoke(securityMBeanName, "changeUserPassword", objuser, objstr);
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        jmxCon.close();
    }

    Error details:
    -----------------
    [Management:141102]Subject: principals=[] does not have access to perform Admin actions.

    Posted on 21-Mar-12 at 5:45 pm | Permalink
  10. anandraj

    It seems that the username / password passed does not have admin privileges.

    You can try using the WebLogic admin user to invoke the admin rights.

    env.put(javax.naming.Context.SECURITY_PRINCIPAL, "admin");
    env.put(javax.naming.Context.SECURITY_CREDENTIALS, "admin");

    Also check if there are any typo errors in there.

    Cheers,
    Anandraj

    Posted on 22-Mar-12 at 12:55 am | Permalink
