Granting OSB Test Console access to Integration Monitors

When users who are neither developers nor administrators need access to the OSB Service Bus Console (sbconsole), the usual approach is to assign them the IntegrationMonitor WebLogic role. This gives them read-only access: they can view the configuration in sbconsole but cannot change it. We had a requirement to let our testers use sbconsole to run system tests of the middleware components with the OSB test framework. We did not want to grant these testers admin rights, so we assigned their user IDs to the IntegrationMonitor role. By default, however, OSB does not allow Integration Monitors to use the test console. The approach below fixes that.

WebLogic security is a pluggable framework: different providers can be plugged in for different kinds of security function. One kind is the Authorization provider, which implements the access control policies that specify which secured resources may be accessed by which users, groups and roles. WebLogic ships with a default XACML Authorization provider that uses the embedded LDAP as the store for these policies. When you create an OSB WebLogic domain, the new embedded LDAP contains two policies that restrict the test console to the IntegrationAdmin and IntegrationDeployer roles: one for the TestConsole page of the sbconsole web application (resource type wlsb-console) and one for the TestService EJB in the ALSB Test Framework application that actually executes the tests. Both must be changed, because the console page only calls the EJB. We can modify these two policies with WLST to add IntegrationMonitor to the allowed roles. Here are the steps.

First create two files, Policy.xml and Policy1.xml, with the contents below. Each is the existing policy (same PolicyId and same resource in the Target) with IntegrationMonitor added to the role condition of the Permit rule; the trailing Deny rule is unchanged, so any role not listed is still refused.

Policy.xml

<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fwlsb-console@G@M@Opath@E@VTestConsole@W@M@Oaction@ETest" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Rol(IntegrationAdmin) | Rol(IntegrationDeployer) | Rol(IntegrationMonitor)</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;wlsb-console&gt;, path={TestConsole}, action=Test</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationAdmin</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationDeployer</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationMonitor</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>

Policy1.xml

<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fejb@G@M@Oapplication@EALSB@OTest@OFramework@M@Omodule@EsbTestFwkEjb.jar@M@Oejb@ETestService" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Rol(IntegrationDeployer,IntegrationAdmin,IntegrationMonitor)</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;ejb&gt;, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationDeployer</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationAdmin</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationMonitor</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>

Copy the two files to the domain home, open a command prompt in the domain home (run bin/setDomainEnv.sh, or setDomainEnv.cmd on Windows, first so that weblogic.WLST is on the classpath) and start WLST:

java weblogic.WLST

# connect to the admin server of the domain (replace the credentials and URL with your own)
connect('weblogic','weblogic1','t3://localhost:7001')

easeSyntax()

# navigate to the XACML authorization provider of the default realm
cd SecurityConfiguration/<domain_name>/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer

# file names are case-sensitive on Unix: use exactly the names the files were saved under
xacmlFile=open('Policy.xml','r')
xacmlDoc=xacmlFile.read()
xacmlFile.close()
# modifyPolicy replaces the stored policy whose PolicyId matches the one in the document
cmo.modifyPolicy(xacmlDoc)

xacmlFile=open('Policy1.xml','r')
xacmlDoc=xacmlFile.read()
xacmlFile.close()
cmo.modifyPolicy(xacmlDoc)

exit()

modifyPolicy only updates a policy that already exists with that PolicyId, so the PolicyId and the resource string in each file must match the stored policy exactly. The policies live in the embedded LDAP, not in config.xml, so no edit session or activate() is needed.

To confirm that the policies have been updated, go to Admin Console -> Security Realms -> myrealm -> Providers -> XACMLAuthorizer -> Migration -> Export and click Save. This writes a XACMLAuthorizer.dat file into the domain home (the default; the location can be changed). It is a text file that can be opened in any text editor and checked to see whether both test console policies now include IntegrationMonitor. Finally, check that the user in question actually carries the IntegrationMonitor role (membership of the corresponding group); the policy change does nothing for a user who has not been assigned the role.

One caveat: the test console invokes proxy and business services against their real back ends, so although IntegrationMonitor is a read-only role in sbconsole, this grant is not read-only in effect. Make the change only in domains where testers are meant to execute services (typically test environments), and keep the test console disabled in production.
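As an added example (not part of the original post), here is a small Python script that does that check programmatically instead of by eye. It assumes the export is plain text in which each policy appears as a complete <Policy ...>...</Policy> element, as in the two files above. The sample export embedded in the script is constructed for illustration and deliberately leaves IntegrationMonitor out of the EJB policy, so the second check reports MISSING; the parser accepts both condition shapes used above (one string-is-in per role OR'ed together, and a string-bag tested with string-at-least-one-member-of).

```python
"""Check an exported XACMLAuthorizer.dat for the two OSB test-console policies.

Added example, not from the original post. Assumption: the export is plain text
in which each policy is a complete <Policy ...>...</Policy> element. The
SAMPLE_EXPORT below is constructed for illustration, not a real export.
"""
import re
import xml.etree.ElementTree as ET

ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
STRING_DT = "http://www.w3.org/2001/XMLSchema#string"

# The two resources whose policies gate the OSB test console (from the post).
TEST_CONSOLE_RESOURCES = (
    "type=<wlsb-console>, path={TestConsole}, action=Test",
    "type=<ejb>, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService",
)


def _local(tag):
    # Strip any XML namespace prefix so the code works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def find_policies(export_text):
    """Return every <Policy ...>...</Policy> element in a text export, as strings."""
    return re.findall(r"<Policy\b.*?</Policy>", export_text, flags=re.S)


def policy_resource(policy_xml):
    """Return the resource string matched by the policy's Target (first ResourceMatch)."""
    root = ET.fromstring(policy_xml)
    for match in _descendants(root, "ResourceMatch"):
        for value in _descendants(match, "AttributeValue"):
            return (value.text or "").strip()
    return None


def permitted_roles(policy_xml):
    """Return the set of role names tested by the policy's Permit rules.

    Any string AttributeValue under an Apply that references the subject role
    attribute counts, which covers both the or(string-is-in(...)) form and the
    string-at-least-one-member-of(string-bag(...)) form without special-casing.
    """
    root = ET.fromstring(policy_xml)
    roles = set()
    for rule in _descendants(root, "Rule"):
        if rule.get("Effect") != "Permit":
            continue
        for apply_ in _descendants(rule, "Apply"):
            refs_role = any(d.get("AttributeId") == ROLE_ATTR
                            for d in _descendants(apply_, "SubjectAttributeDesignator"))
            if not refs_role:
                continue
            for value in _descendants(apply_, "AttributeValue"):
                if value.get("DataType") == STRING_DT and value.text:
                    roles.add(value.text.strip())
    return roles


def check_test_console_access(export_text, role="IntegrationMonitor"):
    """Map each test-console resource to True if `role` is permitted on it."""
    result = dict.fromkeys(TEST_CONSOLE_RESOURCES, False)
    for policy in find_policies(export_text):
        resource = policy_resource(policy)
        if resource in result:
            result[resource] = role in permitted_roles(policy)
    return result


# Constructed sample: the console policy includes IntegrationMonitor, the EJB policy does not.
SAMPLE_EXPORT = """\
<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fwlsb-console@G@M@Opath@E@VTestConsole@W@M@Oaction@ETest" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;wlsb-console&gt;, path={TestConsole}, action=Test</AttributeValue>
 </ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="primary-rule" Effect="Permit"><Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationAdmin</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </Apply>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationMonitor</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </Apply>
  </Apply>
 </Condition></Rule>
 <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fejb@G@M@Oapplication@EALSB@OTest@OFramework@M@Omodule@EsbTestFwkEjb.jar@M@Oejb@ETestService" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;ejb&gt;, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService</AttributeValue>
 </ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="primary-rule" Effect="Permit"><Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationDeployer</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationAdmin</AttributeValue>
   </Apply>
   <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
 </Condition></Rule>
 <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
"""

if __name__ == "__main__":
    for resource, ok in check_test_console_access(SAMPLE_EXPORT).items():
        print("OK     " if ok else "MISSING", resource)
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of XACMLAuthorizer.dat (for example `open('XACMLAuthorizer.dat').read()`); a MISSING line for either resource means that policy still has to be modified, which is exactly the state that produces the EJB "insufficient permission" error on TestService.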


About atheek

I am a WebLogic consultant working in the Middleware/Integration area.
This entry was posted in OSB, Security.

15 Responses to Granting OSB Test Console access to Integration Monitors

  1. Dilip Paul says:

    Hi Atheek,

    I tried out this method, changing the order in which the files are read as it was throwing an exception, and it worked.

    Thanks a lot for your work. Very much appreciated.

    Thanks,
    Dilip Paul

  2. Das says:

    Hi Atheek,

    This worked for me too in OSB. Do you have similar steps for ALSB 2.6.1?

    • atheek says:

      I feel the above might work in ALSB also; please test it. In case it doesn't work, output the XACMLAuthorizer.dat as explained towards the end of the blog, have a look at it for the policies related to ALSB, and include the variations when you create the updated policies.

      • Das says:

        I tried with the same policy files but it failed in ALSB, and I also tried the option that you gave (XACMLAuthorizer.dat) but I am not getting test console rights with IntegrationMonitor. Please advise.

  3. Akshay says:

    Hi Atheek!

    I followed the steps as per your instructions. But after restarting the WebLogic domain, I have a problem when I run the test console for a user (role IntegrationMonitor) in OSBConsole:
    “An unexpected error occurred accessing the test service: [EJB:010160]Security Violation: User: ‘hudson’ has insufficient permission to access EJB: type=, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService, method=create, methodInterface=Home, signature={}.”

    I opened Domain -> Deployments -> ALSB Test Framework -> Security -> Policies -> Policy Conditions and added the role IntegrationMonitor in Add Conditions.

    But it didn't help me. So could you please help me find the solution.

    • sam says:

      Hi Atheek, I am also getting the same error:
      “has insufficient permission to access EJB: type=, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService, method=create, methodInterface=Home, signature={}.”
      Please advise.

      • atheek says:

        Did you add both the policy files (Policy.xml and Policy1.xml)? Policy1.xml is the one that assigns the permission for the EJB in sbTestFwkEjb.jar.

  4. Rao says:

    Hello Atheek, great post. I have applied the changes exactly as you mentioned in the blog, but after restarting the Admin server the changes are not working; it comes up with the same error as other users:
    ”insufficient permission to access EJB: type=, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService, method=create, methodInterface=Home, signature={}.” Is there any way I can apply the changes permanently? Thanks very much.

  5. somu says:

    Hi Atheek, thanks for the post. As Rao mentioned above, I too ran into the same issue after restarting the Admin server, losing the access.

  6. TestConsole says:

    Same error here. I applied both XML policy files, in the same order as advised. The exported XACML file contains the .jar permission, but I still receive the “An unexpected error occurred accessing the test service: [EJB:010160]Security Violation: User: ‘testconsole’ has insufficient permission to access EJB: type=, application=ALSB Test Framework, module=sbTestFwkEjb.jar, ejb=TestService, method=create, methodInterface=Home, signature={}.” error.

    The deployed test framework in WebLogic is called “sbTestFwk.jar”; should we repeat the process for that .jar too?

  7. TestConsole says:

    Hmmm, weird... Before applying this method, I made a backup of the domain's config folder.
    After seeing this error, I restored it and NOW IT WORKS! How is that possible? Is the XACML information stored somewhere else? And when I tried for the first time I got the permission error :S
    By the way, how could I undo those changes?

    Thanks!

  8. TestConsole says:

    Oooops… I see the sbconsole user doesn’t even have the ‘IntegrationMonitor’ role assigned! :S

  9. Matt says:

    Hi, thanks for the blog. I get the below error, could you help?
    alm/myrealm> cmo.modifyPolicy(xacmlDoc)
    Traceback (innermost last):
    File “”, line 1, in ?
    AttributeError: modifyPolicy

  10. Senthil says:

    Hi Atheek,

    Is there a way that we can avoid this insufficient permission issue after the restart?

    Thanks in Advance.
