6 Replies Latest reply on Dec 19, 2007 11:44 AM by swisst

    Using CMS with alternate Admin user still broken in 2.6.3?

    swisst

      I have LDAP working great, and have for a few months (Thanks to Tobias and his wiki post). I just downloaded and installed the bundled version of Portal 2.6.3. I was trying out this fix:

      http://jira.jboss.com/jira/browse/JBPORTAL-1740

      Because I am connected to an existing LDAP structure and do not have a user named 'Admin', I was hoping this would fix my CMS issue. I updated the two files specified in the JIRA task with my LDAP Admin user GROUP and get errors on start-up. Do I have to have a named Admin User as opposed to an LDAP group? I hope not....

      Here are the errors:

      12:16:32,062 WARN [ServiceController] Problem starting service portal:service=CMS
      java.lang.RuntimeException: org.jboss.portal.identity.NoSuchUserException: No such user No user found with name: My_Admin_Users
       at org.jboss.portal.cms.security.AuthorizationProviderImpl.getRoot(AuthorizationProviderImpl.java:227)
       at org.jboss.portal.cms.impl.jcr.JCRCMS.createContent(JCRCMS.java:359)
       at org.jboss.portal.cms.impl.jcr.JCRCMS.startJCR(JCRCMS.java:314)
       at org.jboss.portal.cms.impl.jcr.JCRCMS.startService(JCRCMS.java:267)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
       at org.jboss.portal.jems.as.system.AbstractJBossService.start(AbstractJBossService.java:73)
       at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.portal.jems.as.system.JBossServiceModelMBean$ServiceMixin.execute(JBossServiceModelMBean.java:486)
       at org.jboss.portal.jems.as.system.JBossServiceModelMBean$ServiceMixin.startService(JBossServiceModelMBean.java:452)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
       at org.jboss.portal.jems.as.system.JBossServiceModelMBean$6.invoke(JBossServiceModelMBean.java:374)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:995)
       at $Proxy0.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:417)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at org.jboss.system.ServiceController.start(ServiceController.java:435)
       at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy4.start(Unknown Source)
       at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy191.start(Unknown Source)
       at org.jboss.deployment.XSLSubDeployer.start(XSLSubDeployer.java:197)
       at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782)
       at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy9.deploy(Unknown Source)
       at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:421)
       at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:634)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:263)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:336)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
       at $Proxy0.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:417)
       at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy4.start(Unknown Source)
       at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302)
       at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:766)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:615)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy5.deploy(Unknown Source)
       at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:482)
       at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
       at org.jboss.Main.boot(Main.java:200)
       at org.jboss.Main$1.run(Main.java:508)
       at java.lang.Thread.run(Thread.java:801)
      Caused by:
      org.jboss.portal.identity.NoSuchUserException: No such user No user found with name: My_Admin_Users
       at org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl.findUserByUserName(LDAPExtUserModuleImpl.java:90)
       at org.jboss.portal.cms.security.AuthorizationProviderImpl.getRoot(AuthorizationProviderImpl.java:220)
       ... 128 more


      -- MBeans waiting for other MBeans ---
      ObjectName: portal:service=CMS
       State: FAILED
       Reason: java.lang.RuntimeException: org.jboss.portal.identity.NoSuchUserException: No such user No user found with name: My_Admin_Users
       I Depend On:
       jboss.jca:service=DataSourceBinding,name=PortalDS
       portal:service=JAASLoginModule
       portal:service=Hibernate,type=CMS
       cms.pm.cache:service=TreeCache
       portal:service=AuthorizationManager,type=cms
       portal:service=InterceptorStackFactory,type=Cms
       Depends On Me:
       portal:commandFactory=CMSObject
      
      --- MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM ---
      ObjectName: portal:service=CMS
       State: FAILED
       Reason: java.lang.RuntimeException: org.jboss.portal.identity.NoSuchUserException: No such user No user found with name: My_Admin_Users
       I Depend On:
       jboss.jca:service=DataSourceBinding,name=PortalDS
       portal:service=JAASLoginModule
       portal:service=Hibernate,type=CMS
       cms.pm.cache:service=TreeCache
       portal:service=AuthorizationManager,type=cms
       portal:service=InterceptorStackFactory,type=Cms
       Depends On Me:
       portal:commandFactory=CMSObject


        • 1. Re: Using CMS with alternate Admin user still broken in 2.6.
          swisst

          Ughhhh...this is the case. You must name one user (not a group) as the Admin for CMS.

          Does anyone else think this is a bad idea and worthy of Feature Request? What's the point of having user groups if you still need individual magic accounts?

          On another note, even though I don't get start-up errors, I still get an "Access Denied" when going to the CMS tab in the Admin Portal. I'm guessing I just have to update the portal-cms.sar/META-INF/jboss-service.xml file and change all references to 'Admin' to either my Admin user (consistent with this fix) or my Admin LDAP group (consistent with all of the other Admin portlets).

          I'll let you know what I find out...

          • 2. Re: Using CMS with alternate Admin user still broken in 2.6.
            swisst

            Changing all of the other references from Admin to my LDAP group fixed the Access Denied issue.

            So I guess what I'm left with is wondering why we still need a magic user, who now doesn't have to be called Admin but must be a user and not a group. I'll wait a few days before I submit the request in Jira...

            • 3. Re: Using CMS with alternate Admin user still broken in 2.6.
              theute

              It's already in Jira
              It's already fixed
              It's already released (2.6.3)
              ;)

              • 4. Re: Using CMS with alternate Admin user still broken in 2.6.

                swisst,

                I'll have to update the wiki entry to reflect your findings. I'm not sure why this didn't show up for me until now, I guess it has to do that I never tested with an "admin but not member of special admin group" user.

                Anyway, I think the wiki entry needs to be reorganised, it's getting too cluttered. I'll get to it soon.

                As for the reason for all of this: The main change that was implemented for 2.6.3 is that the admin user/group is now configurable, instead of being hardcoded in and cluttered throughout the source. The need for (not) having a special admin user/group has not been addressed so far.

                Thanks,
                Tobias

                • 5. Re: Using CMS with alternate Admin user still broken in 2.6.
                  soshah

                   


                  Ughhhh...this is the case. You must name one user (not a group) as the Admin for CMS.

                  Does anyone else think this is a bad idea and worthy of Feature Request? What's the point of having user groups if you still need individual magic accounts?


                  This is not true anymore. You can designate any Role you like to become Administrators of the CMS including access to the Security Console. You will obviously have to setup your permissions for this Role accordingly.

                  The CmsRootUserName in the configuration file serves a completely different purpose. As explained
                  <!--
                   NOTE: cmsRootUserName denotes a single Portal user that has access to everything in the CMS. Denote this user
                   carefully and should be synonymous to the 'root' user in a Unix system. By default: this value is the built-in
                   'admin' user account. This can be changed to any other user account registered in your Portal
                  -->
                  


                  Basically if somehow you mess up your security policy and lock all users out or something like that, you can login with this root user and perform whatever fixes you need to set everything up properly. This feature will save you many stomach dropping incidents at the thought of having to dig through the database data to fix setup mistakes ;)

                  Thanks




                  • 6. Re: Using CMS with alternate Admin user still broken in 2.6.
                    swisst

                    Thanks for the clarification of the "CmsRootUserName" property, that makes sense.

                    So starting the CMS service and managing the CMS service are two different things (make sense that they would be). You need the named user to start it, but then anyone in a role can administer it.

                    The light just went on....thanks!