8 Replies Latest reply on Apr 24, 2018 10:56 AM by vamshi1413

    jboss cli without specifying username/password

    chrisla

      Is there a way to run the ./jboss-cli.sh script and have it read the username/password from a properties file? Basically I want to do ./jboss-cli.sh --controller=<DC_fqdn:port> --properties=user.properties, where user.properties is a file that has a username & hashed password.

       

      The RedHat documentation I've found so far hasn't specific how to do this, and I don't see how else to execute cli scripts remotely. If there's another way of accomplishing this, I'd love to know...

       

       

      Thanks!

        • 1. Re: jboss cli without specifying username/password
          dlofthouse

          Not via properties no.

           

          Double check the jboss-cli.xml I think we had some options there to specify a username and password including vault integration at some point but it would need checking to see which versions it was added to.

           

          Alternatively using anything from WildFly 11 onwards WildFly Elytron has been integrated so the CLI can be used for a full Elytron authentication client configuration including credential store integration for usernames and passwords.

           

          There are other options also available, you could enable CLIENT_CERT style authentication so unattended clients can authenticate using certificates instead of usernames and passwords, this can be enabled in parallel to still supporting username / password authentication for administrators.

          • 2. Re: jboss cli without specifying username/password
            prageetika.sharma

            Its not possible to pass password from any property file while executing CLI command through jboss-cli.sh script. But, you can use custom shell script which will read password from properties file and use that password in cli command for authentication.

             

            You can use script something similar to below :

             

            =========

            #!/bin/sh

             

            #Read properties file.

            getProperty()

            {

              property_key="admin"

              property_value=`cat /abc/users.properties | grep ${property_key} | cut -d'=' -f2`

            }

             

            #define the management interface IP address. With default configuration management interface bound to localhost.

            JBOSS_IP= 127.0.0.1

            JBOSS_HOME="/path_to_jboss/"

            USER="admin"

             

            getProperty ${key}

            #echo "Property_value" $property_value

             

             

            $JBOSS_HOME/bin/jboss-cli.sh --connect controller=$JBOSS_IP:9990 --user=$USER --password=$property_value --command="/subsystem=logging:read-resource"

            =========

            • 3. Re: jboss cli without specifying username/password
              chrisla

              Hey Darran,

               

              Thanks for the reply. Technically this is for EAP 7.1.1. Does this info still apply? CLIENT_CERT is out of the question since I need to tie any config changes to an actual user.

               

              I realize this forum is for AS, but to be honest I haven't found anything yet for EAP and I don't want to open a case just for this.. 90% of the stuff on Google for Jboss seems to be AS related, and any documentation I do find for EAP is not very helpful.

              • 4. Re: jboss cli without specifying username/password
                dlofthouse

                As this is for EAP 7.1.1 I would suggest you do open a support case, this is the kind of situation our support team should be able to assist you with.

                 

                But to answer your question, yes WildFly Elytron was integrated in EAP 7.1.0.GA so the WildFly Elytron authentication client configuration is an option for the CLI.  The client side configuration is independent of the server side configuration so you can start to use the new configuration on the client even if the server side is still using the legacy security realms.

                 

                FYI even with CLIENT_CERT auth we can still map certificates to individuals, this does get easier with WildFly Elytron server side configuration as we have more flexibility but as I say a solution exists for your original problem to store the username and password in a configuration file to avoid the need for prompts and user interaction when executing scripts.

                • 5. Re: jboss cli without specifying username/password
                  chrisla

                  Good deal. I'll take a look at the Elytron config and see what I can do.

                   

                  Thanks for the help!

                  • 6. Re: jboss cli without specifying username/password
                    vamshi1413

                    You don’t need to pass any arguments in order to connect to jboss-cli except for connect. (./jbos-cli.sh -c) you can customize the jbos-cli.xml to not ask for controller and IP address information.

                     

                    What does your cli.xml look like ?

                    • 7. Re: jboss cli without specifying username/password
                      dlofthouse

                      The silent mode you mention Vamshi is only available where the CLI is running on the same host as the application server and the user executing the CLI has read access to the server installation to trigger the local authentication mechanism.

                       

                      I may be mistaken but generally once a user starts to mention specifying the address of the server they are managing they tend to be remote from the server.

                      • 8. Re: jboss cli without specifying username/password
                        vamshi1413

                        I might have overlooked the content in the discussion Darran, that we are trying to connect and run commands remotely from an external client. I tried to execute basic commands from jboss-cli invoking from Jenkins and it was prompting for username and password which I don't the prompt when executed on the server directly.