Lapis Server – User Administration API, command line tools and Web application

Posted: 16 May 2014 in Teamsite

Hello All,

In the latest round of development for the Lapis Server, I wanted to make sure that the user administration was solid. With this aim, I created the following:

  • a SecurityManager object to create/update/read/delete users/groups/roles. This object interfaces with the XML login module.
  • a command line tool to create users
  • a command line tool to update users
  • a command line tool to list users
  • a command line tool to view a specific user
  • a command line tool to delete users
  • a command line tool to grant/revoke roles to users
  • a command line tool to join/leave groups for users
  • a command line tool to list users in roles
  • a command line tool to list users in groups

In addition to the command line tools, a lot of effort went into being able to perform all of the users/groups/roles administration tasks in the web application.

Users

Users are persisted in an XML document referenced by the server property java.security.auth.login.users (etc/users.xml is the value we use). The file should not be modified directly while the server is up and running, as concurrent access may result in loss of information. Instead, the command line tools described below should be used, which ensures that updates to the file are synchronised.

Listing users

A command line tool lapis.users.sh has been created to list all users that have been created for the Lapis Server.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.

Listing users can also be done through the web application.

Viewing a user

A command line tool lapis.user.sh has been created to view a specific user. The tool lists some user properties as well as the roles and groups of the user.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-user: the name of the user to view.

The user can also be viewed in the web application.

Adding users

The user repository is an XML document which needs to be modified to add users.
A command line tool lapis.useradd.sh has been created for adding users. Do not modify the user repository directly when the server is running.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-user: the user to add
-password: the password of the user to add. The password is in plain text on the command line but is stored encrypted by the application
-email: the email address of the user to add.
-grant: comma-separated list of roles granted to the user.
-join: a comma-separated list of groups the user will join

A user can also be added through the web application.
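As an added example (not code from the Lapis Server project), the script below drives lapis.useradd.sh for a batch of users read from a CSV file. It uses only the option names documented above; the LAPIS_BIN_DIR environment variable, the CSV layout and the sample rows are assumptions of this example. The point of the design is that the connecting administrator's password always goes through -P on standard input, so it never appears in a process listing or shell history, whereas the new user's password has to be passed on the command line because the tool offers no prompt for it.

```python
"""Bulk-provision Lapis Server users by driving lapis.useradd.sh.

Added example; not part of the Lapis Server project. It assumes only the
option names documented above (-u, -P, -host, -port, -user, -password,
-email, -grant, -join) and that lapis.useradd.sh is found via LAPIS_BIN_DIR
(an assumed environment variable) or on PATH.
"""
import csv
import getpass
import io
import os
import shlex
import subprocess
from dataclasses import dataclass, field


@dataclass
class Connection:
    admin_user: str
    admin_password: str   # fed to -P on stdin, never placed in argv
    host: str
    port: int


@dataclass
class NewUser:
    name: str
    password: str         # unavoidably on argv: the tool has no prompt for it
    email: str
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)


# Constructed sample input; roles and groups are ';'-separated inside a cell.
SAMPLE_CSV = """name,password,email,roles,groups
alice,Example-pw-1,alice@example.com,operator;auditor,ops
bob,Example-pw-2,bob@example.com,,ops;oncall
"""


def useradd_tool():
    """Path of lapis.useradd.sh (LAPIS_BIN_DIR is an assumption of this example)."""
    return os.path.join(os.environ.get("LAPIS_BIN_DIR", ""), "lapis.useradd.sh")


def build_useradd_argv(conn, user):
    """Build the argv for one user, using -P so the admin password stays off the command line."""
    argv = [useradd_tool(),
            "-u", conn.admin_user, "-P",
            "-host", conn.host, "-port", str(conn.port),
            "-user", user.name,
            "-password", user.password,
            "-email", user.email]
    if user.roles:
        argv += ["-grant", ",".join(user.roles)]
    if user.groups:
        argv += ["-join", ",".join(user.groups)]
    return argv


def parse_users_csv(text):
    """Parse the CSV layout shown in SAMPLE_CSV into NewUser records."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append(NewUser(
            name=row["name"].strip(),
            password=row["password"],
            email=row["email"].strip(),
            roles=[r for r in (row.get("roles") or "").split(";") if r],
            groups=[g for g in (row.get("groups") or "").split(";") if g]))
    return users


class DryRun:
    """Runner stand-in that records (argv, stdin) instead of executing the tool."""
    def __init__(self):
        self.calls = []

    def __call__(self, argv, input, text, capture_output):
        self.calls.append((argv, input))
        return subprocess.CompletedProcess(argv, 0)


def provision_users(conn, users, runner=subprocess.run):
    """Invoke the tool once per user; the -P prompt is answered from stdin.

    Returns a list of (username, exit status) so callers can report failures.
    """
    results = []
    for user in users:
        argv = build_useradd_argv(conn, user)
        proc = runner(argv, input=conn.admin_password + "\n", text=True, capture_output=True)
        results.append((user.name, proc.returncode))
    return results


if __name__ == "__main__":
    admin_pw = getpass.getpass("Lapis admin password: ")
    conn = Connection("admin", admin_pw, "localhost", 8080)  # constructed values
    dry = DryRun()
    provision_users(conn, parse_users_csv(SAMPLE_CSV), runner=dry)
    for argv, _ in dry.calls:
        print(shlex.join(argv))  # preview; the admin password appears in no line
```

Run it as shown in the main block to preview the commands with DryRun, then swap the runner for the default subprocess.run to actually create the users. The returned (username, exit status) pairs let a wrapper stop or report on the first failure rather than silently continuing.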

Modifying users

A command line tool lapis.userupdate.sh has been created for modifying users. Do not modify the user repository directly when the server is running.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-user: the user to modify.
-password: the new password of the user. The password is in plain text on the command line but is stored encrypted by the application.
-email: the new email address of the user.
-grant: a comma-separated list of roles to grant to the user.
-revoke: a comma-separated list of roles to revoke from the user.
-join: a comma-separated list of groups the user will join
-leave: a comma-separated list of groups the user will leave

Removing users

A command line tool lapis.userdel.sh has been created for removing users. Do not modify the user repository directly when the server is running.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-user: the user to remove

A user can also be removed from the web application.

Roles

Privileges can be granted to roles, and roles can be granted to users. This is the preferred way to manage user privileges and avoid micro-management.
Roles are simply identified by a name and are granted privileges via the JAAS configuration file defined by the java.security.policy server property.

Listing roles

A command line tool lapis.roles.sh has been created to list all roles that have been granted to users.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.

Listing users in role

A command line tool lapis.role.sh has been created to list all users who have been granted a specific role.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-role: the name of the role to list

Granting/Revoking a role to/from a user

A command line tool lapis.roleupdate.sh has been created to grant or revoke roles to and from users.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-role: the name of the role to grant or revoke
-grant: a comma-separated list of user names to grant the role to (optional)
-revoke: a comma-separated list of user names to revoke the role from (optional)

Again, roles can also be granted and revoked from the web application.

Groups

Users can belong to groups. In the Lapis Server, groups are not used for granting privileges to users; that is achieved through roles. Groups are used to target a number of individuals in a more effective manner. Groups are used in group nodes, where any one individual belonging to the list of groups of the node can acquire ownership of the node and execute the node. Groups are simply identified by a name, and members can join or leave the group.
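The separation between roles and groups described in the two sections above is easy to get wrong when building tooling on top of the API, so here is an added in-memory model of it (not the project's SecurityManager). It assumes a simplified policy in which each role maps to a set of privilege names; the role, user and group names are constructed. Privileges reach a user only through granted roles, group membership decides only who may acquire a group node, and deleting a user also removes them from every group so no dangling member is left behind.

```python
"""In-memory model of the Lapis Server authorisation concepts: privileges are
granted to roles, roles to users, and groups only select people.

Added example, not the project's SecurityManager. It assumes a simplified
policy in which each role maps to a set of privilege names; in the server that
mapping lives in the JAAS policy file named by java.security.policy.
"""
from dataclasses import dataclass, field


@dataclass
class GroupNode:
    """A node that any member of one of its listed groups may acquire and execute."""
    name: str
    groups: set = field(default_factory=set)


class AuthzModel:
    def __init__(self):
        self.role_privileges = {}   # role  -> set of privilege names
        self.user_roles = {}        # user  -> set of roles granted
        self.group_members = {}     # group -> set of member user names

    # users
    def add_user(self, name):
        if name in self.user_roles:
            raise ValueError(f"user already exists: {name}")
        self.user_roles[name] = set()

    def delete_user(self, name):
        """Remove the user and drop them from every group, leaving no dangling member."""
        del self.user_roles[name]
        for members in self.group_members.values():
            members.discard(name)

    # roles: the only path by which privileges reach a user
    def define_role(self, role, privileges):
        self.role_privileges[role] = set(privileges)

    def grant(self, user, role):
        if role not in self.role_privileges:
            raise KeyError(f"undefined role: {role}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)

    def users_in_role(self, role):
        return {u for u, roles in self.user_roles.items() if role in roles}

    def roles(self):
        """Roles that have been granted to at least one user (what lapis.roles.sh lists)."""
        return set().union(*self.user_roles.values())

    # groups: membership only, no privileges
    def join(self, user, group):
        if user not in self.user_roles:
            raise KeyError(f"unknown user: {user}")
        self.group_members.setdefault(group, set()).add(user)

    def leave(self, user, group):
        self.group_members.get(group, set()).discard(user)

    def users_in_group(self, group):
        return set(self.group_members.get(group, set()))

    def groups(self):
        """Groups that currently have members (what lapis.groups.sh lists)."""
        return {g for g, members in self.group_members.items() if members}

    # decisions
    def privileges_of(self, user):
        """Effective privileges: union over granted roles; group membership adds none."""
        return set().union(*(self.role_privileges[r] for r in self.user_roles[user]))

    def can_acquire(self, user, node):
        """True if the user belongs to any of the node's groups."""
        return any(user in self.group_members.get(g, set()) for g in node.groups)
```

A user who is in the right group for a node but holds no role can therefore acquire the node yet has no privileges of their own, which is exactly the distinction the text draws: the group answers "who is targeted", the role answers "what may they do".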

Listing groups

A command line tool lapis.groups.sh has been created to list all groups that have members.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.

Groups can also be listed from the web application.

Listing users in a group

A command line tool lapis.group.sh has been created to list all users who have joined a specific group.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-group: the name of the group to list

Members of a group can also be listed from the web application.

Joining/Leaving a group

A command line tool lapis.groupupdate.sh has been created to make users join or leave a group.
It accepts the following command line arguments:
-u <username>: the username to connect to the server with. Required.
-p <password>: the password to connect to the server with. See also -P. Optional, but at least one of -p or -P options must be used.
-P: prompts for the password and reads it from standard input. Optional, but at least one of -p or -P options must be used.
-host: the server to connect to. Can be a host name or an IP address. Required.
-port: the port on the server to connect to. Required.
-role: the name of the group that users will join or leave
-join: a comma-separated list of user names to join the group (optional)
-leave: a comma-separated list of user names to leave the group (optional)

That was a long “sprint”, but it got all done in the end.
As always, all of this functionality is available through the API also. Here is a picture of the javadoc:
