Unable to login as admin once I deploy a custom user store bundle and copy user store xml on startup - WSO2 Identity Server 5.11 - wso2-identity-server

I have developed a custom user store that extends UniqueIDJDBCUserStoreManager to handle customer login (domain customer), but when I deploy this bundle, admin login is not working anymore. I don't know why it's triggering the custom user store database connection; in the logs I can see it's calling the function doGetUserNameFromUserIDWithID in class UniqueIDJDBCUserStoreManager. Hence I get an SQL error, since I'm using a wrong DB password (check the following logs).
The question is: why, without my bundle, can the admin log in normally to the console, but when I deploy the bundle JAR along with the user store xml (e.g. customer.xml) the admin tries to use this secondary store to authenticate instead of the primary store?
Please support, thank you.
Please find below the config details.
wso2is 5.11 console url: https://localhost:9443/carbon/admin/login.jsp
Custom userstore Java class:
org.wso2.emkan.user.store.manager.SecondaryCustomUserStore
public class SecondaryCustomUserStore extends UniqueIDJDBCUserStoreManager{...}
snippet of userstore xml: /repository/deployment/server/userstores/customer.xml:
<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.emkan.user.store.manager.SecondaryCustomUserStore">
    <Property name="url">jdbc:oracle:thin:@//test.com</Property>
    <Property name="userName">test1</Property>
    <Property encrypted="true" name="password">wrong_password</Property>
    <Property name="driverName">oracle.jdbc.driver.OracleDriver</Property>
</UserStoreManager>
Deployment.toml snippet:
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[user_store]
type = "read_write_ldap_unique_id"
connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
base_dn = "dc=wso2,dc=org"
[database.identity_db]
url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host.docker.internal)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=orclpdb2)))"
username = "user"
password = "Id#333333"
driver = "oracle.jdbc.OracleDriver"
[user_store_mgt]
allowed_user_stores=["org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager", "org.wso2.carbon.user.core.ldap.UniqueIDActiveDirectoryUserStoreManager","org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager","org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager","org.wso2.emkan.user.store.manager.SecondaryCustomUserStore"]
Error logs:
wso2is511_1 | [2022-10-18 17:46:44,984] [8e36165e-ad29-4520-890f-9624450ce205] INFO {org.wso2.emkan.user.store.manager.SecondaryCustomUserStore} - SecondaryCustomUserStore doGetUserNameFromUserIDWithID...userID=56c92c55-519e-4e53-af03-916c41005e24
wso2is511_1 | [2022-10-18 17:46:50,842] [8e36165e-ad29-4520-890f-9624450ce205] ERROR {org.apache.tomcat.jdbc.pool.ConnectionPool} - Unable to create initial connections of pool. java.sql.SQLException: ORA-01017: invalid username/password; logon denied
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:494)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:441)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:436)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:1027)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:551)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:537)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:255)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:500)
wso2is511_1 | at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1280)
wso2is511_1 | at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:690)
wso2is511_1 | at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
wso2is511_1 | at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
wso2is511_1 | at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:319)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:212)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:744)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:676)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.ConnectionPool.init(ConnectionPool.java:483)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.ConnectionPool.<init>(ConnectionPool.java:154)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.DataSourceProxy.pCreatePool(DataSourceProxy.java:118)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.DataSourceProxy.createPool(DataSourceProxy.java:107)
wso2is511_1 | at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:131)
wso2is511_1 | at org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.getDBConnection(JDBCUserStoreManager.java:1197)
wso2is511_1 | at org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager.doGetUserNameFromUserIDWithID(UniqueIDJDBCUserStoreManager.java:1344)
wso2is511_1 | at org.wso2.emkan.user.store.manager.SecondaryCustomUserStore.doGetUserNameFromUserIDWithID(SecondaryCustomUserStore.java:62)
wso2is511_1 | at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserStoreInternalWithId(AbstractUserStoreManager.java:7286)

As far as I understood, this is expected. It seems from the deployment.toml that you have configured the secondary custom user store as your user store; I don't see any configuration for another, primary user store. In that case, if you use the wrong password in the custom user store xml file, the login against the Oracle database will fail.

I'm now able to login as admin while also deploying my custom user store, and the custom store is now different from the primary one. I changed the custom store class (SecondaryCustomUserStore) to extend JDBCUserStoreManager instead of UniqueIDJDBCUserStoreManager and used the 5.9 method implementations. I also updated the deployment file.
public class SecondaryCustomUserStore extends JDBCUserStoreManager {....}
[super_admin]
admin_role = "admin"
username = "admin"
password = "admin"
create_admin_account= true
[user_store]
type = "read_write_ldap_unique_id"
connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
base_dn = "dc=wso2,dc=org"
[user_store_mgt]
allowed_user_stores=["org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager","org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager", "org.wso2.carbon.user.core.ldap.UniqueIDActiveDirectoryUserStoreManager","org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager","org.wso2.emkan.user.store.manager.SecondaryCustomUserStore"]
[database.identity_db]
............
[database.shared_db]
...........

The first thing is that you need to configure this as a secondary user store. Since this extends UniqueIDJDBCUserStoreManager, you need to implement several more methods than in JDBCUserStoreManager.
IS 5.11.0 does support backward compatibility, so you should be able to deploy the existing implementation, given that the dependencies match IS 5.11.0.
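Two things have to agree before a secondary store in repository/deployment/server/userstores/ is even loaded: the class named in the XML must appear in allowed_user_stores, and a password property marked encrypted="true" must hold cipher-tool output rather than a plaintext value. The following pre-flight check is an added example, not code from this thread or from WSO2. The customer.xml and deployment.toml fragments inside it are constructed to mirror the thread (with the `#` in the JDBC URL restored to `@`); the DomainName check is an assumption about how a secondary store is declared, and the ciphertext test is a heuristic, not a decryption.

```python
"""Pre-flight checks for a WSO2 IS secondary user store definition.

Added example; it is not code from the thread or from WSO2. It reads a
secondary user store XML and the [user_store_mgt] section of
deployment.toml, and reports the mistakes that most often stop the store
from loading or make it fail at login time: a class missing from
allowed_user_stores, missing JDBC properties, and a password marked
encrypted="true" whose value is plainly not ciphertext.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

REQUIRED_JDBC_PROPS = ("url", "userName", "password", "driverName")


def allowed_user_stores(toml_text):
    """Extract the allowed_user_stores array without a TOML parser; a regex
    is enough for the single-line array WSO2 ships in deployment.toml."""
    m = re.search(r"allowed_user_stores\s*=\s*\[(.*?)\]", toml_text, re.S)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def looks_like_ciphertext(value):
    """Heuristic: cipher-tool output is base64 of an RSA/AES blob, so it is
    long, a multiple of 4 chars and decodes cleanly. Short plaintext fails."""
    if len(value) < 32 or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def check_user_store(xml_text, toml_text):
    """Return a list of problem strings; an empty list means the file looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "UserStoreManager":
        return [f"root element is <{root.tag}>, expected <UserStoreManager>"]

    cls = root.get("class", "")
    if cls not in allowed_user_stores(toml_text):
        problems.append(f"class {cls!r} is not listed in allowed_user_stores")

    props = {p.get("name"): p for p in root.findall("Property")}
    for name in REQUIRED_JDBC_PROPS:
        if not (props.get(name) is not None and (props[name].text or "").strip()):
            problems.append(f"missing or empty property {name!r}")

    # Assumption: a secondary store declares its domain in a DomainName property.
    if "DomainName" not in props:
        problems.append("no DomainName property (expected on a secondary store)")

    url = (props["url"].text or "").strip() if props.get("url") is not None else ""
    if url and not url.startswith("jdbc:"):
        problems.append(f"url {url!r} is not a JDBC URL")

    pw = props.get("password")
    if pw is not None and pw.get("encrypted") == "true":
        if not looks_like_ciphertext((pw.text or "").strip()):
            problems.append('password has encrypted="true" but the value is not '
                            "cipher-tool output, so the server cannot decrypt it")
    return problems


# Constructed sample mirroring customer.xml from the thread; the password
# is the thread's literal placeholder, which is exactly the case flagged above.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.emkan.user.store.manager.SecondaryCustomUserStore">
  <Property name="DomainName">CUSTOMER</Property>
  <Property name="url">jdbc:oracle:thin:@//test.com</Property>
  <Property name="userName">test1</Property>
  <Property encrypted="true" name="password">wrong_password</Property>
  <Property name="driverName">oracle.jdbc.driver.OracleDriver</Property>
</UserStoreManager>
"""

# Constructed deployment.toml fragment listing the custom class.
SAMPLE_TOML = """[user_store_mgt]
allowed_user_stores=["org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager", "org.wso2.emkan.user.store.manager.SecondaryCustomUserStore"]
"""

# Stand-in for cipher-tool output: 256 arbitrary bytes, base64-encoded.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(256))).decode()

if __name__ == "__main__":
    for problem in check_user_store(SAMPLE_XML, SAMPLE_TOML):
        print("PROBLEM:", problem)
```

Run it against the real files before restarting the server; with the thread's placeholder password it reports only the encrypted="true" mismatch, and once the class is dropped from allowed_user_stores it reports that too.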

Related

Unable to login ECR web page and show error message

Could you check why user kcizek is not able to login to either hub.tess.io or ecr? This is a first-time login, but it should work with corp and PIN + Yubi. Login works for me just fine.
I am unable to access https://ecr.vip.ebayc3.com/repository/
When I log in, I am faced with this. The ‘contact us’ link doesn’t have any contact information, so I’m trying here. Any ideas? Thanks.
Potentially relevant background: this is my first time attempting to get access.
It turned out the email info is absent in the user account.
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| email | |
| enabled | True |
| id | e69fe5b9d9384b338b3c397c7c84e33f |
| name | kcizek |
+-----------+----------------------------------+
Solution is to contact Tess oncall to add email info.
Related Command
openstack user set kcizek --email kcizek@ebay.com

amplify configuration not showing anything

I'm trying to set up my mobile app with amplify; after the first time I run amplify configuration it prompts me that I have missing plugins.
The following official plugins are missing or inactive:
awscloudformation: provider | amplify-provider-awscloudformation@4.33.0
analytics: category | amplify-category-analytics@2.19.1
api: category | amplify-category-api@2.27.0
auth: category | amplify-category-auth@2.25.0
function: category | amplify-category-function@2.26.3
hosting: category | amplify-category-hosting@undefined
hosting: category | amplify-console-hosting@undefined
interactions: category | amplify-category-interactions@2.6.1
notifications: category | amplify-category-notifications@2.17.1
predictions: category | amplify-category-predictions@2.6.1
storage: category | amplify-category-storage@2.10.3
xr: category | amplify-category-xr@2.6.1
codegen: util | amplify-codegen@2.19.0
flutter: frontend | amplify-frontend-flutter@0.2.0
android: frontend | amplify-frontend-android@2.14.2
ios: frontend | amplify-frontend-ios@2.16.0
javascript: frontend | amplify-frontend-javascript@2.19.0
mock: util | amplify-util-mock@3.27.0
Then it asked me to select my backend provider, but there is nothing for me to choose.
I think it is caused by the missing plugins; how do I install those plugins?
Try to re-install amplify with this command: npm install -g @aws-amplify/cli --unsafe-perm=true

WSO2 APIUtil Error while creating axis configuration for tenant

I'm using WSO2 API-Manager 3.0. When I browse to the DevPortal (before signing in) I can see the list of APIs.
But when I login (using my email as assigned by my organization's IAM team) I get a red pop-up message saying 'Error While Loading APIs':
The log file reveals this message:
api-manager_1 | [2020-04-13 17:47:58,602] INFO - PermissionUpdater Permission cache updated for tenant -1234
api-manager_1 | [2020-04-13 17:48:00,125] ERROR - APIUtil Error while creating axis configuration for tenant mydomain.com
api-manager_1 | java.lang.RuntimeException: Error while getting tenant activation status.
api-manager_1 | at org.wso2.carbon.core.multitenancy.utils.TenantAxisUtils.getTenantConfigurationContext(TenantAxisUtils.java:126) ~[org.wso2.carbon.core_4.5.1.jar:?]
api-manager_1 | at org.wso2.carbon.core.multitenancy.utils.TenantAxisUtils.getTenantAxisConfiguration(TenantAxisUtils.java:104) ~[org.wso2.carbon.core_4.5.1.jar:?]
api-manager_1 | at org.wso2.carbon.apimgt.impl.utils.APIUtil.loadTenantConfigBlockingMode_aroundBody372(APIUtil.java:6166) [org.wso2.carbon.apimgt.impl_6.5.349.jar:?]
api-manager_1 | at org.wso2.carbon.apimgt.impl.utils.APIUtil.loadTenantConfigBlockingMode(APIUtil.java:6162) [org.wso2.carbon.apimgt.impl_6.5.349.jar:?]
api-manager_1 | at org.wso2.carbon.apimgt.rest.api.util.impl.WebAppAuthenticatorImpl.authenticate(WebAppAuthenticatorImpl.java:129) [org.wso2.carbon.apimgt.rest.api.util_6.5.349.jar:?]
api-manager_1 | at org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.OAuthAuthenticationInterceptor.handleRequest(OAuthAuthenticationInterceptor.java:121) [org.wso2.carbon.apimgt.rest.api.util_6.5.349.jar:?]
api-manager_1 | at org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.OAuthAuthenticationInterceptor.handleMessage(OAuthAuthenticationInterceptor.java:66) [org.wso2.carbon.apimgt.rest.api.util_6.5.349.jar:?]
api-manager_1 | at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.8.jar:3.2.8]
api-manager_1 | at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.2.8.jar:3.2.8]
api-manager_1 | at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) [cxf-rt-transports-http-3.2.8.jar:3.2.8]
api-manager_1 | at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.2.8.jar:3.2.8]
api-manager_1 | at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.2.8.jar:3.2.8]
api-manager_1 | at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.2.8.jar:3.2.8]
(plus another 200 lines of trace-back)
When I login to the Publisher the page loads with a spinning icon that says "Loading Settings" and stays there forever:
Again the log file reveals the same message as above.
Note: Other users in my organization are able to login and view the APIs just fine. But they are not using an email address to authenticate. I am the only one using an email address to authenticate.
Another Note: Our organization uses an IAM server for authentication.
Any suggestions on what to try next to resolve this?
In WSO2 servers, the username john@tenant.com represents the user john in the abc.com tenant. Therefore, your email domain has been identified as a tenant domain. Try the below format for your username. It should work.
john@gmail.com@tenant.com
If you don't have multiple tenants, use carbon.super as the tenant. So your username should go like this:
john@gmail.com@carbon.super
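The answer above rests on one parsing rule: WSO2 Carbon takes everything after the last `@` of the login name as the tenant domain and falls back to the super tenant carbon.super when there is none. The following is an added example, not code from this thread or from WSO2, that reproduces that rule so the two username shapes can be compared offline; the tenant list it resolves against is constructed for the example.

```python
"""How WSO2 Carbon splits a login name into user and tenant domain.

Added example, not code from the thread or from WSO2. Carbon reads the
text after the LAST '@' as the tenant domain and defaults to the super
tenant carbon.super when there is none, which is why an email-style
username is treated as a lookup of a tenant that may not exist.
"""
SUPER_TENANT = "carbon.super"


def split_login(login):
    """Return (tenant-aware username, tenant domain) the way Carbon does."""
    if "@" not in login:
        return login, SUPER_TENANT
    user, domain = login.rsplit("@", 1)
    return user, domain


def qualify(email, tenant=SUPER_TENANT):
    """Build the login name to type when the username itself is an email."""
    return f"{email}@{tenant}"


def resolve(login, known_tenants):
    """Return (user, tenant), or None when the derived tenant does not exist,
    which is the situation behind 'Error while creating axis configuration
    for tenant mydomain.com' in the thread."""
    user, tenant = split_login(login)
    if tenant not in known_tenants:
        return None
    return user, tenant


TENANTS = {SUPER_TENANT, "tenant.com"}  # constructed for the example

if __name__ == "__main__":
    for login in ("john", "john@gmail.com",
                  qualify("john@gmail.com"),
                  qualify("john@gmail.com", "tenant.com")):
        print(f"{login:40} -> {resolve(login, TENANTS)}")
```

The bare email resolves to user john in tenant gmail.com, which does not exist here, while the doubly qualified forms land in carbon.super or tenant.com with john@gmail.com as the user.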

How can I add a DependsOn attribute between CfnEndpoint and SecretTargetAttachment?

I'm creating a database cluster and a DMS in the same stack. I'm using SecretsManager to pass the connection properties of the DB Cluster to the Endpoint. I've added a dependency between the endpoint and DB Cluster, but when I try to deploy the stack I get a problem like this:
11/14 | 10:08:49 AM | CREATE_COMPLETE | AWS::RDS::DBCluster | FooDBCluster
11/14 | 10:08:51 AM | CREATE_IN_PROGRESS | AWS::DMS::Endpoint | fooendpoint
11/14 | 10:08:51 AM | CREATE_IN_PROGRESS | AWS::SecretsManager::SecretTargetAttachment | FooDBSecretAttachment (FooDBSecretAttachmentE2E5F50F)
12/14 | 10:08:52 AM | CREATE_FAILED | AWS::DMS::Endpoint | fooendpoint Could not find a value associated with JSONKey in SecretString
The same does not happen if I completed the deployment of the DB Cluster some time before starting to deploy the Endpoint. This implies the host and port are not present in the Secret right after the DB Cluster has been created. Indeed, in CDK they are declared after the DB Cluster.
However, I cannot add a dependency between the Endpoint and SecretTargetAttachment, as SecretTargetAttachment is not a CfnResource type expected by the CfnEndpoint addDependencyOn method.
You can add the dependency if you access the underlying node, like so.
if (secretsAttachment.node.defaultChild) {
endPoint.node.addDependency(secretsAttachment.node.defaultChild);
}

WSO2 API Manager + Analytics All-in-one single node : sharing MySQL databases

As a POC (proof of concept), I'm trying to setup "WSO2 API Manager + Analytics" in an "all-in-one" way on a single node. It should be production-ready for a small scale, so I'm trying to replace H2 databases with MySQL databases.
So far, following the documentation, I've created these databases:
For WSO2 API Manager:
| wso2_apimgtdb | wso2am-2.0.0/dbscripts/apimgt/mysql5.7.sql |
| wso2_mbstoredb | wso2am-2.0.0/dbscripts/mb-store/mysql-mb.sql |
| wso2_metricsdb | wso2am-2.0.0/dbscripts/metrics/mysql.sql |
| wso2_regdb | wso2am-2.0.0/dbscripts/mysql5.7.sql |
| wso2_statsdb | (tables are built dynamically in this db) |
For WSO2 API Manager Analytics:
| wso2_anal_eventstoredb | (tables are built dynamically in this db) |
| wso2_anal_processeddatastoredb | (tables are built dynamically in this db) |
From that point, I've configured datasources in WSO2AM to point to these db :
<name>WSO2_CARBON_DB</name> --> wso2_regdb
<name>WSO2AM_DB</name> --> wso2_apimgtdb
<name>WSO2AM_STATS_DB</name> --> wso2_statsdb
<name>WSO2_MB_STORE_DB</name> --> wso2_mbstoredb
<name>WSO2_METRICS_DB</name> --> wso2_metricsdb
Now, the question is: which db should be shared with Analytics, and which db has to be created once for API Manager and once for Analytics?
Here are the datasources to be configured in wso2am-analytics/repository/conf/datasources/ :
analytics-datasources.xml : <name>WSO2_ANALYTICS_EVENT_STORE_DB</name>
analytics-datasources.xml : <name>WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB</name>
master-datasources.xml : <name>WSO2_CARBON_DB</name>
metrics-datasources.xml : <name>WSO2_METRICS_DB</name>
stats-datasources.xml: <name>WSO2AM_STATS_DB</name>
As stated above, I've created empty databases corresponding to WSO2_ANALYTICS_EVENT_STORE_DB and WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB, but I don't know what to do with WSO2_CARBON_DB, WSO2_METRICS_DB and WSO2AM_STATS_DB. Should I point to existing databases or create new ones ?
You can have separate databases for WSO2_CARBON_DB and WSO2_METRICS_DB. But WSO2AM_STATS_DB must be shared.