i'm used wso2 api manager v2.2.0 for api gateway, and i've problem for backup users and roles, at the moment i'm used api-import-export-2.1.0, but just backup APIs, any advice for my problem?
Users and roles are in the user database, therefore you need to backup your user database (or any other userstore you use).
By default WSO2AM comes with H2 embedded database which is not really recommended (or suited) for production deployment and you should setup your own databases on any supported DB system.
If you still use the the embedded H2 database, by default the user database file is located at repository/database/WSO2CARBON_DB.h2.db , however I don't recommend to backup/copy the file while it is open (while wso2am is running).
Related
Since the cloud-sql-proxy already forces individual user authentication with the database through a users iam account, and allows specifying read / write permissions, it seems potentially pointless to also have an individual database accounts for each user as well.
For security, is it necessary to have a database user per dev when using cloud-sql-proxy, or is it fine to just have one database user, since they are already authenticated by the time they can enter a database user / password anyways. I'm not a server dev or a DBA, so I thought it best to ask.
In fact, you have 2 levels of permissions
Cloud IAM allows you to access to Cloud SQL product or not
Database user management allows to log into the db engine and to get the db engine permission (access to a specific schema, one schema per developer, on the same SQL instance for instance).
The hosted database engine are based on MySQL, PostgreSQL or SQL Server. All those databases have their legacy user authentication in place. You have to deal with.
I was successfully able to connect to RDS like any other database connection.
I use spring jpa data ( repository ) to do CRUD operation on postgres db.
currently I provide the db url and the credential in the properties file
spring:
datasource:
url: jdbc:postgresql://<rds-endpoint>:5432/<dbschema>
username: <dbuser>
password: <dbpassword>
However this is not an option while connecting to production or preproduction.
what is the best practise here.
Does AWS provide any inbuild mechanism to read these details from an endpoint like in the case of accessing S3 ?
My intention is not expose the password.
Several options are available to you:
Use the recently announced IAM access to Postgres RDS
Use Systems Manager Parameter Store to store the password
Use Secrets Manager to store the password and automatically rotate credentials
For 2 and 3, look up the password on application start in Spring using a PropertyPlaceholderConfiguration and the AWSSimpleSystemsManagement client (GetParameter request). SystemsManager can proxy requests to SecretsManager to keep a single interface in your code to access parameters.
IAM credentials is more secure in that:
If using EC2 instance profiles, access to the database uses short lived temporary credentials.
If not on EC2 you can generate short lived authentication tokens.
The password is not stored in your configuration.
If you have a separate database team they can manage access independent of the application user.
Removing access can be done via IAM
another generic option I found was to use AWS Secret Manager
(doc link)
RDS specific solution is to connect to DB Instance Using the AWS SDK using IAMDBAuth
I have multiple wso2-is server set up as my dev, staging and prod environment.
And I would want to have a functionality wherein I can export all the configuration from some server ( say dev ) to some other server ( say staging ) to make both the server identical i.e both the server would have same database configurations, same tenants, same service providers and same identity providers and so on.
From the documentation here, I know that I can create service providers and identity providers using XML files, so in turn, I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like, from the management console or so?
It even seems possible that syncing between [IS-HOME]/repository directory would ensure that the servers are identical, But are there any caveats for this approach?
There is no standard way to sync the service provider configurations among different environment, as of now. This issue is reported to track the feature requirement and its a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is, retrieving the service provider from the Admin service and create the same service provider in other environment.
You can use the file based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. Next limitation you will face is you can add saml based inbound authentication configurations only through the config files ( such as OAuth 2.0 / OIDC inbound authentication configurations)
To answer your last question, you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be you are using the inbuilt H2 database and its in [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.
I have two instances of wso2 api manager running on two different servers.Both of them are referring to same UM_DB . I created a role by logging with admin credentials on one server .After that i checked for the role on other server by logging with admin credentials again.I found that there was role existing on other server but permission that i provided for that role does not exist on another server.Is that a bug with wso2 api manager or I missed something in configuration..?
You want to deploy two APIM instances in a cluster. It is better to refer the APIM clustering guide to setup it properly. There are tow things you need to understand.. when your deploying APIM in cluster
You must point both instance in to same database. There are can be three logical databases i.e UM, Registry and AM database. These three can be an one physical DB. However must pointed to same by the both instance.
You must configure the Hazelcast based clustering using axis2.xml file. This is required because, APIM uses Hazelcast based implementation to distribute the data in the caches. Sometime, In your scenario, i guess you have not configured this. Therefore permission tree has not been distributed between two nodes. Therefore lot of data that is stored in the caches for high performance. therefore please make sure to configure this properly.
I guess this would help you.
I'm working on upgrading from WSO2 Identity Server 4.1.0 to 4.5.0 and I've found that new users are now added to an internal/identity group instead of the in LDAP identity group that they were being added to formerly.
In particular I would like to add new users to the LDAP group (I've got a lot of things that expect and need accounts to be in that group). But it brings up another question, is there anyway to define groups / roles that a new user automatically gets added to during sign-up?
Users who are signing up would be added in to a Internal/identity role by default in 4.5.0. This internal role is created in the internal databases. Basically the user management database which has been defined in user-mgt.xml file.(UM_HYBRID_ROLE table). This is because, This role is created pragmatically, therefore is not good to create in the actual user store. I guess WSo2 Identity Server has not way to configure this role name and configure where it must be retrieved. I saw this as some limitation.