I'm going to write the entire process up more fully, once I've proven it to actually work.
However, one of the required steps took me a wee while to fully comprehend, and I obviously misunderstood the documentation.
This is the Knowledge Center page to which I refer: -
which says in part: -
...
IBM Business Process Manager provides the following applications that contain users that are mapped to the RunAs roles:
• IBM_BPM_PerformanceDW_supportDeploymentTarget
• IBM_BPM_Teamworks_applicationDeploymentTarget
• BPEContainer__applicationDeploymentTarget
• TaskContainer__applicationDeploymentTarget
...
...
Note: The bpmModifyMapRunAsRole script is used to update the IBM_BPM_Teamworks*.ear and IBM_BPM_PerformanceDW*.ear applications. It does not update other IBM Business Process Manager applications.
To define the RunAs roles user assignments, run the bpmModifyMapRunAsRole script, which is located at install_root/util/Security/bpmModifyMapRunAsRole.py.
...
So I read and absorbed this, and wrote the following series of commands: -
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName SupCluster -applicationName IBM_BPM_PerformanceDW_SupCluster
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName IBM_BPM_Teamworks_AppCluster
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName BPEContainer_AppCluster
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName TaskContainer_AppCluster
each of which ran (!) and returned: -
*************************************************************************************
Start: Mapping run as roles to users
Mapping users for cluster profile.
End: Mapping run as roles to users
*************************************************************************************
However .....
The change didn't "take" and I could see no differences to the RunAs user mappings for each of the four applications.
Which wasn't nice.
So I read the actual Jython script: -
/opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py
and saw, in part: -
...
if(applicationName == ''):
    appName = "IBM_BPM_Teamworks_" + targetName
    options = '[-MapRunAsRolesToUsers [[twem ' + userName + ' ' + password + '] [twuser ' + userName + ' ' + password + ']]]'
    AdminApp.edit(appName, options)
    appName = "IBM_BPM_PerformanceDW_" + targetName
    options = '[-MapRunAsRolesToUsers [[tw-loader ' + userName + ' ' + password + ']]]'
    AdminApp.edit(appName, options)
else:
    if(applicationName == 'Teamworks'):
        appName = "IBM_BPM_Teamworks_" + targetName
        options = '[-MapRunAsRolesToUsers [[twem ' + userName + ' ' + password + '] [twuser ' + userName + ' ' + password + ']]]'
        AdminApp.edit(appName, options)
    elif(applicationName == 'PerformanceDW'):
        appName = "IBM_BPM_PerformanceDW_" + targetName
        options = '[-MapRunAsRolesToUsers [[tw-loader ' + userName + ' ' + password + ']]]'
        AdminApp.edit(appName, options)
...
...
AdminConfig.save();
...
...
Interestingly, I never actually saw the output from AdminConfig.save() either, which rang alarum bells.
In other words, the script was looking for JUST the application name, NOT the fully qualified application name ( with the cluster name appended ) e.g. PerformanceDW rather than IBM_BPM_PerformanceDW_SupCluster.
Once I amended my commands: -
I started to see more meaningful messages: -
*************************************************************************************
Start: Mapping run as roles to users
Mapping users for cluster profile.
ADMA5075I: Editing of application IBM_BPM_PerformanceDW_SupCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application IBM_BPM_PerformanceDW_SupCluster is complete.
ADMA5076I: Application IBM_BPM_PerformanceDW_SupCluster edited successfully. The application or its web modules may require a restart when a save is performed.
End: Mapping run as roles to users
*************************************************************************************
*************************************************************************************
Start: Mapping run as roles to users
Mapping users for cluster profile.
ADMA5075I: Editing of application IBM_BPM_Teamworks_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application IBM_BPM_Teamworks_AppCluster is complete.
ADMA5076I: Application IBM_BPM_Teamworks_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
End: Mapping run as roles to users
*************************************************************************************
etc.
*AND* more importantly, the change was actually effective: -
which IS nice.
However, the script does NOT touch the BPEContainer and TaskContainer applications, as can be seen from the IF/ELSE logic above; it only works on the PerformanceDW and TeamWorks applications :-(
I ended up writing my own, modified, version of this script, specifically for the two extra BPM applications: -
daveModifyMapRunAsRole.py
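import sys  # wsadmin passes the script arguments in sys.argv, starting at index 0

# Arguments: RunAs user name, its password, and the target cluster name
userName = sys.argv[0]
password = sys.argv[1]
clusterName = sys.argv[2]
targetName = clusterName

# BPEContainer application: map the JMSAPIUser and AdminJobUser RunAs roles
appName = "BPEContainer_" + targetName
options = '[-MapRunAsRolesToUsers [[JMSAPIUser ' + userName + ' ' + password + '] [AdminJobUser ' + userName + ' ' + password + ']]]'
AdminApp.edit(appName, options)

# TaskContainer application: map the AdminJobUser and EscalationUser RunAs roles
appName = "TaskContainer_" + targetName
options = '[-MapRunAsRolesToUsers [[AdminJobUser ' + userName + ' ' + password + '] [EscalationUser ' + userName + ' ' + password + ']]]'
AdminApp.edit(appName, options)

# Save the configuration changes, then synchronise the active nodes
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()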
which I ran as follows: -
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f daveModifyMapRunAsRole.py DepEnvAdmin P455w0rd AppCluster
with the following results: -
WASX7209I: Connected to process "dmgr" on node Dmgr using SOAP connector; The type of process is: DeploymentManager
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[DepEnvAdmin, P455w0rd, AppCluster]"
ADMA5075I: Editing of application BPEContainer_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application BPEContainer_AppCluster is complete.
ADMA5076I: Application BPEContainer_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
ADMA5075I: Editing of application TaskContainer_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application TaskContainer_AppCluster is complete.
ADMA5076I: Application TaskContainer_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
---------------------------------------------------------------
AdminNodeManagement: Synchronize the active nodes
Usage: AdminNodeManagement.syncActiveNodes()
Return: If the command is successfully invoked, a value of 1 is returned.
---------------------------------------------------------------
Node1
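The checks this walkthrough found missing, as an added example (not IBM's script and not the author's): unknown or fully qualified application names are rejected instead of silently skipped, every application is confirmed installed before any edit, and the password is read from a file rather than from argv, which the WASX7303I line above echoes and which is visible in the process list. The function names, the RUNAS_ROLES table and the password file path are assumptions; the prefixes and role names are the ones in the two scripts quoted on this page.

```python
# Added example: fail-fast RunAs role mapping; all names here are hypothetical.
RUNAS_ROLES = {
    "Teamworks": ("IBM_BPM_Teamworks_", ["twem", "twuser"]),
    "PerformanceDW": ("IBM_BPM_PerformanceDW_", ["tw-loader"]),
    "BPEContainer": ("BPEContainer_", ["JMSAPIUser", "AdminJobUser"]),
    "TaskContainer": ("TaskContainer_", ["AdminJobUser", "EscalationUser"]),
}

def plan(short_names, cluster):
    """Map short names to (application, roles); unknown names are an error,
    not the silent no-op the stock script gives for a fully qualified name."""
    steps = []
    for name in short_names:
        entry = RUNAS_ROLES.get(name)
        if entry is None:
            raise ValueError("unknown application name: %r" % (name,))
        steps.append((entry[0] + cluster, entry[1]))
    return steps

def build_options(roles, user, password):
    """Build the -MapRunAsRolesToUsers string; refuse values containing
    whitespace or brackets, which would change the option's structure."""
    for value in (user, password):
        if not value or [c for c in value if c in " \t\r\n[]"]:
            raise ValueError("user/password empty or contains space or bracket")
    pairs = " ".join(["[%s %s %s]" % (r, user, password) for r in roles])
    return "[-MapRunAsRolesToUsers [" + pairs + "]]"

def read_secret(path):
    """Read the password from a file rather than argv (echoed in WASX7303I)."""
    handle = open(path)
    try:
        return handle.read().strip()
    finally:
        handle.close()

def apply_mappings(admin_app, installed, steps, user, password):
    """Edit every planned application, or none if any is not installed."""
    missing = [app for app, roles in steps if app not in installed]
    if missing:
        raise ValueError("not installed: " + ", ".join(missing))
    for app, roles in steps:
        admin_app.edit(app, build_options(roles, user, password))
    return [app for app, roles in steps]

# Under wsadmin (assumed usage; the file path is a placeholder), then AdminConfig.save():
#   steps = plan(["BPEContainer", "TaskContainer"], "AppCluster")
#   apply_mappings(AdminApp, AdminApp.list().splitlines(), steps, "DepEnvAdmin", read_secret("/path/to/runas.pw"))
```

Passing the real AdminApp object keeps the checks testable offline with a stand-in that records the edit calls.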
I'm going to be writing this up more fully once I've run through the end-to-end process a few more times ....