Developing a custom user registry with BELLS

[dmuelle]

rework this unpublished wasDev article into an Open Liberty task topic for the Security section. Needs to be verified and tested. SME: @una-tapa

[Rwalls1]

@una-tapa Please review: https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/configuring-user-registry.html

[Rwalls1]

New link: https://draft-openlibertyio.mybluemix.net/docs/20.0.0.12/configuring-user-registry.html

[una-tapa]

Great work @Rwalls1 ! Please publish the doc. Thank you!

[lauracowen]

Ok, I think we need to put this topic on hold for now, for several reasons (sorry for the delay in reviewing, I've been trying to look into a few different aspects of it since starting reviewing it last week):

• A lot of the info in this topic (as it currently stands) doesn't/can't apply to Open Liberty and the OL docs.
  • The sample files linked to won't exist in another week because the Liberty Repository front end is going to be taken offline and as the samples themselves are unmaintained, they'll be taken offline at the backend as well.
  • The sample itself is an OSGi user extension for WebSphere Liberty, which is not what we're wanting to demonstrate here. I appreciate that it's just the user registry from that that's relevant to this BELLs topic, but it's a very convoluted way to get it (also, I couldn't extract it enough on my Mac to get the actual .jar file when I tried, only the .class file).
  • WDT isn't applicable to Open Liberty (WDT was open sourced as Open Liberty Tools, OLT) - this is a minor point but we generally don't talk about proprietary tools etc where there are open source options that we should be talking about.

I think there is also an issue around the goal of the topic. I realise there wasn't much info to go on in the issue and I didn't understand the content of the draft WASdev article properly.

The title of this new doc topic says it's about configuring the custom user registry using BELLs (which is what I assumed the WASdev article to be about) but actually that's only a tiny part of it. Most of it (as in the original WASdev draft article) is actually about writing an app to verify the configuration which, while potentially useful to some users, is not the same thing and I don't think we have a high priority for a topic about that at the moment.

The configuration is taken care of in the BELLs feature topic, which @Rwalls1 is also working on (#2417).

At this stage, how to write an app for verification isn't high enough priority relative to the other docs users need and would sit oddly with the rest of our information so far, implying users should be writing/configuring custom user registries instead of using the capabilities provided already. This topic would take enough work to make it relevant to Open Liberty that I'm going to suggest we put this issue in the Icebox for now until we have a good requirement for doing more with it.

[ggam]

Someone else is also having trouble with this: https://groups.io/g/openliberty/topic/80768611

[bwa]

It was me... And I must confirm that the available documentation in Knowledge Center is quite confusing. Creating an ESA file for a beginner is almost impossible. In my case with the Custom User Registry BELL saved the day. It was actually quite easy to implement, easy to understand, and also filled a very wanted use case; to create a more flexible user repository without install a LDAP server.

For minor applications ( i.e one application runing on just one instance of Liberty, and the need for a user repository managed by the application itself). I rewrote to sample to use the user database from the application itself, and it works like a charm ...

But it was a long road, involving IBM support, but luckily @una-tapa come to rescue since I also went the groups.io way.

Just missing the option to pass inn configuration properties to BELL....

[treo]

This is something that I'd also like to know how to do it in the intended way.

I think I understand how to use BELL to register a UserRegistry, but I'd also like to access the configured data source.

@bwa In the groups.io thread I see that you were looking for a way to access the data source, too. Have you found a solution?

[una-tapa]

Hello @treo

This is what I shared with @bwa . I had a chance to chat with him. He seems to be using this variable method!

Sample 1

 <dataSource jndiName="jdbc/ds" >
    <jdbcDriver libraryRef="myJDBCDriver"/>
    <properties serverName="${env.DB_SERVER_NAME" etc.../>
  </dataSource>

export DB_SERVER_NAME=my.db.server.com

Sample 2

password="${env.passwordProp}" in server.xml and then System.getenv("passwordProp")
<jndiEntry jndiName=“password” value=“${password}“/>

Credit goes to @aguibert He left a lot of good info.

[una-tapa]

bwa also asked really good questions that I got to chat with architects. I am leaving it here so we will get it documented (hopefully)

1. Can multiple bells be configured? - YES
2. Can bells feature take input parameters - NO (but it is good use case... dev team may consider it in the future)

[bwa]

The datasource works fine, but the configuration is not possible from server.xml. System environment variables will work, but I has been encouraged to open a RFE for this. Will share it here to get more votes.

So the solution is to 'hardcode' the jndi name in the CustomUserRegistry and manage the datasource in server.xml

[dmuelle]

Reopening this issue to get this info into the Open Liberty docs.

[treo]

I've played around with this for a bit (created a user registry that does nothing but allows me to set a break point into it 😄).

I guessed that I'll have to get the DataSource via JNDI, and getting it with something along the lines of the following works just fine:

DataSource ds = (DataSource)(new InitialContext()).lookup(dataSourceName);

And just as you, I have found that I need a way to specify the JNDI resource name. But as my application does use MicroProfile Config, I can get things via ConfigProvider.getConfig().getValue("myUserRegistry.dataSourceName", String.class). That way I can define a variable for the data source JNDI name, and then just look up what is configured for it.

And while that does hardcode a variable name, it is better than hardcoding the JNDI name.

The biggest hurdle to making this "just work" for my setup, is to figure out where the UserRegistry interface can be found to be declared as a maven dependency. For my exploration today, I've just directly pointed the project to the com.ibm.ws.webcontainer_1.1.47.jar that's in wlp/lib.

But as I'd like to continue using Maven to build the entire project, I'll have to figure out a way to do it properly.

Edit:
And I've found the solution for that last problem, too. The API jars can be found in wlp/dev/api/. A quick find . -name '*.jar' | xargs -n1 unzip -l | less helped me to figure out which jar from those I need (com.ibm.websphere.appserver.api.basics_1.4.49.jar) and a quick lookup on maven central later, and I have the appropriate maven coordinates to get what I need:

<dependency>
  <groupId>com.ibm.websphere.appserver.api</groupId>
  <artifactId>com.ibm.websphere.appserver.api.basics</artifactId>
  <version>1.4.49</version>
  <scope>provided</scope>
</dependency>

Now, I can have a simple multi-module project in maven, and tell the open liberty maven plugin to install my registry in the correct place and hopefully that will also package just fine into the open liberty uberjar.

[bwa]

@treo Sweeet. I was also using maven to build, but had my good old was_public jar available to compile. This was better.

Thanks!

[bwa]

Please vote here: http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=149114

[Rwalls1]

This doc needs more input from the SME before moving forward with strategy and development. The SME doesn't currently have time to contribute so moving to Icebox.

[una-tapa]

@dmuelle @lauracowen

I recently worked on a couple of customer questions regarding how to configure bells. I remembered @bwa 's suggestion creating a simple maven repository so I tried out. It worked so well with our pre-made User Registry (also used for the OSGi feature sample) @treo 's update here was helpful to create the dependency.

I configured the user registry that came out of the maven project with Liberty Docker container.
It immediately worked.

I am posting for your review. I am hoping to get it WASDev so our L2 could just point customer to it.
https://github.com/una-tapa/bellscur

Thanks in advance!

[dmuelle]

Hi Hiroko, thanks- I took a quick look and I agree this could be a good addition to the wasdev repo, and could possibly be adapted for the docs from there. As afar as a reviewe, I see a few edits that could be made for clarity, and also a few questions raised. Should I open a PR against the README for suggestions/questions?

[una-tapa]

@dmuelle

Thanks for looking & considering to doc. It will really help reduce our support work (One of them was SEV1..)

I will appreciate your review and PR on the README but since it is still my personal repository, I hope to get it on WASDev first so your PR work will be counted as the WASDev contribution (not to my personal repo).

By any chance, do you know who can create a repo for this bells UR sample?

[una-tapa]

@dmuelle @lauracowen cc: @arkarkala
When you get a chance, will you help create a repository under WASDev for me to upload "Custom User Registry using BELLS" sample please?

We recently worked on a high sev customer case. The customer created their own custom user registry with BELLS. We later found they needed a small update in their CUR to get it working.

We were able to get the issue resolved by pointing my personal repo as a sample (https://github.com/una-tapa/bellscur)
It would have been better if the sample code were under WASDev. The customer was looking for official repo.

The bells UR questions comes up from time to time. Thanks in advance!

[dmuelle]

Hi @una-tapa - I dont know how to create repos in WASDev but I'm roping in @dazavala as we have an outstanding issue #5850 that overlaps with this, relating to some updates he recently made for the BELLS feature.

[una-tapa]

@dmuelle - I consulted with @dazavala in this Slack thread
https://ibm-cloud.slack.com/archives/C30NGTBFS/p1670013550855539

His suggestion was to use my sample, and it helped convince customer to look at their code.
From the thread by Dave

I noticed you have a whitepaper on deploying custom user registries using bells.  Curious if you have the sample deployment example handy so we can verify the use-case works on 2200x.  I couldn’t find a FAT test for UseRegistry deployed as a bell.

I think this is my last try to make an official CUR sample available, if it does not happen, I will just move on.

[lauracowen]

Created: https://github.com/WASdev/sample.customuserregistry.bells

[una-tapa]

Thank you @lauracowen for the repo.

I will post the Bells CUR sample -Parts of the code/config were contributed by our customers @bwa @treo and @ggam. Glad it will be under WASDev.

Just today, I got a notification that the following Bell feature was delivered and closed.
This was also suggested by @bwa,
https://cloud-platform.ideas.ibm.com/ideas/TWAS-I-115

I might update the sample with the function @dazavala made available.