Managing users
From ControlTier
These instructions explain how to manage user credentials for the ControlTier server webapps in Jetty's realm.properties file.
realm.properties
The default ControlTier server installation handles user authentication via Jetty, which in turn is configured to pull its user authentication from the $JETTY_HOME/etc/realm.properties file. $JETTY_HOME is usually at $CTIER_ROOT/pkgs/jetty-x.y.z. This file is created at the time that you install the server, and the out-of-the-box usernames and passwords can be adjusted through the default.xml file or appropriate command-line arguments.
Assuming you use the defaults, your realm.properties file will probably look something like this:
jetty: MD5:164c884306627e17250af12c89345d44,user
admin: CRYPT:cxekz..ry.1Ns,server-administrator,content-administrator,admin
other: OBF:1vmk1x261d9r1r1c1dmq
plain: plain
user: password
# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password
digest: MD5:6e110442ad67abfbc485dc2cb784e217
#
# This sets the default user accounts for the ControlTier apps
#
default:default,user,admin,architect,deploy,build
admin:admin,user,admin,architect,deploy,build
deploy:deploy,user,deploy
build:build,user,build
The default user
The default user in particular is used by the various applications to communicate with each other, and the values are hardcoded into the applications at install time. You need to be very careful if you change the credentials. To change the default credentials, they need to be updated in all of these locations:
- On the server: $JETTY_HOME/etc/realm.properties (as above) and $JETTY_HOME/webapps/itnav/WEB-INF/classes/runtime.properties (properties dav.user and dav.password)
- On all clients (including the server, which is also a client): $CTL_BASE/etc/framework.properties (properties framework.server.username, framework.server.password, framework.webdav.username, framework.webdav.password)
If you do not, you'll run into "HTTP Authorization failure" and "403 Forbidden" errors.
Here is a bash shell script to change the password on the client:
File listing: update-client-user-pass.sh
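#!/bin/bash
# Update user name and password on clients
# Moses Lei, ControlTier project
# Apache License, Version 2.0
# N.B. Depends on GNU sed!
if [ -z "$2" ]; then
    echo "$(basename "$0"): Error: No username or password specified" >&2
    echo "$(basename "$0"): Usage: $(basename "$0") <username> <password>" >&2
    exit 1
fi
# Escape \, / and & so they are taken literally in the sed replacement text
user=$(printf '%s' "$1" | sed -e 's|[\\/&]|\\&|g')
pass=$(printf '%s' "$2" | sed -e 's|[\\/&]|\\&|g')
# Edit in place; the dated backup copy still contains the old credentials
sed -i."$(date +%Y%m%d)" -r \
    -e "s/(framework\.(server|webdav)\.username = ).*$/\1${user}/g" \
    -e "s/(framework\.(server|webdav)\.password = ).*$/\1${pass}/g" \
    "$CTL_BASE/etc/framework.properties"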
You can run this script on a large number of boxes using ctl-exec, for example:
ctl-exec -p project -I regex-of-nodes-to-change -s update-client-user-pass.sh -- username password
Adding additional users
You may wish to have additional users with various privileges rather than giving out role accounts to groups. You may also want to avoid having the passwords in plaintext within the configuration file.
To accomplish this, you'll need a properly hashed or encrypted password to use in the config. On the ControlTier server, move into the directory that contains your Jetty installation and pass the username and password to the Jetty Password utility. In this example, we'll set up a new user named "jsmith", with a password of "mypass":
$ cd $JETTY_HOME
$ java -cp lib/jetty-6.1.14.jar:lib/jetty-util-6.1.14.jar org.mortbay.jetty.security.Password jsmith mypass
OBF:1xfd1zt11uha1ugg1zsp1xfp
MD5:a029d0df84eb5549c641e04a9ef389e5
CRYPT:jsnDAc2Xk4W4o
Then add this to the etc/realm.properties file with a line like so:
jsmith: MD5:a029d0df84eb5549c641e04a9ef389e5,user,build,deploy
Then restart ctier to ensure Jetty picks up the change, and you're done.
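As an added example (not part of the original page or the ControlTier project's code), this Python script audits a realm.properties file for the storage choices discussed above: plaintext passwords, passwords equal to the username, reversible OBF values, and usernames defined twice. The sample input is constructed from the listings on this page, the names parse_realm and audit are made up for this example, and it assumes that the file is read like a java.util.Properties file, where the last duplicate key wins.

```python
import re

# Constructed sample, taken from the listings shown on this page.
SAMPLE = """\
admin: CRYPT:cxekz..ry.1Ns,server-administrator,content-administrator,admin
other: OBF:1vmk1x261d9r1r1c1dmq
# This sets the default user accounts for the ControlTier apps
default:default,user,admin,architect,deploy,build
admin:admin,user,admin,architect,deploy,build
jsmith: MD5:a029d0df84eb5549c641e04a9ef389e5,user,build,deploy
"""

# "user: credential,role,..." with ':' or '=' as separator; '#' and '!' start comments.
ENTRY = re.compile(r"^\s*([^#!:=\s][^:=]*?)\s*[:=]\s*(.*)$")


def parse_realm(text):
    """Return {user: (credential, roles, overridden)}.

    Assumption: as with java.util.Properties, a later duplicate key replaces
    the earlier one; 'overridden' records that this happened.
    """
    users = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # blank line or comment
        cred, *roles = [part.strip() for part in m.group(2).split(",")]
        users[m.group(1)] = (cred, roles, m.group(1) in users)
    return users


def audit(text):
    """Return {user: [finding, ...]} for entries that need attention."""
    findings = {}
    for user, (cred, _roles, overridden) in parse_realm(text).items():
        issues = []
        hashed = cred.startswith(("MD5:", "CRYPT:"))
        if cred.startswith("OBF:"):
            issues.append("OBF is reversible obfuscation, not a hash")
        elif not hashed:
            issues.append("plaintext password")
            if cred == user:
                issues.append("password equals username")
        if overridden:
            issues.append("duplicate entry; last one wins")
        if issues:
            findings[user] = issues
    return findings
```

On the constructed sample, the second admin line replaces the CRYPT entry above it with a plaintext one, which is why duplicates are reported.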