Replies: 12 - Last Post: Aug 13, 2008 12:03 PM by: sashafirsov

GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 10:24 AM
Dear all, Q. How to run different virtual domains under their own unix user credentials? My server runs several domains and a few apps on each. Applications belong to different development groups and have direct access to the file system. For security reasons I want to restrict web applications in the same domain by applying a unix user/group to the process. As I understand, a virtual domain in GF is served by a separate process anyway. Any idea how to control those processes' owner user?
I could install an independent GF for each domain on different ports. In this case, each GF instance will run under its own user credentials. It will take 40 Mb and there will be no way to have a common admin UI for all.
Any hint is quite appreciated. Sasha

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 11:56 AM, in response to: sashafirsov
> As I understand, virtual domain in GF is served by separate process anyway.
No, a GF domain runs as a single monolithic process on the server.
You could run a single instance of GF for several developers. If they're submitting full boat WARs to the server, there's no separation of the users and files at that level -- the server will explode the WAR files into an internal directory, but they'll be owned by the GF process user.
If the users are simply deploying WARs in a pre-populated directory, then you can maintain your user ownership, assuming the GF server has privileges to read the files.
But, frankly, for development, I wouldn't use a shared server. As robust as it is, there are just too many things that developers can do that might require a server restart. In theory that restart could be scheduled, but even still there are things that developers can possibly do on an unscheduled basis that affect the server and impact other developers (PermGen leaks come to mind here).
Really depends on how sophisticated your development is and what the users are doing.
> I could install independent GF for each domain on different ports. In this case, each GF instance will run under own user credentials. It will take 40 Mb and inability to have common admin UI for all.
You can't have a common GUI, but you could easily script the CLI with some common shortcuts to do common tasks, where you can specify the domain name and have the work done, or for some common task you can simply loop through the "known" domains and execute each command on the respective domains.
If you're using root-only ports, you can use SMF on Solaris to still let GF use the lower numbered ports, but have the process actually owned by a non-root user.

RE: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 11:56 AM, in response to: whartung
I do pretty rapid deployments to my GF dev server and at least once a day I have to restart it due to an apparent PermGen memory leak, which eventually doesn't allow any more deployment of an app.
This occurs when I'm deploying EARs and WARs all day... probably at least 25-30 times, or more.
Other than that, I rarely have to restart my GF server. But I still wouldn't want to share the server, for example when I want to experiment with different JDBC drivers etc. At the moment I don't have to dynamically change much config, but there are times when my development is closely dependent on config changes in the app server, which may require many restarts.
What's wrong with simply creating a new domain in a single GlassFish install for each developer?
Alex Sherwin alex.sherwin@acadiasoft.com

Re: RE: GlassFish domains on same server under own unix user credentials?
Posted: Aug 13, 2008 10:30 AM, in response to: Alex Sherwin
The solution exists. It was painful, and local experts have shown a pessimistic attitude rather than help. The glass is half FULL! :) Back to independent deployments on the same server. If you want to have on the same machine:
- an independent VM for a DNS domain or a subset of apps
- run this VM in a unix-user-restricted jail (under Windows it will work as well)
- have the same administration GUI
- have access separation for the admins of those VMs
- all of them served on the same port 80
You CAN do that. It is quite tricky. First of all, your apps shall work as "Standalone Servers" in a cluster-profiled server, even if no clusters are in use. Individual control of user rights is defined in the Node Agent. It has its own administrator and binaries for the start/stop process. There you will be assigning the unix user for executables and folders/files. Each NA will have its own "Standalone Instance" server. When you deploy an app, make sure to put the app in the proper server/NA. Each server/NA runs on its own port. You can select it or let the system pick a randomly available one. Now you have HTTP server instances with their own unix credentials, individually controllable, served on their own ports. Now how to fit all of them onto the same port 80? Right - the Load Balancer plugin! It has URL rewrite rules and is part of the admin UI. So you have it all in your hands.
And you should probably follow my advice: screw it! It is way easier to tune Apache with Tomcat instances. A year later, picking this knowledge back up will take the same if not more time with GF. It evolves, you know. Apache+Tomcat, for likely reasons - not much.

Re: RE: GlassFish domains on same server under own unix user credentials?
Posted: Aug 13, 2008 11:18 AM, in response to: sashafirsov
So, I'm puzzled. Did you get this working to your satisfaction or not?
If you did, how is the common administration GUI working for you and what kinds of tasks are you doing with it? I'm curious how the common Admin GUI isn't stomping on the local instances, since the Node Agents are supposed to sync up config information with the master DAS.

Re: RE: GlassFish domains on same server under own unix user credentials?
Posted: Aug 13, 2008 12:03 PM, in response to: whartung
I have got it working on a test environment as planned. Satisfaction is not the best description for it. The amount of memorizing and tricks is above reasonable use. So the configuration will not be deployed in a real environment.
> how is the common administration GUI working for you.
It does not. For each DNS domain I still need to do a bunch of manual work, beginning from the creation of the NA. That is a "native" GF feature. And there are some extra steps towards its isolation on the system level. Altogether it is too complex.
> how the common Admin GUI isn't stomping on the local instances
It does, but each NA has its own admin, and its passwords are not shared. So you cannot alter someone else's NA. At least I have been thinking that way.
The showstopper for me was not the lack of this feature, but the number of steps in comparison to the alternative solution (Apache+Tomcat). It is significantly more.
If someone is interested, details come with beer (somewhere in the Valley). Cheers, Sasha

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 12:31 PM, in response to: whartung
Thanks for the prompt response.
> GF domain runs as a single monolithic process on the server
I had expected so. Is that true for multiple domains? I am OK with a single process per domain, but for different domains I would like to have separate credentials.
I.e. the same server has domains pika.boo.com and nano.boo.com. The server has pika and nano users and groups with /home/pika and /home/nano home folders. Developers of each group could go wild, messing with each other within the same domain. But they do not even have read permission on another domain. And processes could take as much CPU as given for the user. Same for the file system: a per-user size quota applied by Unix.
> Really depends on how sophisticated your development is and what the users are doing
Nothing unusual: unlimited logs, imaging (CPU), with any FS (size) cached in memory. But it happens all at once. Potentially, they could write in the wrong place and block other services like email. Not to mention regular security issues: reading other users' content.
> You can't have a common GUI.
Strange. If you allow the same UI for clusters (different servers), how different is it from different domain instances on the same server? Same JMF interfaces, is it?
> you could easily script the CLI with some common shortcuts
Or change GF to support this feature. I guess it will have the same complexity.
At the moment there is a solution: an Apache server to redirect (ProxyPass/ProxyPassReverse) port 80 requests to the appropriate GF instances. Each GF is an independent installation. What is missing there is that nice admin UI for domain redirect and per-domain administration. A little thing which makes my admin life much easier. I prefer to write apps rather than httpd.conf or admin scripts :))
PS. On my Solaris 8 there is no SMF...
Sasha Firsov
Sr. Systems Analyst
510.985.8158 - direct 925.407.7596 - mobile
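The Apache front end described in the post above (port 80 proxied to independent GF instances, each on its own port under its own unix user) is easiest to keep consistent when httpd.conf is generated from the same table that lists the instances. The script below is an added example, not code from the thread or from GlassFish/Apache; the hostnames, users and ports in DOMAIN_TABLE are constructed, and it assumes each backend listener is bound to loopback so that only httpd can reach it.

```shell
#!/bin/sh
# Added example (not from the thread): generate one Apache VirtualHost per
# GlassFish instance so that httpd owns port 80 and each instance keeps its own
# high port and its own unix user.
# Table rows are "hostname unix_user backend_port"; these values are constructed.
DOMAIN_TABLE='pika.boo.com pika 8081
nano.boo.com nano 8082'

# gen_vhost HOST USER PORT: print a VirtualHost that reverse-proxies HOST to the
# instance on 127.0.0.1:PORT. ProxyRequests stays Off so httpd never becomes an
# open forward proxy; the backend is assumed to listen on loopback only.
gen_vhost() {
    host=$1; user=$2; port=$3
    cat <<VHOST
<VirtualHost *:80>
    ServerName ${host}
    # backend GlassFish instance runs as unix user '${user}'
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:${port}/
    ProxyPassReverse / http://127.0.0.1:${port}/
</VirtualHost>
VHOST
}

# gen_all_vhosts: emit a block for every row of DOMAIN_TABLE. Output is buffered
# and only printed once every row has validated, so a non-numeric or privileged
# (<1024) backend port yields no config at all instead of a half-written one.
gen_all_vhosts() {
    out=""
    while read -r host user port; do
        [ -n "$host" ] || continue
        case $port in
            ''|*[!0-9]*) echo "bad port for $host: '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1024 ]; then
            echo "refusing privileged backend port $port for $host" >&2
            return 1
        fi
        out="$out$(gen_vhost "$host" "$user" "$port")

"
    done <<TABLE
$DOMAIN_TABLE
TABLE
    printf '%s' "$out"
}

# Usage: gen_all_vhosts > /etc/apache2/conf.d/glassfish-proxy.conf  (path assumed)
```

Because the backend instances run as unprivileged users, a backend port below 1024 is treated as a table error: such an instance could not bind it without root, so the row is almost certainly wrong.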

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 3:42 PM, in response to: sashafirsov
> I am OK with single process per domain, but for different domains I like to have separate credentials.
In your original post, you used the phrase virtual domains. Unfortunately, "domain" is a bit overloaded here as GF calls its running "instances" domains.
So, to be clear, a GF Domain is a singular instance of GF, and it would run in its own process. You can have as many GF domains running under their own credentials as you like.
However, this is not the same with virtual host HTTP domains, which are all bound under a single GF server instance. Specifically, you can not have more than one instance of GF listening to port 80 on the same IP on the same machine.
> I.e. same server has domains: pika.boo.com and nano.boo.com, Server has pika and nano users and groups with /home/pika and /home/nano home folders. Developers of each group could go wild, messing each other within same domain. But they do not have even read permission on another domain. And processes could take as much CPU as given for user. Same for file system: size quota per-user applied by Unix.
Sure, but that's at the process level. Applications running within the GF server all share the same process, so you don't get that kind of individual control within GF.
> At the moment there is a solution: Apache server to redirect(ProxyPass/ProxyPassReverse) port 80 requests to appropriate GF instances. Each GF is independent installation. What is missing there, that nice admin UI for domain redirect and per-domain administration. A little thing which makes my admin life much easier. I prefer to write apps rather httpd.conf or admin scripts :))
Or you can multi-home the server, give each group their own IP on the same server, give each of them their own interface, and let them administer it -- and you can play help desk and lock down their processes using Unix tools. The UI makes GF pretty easy to use; I've even seen programmers and web designers themselves use it.
> PS. On my Solaris 8 there is no SMF...
Ah, yeah, I've heard Solaris was upgraded once or twice in the past 8 years.
Feel free to make RFIs for parts you think are lacking; teams are always looking for input.

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 4:38 PM, in response to: whartung
> GF Domain is a singular instance of GF, and it would run in its own process. You can have as many GF domains running under their own credentials as you like.
So I could run several GF instances, each serving its own domain under its own unix credentials? They definitely will be listening on different IP/port (internally).
> Applications running within the GF server all share the same process
You confused me. I am fine to have the same VM under the same domain. But could I (under the same GF admin UI):
1. control port 80 and do redirects to the domain IP/port?
2. administer the domain's parameters?
I have a feeling that it is possible. At least the docs say so. One thing is missing: how to run a domain under a restricted user.
The references: According to http://wiki.glassfish.java.net/Wiki.jsp?page=GlassFishV2Architecture the Domain Admin Server (DAS) could reside in its own VM and control independent Node Agents (one per domain): "Its primary purpose will be to start, stop, and create server instances as instructed by the DAS... Domain Administration Server (DAS) ..." That gives us a unified admin UI for all my domains. Isn't it?
"DAS is able to administer instances running on remote hosts" - And local ones as well (if they are under a different VM)?
"The Node Agent will also act as a watchdog and restart failed processes ... will be configured to be started by the native O/S node bootstrap" - I.e. here I could assign the process/unix user relation?
"There can be multiple Node Agents on a machine for different versions of the product or in cases where the instances on the machine reside in multiple domains" - Exactly what I want: multiple domains (under their own NA).
What is missing:
1. Association of NA with unix user
2. port 80 redirector
As for 1), the NA source could be modified. Not a big deal. 2) is more tricky. I guess that is some kind of web app which will communicate with the DAS and do port 80 redirects accordingly. Using JMX for DAS communication and somehow ProxyPass to the local instance of the domain...
Q. Is that what I need to do in order to achieve an easier implementation?
>> PS. On my Solaris 8 there is no SMF...
> Ah, yea, I've heard Solaris was upgraded once or twice in the past 8 years.
And you know, it still works! 8+ years, 24/7 non-stop. I am scared to do OS upgrades, too much hassle.
Thanks, Sasha

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 5:52 PM, in response to: sashafirsov
Here's the key point I think in all this. It all boils down to Node Agents.
The document you linked to says:
"# There is at least one NA on each machine, and an NA must be able to start all server instances on the machine (independent of the clusters to which the instances belong).
# There can be multiple Node Agents on a machine for different versions of the product or in cases where the instances on the machine reside in multiple domains."
Basically the way this reads to me is that a Node Agent is bound to a domain. If you have multiple domains, you need multiple Node Agents. If you want to run different versions of Glassfish, they would each need their own Node Agent.
It is not clear to me whether you can have more than one Node Agent for a single domain on the same machine, and that's the crux of the matter.
If you can have more than one NA on the same IP, then you can easily have each NA start up with its own user credentials, and when it fires off the appropriate Glassfish instance, that process will inherit the parent NA credentials. That's potentially a mechanism you might leverage to get each instance of GF running under a different user.
And with the NAs all running under the same Domain, you will get a single UI.
You must appreciate, however, that everything in the domain is shared. There is but one central configuration for all of the resources. So, if you have a Connection Pool for jdbc/mydatabase, ALL instances of the domain will have the same Connection pool. This is important if you're trying to limit sharing of these kinds of things. User A will have ready access to User B's JEE resources.
Also, all of the application deployments will need to go through the central admin. Which means "everyone" will have an admin credential on that domain (which means everyone can see things like db pool passwords etc.). Dunno if that's an issue for you or not either. I also don't think that they'll be able to use, say, Netbeans, to deploy their application. They'll need to use a command line script (perhaps an ant task, but I don't recall if there's a native "asadmin" ant task or not, rather than just calling the command shell from ant), or the gui.
You'll need to handle the "load balancing" to direct the traffic to their respective instances. That part won't be done by your larger domain. It will need to be a separate application (like perhaps Apache, or a proxy).
So, in the end, you could have very centralized administration, but perhaps too centralized, and your instances all running under individual user settings.
Mind I've never used the cluster/node agent facilities of GF.
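The credential-inheritance point in the reply above (whatever unix user starts the Node Agent or instance is the user the GlassFish JVM runs as) is what makes per-user isolation work, and it makes a pre-start check worthwhile: if the domain directory is owned by, or writable by, another account, that account effectively controls the instance (domain.xml, keystore, deployed archives) before the JVM even starts. The script below is an added example, not code from the thread or from GlassFish; the asadmin install path and the (user, directory, domain) values are assumptions, while `start-domain --domaindir` is the standard asadmin subcommand.

```shell
#!/bin/sh
# Added example (not from the thread): start a GlassFish instance under its own
# unix user and refuse to do so when the domain directory is owned by, or
# writable by, anyone else. ASADMIN and the arguments passed in are assumptions.
ASADMIN=${ASADMIN:-/opt/glassfish/bin/asadmin}   # assumed install location

# owner_of DIR: print the owning user (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# check_owner DIR USER: succeed only if DIR exists, is owned by USER, and is not
# group- or world-writable. Anyone who can write the domain directory can change
# the instance's configuration, so isolation is already broken in that case.
check_owner() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing domain dir: $dir" >&2; return 1; }
    actual=$(owner_of "$dir")
    if [ "$actual" != "$user" ]; then
        echo "refusing: $dir is owned by '$actual', expected '$user'" >&2
        return 1
    fi
    mode=$(ls -ld "$dir" | cut -c1-10)        # e.g. drwxr-x---
    case $mode in
        ?????w*|????????w*)                    # group write (col 6) or other write (col 9)
            echo "refusing: $dir is group/world writable ($mode)" >&2
            return 1 ;;
    esac
}

# start_instance USER DIR DOMAIN: run asadmin start-domain as USER. If we are
# already USER, run directly; if root, drop to USER with su so the JVM inherits
# USER's uid/gid, resource limits and quotas; otherwise refuse.
start_instance() {
    user=$1; dir=$2; domain=$3
    check_owner "$dir" "$user" || return 1
    cmd="$ASADMIN start-domain --domaindir $dir $domain"
    if [ "$(id -un)" = "$user" ]; then
        sh -c "$cmd"
    elif [ "$(id -u)" -eq 0 ]; then
        su - "$user" -c "$cmd"
    else
        echo "must be root or '$user' to start $domain" >&2
        return 1
    fi
}

# Usage (as root): start_instance pika /home/pika/domains pika-domain
```

Running the check before `su` means a misconfigured directory is reported by the administrator's shell rather than buried in a server log written as the other user.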

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 6:26 PM, in response to: whartung
There is confusion about what I want to achieve. Under a domain everything shall stay the same. The only difference is that the domain will be in a jailed environment: it runs from its own NA. In the same domain all resources are shared and use the same domain administration login. The chain: one domain - one unix account/group - one NA - multiple apps. That is OK. For another domain I will have another chain.
Different domains will have their own admin pages. But one "superadmin" will perform cross-domain tuning. The same way as the current DAS does, except that specific domain details will be delegated to the domain's own admin. That way the "superadmin" could do all, and domain-specific admins will be able to play with their own domain only.
> all of the application deployments will need to go through the central admin
No, apps will go via the domain-specific admin. The central one is designed to control domains, not apps. It is still OK to pass app details up/down to the domain admin. In that way the superadmin could control domains as well as the apps within.
But I thought that the superadmin logic is already in place: you can define your own domain admins from the global UI.
> you could have very centralized administration, but perhaps too centralized, and your instances all running under individual user settings.
That is right. I want to. But a domain in those terms will be isolated and, in addition to the centralized UI, could have its own admins and UI.
Let me play with GlassFish a bit more, I guess the answer is already there.

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 10:29 PM, in response to: sashafirsov
Glassfish doesn't have that concept of a "superadmin". The administration level is at the Domain (and by Domain, I mean Glassfish Domain, not HTTP domain).
The Glassfish Domain is a single entity containing and configuring all of the resources for the Domain. This includes all of the classic JEE resources (connection pools, java mail, etc.). It also includes ALL of the applications that you wish deployed within the Domain.
With a clustered deployment leveraging the Domain Admin Server, you can/will have several different systems equipped with Node Agents. Once configured, you will then be able to designate which components of your Domain will run on which instances, including Applications, HTTP listeners, etc. This means you can have a cluster with a DAS system, and System A, and System B. System A can be running application X and have a virtual HTTP server configured for "xxx.host.com", while System B will have application Y deployed to it, while its virtual HTTP server is configured to "yyy.host.com".
Even though you have 3 systems (DAS, System A, and System B), 2 applications and 2 virtual hosts, you have a single Domain, and a single Administration contact point -- the DAS. That DAS manages the entire Domain, all the systems, all of the resources, and all of the applications.
What you are suggesting with the "superadmin" and other user-specific admins can't be configured with Glassfish today the way you want.
With the scenario you present, you may as well run individual instances in each of your jails. If you require that kind of isolation between users, the DAS gives you nothing here. It actually complicates it.
I would give each user their own instance, give each one their own admin user as well as a common admin user. Then I'd write scripts that send the same asadmin commands to each server for my "superadmin", using the common admin credentials. I think that's as close as you're going to get out of the box.
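Both of whartung's suggestions (in the first reply, to script the CLI and loop over the "known" domains; here, to give every instance a common admin user and send the same asadmin command to each) amount to a fan-out wrapper around asadmin. The script below is an added example of such a wrapper, not code from the thread or from GlassFish; the instance names and admin ports, the common admin account name and the password-file path are constructed. It uses the GlassFish v2 asadmin syntax (subcommand first, then `--user`/`--passwordfile`/`--host`/`--port`) and reads the shared admin password from a file rather than the command line, refusing to run if that file is readable by anyone but its owner.

```shell
#!/bin/sh
# Added example (not from the thread): send one asadmin command to every
# independent GlassFish instance with a common admin account. The password is
# read from a file that must be readable only by its owner, never passed on the
# command line where ps would show it. Paths, names and ports are assumptions.
ASADMIN=${ASADMIN:-/opt/glassfish/bin/asadmin}              # assumed install location
ADMIN_USER=${ADMIN_USER:-superadmin}                        # common admin account
PASSFILE=${PASSFILE:-/etc/glassfish/superadmin.pass}        # holds AS_ADMIN_PASSWORD=...

# Instance table: "name admin_port" (constructed; each instance has its own admin port).
INSTANCES='pika 4849
nano 4850'

# check_passfile FILE: fail unless FILE exists and has no group/other permission bits.
check_passfile() {
    [ -f "$1" ] || { echo "no password file: $1" >&2; return 1; }
    perms=$(ls -l "$1" | cut -c5-10)          # group+other part of e.g. -rw-------
    if [ "$perms" != "------" ]; then
        echo "refusing: $1 is readable by others ($(ls -l "$1" | cut -c1-10))" >&2
        return 1
    fi
}

# run_on_all SUBCOMMAND [OPERANDS...]: run the subcommand against each instance's
# admin port (GlassFish v2 syntax: subcommand first, then global options).
# Continues past a failing instance and reports the list of failures at the end.
run_on_all() {
    sub=$1; shift
    check_passfile "$PASSFILE" || return 1
    failed=""
    while read -r name port; do
        [ -n "$name" ] || continue
        echo "== $name (admin port $port)"
        if ! "$ASADMIN" "$sub" --user "$ADMIN_USER" --passwordfile "$PASSFILE" \
                --host localhost --port "$port" --interactive=false "$@"; then
            failed="$failed $name"
        fi
    done <<TABLE
$INSTANCES
TABLE
    if [ -n "$failed" ]; then
        echo "failed on:$failed" >&2
        return 1
    fi
}

# Usage: run_on_all list-components
```

The wrapper only gives the "superadmin" what the common account is allowed to do on each instance; each group's own admin user is untouched, which is the separation whartung describes.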

Re: GlassFish domains on same server under own unix user credentials?
Posted: Aug 11, 2008 11:42 PM, in response to: whartung
Yes, "domain" is overloaded. You should take the term in the "administrative" sense and not in the DNS sense.
If using the developer profile, then yes, the domain is a single instance (one JVM) which happens to be running the GUI admin tool, the config repository and your applications.
If using the cluster profile, the members of the cluster are all part of the same administrative domain spreading across multiple JVMs and machines. They use node agents to refresh local repository caches from the main repository located on the DAS. Administration happens ideally at the DAS level only. The DAS is not required to run the cluster, only to modify its config.
hth, -Alexis