WSO2 User Core deployment patterns with WSO2 Identity Server

This is my second blog post about the user management functionality of WSO2 Carbon. It is better if you go through my first blog post before reading this one. Here we are going to talk about the deployment patterns of WSO2 Identity Server's user kernel (or any WSO2 Carbon product) with the default user realm implementations, i.e. with

DefaultRealm
JDBCUserStoreManager or LDAPUserStoreManager or ApacheDSUserStoreManager
JDBCAuthorizationManager
DefaultClaimManager
DefaultProfileConfigurationManager

Before going into deployment patterns, it is better if we clearly understand the following two things: the database schema and the user-mgt.xml file.

Database schema

All database schemas can be found in the <CARBON_HOME>/dbscripts directory.

The WSO2 Carbon platform supports, and has been tested with, most JDBC databases. If you go through these database scripts, you will find many tables, which can logically be separated into three types.

  • Registry tables – associated with the WSO2 registry component. Let's forget about the registry for the moment.
  • User Management tables – associated with JDBCAuthorizationManager, DefaultClaimManager, DefaultProfileConfigurationManager and some user-management-specific metadata. Ex – UM_ROLE_PERMISSION, UM_PERMISSION, UM_DIALECT, UM_CLAIM, UM_PROFILE_CONFIG, UM_CLAIM_BEHAVIOR, UM_HYBRID_ROLE, etc.
  • User Store tables – associated with JDBCUserStoreManager. As I mentioned in my previous blog post, there are four tables associated with it.

Some important notes:

The default WSO2 Carbon distribution uses an H2 database for storing this data.

In a deployment, you can keep all three types of tables in the same database or in different databases. The default WSO2 Carbon distribution uses only one H2 database for all tables, but it is good practice to separate them into different databases.

In most deployments two databases are used: one for registry data and the other for both user management and user store data.

If LDAP or AD is used as the underlying user store, the user store tables are not used (they are consumed only by JDBCUserStoreManager), but the user management tables are still used. If the user store is configured as "Read Only", internal roles (called hybrid roles) can still be created in the user management database.

user-mgt.xml file

This file contains the realm configuration and can be found in the <CARBON_HOME>/repository/conf directory. It is very easy to understand. Below I have outlined its structure with some details.

<UserManager>

<Realm>

Define the realm configuration under this element.

<Configuration>

Define the user management datasource properties.
Define the admin user name.
Define the admin user password (if you are connecting to a fresh database or fresh LDAP).
Define the admin role name.
Define the everyone role name.

</Configuration>

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">

Define the user store manager class as the attribute.
Define the user store properties; any property value can be added.
If the user store is JDBC, define the JDBC datasource properties (if they are not defined here, the realm configuration builder assumes the user store datasource properties are the same as the user management datasource properties configured above).
If the user store is LDAP or AD, define the LDAP properties.

</UserStoreManager>

<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">

Define the authorization manager class as the attribute.
Define the authorization manager specific properties.

</AuthorizationManager>

</Realm>

</UserManager>

Now let's go through the deployment patterns of the user kernel.

Pattern 1 : Deploy the WSO2 user kernel with a fresh H2 JDBC user store (read/write mode) using the default Carbon user store schema and default configuration.

You can simply start the extracted distribution to deploy the WSO2 kernel in this pattern. However, I will list the steps for verification.

Step1. Unzip any WSO2 Carbon product distribution

Step2. Make sure the following user store manager class is uncommented and all other user store managers are commented out.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

Step3. Start the server by running the wso2carbon script.

> sh wso2carbon.sh (in UNIX)

Pattern2 : Deploy the WSO2 user kernel with any fresh JDBC user store using the default Carbon user store schema (read/write mode)

This is the same as pattern 1, except that we deploy with a different JDBC database and can also change the default configuration such as the admin role, admin user and so on.

Step1. Unzip any WSO2 Carbon product distribution

Step2. Configure the following datasource properties under the //UserManager/Realm/Configuration element of the user-mgt.xml file. By default these are configured for H2; change them according to your database.

<Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</Property>
<Property name="userName">wso2carbon</Property>
<Property name="password">wso2carbon</Property>
<Property name="driverName">org.h2.Driver</Property>

Step3. Define the following:

Admin role name, which will be created in the JDBC user store.
Admin user name, which will be created in the JDBC user store. Please note the admin user will be assigned to the admin role defined above.
Admin user password, which will be created in the JDBC user store.
Everyone role name, which will be created in the JDBC user store and is the role that all users are assigned by default.

<AdminRole>admin</AdminRole>
<AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>

Step4. Uncomment the following user store manager class and comment out all others.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

Step5. Copy the JDBC driver jar file into the <CARBON_HOME>/repository/components/lib directory.

Step6. Start the server by running the wso2carbon script, found in the <CARBON_HOME>/bin directory, with the -Dsetup option. With -Dsetup, all tables are created in the configured database according to the schema defined in the <CARBON_HOME>/dbscripts directory; alternatively, you can create them manually using the appropriate script.

> sh wso2carbon.sh -Dsetup (in UNIX)

Pattern3 : Deploy the WSO2 user kernel with an existing LDAP user store such as OpenLDAP (read/write mode) and a JDBC database for user management data

Step1. Unzip any WSO2 Carbon product distribution

Step2. Configure the following datasource properties under the //UserManager/Realm/Configuration element of the user-mgt.xml file. By default these are configured for H2; change them according to your database.

<Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</Property>
<Property name="userName">wso2carbon</Property>
<Property name="password">wso2carbon</Property>
<Property name="driverName">org.h2.Driver</Property>

Step3. Configure the admin role name as an existing LDAP group in your LDAP group search base.
Configure the admin user name as an existing user in your LDAP user search base.
Please note the admin user must be a member of the admin group defined above.
Configure the everyone role name, which is the role that all users are assigned by default.

<AdminRole>ldapadmin</AdminRole>
<AdminUser>
    <UserName>ldapadmin</UserName>
    <Password></Password>
</AdminUser>
<EveryOneRoleName>ldapeveryone</EveryOneRoleName>

Step4. Uncomment the following user store manager class and comment out all others. Change the LDAP user store properties according to your configuration.

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">

Step5. Copy the JDBC driver jar file into the <CARBON_HOME>/repository/components/lib directory.

Step6. Start the server by running the wso2carbon script, found in the <CARBON_HOME>/bin directory, with the -Dsetup option. With -Dsetup, all tables are created in the configured database according to the schema defined in the <CARBON_HOME>/dbscripts directory; alternatively, you can create them manually using the appropriate script.

> sh wso2carbon.sh -Dsetup (in UNIX)

Pattern4: Deploy the WSO2 user kernel with an existing LDAP user store such as OpenLDAP (read-only mode) and a JDBC database for user management data

This is the same as pattern 3, except that the user store operates in read-only mode.

Step1. Unzip any WSO2 Carbon product distribution

Step2. Configure the following datasource properties under the //UserManager/Realm/Configuration element of the user-mgt.xml file. By default these are configured for H2; change them according to your database.

<Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</Property>
<Property name="userName">wso2carbon</Property>
<Property name="password">wso2carbon</Property>
<Property name="driverName">org.h2.Driver</Property>

Step3. Configure the admin role name as an existing LDAP group in your LDAP group search base.
Configure the admin user name as an existing user in your LDAP user search base.
Please note the admin user must be a member of the admin group defined above.
Configure the everyone role name, which is the role that all users are assigned by default.

<AdminRole>ldapadmin</AdminRole>
<AdminUser>
    <UserName>ldapadmin</UserName>
    <Password></Password>
</AdminUser>
<EveryOneRoleName>ldapeveryone</EveryOneRoleName>

Step4. Uncomment the following user store manager class and comment out all others. Change the LDAP user store properties according to your configuration. Also make sure the following property is set under the user store configuration.

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>

Step5. Copy the JDBC driver jar file into the <CARBON_HOME>/repository/components/lib directory.

Step6. Start the server by running the wso2carbon script, found in the <CARBON_HOME>/bin directory, with the -Dsetup option. With -Dsetup, all tables are created in the configured database according to the schema defined in the <CARBON_HOME>/dbscripts directory; alternatively, you can create them manually using the appropriate script.

> sh wso2carbon.sh -Dsetup (in UNIX)

Although this is a read-only user store, you can still create roles using the user management UI and API. These roles are not actually created in the LDAP; they are created in the user management database, in the UM_HYBRID_ROLE table. We call them hybrid roles.
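As an added example (my own script, not part of the original post or of WSO2's code), the following Python reads a user-mgt.xml realm laid out as sketched in the user-mgt.xml section, decides which of the four deployment patterns above it matches, and flags the settings worth checking before going live: the default H2 datasource credentials, the default admin password, more than one uncommented user store manager, and the ReadOnly flag that turns role creation into hybrid roles. The sample XML and the "H2 url means pattern 1" heuristic are my assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the user-mgt.xml layout: pattern 4 (read-only LDAP store, H2 user-management DB)
SAMPLE_USER_MGT_XML = """<UserManager><Realm>
  <Configuration>
    <AdminRole>ldapadmin</AdminRole>
    <AdminUser><UserName>ldapadmin</UserName><Password></Password></AdminUser>
    <EveryOneRoleName>ldapeveryone</EveryOneRoleName>
    <Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</Property>
    <Property name="userName">wso2carbon</Property>
    <Property name="password">wso2carbon</Property>
    <Property name="driverName">org.h2.Driver</Property>
  </Configuration>
  <!-- <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"/> -->
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
  </UserStoreManager>
  <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"/>
</Realm></UserManager>"""

def _props(element):
    return {p.get("name"): (p.text or "").strip() for p in element.findall("Property")}

def classify_realm(xml_text):
    """Return (pattern 1-4 as defined in the post, or None if malformed; list of findings)."""
    realm = ET.fromstring(xml_text).find("Realm")
    conf = realm.find("Configuration")
    findings = []
    um_props = _props(conf)
    for key in ("url", "userName", "password", "driverName"):
        if key not in um_props:
            findings.append("missing user-management datasource property: " + key)
    if (um_props.get("userName"), um_props.get("password")) == ("wso2carbon", "wso2carbon"):
        findings.append("default H2 datasource credentials (wso2carbon/wso2carbon) still in use")
    if (conf.findtext("AdminUser/Password") or "") == "admin":
        findings.append("admin password is the distribution default")
    # ElementTree drops XML comments, so every element left here is an uncommented manager
    stores = realm.findall("UserStoreManager")
    if len(stores) != 1:
        findings.append("expected exactly one uncommented UserStoreManager, found %d" % len(stores))
        return None, findings
    cls, store_props = stores[0].get("class", ""), _props(stores[0])
    if cls.endswith("JDBCUserStoreManager"):
        url = store_props.get("url", um_props.get("url", ""))  # inherits the UM datasource if absent
        return (1 if url.startswith("jdbc:h2:") else 2), findings  # H2 = pattern 1 (heuristic)
    if store_props.get("ReadOnly", "false").lower() == "true":
        findings.append("read-only LDAP: roles created via UI/API land in UM_HYBRID_ROLE as hybrid roles")
        return 4, findings
    return 3, findings
```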
