Hi,
For “Deleting Users And Groups Using WLST NonStop” please click here
Here is a simple example of a WLST script that creates users and groups and assigns different users to different groups. Doing the same thing from the admin console is very time-consuming. The following WLST script is just an example, but it can be enhanced to delete users and groups in the same manner.
The best thing here is that the administrator only needs to edit the properties file with the user and group details; the WLST script takes care of the rest. The administrator also needs to change the iteration of the “for” loop in the WLST script according to the number of WebLogic users and WebLogic groups.
Step1). Create a directory somewhere in your file system, for example “C:\WLST_MultiDomain_DS”.
Step2). Write a properties file “details.properties” inside “C:\WLST_MultiDomain_DS” like the following:
domain.name=Domain_8001
admin.url=t3://localhost:8001
admin.userName=weblogic
admin.password=weblogic
security.realmName=myrealm
total.groups=2
total.username=3
create.group.name.1=GroupOne
create.group.name.2=GroupTwo
create.group.description.1= This is a Test Gropu One
create.group.description.2= This is a Test Gropu Two
create.user.name.1=TestUserOne
create.user.password.1=TestUserOnePassword
create.user.description.1= This is a Test User One
create.user.name.2=TestUserTwo
create.user.password.2=TestUserTwoPassword
create.user.description.2= This is a Test User Two
create.user.name.3=TestUserThree
create.user.password.3=TestUserThreePassword
create.user.description.3= This is a Test User Three
create.group.name.1.members=TestUserOne,TestUserTwo,
create.group.name.2.members=TestUserThree,
NOTE: The “create.group.name.1.members” Entries must end with a COMMA (,)
Step3). Write the WLST script “users_groups.py” inside the “C:\WLST_MultiDomain_DS” directory.
#############################################################################
#
# @author Copyright (c) 2010 - 2011 by Middleware Magic, All Rights Reserved.
#
#############################################################################
from java.io import FileInputStream
from java.util import Properties

# Load connection, user and group details from the properties file
propInputStream = FileInputStream("details.properties")
configProps = Properties()
configProps.load(propInputStream)
propInputStream.close()

domainName=configProps.get("domain.name")
adminURL=configProps.get("admin.url")
adminUserName=configProps.get("admin.userName")
adminPassword=configProps.get("admin.password")
realmName=configProps.get("security.realmName")
totalGroups_to_Create=configProps.get("total.groups")
totalUsers_to_Create=configProps.get("total.username")

# Connect to the Admin Server and move to the DefaultAuthenticator MBean
connect(adminUserName, adminPassword, adminURL)
serverConfig()
authenticatorPath= '/SecurityConfiguration/' + domainName + '/Realms/' + realmName + '/AuthenticationProviders/DefaultAuthenticator'
print authenticatorPath
cd(authenticatorPath)
print ' '
print ' '
print 'Creating Groups . . .'
i=1
while (i <= int(totalGroups_to_Create)) :
    groupName = configProps.get("create.group.name."+ str(i))
    groupDescription = configProps.get("create.group.description."+ str(i))
    try:
        cmo.createGroup(groupName , groupDescription)
        print '-----------Group Created With Name : ' , groupName
    except:
        print '*************** Check If The Group With the Name : ' , groupName ,' already Exists...'
    i = i + 1
print ' '
print ' '
print 'Creating Users . . .'
x=1
while (x <= int(totalUsers_to_Create)):
    userName = configProps.get("create.user.name."+ str(x))
    userPassword = configProps.get("create.user.password."+ str(x))
    userDescription = configProps.get("create.user.description."+ str(x))
    try:
        cmo.createUser(userName , userPassword , userDescription)
        print '-----------User Created With Name : ' , userName
    except:
        print '*************** Check If the User With the Name : ' , userName ,' already Exists...'
    x = x + 1
print ' '
print ' '
print 'Adding Group Membership of the Users:'
# Edit this loop so it covers exactly the group numbers defined in details.properties
for y in 1,2:
    grpName = configProps.get("create.group.name."+ str(y))
    groupMembers= configProps.get("create.group.name."+ str(y) + ".members")
    usrName=''
    # Walk the members string one character at a time; a comma ends a user name
    for member in groupMembers:
        if member == ",":
            cmo.addMemberToGroup(grpName,usrName)
            print 'USER:' , usrName , 'Added to GROUP: ' , grpName
            usrName=''
        else:
            usrName=usrName+member
print ' '
print ' '
Step4). Use the ‘cd’ command to move inside <BEA_HOME>/wlserver_10.3/server/bin, then run “. ./setWLSEnv.sh”, that is, with two dots separated by a single space before the actual script name, like the following:
. ./setWLSEnv.sh
Note: the first dot tells the shell to set the environment in the current shell, and the second “./” means execute the script from the current directory.
Step5). Now run the WLST script like the following:
java weblogic.WLST users_groups.py
C:\WLST_MultiDomain_DS>java weblogic.WLST users_groups.py
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to t3://localhost:8001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_8001'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Already in Config Runtime
/SecurityConfiguration/Domain_8001/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator
Creating Groups . . .
-----------Group Created With Name : GroupOne
-----------Group Created With Name : GroupTwo
Creating Users . . .
-----------User Created With Name : TestUserOne
-----------User Created With Name : TestUserTwo
-----------User Created With Name : TestUserThree
Adding Group Membership of the Users:
USER: TestUserOne Added to GROUP: GroupOne
USER: TestUserTwo Added to GROUP: GroupOne
USER: TestUserThree Added to GROUP: GroupTwo
If the groups or users already exist, then the following output will be seen:
java weblogic.WLST users_groups.py
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to t3://localhost:8001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_8001'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Already in Config Runtime
/SecurityConfiguration/Domain_8001/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator
Creating Groups . . .
*************** Check If The Group With the Name : GroupOne already Exists...
*************** Check If The Group With the Name : GroupTwo already Exists...
Creating Users . . .
*************** Check If the User With the Name : TestUserOne already Exists...
*************** Check If the User With the Name : TestUserTwo already Exists...
*************** Check If the User With the Name : TestUserThree already Exists...
Adding Group Membership of the Users:
USER: TestUserOne Added to GROUP: GroupOne
USER: TestUserTwo Added to GROUP: GroupOne
USER: TestUserThree Added to GROUP: GroupTwo
Thanks
Jay SenSharma
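A pre-flight check for details.properties, as an added example that is not part of the original post or of WebLogic: it is plain Python 3, run before WLST, and looks for the conditions the script above cannot cope with (a missing or comma-less members entry, a member the file never creates, stray whitespace that java.util.Properties keeps in values) plus the t3:// URL that the sample run itself warns about. The function names and the sample input are constructed for illustration.

```python
# Constructed sample in the page's details.properties layout (not from the post).
# Mistakes: trailing space (\x20) on user 2, no final comma, no group 2 members.
SAMPLE = """admin.url=t3://localhost:8001
total.groups=2
total.username=2
create.group.name.1=GroupOne
create.group.name.2=GroupTwo
create.user.name.1=TestUserOne
create.user.password.1=TestUserOnePassword
create.user.name.2=TestUserTwo\x20
create.user.password.2=TestUserTwoPassword
create.group.name.1.members=TestUserOne,TestUserTwo
"""

def parse_properties(text):
    # Like java.util.Properties: leading space of a value is dropped, trailing kept.
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.lstrip()
    return props

def validate(text):
    p, findings, users = parse_properties(text), [], set()
    if p.get("admin.url", "").startswith("t3://"):
        findings.append("admin.url uses t3://; use the SSL or admin port (t3s://) instead")
    for x in range(1, int(p.get("total.username", 0)) + 1):
        for key in ("create.user.name.%d" % x, "create.user.password.%d" % x):
            value = p.get(key)
            if value is None:
                findings.append(key + " is missing")
            elif value != value.strip():
                findings.append(key + " has trailing whitespace")
        users.add(p.get("create.user.name.%d" % x))
    for y in range(1, int(p.get("total.groups", 0)) + 1):
        key = "create.group.name.%d.members" % y
        members = p.get(key)
        if members is None:  # the script's member loop cannot iterate over None
            findings.append(key + " is missing")
        elif not members.endswith(","):  # a name is only added when a comma is reached
            findings.append(key + " does not end with a comma")
        for m in filter(None, (members or "").split(",")):
            if m not in users:
                findings.append("%s lists %s, which this file does not create" % (key, m))
    return findings

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)))
```

A member that already exists in the realm but is not created by the file is reported too, so treat that finding as a prompt to check rather than as an error.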
December 22nd, 2010 on 12:22 am
I have been looking for this script for a long time :o)
Thanks!
February 25th, 2011 on 3:17 am
Hi,
Before creating the user how can I check if the user exists in weblogic or not and throw a message accordingly?
Thanks
Anup
February 25th, 2011 on 4:55 am
Figured it out 🙂
from java.io import FileInputStream
from java.util import Properties

propInputStream = FileInputStream("details.properties")
configProps = Properties()
configProps.load(propInputStream)
domainName=configProps.get("domain.name")
adminURL=configProps.get("admin.url")
adminUserName=configProps.get("admin.userName")
adminPassword=configProps.get("admin.password")
realmName=configProps.get("security.realmName")
connect(adminUserName, adminPassword, adminURL)
serverConfig()
authenticatorPath= '/SecurityConfiguration/' + domainName + '/Realms/' + realmName + '/AuthenticationProviders/DefaultAuthenticator'
print authenticatorPath
cd(authenticatorPath)
print 'Creating Users . . .'
#ls()
#print 'Value of cmo is below----'
#print cmo
for x in 1,2:
    userName = configProps.get("user.name."+ str(x))
    userPassword = configProps.get("user.password."+ str(x))
    userDescription = configProps.get("user.description."+ str(x))
    #print cmo.userExists(userName)
    # Only create the user when the authenticator does not already have it
    if cmo.userExists(userName) != 1:
        cmo.createUser(userName , userPassword , userDescription)
        print '-----------User Created With Name : ' , userName
    else:
        print '-----------Use exists with Name : ' , userName
February 25th, 2011 on 10:13 am
Hi Testab,
You suggested a great enhancement in the above script. Thank you 🙂 Keep Sharing.
I will go ahead and will update the above WLST Script by adding the following lines which you suggested:
We Share 20 Bonus Magic Points with you for suggesting the great enhancement. Thank you once again for your keen observation and sharing enhancements.
Keep Sharing 😉
Thanks
Jay SenSharma
March 4th, 2011 on 1:04 pm
hi jai,
How are you? Actually I am trying to create a new user and add it to an existing group using the above script, but I am getting the below error. Will you please give me the solution?
C:test_wlst_script>java weblogic.WLST C:test_wlst_scriptusers_groups.py
Initializing WebLogic Scripting Tool (WLST) …
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to t3://vreddy35:8001 with userid weblogic …
Successfully connected to Admin Server ‘AdminServer’ that belongs to domain
.
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
Already in Config Runtime
/SecurityConfiguration/d2/Realms/myrealm/AuthenticationProviders/DefaultAut
cator
Creating Groups . . .
Check If The Group With the Name : Deployers already Exists…
Creating Users . . .
Check If the User With the Name : varun already Exists…
Adding Group Membership of the Users:
USER: varun Added to GROUP: Deployers
Problem invoking WLST – Traceback (innermost last):
File “C:test_wlst_scriptusers_groups.py”, line 58, in ?
TypeError: iteration over non-sequence
March 4th, 2011 on 7:33 pm
Hi varunkolanu,
From the output it looks like the new user name “varun” which you are trying to give already exists.
March 4th, 2011 on 9:51 pm
Hi Ravish,
Thanks for reply…
March 30th, 2011 on 2:50 pm
Hi Jay/Ravish,
This works perfectly fine for WebLogic 9. But when I try this for WebLogic 8.1.4 it is giving me NameError: serverConfig. Is there a way we can implement this for WebLogic 8.1.4 as well?
Traceback (innermost last):
File “users.py”, line 21, in ?
NameError: serverConfig
March 30th, 2011 on 4:26 pm
Hi SahitiReddy,
WLS8.1.4 has certain limitations; for example, it does not support all the WLST online commands. The above script is intended to be used from WLS9.x onwards. There have been many changes in the security implementation of WebLogic from WLS9.x onwards, so you won't be able to use the above script for WLS8.1.4.
Keep Posting 🙂
Thanks
Jay SenSharma
March 31st, 2011 on 2:53 pm
Do you have some script which works for Weblogic 8.1.4? Because we have to create many users in multiple domains 🙁
March 31st, 2011 on 4:34 pm
Hi sahitireddy,
We are sorry to say but WLS 8.x has reached its End Of Life hence we do not create any scripts for that version. However we would try our best but it would be really very hard to get all the stuff done which are done in WLST in higher version thus we can not commit anything. However you can try with Oracle Support Team if they can help you out with it.
Or the best option would be to upgrade to the latest version of WLS so that you can get the benefits from the scripts created by us.
Regards,
Ravish Mody
April 1st, 2011 on 8:34 am
Heyy, I could do the script for WebLogic 8.1.4. We have to go to the following location
cd('/SecurityConfiguration/' + domainName + '/weblogic.security.providers.authentication.DefaultAuthenticator/' + '/Security:Name=myrealmDefaultAuthenticator')
and execute
cmo.createUser(”,”,”)
cmo.addMemberToGroup(”,”)
April 1st, 2011 on 12:48 pm
Hi sahitireddy,
We really appreciate your sharing with us; however, we are yet to test it from our side. But we are happy to give you an additional 20 Magic Points for sharing your finding with us and others.
Keep Posting 🙂
Regards,
Ravish Mody
April 12th, 2011 on 2:22 am
How can we do these steps in WLST?
Delegating MBean authorization to the realm
Before creating JMX policies, ensure that the security realm is set up to control access to MBeans. For more information, refer to the WebLogic Administration Console documentation.
Follow these steps:
1. In the WebLogic Administration Console, click Domain Structure > Security Realms.
2. Click myrealm from the Realms list on the Summary of Security Realms page.
3. On the Configuration > General page, ensure that Use Authorization Providers to Protect JMX Access is selected. If this option is not selected, perform the following steps:
   - Click Lock & Edit in the Change Center.
   - Select Use Authorization Providers to Protect JMX Access.
   - Click Save.
   - In the Change Center, click Activate Changes.
   - Restart the admin server and the managed server.
C.4.2 Creating JMX policies
1. In the WebLogic Administration Console, click Domain Structure > Security Realms.
2. On the Summary of Security Realms page, click the name of the realm for which you want to modify JMX policies.
3. On the Settings page, click the Roles and Policies tab and then click the Realm Policies sub tab.
4. In the Name column of the Policies table, click JMX Policy Editor.
5. On the JMX Policy Editor page, ensure that the GLOBAL SCOPE option is selected. Click Next.
6. Ensure that the ALL MBEANS TYPES option is selected on the next page. Click Next.
7. Select the Attributes: Permission to Write option and click Create Policy.
8. On the Edit JMX Policies page, click Add Conditions.
9. Select Role from the Predicate List drop-down menu and click Next.
10. In the Role Argument Name box, enter Anonymous and click Add.
Note: The Anonymous role is a default WebLogic role for all runtime process users
11. Click Finish.
12. On the Edit JMX Policies page, click Save.
13. Repeat steps 1 to 6.
14. On the JMX Policy Editor – Attributes and Operations page, select the Unregister instances of this MBean using MBean server option and click Create Policy.
15. Repeat steps 8 to 12
April 18th, 2011 on 10:42 pm
Hi Magic1799,
Your requirement is very specific to your environment … we usually write generic scripts.
Keep Posting 🙂
Thanks
Jay SenSharma
May 17th, 2012 on 3:01 am
Hi
I am using the script as given above. Changed all the appropriate values i.e connection strings , username , password etc..
When I run the script only a few users are added i.e if I have 50 users only 20 or 30 users are added and it errors out during adding members to groups saying the member does not exists. So I have to manually add the users again.
Can anyone please explain why it does not add all the users? Should there not be any white spaces after each line?
Thanks
August 15th, 2012 on 11:56 pm
I am able to create a user with the above script, but the created user does not show up in http://localhost:7001/console (Security Realms->myrealm->Users and Groups tab). I also can’t login to http://localhost:7001/console with the created user.
WLST userExists() function returns true and listUsers() function is able to return the created user. Wondering why I can’t login to console with the user that is created with this script.
August 16th, 2012 on 6:50 pm
You probably have the role (read group) of the user wrong. With the following you can add users:
By using the following you can edit the roles (groups):
September 27th, 2012 on 12:40 pm
Hi
Whenever I try to execute the script I get the below error, please help:
Problem invoking WLST – Traceback (innermost last):
File “/u01/SOA_DEV/SOAFilestore/HOME/RAJGR/WLSTScript/users_groups.py”, line 9, in ?
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.(FileInputStream.java:120)
at java.io.FileInputStream.(FileInputStream.java:79)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
java.io.FileNotFoundException: java.io.FileNotFoundException: details.properties (No such file or directory)
Thanks
Rajan Grover
September 27th, 2012 on 12:55 pm
Make sure the details.properties file can be found. The error is telling you: “java.io.FileNotFoundException: java.io.FileNotFoundException: details.properties (No such file or directory)”
September 27th, 2012 on 2:20 pm
Yes, that's correct… but I have kept the detail.properties file in the same folder… not sure why it's not able to find the file…
Is there any other way to check why the file is not being located by the script?