Whenever we do a WSO2 training, one of the first labs is adding a user and a role to the system. In the case of the ESB this is often a ‘tester’ user that has limited functionality. Originally we added just the following three permissions:
What are we aiming to do?
We are going to investigate which permission is required by a user to be able to view the list of services. To do this we are adding a user, initially without any role. We take the following steps:
- Open a browser and access https://localhost:9443/carbon (allow access without a valid certificate if needed)
- Log in to the ESB as the default user admin with password admin
- Select Configure Tab
- Select User & Roles option from menu
- Choose Users and click Add New User action
- Enter the name tester and the password tester
- Click on Finish to complete user creation
Now that we have added a user, the next step is to actually give it permissions, since this user cannot do anything yet. Permissions are assigned to a user through roles. A role groups one or more permissions that are needed for a particular job role. Roles are used in WSO2 products for various reasons, for instance to log in to the API Manager store or publisher, but also for runtime message mediation, such as when working with XACML Entitlements for services.
For now our user needs permissions to view the services list in the admin console.
To do that we will add a role to the system.
- Select User & Roles option from menu
- Choose Roles Management and click Add New Role
- Set the role name to Tester and click Next
- Select Login, Tryit & Monitor permissions and click Next
- Select the user created on previous step to add to role
- Click Finish to complete role creation and assignment.
- Log out and log in as user tester, then check which tabs and options are available to this user.
As said and shown in the first screenshot, these permissions result in an empty list of services. So how do we go about making the list visible and the tester able to test the Axis2 Echo service?
Permissions and UI
Unfortunately, there is no list of permissions and the services they are linked to. We mention services because every Management UI will, under the hood, call one of the Admin Services in WSO2. It does not matter which product you use: all WSO2 products work this way, with admin and even hidden services.
We asked WSO2 if such a list exists and the answer is NO. So it is either taking the source code and determining it from there or, less work and easier, trial and error.
So we started by adding permissions to the tester role to see if we can actually see the service.
We started out with a high-level permission such as Manage, then added and removed permissions until we ended up with the one permission that had to be added. In this case it was Mediation.
So the permissions looked like this:
Test the service
Now we can actually see the deployed services and we can start using TryIt.
- As user tester, select Services->List option from the Main tab
- Click on WSDL1.1 cell of echo service to access its definition (opens in a new browser tab).
- On the ESB Console, in the Tools tab, select the tryIt option and enter the WSDL URL
- Click on Try It to test the service (a popup window opens showing detailed service information). Note that the Internet Explorer browser does not support the TryIt tool. Use Chrome, Mozilla or Firefox for this step.
- Select the echoString operation and enter a text between the <in> and </in> tags of the XML payload body.
- Click the Send button
- The service executes and returns the original string sent.
At this moment we have not found any other way to map permissions to Admin Services. The permissions are actually part of the registry (/_system/governance/permission) and can be set using the AdminServices (https://localhost:9443/services/UserAdmin).
So for now it is trial and error to find out what permissions need to be set for a product / role combination.
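The add-and-remove search described above can be written down as a small routine. This is an added example, not code from the original post or from WSO2; the permission names and the `services_list_visible` check are constructed stand-ins for the real permission tree and for logging in as tester to look at the services list.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed, simplified permission tree (parent -> children). The real tree
# is in the registry under /_system/governance/permission and differs per
# product and version; these names are placeholders, not real registry paths.
TREE: Dict[str, List[str]] = {
    "manage": ["manage/add", "manage/mediation", "manage/modify", "manage/search"],
    "manage/modify": ["manage/modify/service", "manage/modify/user-profile"],
}
BASE: Set[str] = {"login", "tryit", "monitor"}  # what the Tester role started with


def leaves(node: str, tree: Dict[str, List[str]] = TREE) -> List[str]:
    """Expand a permission into the leaf permissions it implies."""
    children = tree.get(node, [])
    if not children:
        return [node]
    return [leaf for child in children for leaf in leaves(child, tree)]


def minimise(broad: str, base: Set[str], works: Callable[[Set[str]], bool],
             tree: Dict[str, List[str]] = TREE) -> Tuple[Set[str], int]:
    """Grant `broad`, then drop leaves one by one while the feature keeps working.

    Returns the remaining permissions and the number of checks made. Assumes
    that adding a permission never breaks the feature.
    """
    granted = set(leaves(broad, tree))
    trials = 1
    if not works(base | granted):
        raise ValueError(f"{broad!r} does not enable the feature; start higher up")
    for perm in sorted(granted):
        trials += 1
        if works(base | (granted - {perm})):
            granted.discard(perm)  # not needed, leave it out of the role
    return granted, trials


def services_list_visible(perms: Set[str]) -> bool:
    """Stand-in for the manual check: log in as tester, open Services -> List."""
    return {"login", "manage/mediation"} <= perms


if __name__ == "__main__":
    needed, trials = minimise("manage", BASE, services_list_visible)
    print(f"extra permissions needed: {sorted(needed)} after {trials} checks")
```

Each call to `works` corresponds to one round of editing the role and checking the console as tester, so the check count is the number of manual rounds the search costs.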
Thanks to Thijs Volders for his contributions to this blog.