At a customer site, ansible is used to deploy the full Syrius stack. One of the requirements was to give the browse privileges to a group of people to monitor the JMS queues. I tried to follow the steps provided in the following Oracle documentation: Using XACML Documents to Secure WebLogic Resources
Those steps are complicated and were not fully working. I requested the help from the Oracle Support through a Service Request that was conclude with note Policy Not Available After Creating It Using WLST Script (Doc ID 2860074.1).
I finally find out that instead of using the XACML Documents to Secure WebLogic Resources and call the setPolicyExpression to save the XACML Documents already applied, I can use the createPolicyExpression and avoid the XACML Documents usage.
The action to grant browsing privilege to a group of users can be done in three steps:
1. Create a role that will be used to assign the JMS browsing privilege
2. Create the policy to allow JMS queues browsing
3. Assign the role to a group of users
For simplicity, the three steps have been split in three separate WLST scripts but of course they can be merged in one single WLST script.
- createRole.py
try:
#Connect to AdminServer
connect('<USERNAME>','<PASSWORD>','t3://<HOST>:<PORT>')
rm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper("XACMLRoleMapper")
rm.createRole(None,"MonitorJMSQueues",None,"")
print "MonitorJMSQueues Created"
disconnect()
except:
print "ERROR... check error messages for cause."
exit(exitcode=1)
finally:
print "end of role creation"
exit()
2. createPolicy.py
def allowJMSAccessForGroup():
try:
print "cd('/SecurityConfiguration/" + domainName + "/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')"
cd('/SecurityConfiguration/' + domainName + '/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')
cmo.createPolicyExpression('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean','{Rol(Admin) | Rol(MonitorJMSQueues)}')
print "Create policy done"
return True
except Exception, inst:
print inst
print sys.exc_info()[0]
dumpStack()
sys.stderr.write("unable to apply JMS access policy for domain " + domainName)
return False
connect('<USERNAME>','<PASSWORD>','t3s://<HOST>:<PORT>')
serverConfig()
allowJMSAccessForGroup()
disconnect()
exit()
3. assignRole.py
connect('<USERNAME>','<PASSWORD>','t3s://<HOST>:<PORT>')
rm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper("XACMLRoleMapper")
rm.setRoleExpression('','MonitorJMSQueues','Grp(JMS_MONITORING_GROUP)')
The JMS_MONITORING_GROUP needs to have the WebLogic monitoring role granted and then the members of this group can log to the WebLogic console and navigate to the JMS service to check the content of the JMS queues.
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/PBR_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/OLS_web-min-scaled.jpg)