Merge pull request #4565 from vramik/KEYCLOAK-5674
KEYCLOAK-5674 updated migration scripts
commit
2a818947c2
4 changed files with 602 additions and 21 deletions
|
@ -50,16 +50,35 @@ if (result == []) of /profile=$clusteredProfile/subsystem=keycloak-server/:read-
|
|||
/profile=$clusteredProfile/subsystem=keycloak-server/:migrate-json(file=$pathToJson)
|
||||
echo
|
||||
end-if
|
||||
if (result == [expression "classpath:${jboss.server.config.dir}/providers/*"]) of /profile=$clusteredProfile/subsystem=keycloak-server/:read-attribute(name=providers)
|
||||
echo Updating provider to default value
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/:write-attribute(name=providers,value=[classpath:${jboss.home.dir}/providers/*])
|
||||
echo
|
||||
end-if
|
||||
if (result == keycloak) of /profile=$clusteredProfile/subsystem=keycloak-server/theme=defaults:read-attribute(name=default)
|
||||
echo Undefining default theme...
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/theme=defaults:undefine-attribute(name=default)
|
||||
echo
|
||||
end-if
|
||||
if (result == expression "${jboss.server.config.dir}/themes") of /profile=$clusteredProfile/subsystem=keycloak-server/theme=defaults:read-attribute(name=dir)
|
||||
echo Updating theme dir to default value
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/theme=defaults/:write-attribute(name=dir,value=${jboss.home.dir}/themes)
|
||||
echo
|
||||
end-if
|
||||
|
||||
set persistenceProvider=jpa
|
||||
|
||||
# Migrate from 2.1.0 to 2.2.0
|
||||
# Do not add distributed-cache=authorization. This is now removed.
|
||||
#if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# echo Additing distributed-cache=authorization
|
||||
# /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
# echo
|
||||
#end-if
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# In migration from 3.0.0 to 3.2.0 there is authorization distributed-cache replaced with local-cache
|
||||
try
|
||||
echo
|
||||
/profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
echo Added distributed-cache=authorization
|
||||
catch
|
||||
end-try
|
||||
end-if
|
||||
|
||||
if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
|
||||
echo Updating connectionsJpa default properties...
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
|
||||
|
@ -194,13 +213,16 @@ if (outcome == failed) of /profile=$clusteredProfile/subsystem=keycloak-server/s
|
|||
echo
|
||||
end-if
|
||||
|
||||
if ((result.default-provider == undefined) && (result.provider.default.enabled == true)) of /subsystem=keycloak-server/spi=connectionsInfinispan/:read-resource(recursive=true,include-defaults=false)
|
||||
if ((result.default-provider == undefined) && (result.provider.default.enabled == true)) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsInfinispan/:read-resource(recursive=true,include-defaults=false)
|
||||
echo Adding 'default' as default provider for connectionsInfinispan
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsInfinispan/:write-attribute(name=default-provider,value=default)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.0.0 to 3.2.0
|
||||
# Migrate from 3.0.0 to 3.1.0
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.1.0 to 3.2.0
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:read-resource
|
||||
echo Adding distributed-cache=authenticationSessions to keycloak cache container...
|
||||
/profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:add(mode=SYNC,owners=1)
|
||||
|
@ -226,7 +248,120 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
# Migrate from 3.2.0 to 3.2.1
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.2.1 to 3.3.0
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=core-management/:read-resource
|
||||
try
|
||||
echo Trying to add core-management extension
|
||||
/extension=org.wildfly.extension.core-management/:add
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to add core-management extension, it should be already added by migrate-domain-standalone.cli
|
||||
echo
|
||||
end-try
|
||||
echo Adding subsystem core-management
|
||||
/profile=$clusteredProfile/subsystem=core-management/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=elytron/:read-resource
|
||||
try
|
||||
echo Trying to add elytron extension
|
||||
/extension=org.wildfly.extension.elytron/:add
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to add elytron extension, it should be already added by migrate-domain-standalone.cli
|
||||
echo
|
||||
end-try
|
||||
echo Adding subsystem elytron
|
||||
/profile=$clusteredProfile/subsystem=elytron/:add
|
||||
/profile=$clusteredProfile/subsystem=elytron/provider-loader=elytron/:add(module=org.wildfly.security.elytron)
|
||||
/profile=$clusteredProfile/subsystem=elytron/provider-loader=openssl/:add(module=org.wildfly.openssl)
|
||||
/profile=$clusteredProfile/subsystem=elytron/aggregate-providers=combined-providers/:add(providers=[elytron,openssl])
|
||||
/profile=$clusteredProfile/subsystem=elytron/file-audit-log=local-audit/:add(path=audit.log,relative-to=jboss.server.log.dir,format=JSON)
|
||||
/profile=$clusteredProfile/subsystem=elytron/identity-realm=local/:add(identity="$local")
|
||||
/profile=$clusteredProfile/subsystem=elytron/properties-realm=ApplicationRealm/:add(users-properties={path=application-users.properties,relative-to=jboss.domain.config.dir,digest-realm-name=ApplicationRealm},groups-properties={path=application-roles.properties,relative-to=jboss.domain.config.dir})
|
||||
/profile=$clusteredProfile/subsystem=elytron/simple-permission-mapper=anonymous-permission-mapper/:add(permission-mappings=[{principals=[anonymous],permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission}]}]
|
||||
/profile=$clusteredProfile/subsystem=elytron/constant-permission-mapper=constant-permission-mapper/:add(permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission},{class-name=org.wildfly.extension.batch.jberet.deployment.BatchPermission,module=org.wildfly.extension.batch.jberet,target-name=*},{class-name=org.wildfly.transaction.client.RemoteTransactionPermission,module=org.wildfly.transaction.client},{class-name=org.jboss.ejb.client.RemoteEJBPermission,module=org.jboss.ejb-client}])
|
||||
/profile=$clusteredProfile/subsystem=elytron/logical-permission-mapper=default-permission-mapper/:add(logical-operation=unless,left=constant-permission-mapper,right=anonymous-permission-mapper)
|
||||
/profile=$clusteredProfile/subsystem=elytron/constant-realm-mapper=local/:add(realm-name=local)
|
||||
/profile=$clusteredProfile/subsystem=elytron/simple-role-decoder=groups-to-roles/:add(attribute=groups)
|
||||
/profile=$clusteredProfile/subsystem=elytron/constant-role-mapper=super-user-mapper/:add(roles=[SuperUser])
|
||||
/profile=$clusteredProfile/subsystem=elytron/security-domain=ApplicationDomain/:add(default-realm=ApplicationRealm,permission-mapper=default-permission-mapper,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles},{realm=local}])
|
||||
/profile=$clusteredProfile/subsystem=elytron/provider-http-server-mechanism-factory=global/:add
|
||||
/profile=$clusteredProfile/subsystem=elytron/http-authentication-factory=application-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=Application Realm}]},{mechanism-name=FORM}])
|
||||
/profile=$clusteredProfile/subsystem=elytron/provider-sasl-server-factory=global/:add
|
||||
/profile=$clusteredProfile/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=elytron/:add(sasl-server-factory=global,filters=[{provider-name=WildFlyElytron}])
|
||||
/profile=$clusteredProfile/subsystem=elytron/configurable-sasl-server-factory=configured/:add(sasl-server-factory=elytron,properties={wildfly.sasl.local-user.default-user => "$local"})
|
||||
/profile=$clusteredProfile/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
|
||||
/profile=$clusteredProfile/subsystem=elytron/:write-attribute(name=final-providers,value=combined-providers)
|
||||
/profile=$clusteredProfile/subsystem=elytron/:write-attribute(name=disallowed-providers,value=[OracleUcrypto])
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:read-resource
|
||||
echo Adding channel-creation-options READ_TIMEOUT and MAX_OUTBOUND_MESSAGES to ejb3 remote
|
||||
/profile=$clusteredProfile/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:add(value="${prop.remoting-connector.read.timeout:20}",type=xnio)
|
||||
/profile=$clusteredProfile/subsystem=ejb3/service=remote/channel-creation-options=MAX_OUTBOUND_MESSAGES/:add(value=1234,type=remoting)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == ASYNC) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=web/distributed-cache=dist:read-attribute(name=mode)
|
||||
echo Setting SYNC mode for web cache-container
|
||||
/profile=$clusteredProfile/subsystem=infinispan/cache-container=web/distributed-cache=dist:write-attribute(name=mode,value=SYNC)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == ASYNC) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=ejb/distributed-cache=dist:read-attribute(name=mode)
|
||||
echo Setting SYNC mode for ejb cache-container
|
||||
/profile=$clusteredProfile/subsystem=infinispan/cache-container=ejb/distributed-cache=dist:write-attribute(name=mode,value=SYNC)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result != undefined) of /profile=$clusteredProfile/subsystem=jgroups/stack=udp/protocol=FD_SOCK/:read-attribute(name=socket-binding)
|
||||
echo Unsetting socket-binding from udp FD_SOCK protocol
|
||||
# it has to be done via remove and add, because socket-binding is not writable attribute
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=udp/protocol=FD_SOCK/:remove
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=udp/protocol=FD_SOCK/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD/:read-resource
|
||||
echo Replacing tcp FD protocol with FD_ALL
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD/:remove
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD_ALL/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result != undefined) of /profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:read-attribute(name=socket-binding)
|
||||
echo Unsetting socket-binding from tcp FD_SOCK protocol
|
||||
# it has to be done via remove and add, because socket-binding is not writable attribute
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:remove
|
||||
/profile=$clusteredProfile/subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:read-resource
|
||||
echo Adding http-invoker to default-host
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:add(security-realm=ApplicationRealm)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == false) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=enable-http2)
|
||||
echo Enabling http2 for default http-listener
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=enable-http2,value=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:read-resource
|
||||
echo Adding https-listener
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:add(socket-binding=https,security-realm=ApplicationRealm,enable-http2=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.3.0 to 3.4.0
|
||||
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
|
@ -235,4 +370,32 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=
|
|||
/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$clusteredProfile/subsystem=jdr/:read-resource
|
||||
echo Removing jdr subsystem and extension
|
||||
/profile=$clusteredProfile/subsystem=jdr/:remove
|
||||
echo
|
||||
try
|
||||
echo Trying to remove jdr extension
|
||||
/extension=org.jboss.as.jdr/:remove
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to remove jdr extension, Should be removed by migrate-domain-standalone.cli
|
||||
echo
|
||||
end-try
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$clusteredProfile/subsystem=jsf/:read-resource
|
||||
echo Removing jsf subsystem and extension
|
||||
/profile=$clusteredProfile/subsystem=jsf/:remove
|
||||
echo
|
||||
try
|
||||
echo Trying to remove jsf extension
|
||||
/extension=org.jboss.as.jsf/:remove
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to remove jsf extension, Should be removed by migrate-domain-standalone.cli
|
||||
echo
|
||||
end-try
|
||||
end-if
|
||||
|
||||
echo *** End Migration of /profile=$clusteredProfile ***
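Review bot: The `simple-permission-mapper=anonymous-permission-mapper/:add(` line in the elytron block never closes its operation parenthesis: it ends in `...LoginPermission}]}]`, while every other `:add(...)` in the block ends with `)`. The identical line appears in the `$standaloneProfile` section of this commit. Whether the CLI parser tolerates the unclosed call is not visible from this page; if it does not, the `logical-permission-mapper=default-permission-mapper` and `security-domain=ApplicationDomain` lines that follow refer to a mapper that was never created. The line should end `...LoginPermission}]}])`.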
|
|
@ -62,6 +62,21 @@ if (result == []) of /profile=$standaloneProfile/subsystem=keycloak-server/:read
|
|||
/profile=$standaloneProfile/subsystem=keycloak-server/:migrate-json(file=$pathToJson)
|
||||
echo
|
||||
end-if
|
||||
if (result == [expression "classpath:${jboss.server.config.dir}/providers/*"]) of /profile=$standaloneProfile/subsystem=keycloak-server/:read-attribute(name=providers)
|
||||
echo Updating provider to default value
|
||||
/profile=$standaloneProfile/subsystem=keycloak-server/:write-attribute(name=providers,value=[classpath:${jboss.home.dir}/providers/*])
|
||||
echo
|
||||
end-if
|
||||
if (result == keycloak) of /profile=$standaloneProfile/subsystem=keycloak-server/theme=defaults:read-attribute(name=default)
|
||||
echo Undefining default theme...
|
||||
/profile=$standaloneProfile/subsystem=keycloak-server/theme=defaults:undefine-attribute(name=default)
|
||||
echo
|
||||
end-if
|
||||
if (result == expression "${jboss.server.config.dir}/themes") of /profile=$standaloneProfile/subsystem=keycloak-server/theme=defaults:read-attribute(name=dir)
|
||||
echo Updating theme dir to default value
|
||||
/profile=$standaloneProfile/subsystem=keycloak-server/theme=defaults/:write-attribute(name=dir,value=${jboss.home.dir}/themes)
|
||||
echo
|
||||
end-if
|
||||
|
||||
set persistenceProvider=jpa
|
||||
|
||||
|
@ -181,14 +196,16 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=keycloak-server/
|
|||
echo
|
||||
end-if
|
||||
|
||||
if ((result.default-provider == undefined) && (result.provider.default.enabled == true)) of /subsystem=keycloak-server/spi=connectionsInfinispan/:read-resource(recursive=true,include-defaults=false)
|
||||
if ((result.default-provider == undefined) && (result.provider.default.enabled == true)) of /profile=$standaloneProfile/subsystem=keycloak-server/spi=connectionsInfinispan/:read-resource(recursive=true,include-defaults=false)
|
||||
echo Adding 'default' as default provider for connectionsInfinispan
|
||||
/profile=$standaloneProfile/subsystem=keycloak-server/spi=connectionsInfinispan/:write-attribute(name=default-provider,value=default)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.0.0 to 3.1.0
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.0.0 to 3.2.0
|
||||
# Migrate from 3.1.0 to 3.2.0
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource
|
||||
echo Adding local-cache=authenticationSessions to keycloak cache container...
|
||||
/profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY)
|
||||
|
@ -205,7 +222,109 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (result == 100L) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:read-attribute(name=max-entries)
|
||||
echo Updating eviction in local-cache=authorization...
|
||||
/profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.2.1
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.2.1 to 3.3.0
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=core-management/:read-resource
|
||||
try
|
||||
echo Trying to add core-management extension
|
||||
/extension=org.wildfly.extension.core-management/:add
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to add core-management extension, it should be already added by migrate-domain-clustered.cli
|
||||
echo
|
||||
end-try
|
||||
echo Adding subsystem core-management
|
||||
/profile=$standaloneProfile/subsystem=core-management/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=elytron/:read-resource
|
||||
try
|
||||
echo Trying to add elytron extension
|
||||
/extension=org.wildfly.extension.elytron/:add
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to add elytron extension, it should be already added by migrate-domain-clustered.cli
|
||||
echo
|
||||
end-try
|
||||
echo Adding subsystem elytron
|
||||
/profile=$standaloneProfile/subsystem=elytron/:add
|
||||
/profile=$standaloneProfile/subsystem=elytron/provider-loader=elytron/:add(module=org.wildfly.security.elytron)
|
||||
/profile=$standaloneProfile/subsystem=elytron/provider-loader=openssl/:add(module=org.wildfly.openssl)
|
||||
/profile=$standaloneProfile/subsystem=elytron/aggregate-providers=combined-providers/:add(providers=[elytron,openssl])
|
||||
/profile=$standaloneProfile/subsystem=elytron/file-audit-log=local-audit/:add(path=audit.log,relative-to=jboss.server.log.dir,format=JSON)
|
||||
/profile=$standaloneProfile/subsystem=elytron/identity-realm=local/:add(identity="$local")
|
||||
/profile=$standaloneProfile/subsystem=elytron/properties-realm=ApplicationRealm/:add(users-properties={path=application-users.properties,relative-to=jboss.domain.config.dir,digest-realm-name=ApplicationRealm},groups-properties={path=application-roles.properties,relative-to=jboss.domain.config.dir})
|
||||
/profile=$standaloneProfile/subsystem=elytron/simple-permission-mapper=anonymous-permission-mapper/:add(permission-mappings=[{principals=[anonymous],permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission}]}]
|
||||
/profile=$standaloneProfile/subsystem=elytron/constant-permission-mapper=constant-permission-mapper/:add(permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission},{class-name=org.wildfly.extension.batch.jberet.deployment.BatchPermission,module=org.wildfly.extension.batch.jberet,target-name=*},{class-name=org.wildfly.transaction.client.RemoteTransactionPermission,module=org.wildfly.transaction.client},{class-name=org.jboss.ejb.client.RemoteEJBPermission,module=org.jboss.ejb-client}])
|
||||
/profile=$standaloneProfile/subsystem=elytron/logical-permission-mapper=default-permission-mapper/:add(logical-operation=unless,left=constant-permission-mapper,right=anonymous-permission-mapper)
|
||||
/profile=$standaloneProfile/subsystem=elytron/constant-realm-mapper=local/:add(realm-name=local)
|
||||
/profile=$standaloneProfile/subsystem=elytron/simple-role-decoder=groups-to-roles/:add(attribute=groups)
|
||||
/profile=$standaloneProfile/subsystem=elytron/constant-role-mapper=super-user-mapper/:add(roles=[SuperUser])
|
||||
/profile=$standaloneProfile/subsystem=elytron/security-domain=ApplicationDomain/:add(default-realm=ApplicationRealm,permission-mapper=default-permission-mapper,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles},{realm=local}])
|
||||
/profile=$standaloneProfile/subsystem=elytron/provider-http-server-mechanism-factory=global/:add
|
||||
/profile=$standaloneProfile/subsystem=elytron/http-authentication-factory=application-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=Application Realm}]},{mechanism-name=FORM}])
|
||||
/profile=$standaloneProfile/subsystem=elytron/provider-sasl-server-factory=global/:add
|
||||
/profile=$standaloneProfile/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=elytron/:add(sasl-server-factory=global,filters=[{provider-name=WildFlyElytron}])
|
||||
/profile=$standaloneProfile/subsystem=elytron/configurable-sasl-server-factory=configured/:add(sasl-server-factory=elytron,properties={wildfly.sasl.local-user.default-user => "$local"})
|
||||
/profile=$standaloneProfile/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
|
||||
/profile=$standaloneProfile/subsystem=elytron/:write-attribute(name=final-providers,value=combined-providers)
|
||||
/profile=$standaloneProfile/subsystem=elytron/:write-attribute(name=disallowed-providers,value=[OracleUcrypto])
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:read-resource
|
||||
echo Adding channel-creation-options READ_TIMEOUT and MAX_OUTBOUND_MESSAGES to ejb3 remote
|
||||
/profile=$standaloneProfile/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:add(value="${prop.remoting-connector.read.timeout:20}",type=xnio)
|
||||
/profile=$standaloneProfile/subsystem=ejb3/service=remote/channel-creation-options=MAX_OUTBOUND_MESSAGES/:add(value=1234,type=remoting)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=web/local-cache=persistent:read-resource
|
||||
echo Removing local-cache persistent from web cache-container
|
||||
/profile=$standaloneProfile/subsystem=infinispan/cache-container=web/local-cache=persistent:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=ejb/local-cache=persistent:read-resource
|
||||
echo Removing local-cache persistent from ejb cache-container
|
||||
/profile=$standaloneProfile/subsystem=infinispan/cache-container=ejb/local-cache=persistent:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == local-query) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=hibernate/:read-attribute(name=default-cache)
|
||||
echo Removing default-cache from hibernate cache-container
|
||||
/profile=$standaloneProfile/subsystem=infinispan/cache-container=hibernate/:undefine-attribute(name=default-cache)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:read-resource
|
||||
echo Adding http-invoker to default-host
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:add(security-realm=ApplicationRealm)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == false) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=enable-http2)
|
||||
echo Enabling http2 for default http-listener
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=enable-http2,value=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:read-resource
|
||||
echo Adding https-listener
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:add(socket-binding=https,security-realm=ApplicationRealm,enable-http2=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.3.0 to 3.4.0
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
|
@ -214,4 +333,32 @@ if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server
|
|||
/profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=jdr/:read-resource
|
||||
echo Removing jdr subsystem and extension
|
||||
/profile=$standaloneProfile/subsystem=jdr/:remove
|
||||
echo
|
||||
try
|
||||
echo Trying to remove jdr extension
|
||||
/extension=org.jboss.as.jdr/:remove
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to remove jdr extension, it should be removed by migrate-domain-clustered.cli
|
||||
echo
|
||||
end-try
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=jsf/:read-resource
|
||||
echo Removing jsf subsystem and extension
|
||||
/profile=$standaloneProfile/subsystem=jsf/:remove
|
||||
echo
|
||||
try
|
||||
echo Trying to remove jsf extension
|
||||
/extension=org.jboss.as.jsf/:remove
|
||||
echo
|
||||
catch
|
||||
echo Wasn't able to remove jsf extension, Should be removed by migrate-domain-clustered.cli
|
||||
echo
|
||||
end-try
|
||||
end-if
|
||||
|
||||
echo *** End Migration of /profile=$standaloneProfile ***
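Review bot: The elytron block adds `file-audit-log=local-audit`, but the `security-domain=ApplicationDomain/:add(...)` a few lines below it sets no `security-event-listener`, so as far as this section shows nothing is wired to write to audit.log. If authentication events for ApplicationDomain are meant to be recorded after migration, add `security-event-listener=local-audit` to that `:add`. Otherwise, put a comment above the audit-log line such as `# local-audit is defined but not attached to any security domain`, so operators do not assume auditing is active. The `$clusteredProfile` section has the same pair of lines.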
|
|
@ -43,6 +43,21 @@ if (result == []) of /subsystem=keycloak-server/:read-children-names(child-type=
|
|||
end-if
|
||||
|
||||
set persistenceProvider=jpa
|
||||
if (result == [expression "classpath:${jboss.server.config.dir}/providers/*"]) of /subsystem=keycloak-server/:read-attribute(name=providers)
|
||||
echo Updating provider to default value
|
||||
/subsystem=keycloak-server/:write-attribute(name=providers,value=[classpath:${jboss.home.dir}/providers/*])
|
||||
echo
|
||||
end-if
|
||||
if (result == keycloak) of /subsystem=keycloak-server/theme=defaults:read-attribute(name=default)
|
||||
echo Undefining default theme...
|
||||
/subsystem=keycloak-server/theme=defaults:undefine-attribute(name=default)
|
||||
echo
|
||||
end-if
|
||||
if (result == expression "${jboss.server.config.dir}/themes") of /subsystem=keycloak-server/theme=defaults:read-attribute(name=dir)
|
||||
echo Updating theme dir to default value
|
||||
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=dir,value=${jboss.home.dir}/themes)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 2.1.0 to 2.2.0
|
||||
if (outcome == failed) of /extension=org.jboss.as.deployment-scanner/:read-resource
|
||||
|
@ -60,12 +75,17 @@ if (outcome == failed) of /subsystem=deployment-scanner/scanner=default/:read-re
|
|||
/subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000)
|
||||
echo
|
||||
end-if
|
||||
# Do not add. This is now removed.
|
||||
#if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# echo Adding distributed-cache=authorization
|
||||
# /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
# echo
|
||||
#end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# In migration from 3.0.0 to 3.2.0 there is authorization distributed-cache replaced with local-cache
|
||||
try
|
||||
echo
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
echo Added distributed-cache=authorization
|
||||
catch
|
||||
end-try
|
||||
end-if
|
||||
|
||||
if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
|
||||
echo Updating connectionsJpa default properties...
|
||||
/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
|
||||
|
@ -231,13 +251,135 @@ if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distri
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
# Migrate from 3.2.0 to 3.2.1
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.2.1 to 3.3.0
|
||||
if (outcome == failed) of /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:read-resource
|
||||
echo Adding keystore to ApplicationRealm...
|
||||
/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir,keystore-password=password,alias=server,key-password=password,generate-self-signed-certificate-host=localhost)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /extension=org.wildfly.extension.elytron/:read-resource
|
||||
echo Adding elytron extension...
|
||||
/extension=org.wildfly.extension.elytron/:add(module=org.wildfly.extension.elytron)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=elytron/:read-resource
|
||||
echo Adding elytron subsystem
|
||||
/subsystem=elytron:add
|
||||
/subsystem=elytron/provider-loader=elytron/:add(module=org.wildfly.security.elytron)
|
||||
/subsystem=elytron/provider-loader=openssl/:add(module=org.wildfly.openssl)
|
||||
/subsystem=elytron/aggregate-providers=combined-providers/:add(providers=[elytron,openssl])
|
||||
/subsystem=elytron/file-audit-log=local-audit/:add(path=audit.log,relative-to=jboss.server.log.dir,format=JSON)
|
||||
/subsystem=elytron/identity-realm=local/:add(identity="$local")
|
||||
/subsystem=elytron/properties-realm=ApplicationRealm/:add(users-properties={path=application-users.properties,relative-to=jboss.server.config.dir,digest-realm-name=ApplicationRealm},groups-properties={path=application-roles.properties,relative-to=jboss.server.config.dir})
|
||||
/subsystem=elytron/properties-realm=ManagementRealm/:add(users-properties={path=mgmt-users.properties,relative-to=jboss.server.config.dir,digest-realm-name=ManagementRealm},groups-properties={path=mgmt-groups.properties,relative-to=jboss.server.config.dir})
|
||||
/subsystem=elytron/simple-permission-mapper=anonymous-permission-mapper/:add(permission-mappings=[{principals=[anonymous],permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission}]}]
|
||||
/subsystem=elytron/constant-permission-mapper=constant-permission-mapper/:add(permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission},{class-name=org.wildfly.extension.batch.jberet.deployment.BatchPermission,module=org.wildfly.extension.batch.jberet,target-name=*},{class-name=org.wildfly.transaction.client.RemoteTransactionPermission,module=org.wildfly.transaction.client},{class-name=org.jboss.ejb.client.RemoteEJBPermission,module=org.jboss.ejb-client}])
|
||||
/subsystem=elytron/logical-permission-mapper=default-permission-mapper/:add(logical-operation=unless,left=constant-permission-mapper,right=anonymous-permission-mapper)
|
||||
/subsystem=elytron/constant-realm-mapper=local/:add(realm-name=local)
|
||||
/subsystem=elytron/simple-role-decoder=groups-to-roles/:add(attribute=groups)
|
||||
/subsystem=elytron/constant-role-mapper=super-user-mapper/:add(roles=[SuperUser])
|
||||
/subsystem=elytron/security-domain=ApplicationDomain/:add(default-realm=ApplicationRealm,permission-mapper=default-permission-mapper,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles},{realm=local}])
|
||||
/subsystem=elytron/security-domain=ManagementDomain/:add(default-realm=ManagementRealm,permission-mapper=default-permission-mapper,realms=[{realm=ManagementRealm,role-decoder=groups-to-roles},{realm=local,role-mapper=super-user-mapper}])
|
||||
/subsystem=elytron/provider-http-server-mechanism-factory=global/:add
|
||||
/subsystem=elytron/http-authentication-factory=management-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ManagementDomain,mechanism-configurations=[{mechanism-name=DIGEST,mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
|
||||
/subsystem=elytron/http-authentication-factory=application-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=Application Realm}]},{mechanism-name=FORM}])
|
||||
/subsystem=elytron/provider-sasl-server-factory=global/:add
|
||||
/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=elytron/:add(sasl-server-factory=global,filters=[{provider-name=WildFlyElytron}])
|
||||
/subsystem=elytron/configurable-sasl-server-factory=configured/:add(sasl-server-factory=elytron,properties={wildfly.sasl.local-user.default-user => "$local"})
|
||||
/subsystem=elytron/sasl-authentication-factory=management-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ManagementDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
|
||||
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
|
||||
/subsystem=elytron/:write-attribute(name=final-providers,value=combined-providers)
|
||||
/subsystem=elytron/:write-attribute(name=disallowed-providers,value=[OracleUcrypto])
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:read-resource
|
||||
echo Adding channel-creation-options READ_TIMEOUT and MAX_OUTBOUND_MESSAGES to ejb3 remote
|
||||
/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:add(value="${prop.remoting-connector.read.timeout:20}",type=xnio)
|
||||
/subsystem=ejb3/service=remote/channel-creation-options=MAX_OUTBOUND_MESSAGES/:add(value=1234,type=remoting)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == ASYNC) of /subsystem=infinispan/cache-container=web/distributed-cache=dist:read-attribute(name=mode)
|
||||
echo Setting SYNC mode for web cache-container
|
||||
/subsystem=infinispan/cache-container=web/distributed-cache=dist:write-attribute(name=mode,value=SYNC)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == ASYNC) of /subsystem=infinispan/cache-container=ejb/distributed-cache=dist:read-attribute(name=mode)
|
||||
echo Setting SYNC mode for ejb cache-container
|
||||
/subsystem=infinispan/cache-container=ejb/distributed-cache=dist:write-attribute(name=mode,value=SYNC)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result != undefined) of /subsystem=jgroups/stack=udp/protocol=FD_SOCK/:read-attribute(name=socket-binding)
|
||||
echo Unsetting socket-binding from udp FD_SOCK protocol
|
||||
# it has to be done via remove and add, because socket-binding is not writable attribute
|
||||
/subsystem=jgroups/stack=udp/protocol=FD_SOCK/:remove
|
||||
/subsystem=jgroups/stack=udp/protocol=FD_SOCK/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=jgroups/stack=tcp/protocol=FD/:read-resource
|
||||
echo Replacing tcp FD protocol with FD_ALL
|
||||
/subsystem=jgroups/stack=tcp/protocol=FD/:remove
|
||||
/subsystem=jgroups/stack=tcp/protocol=FD_ALL/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result != undefined) of /subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:read-attribute(name=socket-binding)
|
||||
echo Unsetting socket-binding from tcp FD_SOCK protocol
|
||||
# it has to be done via remove and add, because socket-binding is not writable attribute
|
||||
/subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:remove
|
||||
/subsystem=jgroups/stack=tcp/protocol=FD_SOCK/:add
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:read-resource
|
||||
echo Adding http-invoker to default-host
|
||||
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:add(security-realm=ApplicationRealm)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == false) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=enable-http2)
|
||||
echo Enabling http2 for default http-listener
|
||||
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=enable-http2,value=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=undertow/server=default-server/https-listener=https/:read-resource
|
||||
echo Adding https-listener
|
||||
/subsystem=undertow/server=default-server/https-listener=https/:add(socket-binding=https,security-realm=ApplicationRealm,enable-http2=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.3.0 to 3.4.0
|
||||
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=jdr/:read-resource
|
||||
echo Removing jdr subsystem and extension
|
||||
/subsystem=jdr/:remove
|
||||
/extension=org.jboss.as.jdr/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=jsf/:read-resource
|
||||
echo Removing jsf subsystem and extension
|
||||
/subsystem=jsf/:remove
|
||||
/extension=org.jboss.as.jsf/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
echo *** End Migration ***
|
|
@ -55,6 +55,21 @@ if (result == []) of /subsystem=keycloak-server/:read-children-names(child-type=
|
|||
/subsystem=keycloak-server/:migrate-json
|
||||
echo
|
||||
end-if
|
||||
if (result == [expression "classpath:${jboss.server.config.dir}/providers/*"]) of /subsystem=keycloak-server/:read-attribute(name=providers)
|
||||
echo Updating provider to default value
|
||||
/subsystem=keycloak-server/:write-attribute(name=providers,value=[classpath:${jboss.home.dir}/providers/*])
|
||||
echo
|
||||
end-if
|
||||
if (result == keycloak) of /subsystem=keycloak-server/theme=defaults:read-attribute(name=default)
|
||||
echo Undefining default theme...
|
||||
/subsystem=keycloak-server/theme=defaults:undefine-attribute(name=default)
|
||||
echo
|
||||
end-if
|
||||
if (result == expression "${jboss.server.config.dir}/themes") of /subsystem=keycloak-server/theme=defaults:read-attribute(name=dir)
|
||||
echo Updating theme dir to default value
|
||||
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=dir,value=${jboss.home.dir}/themes)
|
||||
echo
|
||||
end-if
|
||||
|
||||
set persistenceProvider=jpa
|
||||
|
||||
|
@ -195,8 +210,10 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled =
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.0.0 to 3.1.0
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.0.0 to 3.2.0
|
||||
# Migrate from 3.1.0 to 3.2.0
|
||||
if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource
|
||||
echo Adding local-cache=authenticationSessions to keycloak cache container...
|
||||
/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY)
|
||||
|
@ -213,12 +230,124 @@ if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-c
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (result == 100L) of /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:read-attribute(name=max-entries)
|
||||
echo Updating eviction in local-cache=authorization...
|
||||
/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.2.1
|
||||
# NO CHANGES
|
||||
|
||||
# Migrate from 3.2.1 to 3.3.0
|
||||
if (outcome == failed) of /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:read-resource
|
||||
echo Adding keystore to ApplicationRealm...
|
||||
/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir,keystore-password=password,alias=server,key-password=password,generate-self-signed-certificate-host=localhost)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /extension=org.wildfly.extension.elytron/:read-resource
|
||||
echo Adding elytron extension...
|
||||
/extension=org.wildfly.extension.elytron/:add(module=org.wildfly.extension.elytron)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=elytron/:read-resource
|
||||
echo Adding elytron subsystem
|
||||
/subsystem=elytron:add
|
||||
/subsystem=elytron/provider-loader=elytron/:add(module=org.wildfly.security.elytron)
|
||||
/subsystem=elytron/provider-loader=openssl/:add(module=org.wildfly.openssl)
|
||||
/subsystem=elytron/aggregate-providers=combined-providers/:add(providers=[elytron,openssl])
|
||||
/subsystem=elytron/file-audit-log=local-audit/:add(path=audit.log,relative-to=jboss.server.log.dir,format=JSON)
|
||||
/subsystem=elytron/identity-realm=local/:add(identity="$local")
|
||||
/subsystem=elytron/properties-realm=ApplicationRealm/:add(users-properties={path=application-users.properties,relative-to=jboss.server.config.dir,digest-realm-name=ApplicationRealm},groups-properties={path=application-roles.properties,relative-to=jboss.server.config.dir})
|
||||
/subsystem=elytron/properties-realm=ManagementRealm/:add(users-properties={path=mgmt-users.properties,relative-to=jboss.server.config.dir,digest-realm-name=ManagementRealm},groups-properties={path=mgmt-groups.properties,relative-to=jboss.server.config.dir})
|
||||
/subsystem=elytron/simple-permission-mapper=anonymous-permission-mapper/:add(permission-mappings=[{principals=[anonymous],permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission}]}]
|
||||
/subsystem=elytron/constant-permission-mapper=constant-permission-mapper/:add(permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission},{class-name=org.wildfly.extension.batch.jberet.deployment.BatchPermission,module=org.wildfly.extension.batch.jberet,target-name=*},{class-name=org.wildfly.transaction.client.RemoteTransactionPermission,module=org.wildfly.transaction.client},{class-name=org.jboss.ejb.client.RemoteEJBPermission,module=org.jboss.ejb-client}])
|
||||
/subsystem=elytron/logical-permission-mapper=default-permission-mapper/:add(logical-operation=unless,left=constant-permission-mapper,right=anonymous-permission-mapper)
|
||||
/subsystem=elytron/constant-realm-mapper=local/:add(realm-name=local)
|
||||
/subsystem=elytron/simple-role-decoder=groups-to-roles/:add(attribute=groups)
|
||||
/subsystem=elytron/constant-role-mapper=super-user-mapper/:add(roles=[SuperUser])
|
||||
/subsystem=elytron/security-domain=ApplicationDomain/:add(default-realm=ApplicationRealm,permission-mapper=default-permission-mapper,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles},{realm=local}])
|
||||
/subsystem=elytron/security-domain=ManagementDomain/:add(default-realm=ManagementRealm,permission-mapper=default-permission-mapper,realms=[{realm=ManagementRealm,role-decoder=groups-to-roles},{realm=local,role-mapper=super-user-mapper}])
|
||||
/subsystem=elytron/provider-http-server-mechanism-factory=global/:add
|
||||
/subsystem=elytron/http-authentication-factory=management-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ManagementDomain,mechanism-configurations=[{mechanism-name=DIGEST,mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
|
||||
/subsystem=elytron/http-authentication-factory=application-http-authentication/:add(http-server-mechanism-factory=global,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=Application Realm}]},{mechanism-name=FORM}])
|
||||
/subsystem=elytron/provider-sasl-server-factory=global/:add
|
||||
/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=elytron/:add(sasl-server-factory=global,filters=[{provider-name=WildFlyElytron}])
|
||||
/subsystem=elytron/configurable-sasl-server-factory=configured/:add(sasl-server-factory=elytron,properties={wildfly.sasl.local-user.default-user => "$local"})
|
||||
/subsystem=elytron/sasl-authentication-factory=management-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ManagementDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
|
||||
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication/:add(sasl-server-factory=configured,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
|
||||
/subsystem=elytron/:write-attribute(name=final-providers,value=combined-providers)
|
||||
/subsystem=elytron/:write-attribute(name=disallowed-providers,value=[OracleUcrypto])
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:read-resource
|
||||
echo Adding channel-creation-options READ_TIMEOUT and MAX_OUTBOUND_MESSAGES to ejb3 remote
|
||||
/subsystem=ejb3/service=remote/channel-creation-options=READ_TIMEOUT/:add(value="${prop.remoting-connector.read.timeout:20}",type=xnio)
|
||||
/subsystem=ejb3/service=remote/channel-creation-options=MAX_OUTBOUND_MESSAGES/:add(value=1234,type=remoting)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=infinispan/cache-container=web/local-cache=persistent:read-resource
|
||||
echo Removing local-cache persistent from web cache-container
|
||||
/subsystem=infinispan/cache-container=web/local-cache=persistent:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=infinispan/cache-container=ejb/local-cache=persistent:read-resource
|
||||
echo Removing local-cache persistent from ejb cache-container
|
||||
/subsystem=infinispan/cache-container=ejb/local-cache=persistent:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == local-query) of /subsystem=infinispan/cache-container=hibernate/:read-attribute(name=default-cache)
|
||||
echo Removing default-cache from hibernate cache-container
|
||||
/subsystem=infinispan/cache-container=hibernate/:undefine-attribute(name=default-cache)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:read-resource
|
||||
echo Adding http-invoker to default-host
|
||||
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker/:add(security-realm=ApplicationRealm)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (result == false) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=enable-http2)
|
||||
echo Enabling http2 for default http-listener
|
||||
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=enable-http2,value=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == failed) of /subsystem=undertow/server=default-server/https-listener=https/:read-resource
|
||||
echo Adding https-listener
|
||||
/subsystem=undertow/server=default-server/https-listener=https/:add(socket-binding=https,security-realm=ApplicationRealm,enable-http2=true)
|
||||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.3.0 to 3.4.0
|
||||
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=jdr/:read-resource
|
||||
echo Removing jdr subsystem and extension
|
||||
/subsystem=jdr/:remove
|
||||
/extension=org.jboss.as.jdr/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
if (outcome == success) of /subsystem=jsf/:read-resource
|
||||
echo Removing jsf subsystem and extension
|
||||
/subsystem=jsf/:remove
|
||||
/extension=org.jboss.as.jsf/:remove
|
||||
echo
|
||||
end-if
|
||||
|
||||
echo *** End Migration ***
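Review bot: The `simple-permission-mapper=anonymous-permission-mapper/:add(` operation in the Elytron block never closes its argument list: it stops at `...LoginPermission}]}]`, whereas the `constant-permission-mapper` line right after it ends in `}])`, so it should end `...LoginPermission}]}])`. If the CLI rejects that line, `logical-permission-mapper=default-permission-mapper` a few lines later names `right=anonymous-permission-mapper`, which was never created; the same unclosed line also appears in the previous file section on this page. The +/- markers are lost in this rendering, so I am assuming from the `+230,124` hunk header that these lines are on the new side. Separately, `server-identity=ssl:add(...)` sets `keystore-password=password` and `key-password=password` with `generate-self-signed-certificate-host=localhost`, and the added `https-listener` uses that same `security-realm=ApplicationRealm`. I would print a notice right after that step, for example `echo WARNING: ApplicationRealm now uses a generated self-signed keystore with a default password - replace it before production use`.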
|