June 2014 - infinispan-issues - Jboss List Archives

[JBoss JIRA] (ISPN-4451) Missing ACCESS right

by Vojtech Juranek (JIRA)

[ https://issues.jboss.org/browse/ISPN-4451?page=com.atlassian.jira.plugin.... ] Vojtech Juranek commented on ISPN-4451: --------------------------------------- I was able to create new cache with any user, no matter if it has {{LIFECYCLE}} permission or not, so IMHO it's critical. Once it requires {{LIFECYCLE}} permission, {{ACCESS}} is IMHO not very important (or the issue is definitely not critical). > Missing ACCESS right > -------------------- > > Key: ISPN-4451 > URL: https://issues.jboss.org/browse/ISPN-4451 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Security > Reporter: Vojtech Juranek > Assignee: Tristan Tarrant > > When security is turned on ({{cacheConfig.security().authorization().enable()}}), any user can obtain/create a cache, even unauthorized users. This should be allowed only for users with right {{ACCESS}}. This right is actually not present in {{AuthorizationPermission}}. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4454) HR client SASL MD5 against LDAP fails

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/ISPN-4454?page=com.atlassian.jira.plugin.... ] RH Bugzilla Integration updated ISPN-4454: ------------------------------------------ Bugzilla Update: Perform Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1114080 > HR client SASL MD5 against LDAP fails > ------------------------------------- > > Key: ISPN-4454 > URL: https://issues.jboss.org/browse/ISPN-4454 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Security > Reporter: Vojtech Juranek > Assignee: Tristan Tarrant > > When trying to authenticate HotRod client against LDAP using SASL DIGEST-MD5 auth, it fails with: > {noformat} > 31m18:21:40,265 ERROR [org.infinispan.server.hotrod.HotRodDecoder] (HotRodServerWorker-7-1) ISPN005009: Unexpected error before any request parameters read: io.netty.handler.codec.DecoderException: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm > at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:417) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at org.infinispan.server.core.AbstractProtocolDecoder.channelRead(AbstractProtocolDecoder.scala:471) [infinispan.jar:7.0.0-SNAPSHOT] > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:332) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:318) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:125) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:507) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:464) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:378) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) [netty-all-4.0.20.Final.jar:4.0.20.Final] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] > Caused by: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm > at org.infinispan.server.hotrod.HotRodDecoder.createServerException(HotRodDecoder.scala:204) [infinispan.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:118) [infinispan.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.core.AbstractProtocolDecoder.decode(AbstractProtocolDecoder.scala:59) [infinispan.jar:7.0.0-SNAPSHOT] > at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:362) [netty-all-4.0.20.Final.jar:4.0.20.Final] > ... 12 more > Caused by: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm > at org.jboss.as.domain.management.security.SecurityRealmService.getCallbackHandlerService(SecurityRealmService.java:231) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final] > at org.jboss.as.domain.management.security.SecurityRealmService.getMechanismConfig(SecurityRealmService.java:128) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final] > at org.infinispan.server.endpoint.subsystem.EndpointServerAuthenticationProvider.getCallbackHandler(EndpointServerAuthenticationProvider.java:54) [infinispan-server-endpoints-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.hotrod.Decoder2x$.customReadHeader(Decoder2x.scala:208) [infinispan.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.hotrod.HotRodDecoder.customDecodeHeader(HotRodDecoder.scala:152) [infinispan.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.core.AbstractProtocolDecoder.decodeHeader(AbstractProtocolDecoder.scala:148) [infinispan.jar:7.0.0-SNAPSHOT] > at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:96) [infinispan.jar:7.0.0-SNAPSHOT] > ... 14 more > {noformat} > When running same test, but using login/passwd store in properties file, everything works. Serve LDAP config: > {noformat} > <security-realms> > <security-realm name="ApplicationRealm"> > <authentication> > <ldap connection="ldap_connection" recursive="true" base-dn="ou=People,dc=infinispan,dc=org"> > <username-filter attribute="uid" /> > </ldap> > </authentication> > <authorization> > <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> > </authorization> > </security-realm> > </security-realms> > <outbound-connections> > <ldap name="ldap_connection" url="ldap://localhost:10389"/> > </outbound-connections> > {noformat} -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4454) HR client SASL MD5 against LDAP fails

by Vojtech Juranek (JIRA)

Vojtech Juranek created ISPN-4454: ------------------------------------- Summary: HR client SASL MD5 against LDAP fails Key: ISPN-4454 URL: https://issues.jboss.org/browse/ISPN-4454 Project: Infinispan Issue Type: Bug Security Level: Public (Everyone can see) Components: Security Reporter: Vojtech Juranek Assignee: Tristan Tarrant When trying to authenticate HotRod client against LDAP using SASL DIGEST-MD5 auth, it fails with: {noformat} 31m18:21:40,265 ERROR [org.infinispan.server.hotrod.HotRodDecoder] (HotRodServerWorker-7-1) ISPN005009: Unexpected error before any request parameters read: io.netty.handler.codec.DecoderException: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:417) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) [netty-all-4.0.20.Final.jar:4.0.20.Final] at org.infinispan.server.core.AbstractProtocolDecoder.channelRead(AbstractProtocolDecoder.scala:471) [infinispan.jar:7.0.0-SNAPSHOT] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:332) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:318) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:125) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:507) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:464) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:378) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350) [netty-all-4.0.20.Final.jar:4.0.20.Final] at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) [netty-all-4.0.20.Final.jar:4.0.20.Final] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] Caused by: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm at org.infinispan.server.hotrod.HotRodDecoder.createServerException(HotRodDecoder.scala:204) [infinispan.jar:7.0.0-SNAPSHOT] at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:118) [infinispan.jar:7.0.0-SNAPSHOT] at org.infinispan.server.core.AbstractProtocolDecoder.decode(AbstractProtocolDecoder.scala:59) [infinispan.jar:7.0.0-SNAPSHOT] at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:362) [netty-all-4.0.20.Final.jar:4.0.20.Final] ... 12 more Caused by: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm at org.jboss.as.domain.management.security.SecurityRealmService.getCallbackHandlerService(SecurityRealmService.java:231) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final] at org.jboss.as.domain.management.security.SecurityRealmService.getMechanismConfig(SecurityRealmService.java:128) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final] at org.infinispan.server.endpoint.subsystem.EndpointServerAuthenticationProvider.getCallbackHandler(EndpointServerAuthenticationProvider.java:54) [infinispan-server-endpoints-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT] at org.infinispan.server.hotrod.Decoder2x$.customReadHeader(Decoder2x.scala:208) [infinispan.jar:7.0.0-SNAPSHOT] at org.infinispan.server.hotrod.HotRodDecoder.customDecodeHeader(HotRodDecoder.scala:152) [infinispan.jar:7.0.0-SNAPSHOT] at org.infinispan.server.core.AbstractProtocolDecoder.decodeHeader(AbstractProtocolDecoder.scala:148) [infinispan.jar:7.0.0-SNAPSHOT] at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:96) [infinispan.jar:7.0.0-SNAPSHOT] ... 14 more {noformat} When running same test, but using login/passwd store in properties file, everything works. Serve LDAP config: {noformat} <security-realms> <security-realm name="ApplicationRealm"> <authentication> <ldap connection="ldap_connection" recursive="true" base-dn="ou=People,dc=infinispan,dc=org"> <username-filter attribute="uid" /> </ldap> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm> </security-realms> <outbound-connections> <ldap name="ldap_connection" url="ldap://localhost:10389"/> </outbound-connections> {noformat} -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4264) CLI should be able to manipulate role mapping

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/ISPN-4264?page=com.atlassian.jira.plugin.... ] RH Bugzilla Integration commented on ISPN-4264: ----------------------------------------------- Tristan Tarrant <ttarrant(a)redhat.com> changed the Status of [bug 1109583|https://bugzilla.redhat.com/show_bug.cgi?id=1109583] from ASSIGNED to ON_QA > CLI should be able to manipulate role mapping > --------------------------------------------- > > Key: ISPN-4264 > URL: https://issues.jboss.org/browse/ISPN-4264 > Project: Infinispan > Issue Type: Sub-task > Security Level: Public(Everyone can see) > Components: Core, Remote Protocols, Security, Server > Reporter: Tristan Tarrant > Assignee: Tristan Tarrant > Fix For: 7.0.0.Beta1, 7.0.0.Final > > > The server CLI should have "grant" and "deny" commands to manipulate the role mapping: > [GRANT|DENY] role TO principal [ON container]? -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4451) Missing ACCESS right

by Tristan Tarrant (JIRA)

[ https://issues.jboss.org/browse/ISPN-4451?page=com.atlassian.jira.plugin.... ] Tristan Tarrant commented on ISPN-4451: --------------------------------------- Starting a cache (i.e. invoking getCache() on an unstarted cache) is only allowed if the Subject has LIFECYCLE permission. Once a cache has been started, subsequent getCache() invocations don't check permissions. However, invoking any operation on the returned cache requires a permission, so the SecureCache is useless without a valid permission. We could introduce an ACCESS permission which forbids a getCache() op on a started cache, but I don't see this as critical. > Missing ACCESS right > -------------------- > > Key: ISPN-4451 > URL: https://issues.jboss.org/browse/ISPN-4451 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Security > Reporter: Vojtech Juranek > Assignee: Tristan Tarrant > > When security is turned on ({{cacheConfig.security().authorization().enable()}}), any user can obtain/create a cache, even unauthorized users. This should be allowed only for users with right {{ACCESS}}. This right is actually not present in {{AuthorizationPermission}}. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4453) MapReduceTask#executeAsynchronously() isn't asynchronous

by Mircea Markus (JIRA)

[ https://issues.jboss.org/browse/ISPN-4453?page=com.atlassian.jira.plugin.... ] Mircea Markus updated ISPN-4453: -------------------------------- Assignee: Vladimir Blagojevic (was: Mircea Markus) > MapReduceTask#executeAsynchronously() isn't asynchronous > -------------------------------------------------------- > > Key: ISPN-4453 > URL: https://issues.jboss.org/browse/ISPN-4453 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Affects Versions: 6.0.2.Final > Reporter: Rich DiCroce > Assignee: Vladimir Blagojevic > > Quote from the linked forum thread: > {quote} > MapReduceTask#executeAsynchronously() doesn't actually do anything asynchronously. It just returns a MapReduceTaskFuture containing a Callable that calls execute(). The only place I see that Callable being called is in MapReduceTaskFuture#get(). > > In other words, the task isn't actually started until you call Future#get(), which isn't asynchronous at all! On top of that, MapReduceTaskFuture extends AbstractInProcessFuture, which "implements" the get(long, TimeUnit) method by just calling get(). Which means that MapReduceTaskFuture doesn't respect the timeout parameters and will just run until it completes. > {quote} -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4453) MapReduceTask#executeAsynchronously() isn't asynchronous

by Rich DiCroce (JIRA)

Rich DiCroce created ISPN-4453: ---------------------------------- Summary: MapReduceTask#executeAsynchronously() isn't asynchronous Key: ISPN-4453 URL: https://issues.jboss.org/browse/ISPN-4453 Project: Infinispan Issue Type: Bug Security Level: Public (Everyone can see) Affects Versions: 6.0.2.Final Reporter: Rich DiCroce Assignee: Mircea Markus Quote from the linked forum thread: {quote} MapReduceTask#executeAsynchronously() doesn't actually do anything asynchronously. It just returns a MapReduceTaskFuture containing a Callable that calls execute(). The only place I see that Callable being called is in MapReduceTaskFuture#get(). In other words, the task isn't actually started until you call Future#get(), which isn't asynchronous at all! On top of that, MapReduceTaskFuture extends AbstractInProcessFuture, which "implements" the get(long, TimeUnit) method by just calling get(). Which means that MapReduceTaskFuture doesn't respect the timeout parameters and will just run until it completes. {quote} -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4401) OSGi - PAX-URL needs to work when the local mvn repo is passed from a configuration file

by Pedro Ruivo (JIRA)

[ https://issues.jboss.org/browse/ISPN-4401?page=com.atlassian.jira.plugin.... ] Pedro Ruivo updated ISPN-4401: ------------------------------ Status: Resolved (was: Pull Request Sent) Fix Version/s: 7.0.0.Alpha5 Resolution: Done > OSGi - PAX-URL needs to work when the local mvn repo is passed from a configuration file > ---------------------------------------------------------------------------------------- > > Key: ISPN-4401 > URL: https://issues.jboss.org/browse/ISPN-4401 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Ion Savin > Assignee: Ion Savin > Fix For: 7.0.0.Alpha5 > > > Custom local repos can be defined in configuration files also in addition to passing -Dmaven.local.repo on the cmdline. > PAX-URL will fail to resolve mvn: URLs in this case. > Looking again at the maven properties available "localRepository" seems to cover both case. Use this instead of maven.repo.local. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4264) CLI should be able to manipulate role mapping

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/ISPN-4264?page=com.atlassian.jira.plugin.... ] RH Bugzilla Integration commented on ISPN-4264: ----------------------------------------------- Vitalii Chepeliuk <vchepeli(a)redhat.com> changed the Status of [bug 1109583|https://bugzilla.redhat.com/show_bug.cgi?id=1109583] from ON_QA to ASSIGNED > CLI should be able to manipulate role mapping > --------------------------------------------- > > Key: ISPN-4264 > URL: https://issues.jboss.org/browse/ISPN-4264 > Project: Infinispan > Issue Type: Sub-task > Security Level: Public(Everyone can see) > Components: Core, Remote Protocols, Security, Server > Reporter: Tristan Tarrant > Assignee: Tristan Tarrant > Fix For: 7.0.0.Beta1, 7.0.0.Final > > > The server CLI should have "grant" and "deny" commands to manipulate the role mapping: > [GRANT|DENY] role TO principal [ON container]? -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

[JBoss JIRA] (ISPN-4448) RHQ server plugin: synchronize data operation String casting to Byte array fails

by Tomas Sykora (JIRA)

[ https://issues.jboss.org/browse/ISPN-4448?page=com.atlassian.jira.plugin.... ] Tomas Sykora commented on ISPN-4448: ------------------------------------ Getting this errors during Synchronize Data: http://pastebin.com/R6zHDJyB I suspect some codec mismatch causing problems. What am I missing here? > RHQ server plugin: synchronize data operation String casting to Byte array fails > -------------------------------------------------------------------------------- > > Key: ISPN-4448 > URL: https://issues.jboss.org/browse/ISPN-4448 > Project: Infinispan > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: JMX, reporting and management > Affects Versions: 7.0.0.Alpha4 > Reporter: Tomas Sykora > Assignee: William Burns > Labels: rhq > > Invocation of rolling upgrades related operation -- Synchronize Data -- on a new node's cache fails with a following error: > java.lang.Exception: JBAS011002: Failed to invoke operation: java.lang.String cannot be cast to [B, rolled-back=true > at org.rhq.core.pc.operation.OperationInvocation.run(OperationInvocation.java:278) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) > at java.lang.Thread.run(Thread.java:722) > Note, that there is also ISPN-4447 which says, that we can't record known global keyset using RHQ. > In this issue, we proceed that operation using CLI interface console in order to create dumped keys. Then, we tried to synchronize data using RHQ cache operation and passing "hotrod" as a migrator. This was expected to work properly. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 10 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

infinispan-issues June 2014