[JBoss JIRA] (ISPN-4451) Missing ACCESS right
by Vojtech Juranek (JIRA)
[ https://issues.jboss.org/browse/ISPN-4451?page=com.atlassian.jira.plugin.... ]
Vojtech Juranek commented on ISPN-4451:
---------------------------------------
I was able to create a new cache with any user, no matter if it has {{LIFECYCLE}} permission or not, so IMHO it's critical. Once it requires {{LIFECYCLE}} permission, {{ACCESS}} is IMHO not very important (or the issue is definitely not critical).
> Missing ACCESS right
> --------------------
>
> Key: ISPN-4451
> URL: https://issues.jboss.org/browse/ISPN-4451
> Project: Infinispan
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Reporter: Vojtech Juranek
> Assignee: Tristan Tarrant
>
> When security is turned on ({{cacheConfig.security().authorization().enable()}}), any user can obtain/create a cache, even unauthorized users. This should be allowed only for users with right {{ACCESS}}. This right is actually not present in {{AuthorizationPermission}}.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
9 years, 10 months
[JBoss JIRA] (ISPN-4454) HR client SASL MD5 against LDAP fails
by RH Bugzilla Integration (JIRA)
[ https://issues.jboss.org/browse/ISPN-4454?page=com.atlassian.jira.plugin.... ]
RH Bugzilla Integration updated ISPN-4454:
------------------------------------------
Bugzilla Update: Perform
Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1114080
> HR client SASL MD5 against LDAP fails
> -------------------------------------
>
> Key: ISPN-4454
> URL: https://issues.jboss.org/browse/ISPN-4454
> Project: Infinispan
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Reporter: Vojtech Juranek
> Assignee: Tristan Tarrant
>
> When trying to authenticate HotRod client against LDAP using SASL DIGEST-MD5 auth, it fails with:
> {noformat}
> 18:21:40,265 ERROR [org.infinispan.server.hotrod.HotRodDecoder] (HotRodServerWorker-7-1) ISPN005009: Unexpected error before any request parameters read: io.netty.handler.codec.DecoderException: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
> at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:417) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at org.infinispan.server.core.AbstractProtocolDecoder.channelRead(AbstractProtocolDecoder.scala:471) [infinispan.jar:7.0.0-SNAPSHOT]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:332) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:318) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:125) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:507) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:464) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:378) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
> Caused by: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
> at org.infinispan.server.hotrod.HotRodDecoder.createServerException(HotRodDecoder.scala:204) [infinispan.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:118) [infinispan.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.core.AbstractProtocolDecoder.decode(AbstractProtocolDecoder.scala:59) [infinispan.jar:7.0.0-SNAPSHOT]
> at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:362) [netty-all-4.0.20.Final.jar:4.0.20.Final]
> ... 12 more
> Caused by: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
> at org.jboss.as.domain.management.security.SecurityRealmService.getCallbackHandlerService(SecurityRealmService.java:231) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final]
> at org.jboss.as.domain.management.security.SecurityRealmService.getMechanismConfig(SecurityRealmService.java:128) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final]
> at org.infinispan.server.endpoint.subsystem.EndpointServerAuthenticationProvider.getCallbackHandler(EndpointServerAuthenticationProvider.java:54) [infinispan-server-endpoints-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.hotrod.Decoder2x$.customReadHeader(Decoder2x.scala:208) [infinispan.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.hotrod.HotRodDecoder.customDecodeHeader(HotRodDecoder.scala:152) [infinispan.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.core.AbstractProtocolDecoder.decodeHeader(AbstractProtocolDecoder.scala:148) [infinispan.jar:7.0.0-SNAPSHOT]
> at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:96) [infinispan.jar:7.0.0-SNAPSHOT]
> ... 14 more
> {noformat}
> When running the same test, but using a login/passwd store in a properties file, everything works. Server LDAP config:
> {noformat}
> <security-realms>
>     <security-realm name="ApplicationRealm">
>         <authentication>
>             <ldap connection="ldap_connection" recursive="true" base-dn="ou=People,dc=infinispan,dc=org">
>                 <username-filter attribute="uid" />
>             </ldap>
>         </authentication>
>         <authorization>
>             <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
>         </authorization>
>     </security-realm>
> </security-realms>
> <outbound-connections>
>     <ldap name="ldap_connection" url="ldap://localhost:10389"/>
> </outbound-connections>
> {noformat}
[JBoss JIRA] (ISPN-4454) HR client SASL MD5 against LDAP fails
by Vojtech Juranek (JIRA)
Vojtech Juranek created ISPN-4454:
-------------------------------------
Summary: HR client SASL MD5 against LDAP fails
Key: ISPN-4454
URL: https://issues.jboss.org/browse/ISPN-4454
Project: Infinispan
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Reporter: Vojtech Juranek
Assignee: Tristan Tarrant
When trying to authenticate HotRod client against LDAP using SASL DIGEST-MD5 auth, it fails with:
{noformat}
18:21:40,265 ERROR [org.infinispan.server.hotrod.HotRodDecoder] (HotRodServerWorker-7-1) ISPN005009: Unexpected error before any request parameters read: io.netty.handler.codec.DecoderException: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:417) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at org.infinispan.server.core.AbstractProtocolDecoder.channelRead(AbstractProtocolDecoder.scala:471) [infinispan.jar:7.0.0-SNAPSHOT]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:332) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:318) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:125) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:507) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:464) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:378) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) [netty-all-4.0.20.Final.jar:4.0.20.Final]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Caused by: org.infinispan.server.hotrod.HotRodException: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
at org.infinispan.server.hotrod.HotRodDecoder.createServerException(HotRodDecoder.scala:204) [infinispan.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:118) [infinispan.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.core.AbstractProtocolDecoder.decode(AbstractProtocolDecoder.scala:59) [infinispan.jar:7.0.0-SNAPSHOT]
at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:362) [netty-all-4.0.20.Final.jar:4.0.20.Final]
... 12 more
Caused by: java.lang.IllegalStateException: JBAS015259: No CallbackHandler available for mechanism DIGEST in realm ApplicationRealm
at org.jboss.as.domain.management.security.SecurityRealmService.getCallbackHandlerService(SecurityRealmService.java:231) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.domain.management.security.SecurityRealmService.getMechanismConfig(SecurityRealmService.java:128) [wildfly-domain-management-8.1.0.Final.jar:8.1.0.Final]
at org.infinispan.server.endpoint.subsystem.EndpointServerAuthenticationProvider.getCallbackHandler(EndpointServerAuthenticationProvider.java:54) [infinispan-server-endpoints-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.hotrod.Decoder2x$.customReadHeader(Decoder2x.scala:208) [infinispan.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.hotrod.HotRodDecoder.customDecodeHeader(HotRodDecoder.scala:152) [infinispan.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.core.AbstractProtocolDecoder.decodeHeader(AbstractProtocolDecoder.scala:148) [infinispan.jar:7.0.0-SNAPSHOT]
at org.infinispan.server.core.AbstractProtocolDecoder.secureDecodeDispatch(AbstractProtocolDecoder.scala:96) [infinispan.jar:7.0.0-SNAPSHOT]
... 14 more
{noformat}
When running the same test, but using a login/passwd store in a properties file, everything works. Server LDAP config:
{noformat}
<security-realms>
    <security-realm name="ApplicationRealm">
        <authentication>
            <ldap connection="ldap_connection" recursive="true" base-dn="ou=People,dc=infinispan,dc=org">
                <username-filter attribute="uid" />
            </ldap>
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389"/>
</outbound-connections>
{noformat}
[JBoss JIRA] (ISPN-4451) Missing ACCESS right
by Tristan Tarrant (JIRA)
[ https://issues.jboss.org/browse/ISPN-4451?page=com.atlassian.jira.plugin.... ]
Tristan Tarrant commented on ISPN-4451:
---------------------------------------
Starting a cache (i.e. invoking getCache() on an unstarted cache) is only allowed if the Subject has LIFECYCLE permission. Once a cache has been started, subsequent getCache() invocations don't check permissions. However, invoking any operation on the returned cache requires a permission, so the SecureCache is useless without a valid permission.
We could introduce an ACCESS permission which forbids a getCache() op on a started cache, but I don't see this as critical.
> Missing ACCESS right
> --------------------
>
> Key: ISPN-4451
> URL: https://issues.jboss.org/browse/ISPN-4451
> Project: Infinispan
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Reporter: Vojtech Juranek
> Assignee: Tristan Tarrant
>
> When security is turned on ({{cacheConfig.security().authorization().enable()}}), any user can obtain/create a cache, even unauthorized users. This should be allowed only for users with right {{ACCESS}}. This right is actually not present in {{AuthorizationPermission}}.
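The check sequence described in the ISPN-4451 comment above, as a small stand-alone model. This is an added example, not Infinispan code: `Manager`, `Handle` and the `ACCESS` enum value are hypothetical, and the `enforceAccess` switch stands for the proposed extra check on an already started cache.

```java
import java.util.*;

public class GetCacheCheckModel {
    // ACCESS is the permission proposed in the issue; it is hypothetical here.
    enum Permission { LIFECYCLE, READ, WRITE, ACCESS }

    static void require(Set<Permission> held, Permission needed) {
        if (!held.contains(needed)) throw new SecurityException("missing " + needed);
    }

    // Handle given to a caller: every data operation re-checks the caller's permissions.
    static final class Handle {
        private final Map<String, String> store;
        private final Set<Permission> held;
        Handle(Map<String, String> store, Set<Permission> held) { this.store = store; this.held = held; }
        String get(String key) { require(held, Permission.READ); return store.get(key); }
        void put(String key, String value) { require(held, Permission.WRITE); store.put(key, value); }
    }

    static final class Manager {
        private final Map<String, Map<String, String>> started = new HashMap<>();
        private final boolean enforceAccess;
        Manager(boolean enforceAccess) { this.enforceAccess = enforceAccess; }

        Handle getCache(String name, Set<Permission> held) {
            Map<String, String> store = started.get(name);
            if (store == null) {                 // first call starts the cache
                require(held, Permission.LIFECYCLE);
                store = new HashMap<>();
                started.put(name, store);
            } else if (enforceAccess) {          // proposed extra check on a started cache
                require(held, Permission.ACCESS);
            }
            return new Handle(store, held);
        }
    }

    static String attempt(Runnable action) {
        try { action.run(); return "allowed"; }
        catch (SecurityException e) { return "denied (" + e.getMessage() + ")"; }
    }

    public static void main(String[] args) {
        Set<Permission> admin = EnumSet.allOf(Permission.class);
        Set<Permission> nobody = EnumSet.noneOf(Permission.class);
        for (boolean enforce : new boolean[] {false, true}) {
            Manager m = new Manager(enforce);
            System.out.println("enforceAccess=" + enforce);
            System.out.println("  nobody starts cache:       " + attempt(() -> m.getCache("c", nobody)));
            System.out.println("  admin starts and writes:   " + attempt(() -> m.getCache("c", admin).put("k", "v")));
            System.out.println("  nobody gets started cache: " + attempt(() -> m.getCache("c", nobody)));
            System.out.println("  nobody reads through it:   " + attempt(() -> m.getCache("c", nobody).get("k")));
        }
    }
}
```

With `enforceAccess=false` the third line prints "allowed" while the fourth is denied for missing READ; with `enforceAccess=true` both are denied at `getCache()`.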
[JBoss JIRA] (ISPN-4453) MapReduceTask#executeAsynchronously() isn't asynchronous
by Mircea Markus (JIRA)
[ https://issues.jboss.org/browse/ISPN-4453?page=com.atlassian.jira.plugin.... ]
Mircea Markus updated ISPN-4453:
--------------------------------
Assignee: Vladimir Blagojevic (was: Mircea Markus)
> MapReduceTask#executeAsynchronously() isn't asynchronous
> --------------------------------------------------------
>
> Key: ISPN-4453
> URL: https://issues.jboss.org/browse/ISPN-4453
> Project: Infinispan
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 6.0.2.Final
> Reporter: Rich DiCroce
> Assignee: Vladimir Blagojevic
>
> Quote from the linked forum thread:
> {quote}
> MapReduceTask#executeAsynchronously() doesn't actually do anything asynchronously. It just returns a MapReduceTaskFuture containing a Callable that calls execute(). The only place I see that Callable being called is in MapReduceTaskFuture#get().
>
> In other words, the task isn't actually started until you call Future#get(), which isn't asynchronous at all! On top of that, MapReduceTaskFuture extends AbstractInProcessFuture, which "implements" the get(long, TimeUnit) method by just calling get(). Which means that MapReduceTaskFuture doesn't respect the timeout parameters and will just run until it completes.
> {quote}
[JBoss JIRA] (ISPN-4453) MapReduceTask#executeAsynchronously() isn't asynchronous
by Rich DiCroce (JIRA)
Rich DiCroce created ISPN-4453:
----------------------------------
Summary: MapReduceTask#executeAsynchronously() isn't asynchronous
Key: ISPN-4453
URL: https://issues.jboss.org/browse/ISPN-4453
Project: Infinispan
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 6.0.2.Final
Reporter: Rich DiCroce
Assignee: Mircea Markus
Quote from the linked forum thread:
{quote}
MapReduceTask#executeAsynchronously() doesn't actually do anything asynchronously. It just returns a MapReduceTaskFuture containing a Callable that calls execute(). The only place I see that Callable being called is in MapReduceTaskFuture#get().
In other words, the task isn't actually started until you call Future#get(), which isn't asynchronous at all! On top of that, MapReduceTaskFuture extends AbstractInProcessFuture, which "implements" the get(long, TimeUnit) method by just calling get(). Which means that MapReduceTaskFuture doesn't respect the timeout parameters and will just run until it completes.
{quote}
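The behaviour quoted in ISPN-4453, modelled next to an executor-backed future that starts immediately and honours its timeout. This is an added example, not Infinispan code: `LazyFuture` is a hypothetical stand-in for the pattern the report describes, and the 500 ms job is constructed.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class LazyFutureDemo {
    static final AtomicInteger starts = new AtomicInteger();

    // Models the quoted behaviour: the Callable only runs inside get(), and the
    // timed get() delegates to get(), so the timeout is ignored.
    static final class LazyFuture<V> implements Future<V> {
        private final Callable<V> task;
        private V result;
        private boolean done;
        LazyFuture(Callable<V> task) { this.task = task; }
        @Override public synchronized V get() throws ExecutionException {
            if (!done) {
                try { result = task.call(); } catch (Exception e) { throw new ExecutionException(e); }
                done = true;
            }
            return result;
        }
        @Override public V get(long timeout, TimeUnit unit) throws ExecutionException { return get(); }
        @Override public boolean cancel(boolean mayInterruptIfRunning) { return false; }
        @Override public boolean isCancelled() { return false; }
        @Override public synchronized boolean isDone() { return done; }
    }

    public static void main(String[] args) throws Exception {
        Callable<String> job = () -> {            // constructed stand-in for a long-running task
            starts.incrementAndGet();
            Thread.sleep(500);
            return "reduced";
        };
        Future<String> lazy = new LazyFuture<>(job);
        Thread.sleep(100);
        System.out.println("lazy: started before get()? " + (starts.get() > 0));
        long t0 = System.nanoTime();
        lazy.get(50, TimeUnit.MILLISECONDS);       // blocks for the whole job, no TimeoutException
        System.out.println("lazy: get(50 ms) returned after ~" + (System.nanoTime() - t0) / 1_000_000 + " ms");

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> async = pool.submit(job);   // starts immediately on a worker thread
            try {
                async.get(50, TimeUnit.MILLISECONDS);
            } catch (TimeoutException e) {
                System.out.println("async: get(50 ms) timed out as requested; cancelled=" + async.cancel(true));
            }
        } finally {
            pool.shutdownNow();
        }
    }
}
```

A caller that relies on the timed `get()` to bound how long a task may run gets no such bound from the lazy variant, which matters wherever the timeout is the only limit on resource use.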
[JBoss JIRA] (ISPN-4448) RHQ server plugin: synchronize data operation String casting to Byte array fails
by Tomas Sykora (JIRA)
[ https://issues.jboss.org/browse/ISPN-4448?page=com.atlassian.jira.plugin.... ]
Tomas Sykora commented on ISPN-4448:
------------------------------------
Getting these errors during Synchronize Data:
http://pastebin.com/R6zHDJyB
I suspect some codec mismatch causing problems.
What am I missing here?
> RHQ server plugin: synchronize data operation String casting to Byte array fails
> --------------------------------------------------------------------------------
>
> Key: ISPN-4448
> URL: https://issues.jboss.org/browse/ISPN-4448
> Project: Infinispan
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JMX, reporting and management
> Affects Versions: 7.0.0.Alpha4
> Reporter: Tomas Sykora
> Assignee: William Burns
> Labels: rhq
>
> Invocation of rolling upgrades related operation -- Synchronize Data -- on a new node's cache fails with the following error:
> java.lang.Exception: JBAS011002: Failed to invoke operation: java.lang.String cannot be cast to [B, rolled-back=true
> at org.rhq.core.pc.operation.OperationInvocation.run(OperationInvocation.java:278)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> at java.lang.Thread.run(Thread.java:722)
> Note that there is also ISPN-4447, which says that we can't record known global keyset using RHQ.
> In this issue, we performed that operation using the CLI interface console in order to create dumped keys. Then, we tried to synchronize data using RHQ cache operation and passing "hotrod" as a migrator. This was expected to work properly.