[JBoss JIRA] (ISPN-8940) Some JMX statistics are not available when activating authorization in CacheManager
6:24 a.m.
[
https://issues.jboss.org/browse/ISPN-8940?page=com.atlassian.jira.plugin....
]
Rafael Ruiz updated ISPN-8940:
------------------------------
Description:
1.- Unzip infinispan-server-9.2.0.Final-bin.zip
2.- Create an user in ApplicationRealm with _bin/add-user.sh_
3.- Add authorization to clustered.xml:
{code:xml}
<cache-container name="clustered" default-cache="default"
statistics="true">
<security>
<authorization>
<identity-role-mapper/>
<role name="jdguser" permissions="ALL"/>
<role name="admin" permissions="ALL BULK_READ
BULK_WRITE ADMIN"/>
</authorization>
</security>
...
<replicated-cache name="repl"
configuration="replicated">
<security>
<authorization roles="admin jdguser" />
</security>
</replicated-cache>
{code}
4.- Start with _standalone.sh -c clustered.xml _ and try to access to CacheManager mbeans
from JConsole. It will show _Unavailable_ for most fields of
_jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats_
In server logs:
WARN [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46)
ISPN000036: Did not find attribute removeHits
One message for each unrecheable attribute.
If you set org.infinispan category to DEBUG level, it will show:
{noformat}
{{ DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46)
Exception while reading value of attribute evictions:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
...
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject
'null' lacks 'ADMIN' permission
at
org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
at
org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
{noformat}
was:
1.- Unzip infinispan-server-9.2.0.Final-bin.zip
2.- Create an user in ApplicationRealm with _bin/add-user.sh_
3.- Add authorization to clustered.xml:
{code:xml}
<cache-container name="clustered" default-cache="default"
statistics="true">
<security>
<authorization>
<identity-role-mapper/>
<role name="jdguser" permissions="ALL"/>
<role name="admin" permissions="ALL BULK_READ
BULK_WRITE ADMIN"/>
</authorization>
</security>
...
<replicated-cache name="repl"
configuration="replicated">
<security>
<authorization roles="admin jdguser" />
</security>
</replicated-cache>
{code}
4.- Start with _standalone.sh -c clustered.xml _and try to access to CacheManager mbeans
from JConsole. It will show _Unavailable_ for most fields of
jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats
In server logs:
WARN [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46)
ISPN000036: Did not find attribute removeHits
One message for each unrecheable attribute.
If you set org.infinispan category to DEBUG level, it will show:
{noformat}
{{ DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46)
Exception while reading value of attribute evictions:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
...
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject
'null' lacks 'ADMIN' permission
at
org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
at
org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
{noformat}
Some JMX statistics are not available when activating authorization
in CacheManager
-----------------------------------------------------------------------------------
Key: ISPN-8940
URL: https://issues.jboss.org/browse/ISPN-8940
Project: Infinispan
Issue Type: Bug
Components: JMX, reporting and management
Affects Versions: 9.2.0.Final
Reporter: Rafael Ruiz
1.- Unzip infinispan-server-9.2.0.Final-bin.zip
2.- Create an user in ApplicationRealm with _bin/add-user.sh_
3.- Add authorization to clustered.xml:
{code:xml}
<cache-container name="clustered" default-cache="default"
statistics="true">
<security>
<authorization>
<identity-role-mapper/>
<role name="jdguser"
permissions="ALL"/>
<role name="admin" permissions="ALL BULK_READ
BULK_WRITE ADMIN"/>
</authorization>
</security>
...
<replicated-cache name="repl"
configuration="replicated">
<security>
<authorization roles="admin jdguser" />
</security>
</replicated-cache>
{code}
4.- Start with _standalone.sh -c clustered.xml _ and try to access to CacheManager mbeans
from JConsole. It will show _Unavailable_ for most fields of
_jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats_
In server logs:
WARN [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46)
ISPN000036: Did not find attribute removeHits
One message for each unrecheable attribute.
If you set org.infinispan category to DEBUG level, it will show:
{noformat}
{{ DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46)
Exception while reading value of attribute evictions:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
...
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject
'null' lacks 'ADMIN' permission
at
org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
at
org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
{noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
2945
days inactive
2945
days old
infinispan-issues@lists.jboss.org
0 comments
1 participants
participants (1)
-
Rafael Ruiz (JIRA)