[
https://issues.jboss.org/browse/ISPN-6261?page=com.atlassian.jira.plugin....
]
Vojtech Juranek updated ISPN-6261:
----------------------------------
Description:
When running the CLI on secured caches, it fails with the exception below. This exception is
quite confusing, as the user has a properly defined ADMIN permission on the given cache. What is
actually happening is that some operation called by the CLI, such as statistics, iterates over
all defined caches, including internal caches, and the user doesn't have the required permission on
all of these caches (in this case on the internal script cache).
{noformat}
00:04:23,563 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 1) WFLYCTL0013: Operation ("read-attribute") failed
- address: ([
("subsystem" => "datagrid-infinispan"),
("cache-container" => "local")
]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject
with principal(s): [user@ManagementRealm, admin@ManagementRealm, admin,
org.jboss.remoting3.security.UserPrincipal@36ebcb, InetAddressPrincipal
<127.0.0.1/127.0.0.1>, InetAddressPrincipal <127.0.0.1/127.0.0.1>]' lacks
'ADMIN' permission
at
org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
at
org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:37)
at
org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:567)
at
org.infinispan.stats.impl.CacheContainerStatsImpl.calculateAverageRemoveTime(CacheContainerStatsImpl.java:131)
at
org.infinispan.stats.impl.CacheContainerStatsImpl.getAverageRemoveTime(CacheContainerStatsImpl.java:121)
at
org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:196)
at
org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
{noformat}
*Steps to reproduce:*
* create a management user using the {{add-user.sh}} script (e.g. user {{user}}) and assign it the role
{{admin}} in {{standalone/configuration/mgmt-groups.properties}}
* create a secured cache {{testcache}} with the following configuration in {{standalone.xml}}
(security enabled and the admin user has ADMIN rights):
{noformat}
<cache-container name="local"
default-cache="testcache">
<security>
<authorization>
<identity-role-mapper/>
<role name="admin" permissions="ADMIN"
/>
</authorization>
</security>
<local-cache name="testcache" start="EAGER"
batching="false">
<security>
<authorization roles="admin"
enabled="true"/>
</security>
<transaction mode="NONE"/>
</local-cache>
</cache-container>
{noformat}
* start the ISPN server in standalone mode
* start the ISPN console in GUI mode ({{ispn-cli.sh --gui --user=user --password=pass}}) and
navigate to {{subsystem=datagrid-infinispan -> cache-container=local}}
* once {{cache-container=local}} is clicked, no cache appears there (while
{{testcache}} should be listed) and the exception above appears in the ISPN server log
Alternatively, run the CLI without the GUI and execute
{noformat}
cd subsystem=datagrid-infinispan/cache-container=local
ls
{noformat}
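The failure mode described above (a per-cache permission check aborting a container-wide aggregation, so the error names a cache the user never asked about) can be modelled without Infinispan. The following is an added example written for this page, not Infinispan code: the class and function names, the `__internal_script_cache__` name and the sample statistics are all constructed. It runs the "strict" aggregation that the stack trace shows, and beside it an authorized-only aggregation that skips caches the subject cannot read and reports which ones were skipped, which is the information a user debugging ISPN000287 actually needs.

```python
"""Model of a container-wide statistics call over per-cache authorization.

Stand-alone model for illustration, not Infinispan code.  Cache, Subject,
the internal cache name and the sample statistics are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class UnauthorizedAccess(Exception):
    """Raised when a subject lacks a permission on a cache (models ISPN000287)."""

    def __init__(self, cache: str, subject_roles: Set[str], permission: str):
        self.cache = cache
        super().__init__(
            f"subject with roles {sorted(subject_roles)} lacks '{permission}' "
            f"permission on cache '{cache}'"
        )


@dataclass
class Cache:
    name: str
    # roles holding ADMIN on this cache; an internal cache grants none to
    # ordinary management users
    admin_roles: Set[str]
    stats: Dict[str, float] = field(default_factory=dict)


@dataclass
class Subject:
    roles: Set[str]


def check_permission(subject: Subject, cache: Cache, permission: str = "ADMIN") -> None:
    """Per-cache check, as a secure cache wrapper performs before serving stats."""
    if permission == "ADMIN" and subject.roles & cache.admin_roles:
        return
    raise UnauthorizedAccess(cache.name, subject.roles, permission)


def average_remove_time_strict(subject: Subject, caches: List[Cache]) -> float:
    """Behaviour from the ticket: iterate over every cache in the container,
    internal ones included, and let the first failed check abort everything."""
    total, n = 0.0, 0
    for cache in caches:
        check_permission(subject, cache)
        total += cache.stats.get("average_remove_time", 0.0)
        n += 1
    return total / n if n else 0.0


def average_remove_time_authorized_only(
    subject: Subject, caches: List[Cache]
) -> Tuple[float, List[str]]:
    """Defensive alternative: aggregate only over caches the subject may read
    and return the names that were skipped, so the caller can tell that the
    problem lies with another cache rather than the one it addressed."""
    total, n, skipped = 0.0, 0, []
    for cache in caches:
        try:
            check_permission(subject, cache)
        except UnauthorizedAccess:
            skipped.append(cache.name)
            continue
        total += cache.stats.get("average_remove_time", 0.0)
        n += 1
    return (total / n if n else 0.0), skipped


# Constructed container mirroring the ticket's standalone.xml: testcache grants
# ADMIN to role "admin"; the internal script cache (constructed name) grants
# nothing to management users.
CONTAINER = [
    Cache("testcache", {"admin"}, {"average_remove_time": 0.5}),
    Cache("__internal_script_cache__", set(), {"average_remove_time": 0.1}),
]
ADMIN_USER = Subject({"admin"})


def reproduce() -> dict:
    """Run both strategies against the sample container and summarise."""
    out = {}
    try:
        average_remove_time_strict(ADMIN_USER, CONTAINER)
        out["strict"] = "ok"
    except UnauthorizedAccess as exc:
        # the user has ADMIN on testcache, yet the call fails on another cache
        out["strict"] = f"failed on {exc.cache}"
    avg, skipped = average_remove_time_authorized_only(ADMIN_USER, CONTAINER)
    out["authorized_only"] = (avg, skipped)
    return out


if __name__ == "__main__":
    print(reproduce())
```

Running it shows the strict aggregation failing on `__internal_script_cache__` even though the subject holds ADMIN on `testcache`, while the authorized-only variant returns the average over `testcache` alone together with the skipped cache name; whichever strategy a product chooses, surfacing the offending cache name in the error is what turns ISPN000287 from a confusing message into a diagnosable one.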
was: the previous description, identical to the one above except that it lacked the final alternative of running the CLI without the GUI.
CLI fails on secured caches
---------------------------
Key: ISPN-6261
URL: https://issues.jboss.org/browse/ISPN-6261
Project: Infinispan
Issue Type: Bug
Components: CLI, Security
Reporter: Vojtech Juranek
Assignee: Vojtech Juranek
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)