[JBoss JIRA] (JGRP-2179) (7.0.z) SYM/ASYM_ENCRYPT: don't use WeakHashMap for old ciphers
by Bartosz Spyrko-Śmietanko (JIRA)
Bartosz Spyrko-Śmietanko created JGRP-2179:
----------------------------------------------
Summary: (7.0.z) SYM/ASYM_ENCRYPT: don't use WeakHashMap for old ciphers
Key: JGRP-2179
URL: https://issues.jboss.org/browse/JGRP-2179
Project: JGroups
Issue Type: Task
Reporter: Bartosz Spyrko-Śmietanko
Assignee: Bela Ban
Priority: Minor
Fix For: 3.6.11, 4.0
Currently we use a WeakHashMap, but should not, for the reasons outlined below. We could replace it with a LazyRemovalCache. Andrew's email refers to SecretKeys, but this probably also applies to Ciphers.
Andrew Haley's email:
{quote}
TL/DR: Please don't use WeakReferences, SoftReferences, etc. to cache
any data which might point to native memory. In particular, never do
this with instances of java.security.Key. Instead, implement either
some kind of ageing strategy or a fixed-size cache.
...
This is a warning to anybody who might cache crypto keys.
A customer has been having problems with the exhaustion of native
memory before the Java heap is full. It was fun trying to track down
the cause, but it's now happened several times to several customers,
and it's a serious problem for real-world usage in app servers.
PKCS#11 is a standard way to communicate between applications and
crypto libraries. There is a Java crypto provider which supports
PKCS#11. Some of our customers must use this provider in order to get
FIPS certification.
The problem is this:
A crypto key is a buffer in memory, allocated by the PKCS#11 native
library. It's accessed via a handle which is stored as an integer
field in a Java object. This Java object is a PhantomReference, so
when the garbage collector detects that a crypto key is no longer
reachable it is closed and the associated native memory is freed.
Modern garbage collectors don't much bother to process objects in the
old generation because it's not usually worthwhile. Thus, crypto keys
don't get recycled very quickly. They can pile up in the old
generation. This isn't a problem for the Java heap because the
objects containing the references to crypto keys are very small.
Unfortunately, the native side of a crypto key is much bigger, maybe
up to a thousand times bigger. So if we have 4000 stale crypto keys
in the heap that's not a problem, a few kbytes. But the native memory
may be a megabyte.
This problem is made even worse by Tomcat because it uses
SoftReferences to cache crypto keys. SoftReferences are processed
lazily, and maybe not at all until the Java heap runs out of memory.
Unfortunately it doesn't, but the machine runs out of native memory
instead.
We could solve this simply by making instances of PKCS#11 keys really
big Java objects by padding with dummy fields. Then, the GC would
collect them quickly. This does work but it seriously impacts
performance. Also, we could tweak the garbage collectors to clear out
stale references more enthusiastically, but this impacts performance
even more. There are some controls with the G1 collector which
process SoftReferences more aggressively and these help, but again at
the cost of performance.
Finally: the Shenandoah collector we're working on handles this
problem much better than the older collectors, but it's some
way off.
{quote}
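The fixed-size, ageing cache the email asks for, as an added example that is not JGroups code and not its LazyRemovalCache: `BoundedKeyCache` is a hypothetical class, the caller passes the clock value in so the demonstration is deterministic, and `SecretKeySpec` stands in for a PKCS#11-backed key (it has no native side, but the same `Destroyable` handling applies to keys that do). Entries are strongly referenced and evicted on capacity or age, so releasing the native handle never waits for the garbage collector to notice a tiny Java object.

```java
import java.security.Key;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

/**
 * Bounded, age-limited cache for retired keys (hypothetical; not JGroups'
 * LazyRemovalCache). Entries are held by strong references and are evicted
 * deterministically, on capacity or age, so freeing the provider's native
 * memory no longer depends on the GC processing the old generation.
 */
public final class BoundedKeyCache {
    private static final class Entry {
        final Key key;
        final long insertedAt;
        Entry(Key key, long insertedAt) { this.key = key; this.insertedAt = insertedAt; }
    }

    private final int maxEntries;
    private final long maxAgeMillis;
    private final LinkedHashMap<String, Entry> map;   // access-ordered: eldest == least recently used

    public BoundedKeyCache(int maxEntries, long maxAgeMillis) {
        this.maxEntries = maxEntries;
        this.maxAgeMillis = maxAgeMillis;
        this.map = new LinkedHashMap<String, Entry>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Entry> eldest) {
                if (size() <= BoundedKeyCache.this.maxEntries) return false;
                release(eldest.getValue().key);   // capacity eviction frees the key explicitly
                return true;
            }
        };
    }

    /** Store a key under a version tag; the caller supplies the current time in millis. */
    public synchronized void put(String version, Key key, long now) {
        expire(now);
        Entry old = map.put(version, new Entry(key, now));
        if (old != null && old.key != key) release(old.key);
    }

    /** Look up a key, evicting anything that has aged out first. Returns null if absent. */
    public synchronized Key get(String version, long now) {
        expire(now);
        Entry e = map.get(version);
        return e == null ? null : e.key;
    }

    public synchronized int size() { return map.size(); }

    /** Drop every entry older than maxAgeMillis, releasing its native side. */
    private void expire(long now) {
        Iterator<Entry> it = map.values().iterator();
        while (it.hasNext()) {
            Entry e = it.next();
            if (now - e.insertedAt > maxAgeMillis) {
                release(e.key);
                it.remove();
            }
        }
    }

    /** Release a key's native resources right away where the provider supports it. */
    private static void release(Key key) {
        if (key instanceof Destroyable) {
            Destroyable d = (Destroyable) key;
            try {
                if (!d.isDestroyed()) d.destroy();
            } catch (DestroyFailedException ignored) {
                // the default Destroyable.destroy() throws; providers without native
                // state have nothing to free, so this is not an error for the cache
            }
        }
    }

    public static void main(String[] args) {
        BoundedKeyCache cache = new BoundedKeyCache(2, 60_000L);
        long t = 0;
        cache.put("v1", new SecretKeySpec(new byte[16], "AES"), t);
        cache.put("v2", new SecretKeySpec(new byte[16], "AES"), t + 1_000);
        cache.put("v3", new SecretKeySpec(new byte[16], "AES"), t + 2_000); // capacity 2: evicts v1
        System.out.println("v1 present: " + (cache.get("v1", t + 3_000) != null)); // false
        System.out.println("v2 present: " + (cache.get("v2", t + 3_000) != null)); // true
        System.out.println("size before age expiry: " + cache.size());            // 2
        cache.get("v2", t + 100_000);   // both remaining entries are older than 60 s
        System.out.println("size after age expiry: " + cache.size());             // 0
    }
}
```

The point of the design is that eviction is driven by the cache's own policy rather than by reference processing: a `WeakHashMap` or `SoftReference` cache lets the small Java handle survive in the old generation while the large native buffer behind it stays allocated, whereas a bounded cache with an explicit `destroy()` on eviction puts an upper bound on the number of live native keys regardless of GC behaviour.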
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (JGRP-2178) (7.0.z) Add convenience method Rsp.readIn
by Bartosz Spyrko-Śmietanko (JIRA)
Bartosz Spyrko-Śmietanko created JGRP-2178:
----------------------------------------------
Summary: (7.0.z) Add convenience method Rsp.readIn
Key: JGRP-2178
URL: https://issues.jboss.org/browse/JGRP-2178
Project: JGroups
Issue Type: Enhancement
Affects Versions: 3.6.10, 4.0
Reporter: Bartosz Spyrko-Śmietanko
Assignee: Radim Vansa
Priority: Minor
Fix For: 3.6.11, 4.0
In Infinispan, during a staggered get we prepare several {{Rsp}}s in a {{RspList}} and then for each {{Rsp}} we send one message. As the {{RspList}} can be accessed by multiple threads but we don't want to synchronize the access, we just get the {{Rsp}} and fill it from the (other) received {{Rsp}}. However, the fill requires several ifs:
{code}
if (rsp.hasException()) {
    futureRsp.setException(rsp.getException());
} else if (rsp.wasSuspected()) {
    futureRsp.setSuspected();
} else if (rsp.wasUnreachable()) {
    futureRsp.setUnreachable();
} else {
    futureRsp.setValue(rsp.getValue());
}
{code}
Let's add a convenience method that will just read in the flags and value.
[JBoss JIRA] (JGRP-2177) (7.0.z) TYPE_STRING does not handle unicode
by Bartosz Spyrko-Śmietanko (JIRA)
Bartosz Spyrko-Śmietanko created JGRP-2177:
----------------------------------------------
Summary: (7.0.z) TYPE_STRING does not handle unicode
Key: JGRP-2177
URL: https://issues.jboss.org/browse/JGRP-2177
Project: JGroups
Issue Type: Bug
Reporter: Bartosz Spyrko-Śmietanko
Assignee: Bela Ban
Priority: Minor
Fix For: 3.6.11, 4.0
In several places throughout the org.jgroups.util.Util class, it is assumed that Strings are one byte per character.
For example, see objectToByteBuffer lines 561-567:
https://github.com/belaban/JGroups/blob/master/src/org/jgroups/util/Util....
{code:java}
case TYPE_STRING:
    String str=(String)obj;
    int len=str.length();
    // allocates one byte per char, which only holds for single-byte characters
    ByteBuffer retval=ByteBuffer.allocate(Global.BYTE_SIZE + len).put(TYPE_STRING);
    for(int i=0; i < len; i++)
        retval.put((byte)str.charAt(i));   // narrowing cast discards the high byte of each char
    return retval.array();
{code}
This code will incorrectly encode any String with non-ASCII characters.
There are several options to fix this. You could use str.getBytes(StandardCharsets.UTF_8) to get a proper byte encoding, or you could use the existing TYPE_SERIALIZABLE code path.
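The narrowing cast from the snippet beside a UTF-8, length-prefixed encoding, as an added example that is not JGroups' Util code: `StringCodec`, its `TYPE_STRING` tag value and the one-byte-per-char `decodeLossy` reader are constructed for the demonstration, and the 1-byte tag width mirrors the Global.BYTE_SIZE term in the snippet. The round trip shows which of the sample strings survive each encoding.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Contrast of the byte-per-char encoding from the issue with a UTF-8,
 * length-prefixed encoding. Hypothetical helper, not JGroups' Util.
 */
public final class StringCodec {
    static final byte TYPE_STRING = 10;   // constructed tag value, not the one in Util

    /** Lossy encoding in the style of the reported code: each char is narrowed to one byte. */
    static byte[] encodeLossy(String str) {
        int len = str.length();
        ByteBuffer buf = ByteBuffer.allocate(1 + len).put(TYPE_STRING);
        for (int i = 0; i < len; i++)
            buf.put((byte) str.charAt(i));   // keeps only the low byte of every char
        return buf.array();
    }

    /** Reads a lossy record back with a constructed one-byte-per-char decoder. */
    static String decodeLossy(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i < data.length; i++) sb.append((char) (data[i] & 0xff));
        return sb.toString();
    }

    /** Correct encoding: 1-byte tag, 4-byte UTF-8 byte length, then the UTF-8 bytes. */
    static byte[] encodeUtf8(String str) {
        byte[] utf8 = str.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(1 + 4 + utf8.length)
                .put(TYPE_STRING).putInt(utf8.length).put(utf8).array();
    }

    /** Decodes a UTF-8 record, rejecting a wrong tag or a length that overruns the buffer. */
    static String decodeUtf8(byte[] data) {
        ByteBuffer buf = ByteBuffer.wrap(data);
        byte tag = buf.get();
        if (tag != TYPE_STRING) throw new IllegalArgumentException("not a TYPE_STRING record: " + tag);
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) throw new IllegalArgumentException("bad length: " + len);
        byte[] utf8 = new byte[len];
        buf.get(utf8);
        return new String(utf8, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // constructed sample inputs: ASCII, Latin with diacritics, CJK, and a supplementary character
        String[] samples = {"ascii only", "Spyrko-\u015Amietanko", "\u65E5\u672C\u8A9E", "emoji \uD83D\uDE00"};
        for (String s : samples) {
            boolean lossyOk = s.equals(decodeLossy(encodeLossy(s)));
            boolean utf8Ok = s.equals(decodeUtf8(encodeUtf8(s)));
            System.out.printf("%-22s byte-per-char round trip: %-5s UTF-8 round trip: %s%n",
                    s, lossyOk, utf8Ok);
        }
    }
}
```

Only the pure-ASCII sample survives the byte-per-char round trip; the UTF-8 form survives all four. The explicit length prefix matters as much as the charset: with variable-width encoding the receiver can no longer infer the byte count from the character count, and bounds-checking that prefix against the remaining buffer keeps a truncated or malformed record from turning into an uncontrolled allocation or a buffer underflow.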
[JBoss JIRA] (JGRP-2175) (7.0.z) IndexOutOfBoundsException when trace logging
by Bartosz Spyrko-Śmietanko (JIRA)
Bartosz Spyrko-Śmietanko created JGRP-2175:
----------------------------------------------
Summary: (7.0.z) IndexOutOfBoundsException when trace logging
Key: JGRP-2175
URL: https://issues.jboss.org/browse/JGRP-2175
Project: JGroups
Issue Type: Bug
Affects Versions: 3.6.9
Reporter: Bartosz Spyrko-Śmietanko
Assignee: Bela Ban
Priority: Minor
Fix For: 3.6.11
When running with trace logging, I got a couple of these stack traces:
{code}
Exception in thread "OOB-1,test-NodeE-13479" java.lang.IndexOutOfBoundsException: Index: 4, Size: 2
    at java.util.ArrayList.rangeCheck(ArrayList.java:653)
    at java.util.ArrayList.get(ArrayList.java:429)
    at org.jgroups.protocols.pbcast.NAKACK2.handleMessages(NAKACK2.java:868)
    at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:705)
    at org.jgroups.stack.Protocol.up(Protocol.java:425)
    at org.jgroups.protocols.TP.passBatchUp(TP.java:1600)
    at org.jgroups.protocols.TP$BatchHandler.run(TP.java:1820)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
{code}
It seems that part of the list of received messages is removed in handleMessages:864 by
{code}
boolean added=loopback || buf.add(msgs, oob, oob? DUMMY_OOB_MSG : null);
{code}
But the {{size}} is not recomputed afterwards.
[JBoss JIRA] (WFCORE-2766) Application server must be reloaded when is updated credential reference of credential store. There isn't any information that it needs reload.
by Yeray Borges (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2766?page=com.atlassian.jira.plugi... ]
Yeray Borges commented on WFCORE-2766:
--------------------------------------
This was discussed with [~pskopek], arriving at the following conclusions:
* There might be different implementations of the CS API which could be dynamically changed from outside, and then a reload would not be required from the WF point of view
* Marking as reload-required the resources which refer to other CSs will create a mess between resources (e.g. resources being referred to by other CSs, which are being referred to by other CSs ...), even if they are fine because they contain the same passwords
* Reloading on each alias update/remove of any CS, even if it is not being referred to, is not an ideal situation
For these reasons, it is left to the user to decide whether a reload is needed after updating an alias.
This issue will be resolved once these two issues are merged: WFCORE-2426 and WFCORE-2867
Once those issues are merged, at least if the user updates the credential-reference of one CS, a reload will be required.
> Application server must be reloaded when is updated credential reference of credential store. There isn't any information that it needs reload.
> -----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2766
> URL: https://issues.jboss.org/browse/WFCORE-2766
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Yeray Borges
>
> The application server must be reloaded when the credential reference of a credential store is updated. There isn't any information that it needs a reload.
> In the model, "restart-required" => "no-services", and the credential-reference update operation ends with a success message without any information about a reload.
> {code:collapse}
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "Credential reference to be used to create protection parameter.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.credential-store",
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> {code}
[JBoss JIRA] (WFCORE-2905) Server-identity/secret integration with credential reference is not correct.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2905?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet reassigned WFCORE-2905:
-----------------------------------------
Assignee: ehsavoie Hugonnet (was: Darran Lofthouse)
> Server-identity/secret integration with credential reference is not correct.
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2905
> URL: https://issues.jboss.org/browse/WFCORE-2905
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: ehsavoie Hugonnet
> Priority: Blocker
>
> Server-identity/secret integration with credential reference is not correct.
> When server-identity/secret is set to use a password obtained from the credential-store, there is a problem with it.
> I observe that SecretIdentityService expects the password as a constructor argument [1][2] and afterwards the password is resolved from the credential-store. But it fails because the regular password isn't defined and it is used as a method argument [3].
> *Server log*
> {code:collapse}
> [Host Controller] [0m[31m12:27:48,205 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ManagementRealm.secret: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ManagementRealm.secret: Failed to start service[0m
> [Host Controller] [31m at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)[0m
> [Host Controller] [31m at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[0m
> [Host Controller] [31m at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[0m
> [Host Controller] [31m at java.lang.Thread.run(Thread.java:745)[0m
> [Host Controller] [31mCaused by: java.lang.IllegalArgumentException: Last unit does not have enough valid bits[0m
> [Host Controller] [31m at java.util.Base64$Decoder.decode0(Base64.java:734)[0m
> [Host Controller] [31m at java.util.Base64$Decoder.decode(Base64.java:526)[0m
> [Host Controller] [31m at java.util.Base64$Decoder.decode(Base64.java:549)[0m
> [Host Controller] [31m at org.jboss.as.domain.management.security.SecretIdentityService.start(SecretIdentityService.java:77)[0m
> [Host Controller] [31m at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)[0m
> [Host Controller] [31m at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)[0m
> [Host Controller] [31m ... 3 more[0m
> {code}
> [1] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
> [2] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
> [3] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
[JBoss JIRA] (WFCORE-2904) management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2904?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet commented on WFCORE-2904:
-------------------------------------------
Using a batch works properly:
{code:java}
[standalone@localhost:9990 /] batch
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:undefine-attribute(name=password)
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:write-attribute(name=credential-reference, value={clear-text=password123})
[standalone@localhost:9990 / #] run-batch
The batch executed successfully
process-state: reload-required
{code}
> management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2904
> URL: https://issues.jboss.org/browse/WFCORE-2904
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> "Value" and credential-reference are mutually exclusive and one of them must be set.
> *There must be a way to update existing management/security-realm/authentication/users to change "value" to credential-reference and vice versa.*
> *Scenario*
> Prerequisites
> {code:collapse}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=properties:remove()
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:add()
> {code}
> Add new user with password
> {code}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:add(password=testpassword)
> {"outcome" => "success"}
> {code}
> Change password to credential-reference
> {code}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:undefine-attribute(name=password)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0172: password is required",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:write-attribute(name=credential-reference, value={clear-text=password123})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0105: password is invalid in combination with credential-reference",
> "rolled-back" => true
> }
> {code}
> *read-resource-description*
> {code:collapse}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration to use a list users stored directly within the standalone.xml or host.xml configuration file as the user repository.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"user" => {
> "description" => "An authorized user.",
> "model-description" => undefined
> }}
> }
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:read-resource-description(recursive=true
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration to use a list users stored directly within the standalone.xml or host.xml configuration file as the user repository.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"user" => {
> "description" => "An authorized user.",
> "model-description" => {"*" => {
> "description" => "An authorized user.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "The reference to credential for the password stored in CredentialStore under defined alias or clear text password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["value"],
> "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["clear-text"],
> "requires" => ["alias"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "requires" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "password" => {
> "type" => STRING,
> "description" => "The user's password.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["credential-reference"],
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }}
> }}
> }
> }
> {code}
[JBoss JIRA] (WFCORE-2906) Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2906?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet reassigned WFCORE-2906:
-----------------------------------------
Assignee: ehsavoie Hugonnet (was: Darran Lofthouse)
> Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2906
> URL: https://issues.jboss.org/browse/WFCORE-2906
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: ehsavoie Hugonnet
> Priority: Blocker
>
> Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> "Value" and credential-reference are mutually exclusive and one of them must be set.
> *There must be a way to update existing server-identity/secret to change "value" to credential-reference and vice versa.*
> *The user is not able to do something like that:*
> {code}
> /core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=credential-reference, value={clear-text=pass123})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0105: credential-reference is invalid in combination with value",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=secret:undefine-attribute(name=value
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0172: value is required",
> "rolled-back" => true
> }
> {code}
> *resource-description*
> {code:collapse}
> [domain@localhost:9990 /] /host=master/core-service=management/security-realm=ManagementRealm/server-identity=secret:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration of the secret/password-based identity of a server or host controller.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "The reference to credential for the secret / password stored in CredentialStore under defined alias or clear text password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["value"],
> "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["clear-text"],
> "requires" => ["alias"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "requires" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "value" => {
> "type" => STRING,
> "description" => "The secret / password - Base64 Encoded.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["credential-reference"],
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }
> }
> {code}
[JBoss JIRA] (WFCORE-2906) Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2906?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet commented on WFCORE-2906:
-------------------------------------------
Using a batch works properly:
{code:java}
[standalone@localhost:9990 /] batch
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/server-identity=secret:undefine-attribute(name=value)
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=credential-reference, value={clear-text=pass123})
[standalone@localhost:9990 / #] run-batch
The batch executed successfully
process-state: reload-required
[standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=secret:read-resource
{
"outcome" => "success",
"result" => {
"credential-reference" => {"clear-text" => "pass123"},
"value" => undefined
},
"response-headers" => {"process-state" => "reload-required"}
}
[standalone@localhost:9990 /]
{code}