[JBoss JIRA] (WFCORE-2497) Convert *-authentication-factory resources to be child resources of security-domain
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2497?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-2497:
-------------------------------------
Fix Version/s: 4.0.0.CR1
(was: 4.0.0.Beta2)
> Convert *-authentication-factory resources to be child resources of security-domain
> -----------------------------------------------------------------------------------
>
> Key: WFCORE-2497
> URL: https://issues.jboss.org/browse/WFCORE-2497
> Project: WildFly Core
> Issue Type: Task
> Components: Security
> Reporter: Darran Lofthouse
> Fix For: 4.0.0.CR1
>
>
> This is a good example of where child resources work.
> The authentication factory resources have a mandatory dependency on a single security domain.
> The configuration within the factory is related to it's security domain.
> There is only a single resource that can provide security domains.
> The behaviour of the parent is unaffected by the existence or configuration of the child.
> The parent and child manage their own services independently with the child's service depending on the parent's service.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 7 months
[JBoss JIRA] (WFCORE-3479) Deploying an empty deployment and adding content later fails in a composite
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3479?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-3479:
-------------------------------------
Fix Version/s: 4.0.0.CR1
(was: 4.0.0.Beta2)
> Deploying an empty deployment and adding content later fails in a composite
> ---------------------------------------------------------------------------
>
> Key: WFCORE-3479
> URL: https://issues.jboss.org/browse/WFCORE-3479
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Affects Versions: 3.0.10.Final
> Reporter: Kabir Khan
> Assignee: ehsavoie Hugonnet
> Fix For: 4.0.0.CR1
>
>
> When adding mixed domain tests for EAP 7.1.0 I could not get the MixedDomainDeployment710TestCase.testExplodedDeployment() test to work. Comparing with the core domain ExplodedDeploymentTestCase.testInstallAndExplodeDeploymentOnDCFromScratch(), they both do the following:
> {code}
> 1) Create an empty deployment
> 2) Add some content to the deployment using input streams
> 3) Add the deployment to a server group
> {code}
> However, they differ in that ExplodedDeploymentTestCase does this as individual steps, while MixedDomainDeployment710TestCase does this in a composite. I have a branch at https://github.com/kabir/wildfly-core/tree/WFCORE-3479 which expands ExplodedDeploymentTestCase to demonstrate the problem.
> Going back to MixedDomainDeploymentTestCase, the testExplodedDeployment() test pushes the following composite to the DC:
> {code}
> {
> "operation" => "composite",
> "address" => [],
> "steps" => [
> {
> "operation" => "add",
> "address" => [("deployment" => "test.war")],
> "content" => [{"empty" => true}]
> },
> {
> "operation" => "add-content",
> "address" => [("deployment" => "test.war")],
> "content" => [
> {
> "target-path" => "index.html",
> "input-stream-index" => 0
> },
> {
> "target-path" => "index2.html",
> "input-stream-index" => 1
> }
> ]
> },
> {
> "operation" => "add",
> "address" => [
> ("server-group" => "other-server-group"),
> ("deployment" => "test.war")
> ],
> "enabled" => true
> },
> {
> "operation" => "add",
> "address" => [
> ("server-group" => "main-server-group"),
> ("deployment" => "test.war")
> ],
> "enabled" => true
> }
> ],
> "operation-headers" => {
> "caller-type" => "user",
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "b016e0a3-4175-4f40-b6b9-779fc0fd1745",
> "execute-for-coordinator" => true
> }
> }
> {code}
> What ends up being pushed to the slave is:
> {code}
> {
> "operation" => "composite",
> "address" => [],
> "steps" => [
> {
> "operation" => "add",
> "address" => [("deployment" => "test.war")],
> "content" => [{
> "hash" => bytes {
> 0x8f, 0x7c, 0x8c, 0x80, 0x35, 0x88, 0x36, 0x16,
> 0x61, 0xfa, 0x0a, 0x10, 0x30, 0xf9, 0x13, 0x29,
> 0x04, 0x05, 0x9d, 0x82
> },
> "archive" => false
> }],
> "operation-headers" => {
> "caller-type" => "user",
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "9f6d874e-24f8-41ec-a1d0-9c98509964fc"
> },
> "runtime-name" => undefined
> },
> {
> "operation" => "add-content",
> "address" => [("deployment" => "test.war")],
> "content" => [{
> "hash" => bytes {
> 0x52, 0x3a, 0x0a, 0x7b, 0x3b, 0xae, 0x1c, 0x67,
> 0x22, 0x51, 0xf6, 0x34, 0xb5, 0x3b, 0xe7, 0xf9,
> 0x78, 0x59, 0x91, 0x63
> },
> "target-path" => "."
> }],
> "operation-headers" => {
> "caller-type" => "user",
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "9f6d874e-24f8-41ec-a1d0-9c98509964fc"
> },
> "path" => [
> "index.html",
> "index2.html"
> ]
> },
> {
> "operation" => "add",
> "address" => [
> ("server-group" => "other-server-group"),
> ("deployment" => "test.war")
> ],
> "enabled" => true
> },
> {
> "operation" => "add",
> "address" => [
> ("server-group" => "main-server-group"),
> ("deployment" => "test.war")
> ],
> "enabled" => true
> }
> ],
> "operation-headers" => {
> "caller-type" => "user",
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "9f6d874e-24f8-41ec-a1d0-9c98509964fc",
> "execute-for-coordinator" => true
> }
> }
> {code}
> The error reported by the DC is:
> {code}
> {
> "outcome" => "failed",
> "result" => {
> "step-1" => {
> "outcome" => "failed",
> "rolled-back" => true
> },
> "step-2" => {
> "outcome" => "failed",
> "rolled-back" => true
> },
> "step-3" => {
> "outcome" => "failed",
> "rolled-back" => true
> },
> "step-4" => {
> "outcome" => "failed",
> "rolled-back" => true
> }
> },
> "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"other-server-group" => {"host" => {"slave" => {"server-one" => {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => "WFLYCTL0216: Management resource '[(\"deployment\" => \"test.war\")]' not found"}}}}}}}},
> "rolled-back" => true,
> "server-groups" => {"other-server-group" => {"host" => {"slave" => {"server-one" => {"response" => {
> "outcome" => "failed",
> "result" => {
> "step-1" => {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0216: Management resource '[(\"deployment\" => \"test.war\")]' not found",
> "rolled-back" => true
> },
> "step-2" => {"outcome" => undefined}
> },
> "failure-description" => {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => "WFLYCTL0216: Management resource '[(\"deployment\" => \"test.war\")]' not found"}},
> "rolled-back" => true
> }}}}}}
> }
> {code}
> Having debugged the slave process a bit, I *believe* the following is what is passed to the servers by the slave HC:
> {code}
> {
> "operation" => "composite",
> "steps" => [
> {
> "operation" => "add-content",
> "address" => [("deployment" => "test.war")],
> "content" => [{
> "hash" => bytes {
> 0x52, 0x3a, 0x0a, 0x7b, 0x3b, 0xae, 0x1c, 0x67,
> 0x22, 0x51, 0xf6, 0x34, 0xb5, 0x3b, 0xe7, 0xf9,
> 0x78, 0x59, 0x91, 0x63
> },
> "target-path" => "."
> }],
> "operation-headers" => {
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "2bd6c01d-a844-43fc-8d10-7d6e4c32e5b1"
> },
> "path" => [
> "index.html",
> "index2.html"
> ]
> },
> {
> "operation" => "add",
> "address" => [("deployment" => "test.war")],
> "enabled" => true,
> "operation-headers" => {
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "2bd6c01d-a844-43fc-8d10-7d6e4c32e5b1"
> },
> "runtime-name" => "test.war",
> "content" => [{
> "hash" => bytes {
> 0x52, 0x3a, 0x0a, 0x7b, 0x3b, 0xae, 0x1c, 0x67,
> 0x22, 0x51, 0xf6, 0x34, 0xb5, 0x3b, 0xe7, 0xf9,
> 0x78, 0x59, 0x91, 0x63
> },
> "archive" => false
> }]
> }
> ],
> "operation-headers" => {
> "access-mechanism" => "NATIVE",
> "domain-uuid" => "2bd6c01d-a844-43fc-8d10-7d6e4c32e5b1"
> },
> "address" => []
> }
> {code}
> Note that 'add-content' now comes BEFORE 'add', which would explain the "Management resource '[(\"deployment\" => \"test.war\")]' not found".
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 7 months
[JBoss JIRA] (WFCORE-3382) Further Enhance Elytron Permission Configuration
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3382?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-3382:
-------------------------------------
Fix Version/s: 4.0.0.CR1
(was: 4.0.0.Beta2)
> Further Enhance Elytron Permission Configuration
> ------------------------------------------------
>
> Key: WFCORE-3382
> URL: https://issues.jboss.org/browse/WFCORE-3382
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Reporter: Darran Lofthouse
> Fix For: 4.0.0.CR1
>
>
> This has currently been simplified to a single resource for the out of the box configuration, however this brings issues as now permissions are duplicated so modifications need to be replicated instead of to a single location.
> Finding a way for the default required permissions to be defined in one location could help eliminate the duplication.
> We could also consider going one step further and subsystems register the default permissions that should be granted.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 7 months
[JBoss JIRA] (WFCORE-3579) ERROR log occurs during CLI reload operation on server
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3579?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-3579:
-------------------------------------
Fix Version/s: 4.0.0.CR1
(was: 4.0.0.Beta2)
> ERROR log occurs during CLI reload operation on server
> ------------------------------------------------------
>
> Key: WFCORE-3579
> URL: https://issues.jboss.org/browse/WFCORE-3579
> Project: WildFly Core
> Issue Type: Bug
> Components: CLI, Domain Management
> Affects Versions: 4.0.0.Alpha9
> Reporter: Marek Kopecký
> Assignee: Brian Stansberry
> Priority: Blocker
> Fix For: 4.0.0.CR1
>
> Attachments: cli.script.txt
>
>
> *Description of the issue:*
> ERROR log occurs during CLI reload operation on server:
> {{ERROR \[org.jboss.as.controller.management-operation\] (pool-3-thread-2) WFLYCTL0013: Operation ("read-attribute") failed - address: (\[("host" => "master")\]) - failure description: "WFLYCTL0201: Unknown attribute 'host-state'"}}
> This issue is regression against WF11
> Reload handler and its "host-state" code is [here|https://github.com/wildfly/wildfly-core/blob/master/cli/src/main/jav...], but this issue is probably caused by some "debug -> error" logging change ...
> I'm able to reproduce this only on embedded server. Non-embedded server is probably too slow to hit this issue
> *How reproducible:*
> I see this intermittently on fast virtual machines
> *Steps to Reproduce:*
> # ./jboss-cli.sh --file=cli.script.txt
> *Content of cli.script.txt file*
> This file is attached to this jira, beginning of this file:
> {noformat}
> embed-host-controller --std-out=echo
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> reload --host=master --admin-only=true
> {noformat}
> *Actual results:*
> Standard output:
> {noformat}
> ...
> [0m[0m01:36:06,021 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: WildFly Full 12.0.0.Alpha1-SNAPSHOT (WildFly Core 4.0.0.Alpha9) starting
> [0m[31m01:36:06,061 ERROR [org.jboss.as.controller.management-operation] (CLI command executor) WFLYCTL0013: Operation ("read-attribute") failed - address: ([("host" => "master")]) - failure description: "WFLYCTL0201: Unknown attribute 'host-state'"
> [0m[0m01:36:06,072 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/host=master/core-service=management/management-interface=native-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,073 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/host=master/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,097 INFO [org.jboss.as.patching] (MSC service thread 1-3) WFLYPAT0050: WildFly Full cumulative patch ID is: base, one-off patches include: none
> [0m[33m01:36:06,102 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /home/hudson/hudson_workspace/workspace/early-testing-cli-embedded-manual/4b767fc2/wildfly/domain/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
> [0m[0m01:36:06,185 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/profile=default/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,196 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/profile=ha/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,204 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/profile=full/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,217 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/profile=full-ha/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> [0m[0m01:36:06,287 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 12.0.0.Alpha1-SNAPSHOT (WildFly Core 4.0.0.Alpha9) (Host Controller) started in 266ms - Started 54 of 59 services (18 services are lazy, passive or on-demand)
> ...
> {noformat}
> *Expected results:*
> No errors in logs
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 7 months
[JBoss JIRA] (WFCORE-3542) Elytron JDBC realm password mapping is not consistent with underlying implementation
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3542?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-3542:
-------------------------------------
Fix Version/s: 4.0.0.CR1
(was: 4.0.0.Beta2)
> Elytron JDBC realm password mapping is not consistent with underlying implementation
> ------------------------------------------------------------------------------------
>
> Key: WFCORE-3542
> URL: https://issues.jboss.org/browse/WFCORE-3542
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: David Lloyd
> Assignee: Darran Lofthouse
> Fix For: 4.0.0.CR1
>
>
> There is no way to configure the JDBC realm to use modular crypt in WildFly, even though the underlying realm does support it.
> The problem is that the {{salt-index}} and {{itereration-count-index}} attributes should be optional, and if they not given, a value of {{-1}} should be passed to the mapper. By omitting both of these values, the database column values will then be recognized as modular-crypt strings.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 7 months