[Red Hat JIRA] (WFLY-11933) Error when accessing metrics with RBAC enabled
by Claudio Weiler (Jira)
[ https://issues.redhat.com/browse/WFLY-11933?page=com.atlassian.jira.plugi... ]
Claudio Weiler edited comment on WFLY-11933 at 12/10/20 10:23 AM:
------------------------------------------------------------------
[~jmesnil], sorry if I'm been meddlesome, but I see that if metrics are available without RBAC , then, enabling RBAC should not change this behavior. What should change behavior is if {{security-enable}} atribute is set to true.
I've posted a PR (https://github.com/wildfly/wildfly/pull/13753) using the same approach that you used to solve WFLY-14034 .
was (Author: cweiler):
[~jmesnil], sorry if I'm been meddlesome, but I see that if metrics are available without RBAC , then, enabling RBAC should not change this behavior. What should change behavior is if {{security-enable}} atribute is set to true, right?
I've posted a PR (https://github.com/wildfly/wildfly/pull/13753) using the same approach that you used to solve WFLY-14034 .
> Error when accessing metrics with RBAC enabled
> ----------------------------------------------
>
> Key: WFLY-11933
> URL: https://issues.redhat.com/browse/WFLY-11933
> Project: WildFly
> Issue Type: Bug
> Components: Management, MP Metrics
> Affects Versions: 16.0.0.Final, 17.0.0.Final, 17.0.1.Final, 21.0.0.Final
> Reporter: Claudio Weiler
> Assignee: Jeff Mesnil
> Priority: Major
>
> Accordingly to https://docs.wildfly.org/17/Admin_Guide.html#http-endpoint-2 and https://wildscribe.github.io/WildFly/17.0/subsystem/microprofile-metrics-..., access to metrics endpoint is controlled by the security-enabled attribute.
> When this attribute is set to false, there is an Exception when metrics are accessed. By default, this attribute is set to false on standalone.xml config.
> Please, refer to steps to reproduce. This error occurs only when RBAC are enabled.
> When RBAC is enabled for management in Wildfly, metrics throws exception:
> java.lang.IllegalStateException: WFLYMETRICS0003: Unable to read attribute XAForgetAverageTime on [
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS"),
> ("statistics" => "pool")
> ]: "WFLYCTL0216: Management resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"ExampleDS\"),
> (\"statistics\" => \"pool\")
> ]' not found".
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 7 months
[Red Hat JIRA] (WFLY-11933) Error when accessing metrics with RBAC enabled
by Claudio Weiler (Jira)
[ https://issues.redhat.com/browse/WFLY-11933?page=com.atlassian.jira.plugi... ]
Claudio Weiler edited comment on WFLY-11933 at 12/10/20 10:21 AM:
------------------------------------------------------------------
[~jmesnil], sorry if I'm been meddlesome, but I see that if metrics are available without RBAC , then, enabling RBAC should not change this behavior. What should change behavior is if {{security-enable}} atribute is set to true, right?
I've posted a PR (https://github.com/wildfly/wildfly/pull/13753) using the same approach that you used to solve WFLY-14034 .
was (Author: cweiler):
[~jmesnil], sorry if I'm been meddlesome, but I see that if metrics are available without RBAC , than, enabling RBAC should not change this behavior. What should change behavior is if {{security-enable}} atribute is set to true, right?
I've posted a PR (https://github.com/wildfly/wildfly/pull/13753) using the same approach that you used to solve WFLY-14034 .
> Error when accessing metrics with RBAC enabled
> ----------------------------------------------
>
> Key: WFLY-11933
> URL: https://issues.redhat.com/browse/WFLY-11933
> Project: WildFly
> Issue Type: Bug
> Components: Management, MP Metrics
> Affects Versions: 16.0.0.Final, 17.0.0.Final, 17.0.1.Final, 21.0.0.Final
> Reporter: Claudio Weiler
> Assignee: Jeff Mesnil
> Priority: Major
>
> Accordingly to https://docs.wildfly.org/17/Admin_Guide.html#http-endpoint-2 and https://wildscribe.github.io/WildFly/17.0/subsystem/microprofile-metrics-..., access to metrics endpoint is controlled by the security-enabled attribute.
> When this attribute is set to false, there is an Exception when metrics are accessed. By default, this attribute is set to false on standalone.xml config.
> Please, refer to steps to reproduce. This error occurs only when RBAC are enabled.
> When RBAC is enabled for management in Wildfly, metrics throws exception:
> java.lang.IllegalStateException: WFLYMETRICS0003: Unable to read attribute XAForgetAverageTime on [
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS"),
> ("statistics" => "pool")
> ]: "WFLYCTL0216: Management resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"ExampleDS\"),
> (\"statistics\" => \"pool\")
> ]' not found".
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 7 months
[Red Hat JIRA] (WFLY-11933) Error when accessing metrics with RBAC enabled
by Claudio Weiler (Jira)
[ https://issues.redhat.com/browse/WFLY-11933?page=com.atlassian.jira.plugi... ]
Claudio Weiler commented on WFLY-11933:
---------------------------------------
[~jmesnil], sorry if I'm been meddlesome, but I see that if metrics are available without RBAC , than, enabling RBAC should not change this behavior. What should change behavior is if {{security-enable}} atribute is set to true, right?
I've posted a PR (https://github.com/wildfly/wildfly/pull/13753) using the same approach that you used to solve WFLY-14034 .
> Error when accessing metrics with RBAC enabled
> ----------------------------------------------
>
> Key: WFLY-11933
> URL: https://issues.redhat.com/browse/WFLY-11933
> Project: WildFly
> Issue Type: Bug
> Components: Management, MP Metrics
> Affects Versions: 16.0.0.Final, 17.0.0.Final, 17.0.1.Final, 21.0.0.Final
> Reporter: Claudio Weiler
> Assignee: Jeff Mesnil
> Priority: Major
>
> Accordingly to https://docs.wildfly.org/17/Admin_Guide.html#http-endpoint-2 and https://wildscribe.github.io/WildFly/17.0/subsystem/microprofile-metrics-..., access to metrics endpoint is controlled by the security-enabled attribute.
> When this attribute is set to false, there is an Exception when metrics are accessed. By default, this attribute is set to false on standalone.xml config.
> Please, refer to steps to reproduce. This error occurs only when RBAC are enabled.
> When RBAC is enabled for management in Wildfly, metrics throws exception:
> java.lang.IllegalStateException: WFLYMETRICS0003: Unable to read attribute XAForgetAverageTime on [
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS"),
> ("statistics" => "pool")
> ]: "WFLYCTL0216: Management resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"ExampleDS\"),
> (\"statistics\" => \"pool\")
> ]' not found".
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 7 months
[Red Hat JIRA] (ELY-2049) Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated ELY-2049:
----------------------------------
Fix Version/s: 1.14.1.CR1
> Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
> -----------------------------------------------------------------------
>
> Key: ELY-2049
> URL: https://issues.redhat.com/browse/ELY-2049
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Security Manager
> Affects Versions: 1.13.2.Final
> Reporter: Boris Unckel
> Priority: Major
> Fix For: 1.14.1.CR1
>
>
> The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions.
> Examples:
> [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
> [WildFly 1|https://issues.redhat.com/browse/WFLY-14072]
> [WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039]
> [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...]
> line 2048
> The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs.
> Current code:
> {code:java}
> public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
> ProtectionDomain deniedDomain = null;
> if (domains != null) for (ProtectionDomain domain : domains) {
> if (! domain.implies(permission)) {
> final CodeSource codeSource = domain.getCodeSource();
> final ClassLoader classLoader = domain.getClassLoader();
> final Principal[] principals = domain.getPrincipals();
> if (principals == null || principals.length == 0) {
> access.accessCheckFailed(permission, codeSource, classLoader);
> } else {
> access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
> }
> if (deniedDomain == null && ! LOG_ONLY) {
> deniedDomain = domain;
> }
> }
> }
> return deniedDomain;
> }
> {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 7 months
[Red Hat JIRA] (WFLY-14202) wildfly-clustering-ee-cache/ConcurrentManager sets value on immutable Map.Entry
by Paul Ferraro (Jira)
[ https://issues.redhat.com/browse/WFLY-14202?page=com.atlassian.jira.plugi... ]
Paul Ferraro closed WFLY-14202.
-------------------------------
Resolution: Duplicate Issue
Duplicates WFLY-14118
> wildfly-clustering-ee-cache/ConcurrentManager sets value on immutable Map.Entry
> --------------------------------------------------------------------------------
>
> Key: WFLY-14202
> URL: https://issues.redhat.com/browse/WFLY-14202
> Project: WildFly
> Issue Type: Bug
> Components: Clustering
> Affects Versions: 21.0.1.Final
> Reporter: Oleksandr Demura
> Assignee: Paul Ferraro
> Priority: Major
>
>
>
> {noformat}
> ERROR [io.undertow.servlet.request] (default task-7) UT015005: Error invoking method requestInitialized on listener class org.jboss.weld.module.web.servlet.WeldInitialListener: java.lang.UnsupportedOperationException
> at java.base/java.util.AbstractMap$SimpleImmutableEntry.setValue(AbstractMap.java:794)
> at org.wildfly.clustering.ee.cache@21.0.1.Final//org.wildfly.clustering.ee.cache.ConcurrentManager.apply(ConcurrentManager.java:88)
> at org.wildfly.clustering.web.cache@21.0.1.Final//org.wildfly.clustering.web.cache.session.ConcurrentSessionManager.findSession(ConcurrentSessionManager.java:70)
> at org.wildfly.clustering.web.undertow@21.0.1.Final//org.wildfly.clustering.web.undertow.session.DistributableSessionManager.getSession(DistributableSessionManager.java:227)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:858)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:421)
> at org.jboss.weld.core@3.1.5.Final//org.jboss.weld.module.web.servlet.SessionHolder.requestInitialized(SessionHolder.java:47)
> at org.jboss.weld.core@3.1.5.Final//org.jboss.weld.module.web.servlet.HttpContextLifecycle.requestInitialized(HttpContextLifecycle.java:247)
> at org.jboss.weld.core@3.1.5.Final//org.jboss.weld.module.web.servlet.WeldInitialListener.requestInitialized(WeldInitialListener.java:146)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ApplicationListeners.requestInitialized(ApplicationListeners.java:263)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:268)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
> at org.wildfly.extension.undertow@21.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
> at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
> at io.undertow.core@2.2.2.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
> at io.undertow.core@2.2.2.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> at org.jboss.xnio@3.8.2.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
> at java.base/java.lang.Thread.run(Thread.java:834){noformat}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 7 months