[infinispan-issues] [JBoss JIRA] (ISPN-6261) CLI fails on secured caches

Vojtech Juranek (JIRA) issues at jboss.org
Tue Mar 8 11:46:00 EST 2016


     [ https://issues.jboss.org/browse/ISPN-6261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vojtech Juranek updated ISPN-6261:
----------------------------------
    Description: 
When running the CLI on secured caches, it fails with the exception below. This exception is quite confusing, as the user has the ADMIN permission properly defined on the given cache. What is actually happening is that some operation, like statistics, called by the CLI, iterates over all defined caches, including internal caches, and the user doesn't have the required permission on all of these caches (in this case on the internal script cache).

{noformat}
00:04:23,563 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "datagrid-infinispan"),
    ("cache-container" => "local")
]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [user at ManagementRealm, admin at ManagementRealm, admin, org.jboss.remoting3.security.UserPrincipal at 36ebcb, InetAddressPrincipal <127.0.0.1/127.0.0.1>, InetAddressPrincipal <127.0.0.1/127.0.0.1>]' lacks 'ADMIN' permission
        at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
        at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:37)
        at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:567)
        at org.infinispan.stats.impl.CacheContainerStatsImpl.calculateAverageRemoveTime(CacheContainerStatsImpl.java:131)
        at org.infinispan.stats.impl.CacheContainerStatsImpl.getAverageRemoveTime(CacheContainerStatsImpl.java:121)
        at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:196)
        at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)                                                                                                      
{noformat}

*Steps to reproduce:*
 * create mgmt user using {{add-user.sh}} script (e.g. user {{user}}) and assign him role {{admin}} in {{standalone/configuration/mgmt-groups.properties}}
 * create secure cache {{testcache}} with following configuration in {{standalone.xml}} (security enabled and admin user has admin rights):
{noformat}
              <cache-container name="local" default-cache="testcache">
                <security>
                    <authorization>
                        <identity-role-mapper/>
                        <role name="admin" permissions="ADMIN" />
                    </authorization>
                </security>
                <local-cache name="testcache" start="EAGER" batching="false">
                    <security>
                        <authorization roles="admin" enabled="true"/>
                    </security>
                    <transaction mode="NONE"/>
                </local-cache>
            </cache-container>
{noformat}
 * start ISPN server in standalone mode
 * start ISPN console in GUI mode ({{ispn-cli.sh --gui --user=user --password=pass}}) and navigate to {{subsystem=datagrid-infinispan -> cache-container=local}}
 * once clicked on {{cache-container=local}} no cache should appear there (while there should be {{testcache}}) and exception above should appear in ISPN server log

  was:
When running the CLI on secured caches, it fails with the exception below. This exception is quite confusing, as the user has the ADMIN permission properly defined on the given cache. What is actually happening is that some operation, like statistics, called by the CLI, iterates over all defined caches, including internal caches, and the user doesn't have the required permission on all of these caches (in this case on the internal script cache).

{noformat}
00:04:23,563 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "datagrid-infinispan"),
    ("cache-container" => "local")
]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [user at ManagementRealm, admin at ManagementRealm, admin, org.jboss.remoting3.security.UserPrincipal at 36ebcb, InetAddressPrincipal <127.0.0.1/127.0.0.1>, InetAddressPrincipal <127.0.0.1/127.0.0.1>]' lacks 'ADMIN' permission
        at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
        at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:37)
        at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:567)
        at org.infinispan.stats.impl.CacheContainerStatsImpl.calculateAverageRemoveTime(CacheContainerStatsImpl.java:131)
        at org.infinispan.stats.impl.CacheContainerStatsImpl.getAverageRemoveTime(CacheContainerStatsImpl.java:121)
        at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:196)
        at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)                                                                                                      
{noformat}



> CLI fails on secured caches
> ---------------------------
>
>                 Key: ISPN-6261
>                 URL: https://issues.jboss.org/browse/ISPN-6261
>             Project: Infinispan
>          Issue Type: Bug
>          Components: CLI, Security
>            Reporter: Vojtech Juranek
>            Assignee: Vojtech Juranek
>



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
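
A log-triage sketch for the failure described in this report, added here as an example (it is not code from the report or from Infinispan). It pulls the denied permission, the principals, the management address and the guarded call out of an ISPN000287 trace, and flags the case where the check was reached from a `CacheContainer*` class; the function name `triage`, the result keys and the shortened sample log are assumptions made for this example.

```python
import re
# Constructed sample: the trace from the report, shortened (fewer principals, frames).
SAMPLE_LOG = """\
00:04:23,563 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "datagrid-infinispan"),
    ("cache-container" => "local")
]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [user at ManagementRealm, admin at ManagementRealm, admin]' lacks 'ADMIN' permission
        at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
        at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:37)
        at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:567)
        at org.infinispan.stats.impl.CacheContainerStatsImpl.calculateAverageRemoveTime(CacheContainerStatsImpl.java:131)
"""

DENIAL = re.compile(r"ISPN000287: Unauthorized access: subject 'Subject with "
                    r"principal\(s\): \[(?P<principals>.*)\]' lacks '(?P<permission>\w+)' permission")
FRAME = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(")
ADDRESS = re.compile(r'\("(?P<key>[\w-]+)" => "(?P<value>[^"]+)"\)')
CHECK_PLUMBING = {"AuthorizationHelper", "AuthorizationManagerImpl"}

def triage(log_text):
    lines, findings = log_text.splitlines(), []
    for i, line in enumerate(lines):
        denial = DENIAL.search(line)
        if not denial:
            continue
        # Management address lines sit directly above the exception line.
        address, j = [], i - 1
        while j >= 0 and (a := ADDRESS.search(lines[j])):
            address.insert(0, (a["key"], a["value"]))
            j -= 1
        # Stack frames sit directly below it; drop the permission-check plumbing.
        calls = []
        for nxt in lines[i + 1:]:
            frame = FRAME.match(nxt)
            if not frame:
                break
            simple = frame["cls"].rsplit(".", 1)[-1]
            if simple not in CHECK_PLUMBING:
                calls.append(f"{simple}.{frame['method']}")
        findings.append({
            "permission": denial["permission"],
            "principals": denial["principals"].split(", "),
            "address": address,
            "guarded_call": calls[0] if calls else None,
            "caller": calls[1] if len(calls) > 1 else None,
            # Heuristic from the report: a CacheContainer* caller iterates over all caches.
            "container_wide": len(calls) > 1 and calls[1].startswith("CacheContainer"),
        })
    return findings
```

When `container_wide` is true, the denial says nothing about the cache the user asked for; the roles to review are those on the other caches in the container, internal ones included.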

