[infinispan-issues] [JBoss JIRA] (ISPN-8940) Some JMX statistics are not available when activating authorization in CacheManager

Rafael Ruiz (JIRA) issues at jboss.org
Wed Mar 14 07:21:00 EDT 2018


     [ https://issues.jboss.org/browse/ISPN-8940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael Ruiz updated ISPN-8940:
------------------------------
    Description: 
1.- Unzip infinispan-server-9.2.0.Final-bin.zip
2.- Create a user in ApplicationRealm with bin/add-user.sh
3.- Add authorization to clustered.xml:

{code:xml}
<cache-container name="clustered" default-cache="default" statistics="true">
    <security>
        <authorization>
            <identity-role-mapper/>
            <role name="jdguser" permissions="ALL"/>
            <role name="admin" permissions="ALL BULK_READ BULK_WRITE ADMIN"/>
        </authorization>
    </security>
...
    <replicated-cache name="repl" configuration="replicated">
        <security>
            <authorization roles="admin jdguser" />
        </security>
    </replicated-cache>
{code}

4.- Start with standalone.sh -c clustered.xml and try to access the CacheManager MBeans from JConsole. It will show Unavailable for most fields of
jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats
In server logs:
WARN  [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46) ISPN000036: Did not find attribute removeHits 
One message for each unreachable attribute.
If you set org.infinispan category to DEBUG level, it will show:

{noformat}
DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46) Exception while reading value of attribute evictions: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
	at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
	at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
...
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
	at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
	at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)

{noformat}


  was:
1.- Unzip infinispan-server-9.2.0.Final-bin.zip
2.- Create a user in ApplicationRealm with bin/add-user.sh
3.- Add authorization to clustered.xml:
{{ <cache-container name="clustered" default-cache="default" statistics="true">
	<security>
		<authorization>
                        <identity-role-mapper/>
                        <role name="jdguser" permissions="ALL"/>                        
                        <role name="admin" permissions="ALL BULK_READ BULK_WRITE ADMIN"/>
                </authorization>
          </security>
...
         <replicated-cache name="repl" configuration="replicated">
		<security>
			<authorization roles="admin jdguser" />
		 </security>
	 </replicated-cache>}}
4.- Start with standalone.sh -c clustered.xml and try to access the CacheManager MBeans from JConsole. It will show Unavailable for most fields of
jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats
In server logs:
WARN  [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46) ISPN000036: Did not find attribute removeHits 
One message for each unreachable attribute.
If you set org.infinispan category to DEBUG level, it will show:
{{ DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46) Exception while reading value of attribute evictions: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
	at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
	at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
...
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
	at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
	at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
}}



> Some JMX statistics are not available when activating authorization in CacheManager
> -----------------------------------------------------------------------------------
>
>                 Key: ISPN-8940
>                 URL: https://issues.jboss.org/browse/ISPN-8940
>             Project: Infinispan
>          Issue Type: Bug
>          Components: JMX, reporting and management
>    Affects Versions: 9.2.0.Final
>            Reporter: Rafael Ruiz
>
> 1.- Unzip infinispan-server-9.2.0.Final-bin.zip
> 2.- Create a user in ApplicationRealm with bin/add-user.sh
> 3.- Add authorization to clustered.xml:
> {code:xml}
> <cache-container name="clustered" default-cache="default" statistics="true">
>     <security>
>         <authorization>
>             <identity-role-mapper/>
>             <role name="jdguser" permissions="ALL"/>
>             <role name="admin" permissions="ALL BULK_READ BULK_WRITE ADMIN"/>
>         </authorization>
>     </security>
> ...
>     <replicated-cache name="repl" configuration="replicated">
>         <security>
>             <authorization roles="admin jdguser" />
>         </security>
>     </replicated-cache>
> {code}
> 4.- Start with standalone.sh -c clustered.xml and try to access the CacheManager MBeans from JConsole. It will show Unavailable for most fields of
> jboss.datagrid-infinispan:type=CacheManager,name="clustered",component=CacheContainerStats
> In server logs:
> WARN  [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46) ISPN000036: Did not find attribute removeHits 
> One message for each unreachable attribute.
> If you set org.infinispan category to DEBUG level, it will show:
> {noformat}
> DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46) Exception while reading value of attribute evictions: java.lang.reflect.InvocationTargetException
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:395)
> 	at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:299)
> 	at org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
> ...
> Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
> 	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
> 	at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
> 	at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
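
The report shows that the WARN message ISPN000036 ("Did not find attribute") hides the real cause, which only appears at DEBUG as ISPN000287. The following triage script is an added example, not part of the original report or of Infinispan: it correlates the two messages per attribute. The function names, the result labels and the sample log (assembled from the lines quoted above, stack frames shortened) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample built from the log lines quoted in the report.
# No DEBUG trace is included for removeHits, to show the unexplained case.
SAMPLE_LOG = """\
WARN  [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(7)-10.101.218.46) ISPN000036: Did not find attribute removeHits
DEBUG [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46) Exception while reading value of attribute evictions: java.lang.reflect.InvocationTargetException
\tat org.infinispan.jmx.ResourceDMBean.getAttribute(ResourceDMBean.java:178)
Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
\tat org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:586)
WARN  [org.infinispan.jmx.ResourceDMBean] (RMI TCP Connection(3)-10.101.218.46) ISPN000036: Did not find attribute evictions
"""

NOT_FOUND = re.compile(r"ISPN000036: Did not find attribute (\w+)")
READ_FAIL = re.compile(r"Exception while reading value of attribute (\w+):")
DENIED = re.compile(
    r"ISPN000287: Unauthorized access: subject '([^']*)' lacks '(\w+)' permission")

def triage(log_text):
    """Map each JMX attribute to the warning and the authorization denial behind it."""
    report = defaultdict(
        lambda: {"warned": False, "subject": None, "permission": None})
    pending = None  # attribute whose stack trace is currently being read
    for line in log_text.splitlines():
        if m := NOT_FOUND.search(line):
            report[m.group(1)]["warned"] = True
            pending = None
        elif m := READ_FAIL.search(line):
            pending = m.group(1)
            report[pending]  # create the entry even if no cause follows
        elif (m := DENIED.search(line)) and pending:
            report[pending]["subject"], report[pending]["permission"] = m.groups()
        elif not line.startswith(("\t", " ", "Caused by:", "...")):
            pending = None  # an unrelated log record ends the stack trace
    return dict(report)

def classify(entry):
    """Label an entry (labels are this example's own, not Infinispan terms)."""
    if entry["permission"] is None:
        return "unexplained"  # enable DEBUG on org.infinispan to see the cause
    if entry["subject"] == "null":
        return "no-subject-on-call"  # logged subject is 'null', as in the report
    return "subject-lacks-permission"

if __name__ == "__main__":
    for name, entry in sorted(triage(SAMPLE_LOG).items()):
        print(name, classify(entry), entry)
```
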

