[infinispan-issues] [JBoss JIRA] (ISPN-10327) REST endpoint authorization

Wolf-Dieter Fink (Jira) issues at jboss.org
Wed Jun 19 11:14:00 EDT 2019


     [ https://issues.jboss.org/browse/ISPN-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wolf-Dieter Fink updated ISPN-10327:
------------------------------------
    Description: 
The REST endpoint does not use the authenticated user to access authz caches. We need to:
- integrate with the ServerAuthenticationProvider as used by the Hot Rod endpoint so that we can use security callbacks and retrieve a fully populated subject (including groups)
- add SecurityActions within the rest code
- Return 403 forbidden where needed


If authorization is added to the cache-container as follows, the REST endpoint will fail with an exception for any access and can't be used

        <subsystem xmlns="urn:infinispan:server:core:9.4" default-cache-container="clustered">
            <cache-container name="clustered" default-cache="default" statistics="true">
                <transport lock-timeout="60000"/>
                <security>
                    <authorization>
                        <identity-role-mapper/>
                        <role name="writer" permissions="ALL_WRITE"/>
                        <role name="reader" permissions="ALL_READ"/>
                        <role name="admin" permissions="ALL"/>
                    </authorization>
                </security>


ERROR [org.infinispan.rest.Http20RequestHandler] (REST-ServerIO-3-1) ISPN012006: Uncaught exception in the pipeline: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:87)
	at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:52)
	at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:584)
	at org.infinispan.cache.impl.AbstractDelegatingAdvancedCache.getComponentRegistry(AbstractDelegatingAdvancedCache.java:125)
	at org.infinispan.rest.cachemanager.RestCacheManager.tryRegisterMigrationManager(RestCacheManager.java:146)
	at org.infinispan.rest.cachemanager.RestCacheManager.getCache(RestCacheManager.java:67)
	at org.infinispan.rest.operations.CacheOperations.putValueToCache(CacheOperations.java:251)
	at org.infinispan.rest.InfinispanCacheAPIRequest.execute(InfinispanCacheAPIRequest.java:59)
	at org.infinispan.rest.Http20RequestHandler.channelRead0(Http20RequestHandler.java:56)
	at org.infinispan.rest.Http11RequestHandler.channelRead0(Http11RequestHandler.java:35)
	at org.infinispan.rest.Http11RequestHandler.channelRead0(Http11RequestHandler.java:18)
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at org.infinispan.rest.cors.CorsHandler.channelRead(CorsHandler.java:75)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438)
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:284)
	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
	at org.infinispan.server.core.transport.StatsChannelHandler.channelRead(StatsChannelHandler.java:26)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)


  was:
The REST endpoint does not use the authenticated user to access authz caches. We need to:
- integrate with the ServerAuthenticationProvider as used by the Hot Rod endpoint so that we can use security callbacks and retrieve a fully populated subject (including groups)
- add SecurityActions within the rest code
- Return 403 forbidden where needed



> REST endpoint authorization
> ---------------------------
>
>                 Key: ISPN-10327
>                 URL: https://issues.jboss.org/browse/ISPN-10327
>             Project: Infinispan
>          Issue Type: Enhancement
>          Components: REST, Security, Server
>            Reporter: Wolf-Dieter Fink
>            Assignee: Tristan Tarrant
>            Priority: Major
>

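As an added illustration of the fix the description asks for (example code, not code from the Infinispan project): run the cache operation under the authenticated Subject with Infinispan's Security.doAs so the authorization check no longer sees subject 'null', and translate a SecurityException into a 403 instead of letting it escape as an uncaught exception in the pipeline. The AuthorizedCacheOperation class, the status-code return value and the 401 branch for a missing subject are assumptions made for this example.

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.infinispan.AdvancedCache;
import org.infinispan.security.Security;

// Hypothetical helper for the example: a REST handler would call this with the
// Subject it obtained from the endpoint's authentication step (the fully populated
// subject, groups included, that the ServerAuthenticationProvider integration provides).
final class AuthorizedCacheOperation {

   // Returns the HTTP status the handler should send for a PUT of key/value.
   static int putAsSubject(Subject subject, AdvancedCache<String, String> cache,
                           String key, String value) {
      if (subject == null) {
         // No authenticated user: answer 401 rather than running the authorization
         // check with subject 'null' (assumption: the endpoint requires authentication).
         return 401;
      }
      try {
         // Security.doAs makes the Subject visible to Infinispan's authorization checks
         // for the duration of the action, so the identity-role-mapper sees the
         // caller's real principals and roles such as "writer" or "admin".
         Security.doAs(subject, (PrivilegedAction<Object>) () -> cache.put(key, value));
         return 200;
      } catch (SecurityException e) {
         // ISPN000287 "Unauthorized access" surfaces here; map it to 403 Forbidden
         // instead of leaving it uncaught in the Netty pipeline (ISPN012006).
         return 403;
      }
   }
}
```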


--
This message was sent by Atlassian Jira
(v7.12.1#712002)

