[infinispan-issues] [JBoss JIRA] (ISPN-10722) Mgmt console: home page load fails in case secured cache container

Dan Berindei (Jira) issues at jboss.org
Thu Oct 10 07:59:00 EDT 2019 

    [ https://issues.jboss.org/browse/ISPN-10722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13797322#comment-13797322 ] 

Dan Berindei commented on ISPN-10722:
-------------------------------------

Trying to reproduce JDG-3214 I got another exception: when I tried to add security to the cache, it told me I should first enable it for the cache container, and I did so, but apparently it did not restart the cache container.

I went back to the cache and I enabled security, and the cache got restarted with security enabled causing this exception in the log (and part of it in a mgmt console popup):
{noformat}
14:45:11,812 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service jboss.datagrid-infinispan.local.namedCache.config: org.jboss.msc.service.StartException in service jboss.datagrid-infinispan.local.namedCache.config: Failed to start service
    at org.jboss.msc at 1.4.3.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1728)
    at org.jboss.msc at 1.4.3.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
    at org.jboss.threads at 2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.infinispan.commons.CacheConfigurationException: ISPN000414: Global security authorization should be enabled if cache authorization enabled.
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.configuration.cache.AuthorizationConfigurationBuilder.validate(AuthorizationConfigurationBuilder.java:60)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.configuration.cache.SecurityConfigurationBuilder.validate(SecurityConfigurationBuilder.java:26)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.configuration.cache.ConfigurationBuilder.validate(ConfigurationBuilder.java:271)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.configuration.cache.ConfigurationBuilder.build(ConfigurationBuilder.java:286)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.configuration.ConfigurationManager.putConfiguration(ConfigurationManager.java:97)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.manager.DefaultCacheManager.doDefineConfiguration(DefaultCacheManager.java:399)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.manager.DefaultCacheManager.defineConfiguration(DefaultCacheManager.java:358)
    at org.infinispan.extension:ispn-9.4 at 9.4.16-SNAPSHOT//org.jboss.as.clustering.infinispan.DefaultCacheContainer.defineConfiguration(DefaultCacheContainer.java:67)
    at org.infinispan.extension:ispn-9.4 at 9.4.16-SNAPSHOT//org.jboss.as.clustering.infinispan.subsystem.SecurityActions.lambda$defineContainerConfiguration$2(SecurityActions.java:117)
    at org.infinispan.core:ispn-9.4 at 9.4.16-SNAPSHOT//org.infinispan.security.Security.doPrivileged(Security.java:46)
    at org.infinispan.extension:ispn-9.4 at 9.4.16-SNAPSHOT//org.jboss.as.clustering.infinispan.subsystem.SecurityActions.doPrivileged(SecurityActions.java:76)
    at org.infinispan.extension:ispn-9.4 at 9.4.16-SNAPSHOT//org.jboss.as.clustering.infinispan.subsystem.SecurityActions.defineContainerConfiguration(SecurityActions.java:120)
    at org.infinispan.extension:ispn-9.4 at 9.4.16-SNAPSHOT//org.jboss.as.clustering.infinispan.subsystem.AbstractCacheConfigurationService.start(AbstractCacheConfigurationService.java:76)
    at org.jboss.msc at 1.4.3.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
    at org.jboss.msc at 1.4.3.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
    ... 6 more
{noformat}

There's another twist: after I restarted the server I enabled security on the cache again, and this time I got a warning in the console that the change will only be applied after I restart the server

> Mgmt console: home page load fails in case secured cache container
> ------------------------------------------------------------------
>
>                 Key: ISPN-10722
>                 URL: https://issues.jboss.org/browse/ISPN-10722
>             Project: Infinispan
>          Issue Type: Bug
>          Components: Console, JMX, reporting and management
>    Affects Versions: 9.4.16.Final, 10.0.0.CR2
>            Reporter: Dan Berindei
>            Assignee: Dan Berindei
>            Priority: Major
>
> The following exception appears in server logs and hanging screen is visible in browser when mgmt console home page is accessed, in case when the server is started with secured cache-container.
> {noformat}
> 12:53:09,199 ERROR [org.jboss.as.controller.management-operation] (External Management Request Threads -- 2) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
>     ("subsystem" => "datagrid-infinispan"),
>     ("cache-container" => "local")
> ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
> 	at org.infinispan.core:ispn-9.4 at 9.4.16.Final//org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:87)
> 	at org.infinispan.core:ispn-9.4 at 9.4.16.Final//org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:57)
> 	at org.infinispan.core:ispn-9.4 at 9.4.16.Final//org.infinispan.manager.DefaultCacheManager.getDefaultCacheConfiguration(DefaultCacheManager.java:847)
> 	at org.infinispan.core:ispn-9.4 at 9.4.16.Final//org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:135)
> 	at org.infinispan.core:ispn-9.4 at 9.4.16.Final//org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:86)
> 	at org.infinispan.extension:ispn-9.4 at 9.4.16.Final//org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:342)
> 	at org.infinispan.extension:ispn-9.4 at 9.4.16.Final//org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:296)
> {noformat}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the infinispan-issues mailing list