[jboss-jira] [JBoss JIRA] (WFCORE-580) Recursive read-resource with include-runtime=true assumes all runtime singleton resources will be present.
Brian Stansberry (JIRA)
issues at jboss.org
Thu Apr 9 18:01:19 EDT 2015
[ https://issues.jboss.org/browse/WFCORE-580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry updated WFCORE-580:
------------------------------------
Description:
Take the following hierarchy: -
{code}
keystore=xxx
alias=yyy
certificate-chain=default
certificate-chain=x509
{code}
keystore is a regular resource with storage=configuration.
alias is a regular resource with storage=runtime
certificate-chain=default and certificate-chain=x509 are regular resources with storage=runtime.
So alias represents a single alias from a Java KeyStore, this may or may not have a certificate chain and it may be a default chain or it may be an x509 chain.
The recursive read-resource is fine with regular resources such as alias as it has to rely on the underlying resource implementation to identify the instances that actually exist.
For the singleton resources however the following method is called: -
{code}
org.jboss.as.controller.operations.global.GlobalOperationHandlers.getChildAddresses(OperationContext, PathAddress, ImmutableManagementResourceRegistration, Resource, String)
{code}
Within this method the following check takes place: -
{code}
if (resource != null && resource.hasChildren(childType)) {
Set<String> childNames = resource.getChildrenNames(childType);
if (element.isWildcard()) {
set.addAll(childNames);
} else if (childNames.contains(element.getValue())) {
set.add(element.getValue());
}
{code}
Up to this point all is fine, the children the resource claims are available are the only ones added.
But further down this happens: -
{code}
if (!element.isWildcard()) {
ImmutableManagementResourceRegistration childReg = registry.getSubModel(PathAddress.pathAddress(element));
if (childReg != null && childReg.isRuntimeOnly()) {
set.add(element.getValue());
}
}
{code}
So even though the resource was previously checked and missing children excluded they are now added back.
The end result in this example is that the recursive read resource attempts to read for certificate-chain=default when it should only be reading for certificate-chain=x509 as already reported by the resource implementation.
>From a discussion in HipChat yesterday there was general agreement this behaviour seems to be wrong, however support for Proxied resources may be (incorrectly) dependent on this.
was:
Take the following hierarchy: -
keystore=xxx
alias=yyy
certificate-chain=default
certificate-chain=x509
keystore is a regular resource with storage=configuration.
alias is a regular resource with storage=runtime
certificate-chain=default and certificate-chain=x509 are regular resources with storage=runtime.
So alias represents a single alias from a Java KeyStore, this may or may not have a certificate chain and it may be a default chain or it may be an x509 chain.
The recursive read-resource is fine with regular resources such as alias as it has to rely on the underlying resource implementation to identify the instances that actually exist.
For the singleton resources however the following method is called: -
{code}
org.jboss.as.controller.operations.global.GlobalOperationHandlers.getChildAddresses(OperationContext, PathAddress, ImmutableManagementResourceRegistration, Resource, String)
{code}
Within this method the following check takes place: -
{code}
if (resource != null && resource.hasChildren(childType)) {
Set<String> childNames = resource.getChildrenNames(childType);
if (element.isWildcard()) {
set.addAll(childNames);
} else if (childNames.contains(element.getValue())) {
set.add(element.getValue());
}
{code}
Up to this point all is fine, the children the resource claims are available are the only ones added.
But further down this happens: -
{code}
if (!element.isWildcard()) {
ImmutableManagementResourceRegistration childReg = registry.getSubModel(PathAddress.pathAddress(element));
if (childReg != null && childReg.isRuntimeOnly()) {
set.add(element.getValue());
}
}
{code}
So even though the resource was previously checked and missing children excluded they are now added back.
The end result in this example is that the recursive read resource attempts to read for certificate-chain=default when it should only be reading for certificate-chain=x509 as already reported by the resource implementation.
>From a discussion in HipChat yesterday there was general agreement this behaviour seems to be wrong, however support for Proxied resources may be (incorrectly) dependent on this.
> Recursive read-resource with include-runtime=true assumes all runtime singleton resources will be present.
> ----------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-580
> URL: https://issues.jboss.org/browse/WFCORE-580
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Affects Versions: 1.0.0.Alpha19
> Reporter: Darran Lofthouse
> Assignee: Brian Stansberry
> Labels: affects_elytron
> Fix For: 1.0.0.CR1
>
>
> Take the following hierarchy: -
> {code}
> keystore=xxx
> alias=yyy
> certificate-chain=default
> certificate-chain=x509
> {code}
> keystore is a regular resource with storage=configuration.
> alias is a regular resource with storage=runtime
> certificate-chain=default and certificate-chain=x509 are regular resources with storage=runtime.
> So alias represents a single alias from a Java KeyStore, this may or may not have a certificate chain and it may be a default chain or it may be an x509 chain.
> The recursive read-resource is fine with regular resources such as alias as it has to rely on the underlying resource implementation to identify the instances that actually exist.
> For the singleton resources however the following method is called: -
> {code}
> org.jboss.as.controller.operations.global.GlobalOperationHandlers.getChildAddresses(OperationContext, PathAddress, ImmutableManagementResourceRegistration, Resource, String)
> {code}
> Within this method the following check takes place: -
> {code}
> if (resource != null && resource.hasChildren(childType)) {
> Set<String> childNames = resource.getChildrenNames(childType);
> if (element.isWildcard()) {
> set.addAll(childNames);
> } else if (childNames.contains(element.getValue())) {
> set.add(element.getValue());
> }
> {code}
> Up to this point all is fine, the children the resource claims are available are the only ones added.
> But further down this happens: -
> {code}
> if (!element.isWildcard()) {
> ImmutableManagementResourceRegistration childReg = registry.getSubModel(PathAddress.pathAddress(element));
> if (childReg != null && childReg.isRuntimeOnly()) {
> set.add(element.getValue());
> }
> }
> {code}
> So even though the resource was previously checked and missing children excluded they are now added back.
> The end result in this example is that the recursive read resource attempts to read for certificate-chain=default when it should only be reading for certificate-chain=x509 as already reported by the resource implementation.
> From a discussion in HipChat yesterday there was general agreement this behaviour seems to be wrong, however support for Proxied resources may be (incorrectly) dependent on this.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
More information about the jboss-jira
mailing list