[jboss-jira] [JBoss JIRA] (WFCORE-2327) embed-server froze during start when RBAC used

Brian Stansberry (JIRA) issues at jboss.org
Sun Feb 26 09:37:00 EST 2017


    [ https://issues.jboss.org/browse/WFCORE-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13369340#comment-13369340 ] 

Brian Stansberry commented on WFCORE-2327:
------------------------------------------

[~dlofthouse] I fixed this by cleaning up how in-VM ModelControllerClients are accessed, exposing a ModelControllerClientFactory as a capability. The factory has two methods for creating a client -- one that provides a client that always runs as superuser (using InVmAccess under the covers) and the other that does not. The existing internal client uses (Deployment scanner and offline CLI) use the SuperUser variant.

I don't want subsystem authors dealing with InVmAccess. That's internal. Hence the need for a factory that provides a suitable client for purely in-vm activity that should have SuperUser perms.

However, this "super user client" does not internally wrap its calls with AccessController.doPrivileged. So, in a security manager enabled VM, the code using the client will need to have ControllerPermission.PERFORM_IN_VM_CALL. This forces the code author to consider whether they are using the client appropriately.

For the deployment scanner, I wrapped its calls to the "super user client" in a doPrivileged. (As you already had in your earlier work on this.)

For the offline CLI, I did not. This means that in a security manager environment offline CLI users will need permissions configured. 

> embed-server froze during start when RBAC used
> ----------------------------------------------
>
>                 Key: WFCORE-2327
>                 URL: https://issues.jboss.org/browse/WFCORE-2327
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: CLI
>    Affects Versions: 3.0.0.Alpha17
>            Reporter: Jan Kalina
>            Assignee: Brian Stansberry
>            Priority: Critical
>             Fix For: 3.0.0.Beta6
>
>         Attachments: standalone.xml
>
>
> When RBAC is enabled, embed-server froze during start - the CLI prompt of the started server does not show and it needs to be interrupted by Ctrl+C.
> {code}
> bin/jboss-cli.sh
> You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
> [disconnected /] embed-server --std-out=echo
> 15:55:41,588 INFO  [org.jboss.modules] (AeshProcess: 1) JBoss Modules version 1.6.0.Beta3
> 15:55:41,650 INFO  [org.jboss.msc] (AeshProcess: 1) JBoss MSC version 1.2.7.Final
> 15:55:41,773 INFO  [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: WildFly Core 3.0.0.Alpha18-SNAPSHOT "Kenny" starting
> 15:55:41,966 INFO  [org.jboss.as.domain.management] (MSC service thread 1-4) WFLYDM0136: Registered OpenSSL provider
> 15:55:42,302 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 15:55:42,367 INFO  [org.jboss.as.patching] (MSC service thread 1-8) WFLYPAT0050: WildFly cumulative patch ID is: base, one-off patches include: none
> 15:55:42,386 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-4) WFLYDM0111: Keystore /home/jkalina/wildfly/wildfly-core/build/target/wildfly-core-3.0.0.Alpha18-SNAPSHOT/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
> 15:55:42,466 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 5) WFLYSRV0212: Resuming server
> 15:55:42,469 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Core 3.0.0.Alpha18-SNAPSHOT "Kenny" started in 875ms - Started 37 of 46 services (17 services are lazy, passive or on-demand)
> {code}
> At this stage it froze and needed to be interrupted by Ctrl+C.
> {code}
> Interrupted while waiting for embedded server to start
> [disconnected /]
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
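
The permission behaviour described in the comment above, as an added example that is not part of the original message and is not WildFly or JDK code: a simplified model of the Java access-control stack walk, showing why the placement of doPrivileged decides which code needs ControllerPermission.PERFORM_IN_VM_CALL. The frame names, the grants given to each frame, and the two callers that lack the permission are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Simplified model of the access-control stack walk; illustrative, not WildFly or JDK code. */
public class InVmPermissionModel {
    // String stand-in for the permission named in the comment.
    static final String PERFORM_IN_VM_CALL = "ControllerPermission.PERFORM_IN_VM_CALL";

    /** One stack frame: whose code it is, what its domain is granted, whether it called doPrivileged. */
    static final class Frame {
        final String code;
        final boolean privileged;
        final Set<String> granted;

        Frame(String code, boolean privileged, String... granted) {
            this.code = code;
            this.privileged = privileged;
            this.granted = new HashSet<>(Arrays.asList(granted));
        }
    }

    /** Walks newest frame first; returns the first frame lacking the permission, or null if the call is allowed. */
    static String firstDenied(List<Frame> newestFirst, String permission) {
        for (Frame f : newestFirst) {
            if (!f.granted.contains(permission)) {
                return f.code;
            }
            if (f.privileged) {
                return null; // doPrivileged: frames further up the stack are not consulted
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Grants below are assumed for the demonstration.
        Frame client = new Frame("super user client", false, PERFORM_IN_VM_CALL); // no doPrivileged inside
        Frame scanner = new Frame("deployment scanner", true, PERFORM_IN_VM_CALL); // wraps its calls
        Frame cli = new Frame("offline CLI", false, PERFORM_IN_VM_CALL); // does not wrap
        Frame deployer = new Frame("hypothetical code that triggers a scan", false);
        Frame embedder = new Frame("hypothetical code embedding the CLI", false);

        System.out.println("scanner path denied at: "
                + firstDenied(Arrays.asList(client, scanner, deployer), PERFORM_IN_VM_CALL));
        System.out.println("offline CLI path denied at: "
                + firstDenied(Arrays.asList(client, cli, embedder), PERFORM_IN_VM_CALL));
    }
}
```

In the scanner path the walk ends at the scanner's own frame, so code further up the stack needs no grant; in the offline CLI path every caller up the stack is checked.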