[jboss-jira] [JBoss JIRA] (WFLY-8340) Resuming a batch job after server resume requires the anonymous identity to have RunAsPrincipalPermission of the original user
James Perkins (JIRA)
issues at jboss.org
Fri Mar 10 14:39:00 EST 2017
[ https://issues.jboss.org/browse/WFLY-8340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Perkins moved JBEAP-9493 to WFLY-8340:
--------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8340 (was: JBEAP-9493)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Batch, Security (was: Batch, Security)
> Resuming a batch job after server resume requires the anonymous identity to have RunAsPrincipalPermission of the original user
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8340
> URL: https://issues.jboss.org/browse/WFLY-8340
> Project: WildFly
> Issue Type: Bug
> Components: Batch, Security
> Reporter: James Perkins
> Assignee: James Perkins
> Priority: Critical
> Attachments: jbeap9452reproducer.zip
>
>
> - Batch job is submitted by user A
> - While the job is running, the server gets suspended
> - When user B calls the {{resume}} operation, a restart of the Batch execution is attempted. However, this only works if the anonymous identity has the permission {{org.wildfly.security.auth.permission.RunAsPrincipalPermission}} for user A, which is not the case in the default configuration.
> I find this a UX issue because you have to add a special permission to make this work when it should work out-of-the-box, and also one might not want to give this permission to {{anonymous}} because it could be potentially abused in other places.
> {noformat}
> 14:59:53,729 TRACE [org.wildfly.security] (management-handler-thread - 4) Permission mapping: identity [anonymous] with roles [] implies ("org.wildfly.security.auth.permission.RunAsPrincipalPermission" "user1") = false
> 14:19:53,842 ERROR [org.wildfly.extension.batch] (management-handler-thread - 4) WFLYBATCH000016: Failed to restart execution 1 for job server-suspend on deployment server-suspend.war: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "user1" authorization operation failed
> at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:628)
> at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:603)
> at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.privilegedRunAs(JobOperatorService.java:520)
> at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.restartStoppedJobs(JobOperatorService.java:495)
> at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.resume(JobOperatorService.java:430)
> at org.jboss.as.server.suspend.SuspendController.resume(SuspendController.java:127)
> at org.jboss.as.server.operations.ServerResumeHandler$1$1.handleResult(ServerResumeHandler.java:79)
> at org.jboss.as.controller.AbstractOperationContext$Step.invokeResultHandler(AbstractOperationContext.java:1493)
> at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1475)
> at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1437)
> at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1410)
> at org.jboss.as.controller.AbstractOperationContext$Step.access$400(AbstractOperationContext.java:1284)
> at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:856)
> at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:842)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:748)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:258)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:277)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)