[jboss-jira] [JBoss JIRA] (WFCORE-2767) Elytron Keystore resource needs restart when credential-reference attribute is changed but restart-required is set to "no-services"

Yeray Borges (JIRA) issues at jboss.org
Mon May 29 11:10:00 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-2767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yeray Borges updated WFCORE-2767:
---------------------------------
    Steps to Reproduce: 
{code}
/subsystem=elytron/credential-store=cs001:add(credential-reference={clear-text=pass123}, create=true, location=cs001.jceks)  
{code}

{code}
/subsystem=elytron/credential-store=cs001:add-alias(alias=ff,secret-value=Elytron)
{code}

Copy firefly.keystore from the attachment to JBOSS_HOME/standalone/data
{code}
/subsystem=elytron/key-store=firefly:add(path=firefly.keystore,relative-to=jboss.server.data.dir,type=JKS,credential-reference= {store=cs001,alias=ff})
{code}

You can list all aliases in the keystore
{code}
/subsystem=elytron/key-store=firefly:read-children-names(child-type=alias)
{
    "outcome" => "success",
    "result" => [
        "ca",
        "firefly"
    ]
}
{code}

We create another credential store with the same alias entry but a different value
{code}
/subsystem=elytron/credential-store=cs002:add(credential-reference={clear-text=pass123}, create=true, location=cs002.jceks)  
{code}
{code}
/subsystem=elytron/credential-store=cs002/alias=ff:add(secret-value=ElytronWrong)
{code}

*Now we change the credential-reference of the keystore to the second credential store, which holds an invalid password for keystore access.*
{code}
/subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{code}
A reload is required for credential-reference, but in the model we see "restart-required" => "no-services"
{code:collapse}
"credential-reference" => {
                "type" => OBJECT,
                "description" => "The reference to credential stored in CredentialStore under defined alias or clear text password.",
                "expressions-allowed" => false,
                "required" => true,
                "nillable" => false,
                "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
                "value-type" => {
                    "store" => {
                        "type" => STRING,
                        "description" => "The name of the credential store holding the alias to credential.",
                        "expressions-allowed" => false,
                        "required" => false,
                        "nillable" => true,
                        "capability-reference" => "org.wildfly.security.credential-store",
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "alias" => {
                        "type" => STRING,
                        "description" => "The alias which denotes stored secret or credential in the store.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "type" => {
                        "type" => STRING,
                        "description" => "The type of credential this reference is denoting.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "clear-text" => {
                        "type" => STRING,
                        "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    }
                },
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "no-services"
            }
{code}

*Setting the allow-resource-service-restart header property to true doesn't help*
{code}
/subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002){allow-resource-service-restart=true}   
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{code}




  was:
{code}
/subsystem=elytron/credential-store=cs001:add(credential-reference={clear-text=pass123}, create=true, location=cs001.jceks)  
{code}

{code}
/subsystem=elytron/credential-store=cs001/alias=ff:add(secret-value=Elytron)
{code}

Copy firefly.keystore from the attachment to JBOSS_HOME/standalone/data
{code}
/subsystem=elytron/key-store=firefly:add(path=firefly.keystore,relative-to=jboss.server.data.dir,type=JKS,credential-reference= {store=cs001,alias=ff})
{code}

You can list all aliases in the keystore
{code}
/subsystem=elytron/key-store=firefly:read-children-names(child-type=alias)
{
    "outcome" => "success",
    "result" => [
        "ca",
        "firefly"
    ]
}
{code}

We create another credential store with the same alias entry but a different value
{code}
/subsystem=elytron/credential-store=cs002:add(credential-reference={clear-text=pass123}, create=true, location=cs002.jceks)  
{code}
{code}
/subsystem=elytron/credential-store=cs002/alias=ff:add(secret-value=ElytronWrong)
{code}

*Now we change the credential-reference of the keystore to the second credential store, which holds an invalid password for keystore access.*
{code}
/subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{code}
A reload is required for credential-reference, but in the model we see "restart-required" => "no-services"
{code:collapse}
"credential-reference" => {
                "type" => OBJECT,
                "description" => "The reference to credential stored in CredentialStore under defined alias or clear text password.",
                "expressions-allowed" => false,
                "required" => true,
                "nillable" => false,
                "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
                "value-type" => {
                    "store" => {
                        "type" => STRING,
                        "description" => "The name of the credential store holding the alias to credential.",
                        "expressions-allowed" => false,
                        "required" => false,
                        "nillable" => true,
                        "capability-reference" => "org.wildfly.security.credential-store",
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "alias" => {
                        "type" => STRING,
                        "description" => "The alias which denotes stored secret or credential in the store.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "type" => {
                        "type" => STRING,
                        "description" => "The type of credential this reference is denoting.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "clear-text" => {
                        "type" => STRING,
                        "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    }
                },
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "no-services"
            }
{code}

*Setting the allow-resource-service-restart header property to true doesn't help*
{code}
/subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002){allow-resource-service-restart=true}   
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{code}






> Elytron Keystore resource needs restart when credential-reference attribute is changed but restart-required is set to "no-services"
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-2767
>                 URL: https://issues.jboss.org/browse/WFCORE-2767
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Hynek Švábek
>            Assignee: Yeray Borges
>            Priority: Critical
>
> Elytron Keystore resource needs restart when credential-reference attribute is changed but restart-required is set to "no-services"
> restart-required should rather be set to "resource-services", with the ability to use the allow-resource-service-restart=true header property
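The practical risk behind this issue is that a configuration pipeline which rewrites credential-reference and trusts the model's "restart-required" => "no-services" will believe the keystore now uses the new credential, while the running service keeps the old one until a reload. The following Python is an added example, not WildFly/JBoss code and not the reporter's: it parses the DMR text layout that jboss-cli prints (inferred only from the output quoted in this issue), reads the response headers of a write-attribute call, and flags the mismatch between what the attribute description promises and what the server actually answered. The sample response and the trimmed attribute description are constructed from the output above.

```python
"""Parse WildFly CLI (DMR text) output and flag writes whose response demands
a reload even though the attribute's model description advertises
"restart-required" => "no-services".  Added example; not WildFly code."""
import re

# Tokenizer for the DMR text format printed by jboss-cli: JSON-like, but with
# "=>" between key and value, bare type names (OBJECT, STRING) and an 'L'
# suffix on long integers.  Layout is inferred from the quoted CLI output.
_TOKEN = re.compile(r'''
    \s+                          # whitespace, skipped
  | "(?:[^"\\]|\\.)*"            # quoted string
  | =>                           # key/value separator
  | [{}\[\],]                    # structural characters
  | -?\d+L?                      # integer, optionally with DMR's 'L' suffix
  | [A-Za-z_][A-Za-z0-9_]*       # bare word: true, false, undefined, OBJECT, ...
''', re.VERBOSE)


def _tokens(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if not m.group(0).isspace():
            yield m.group(0)


def _parse_value(toks, i):
    """Parse one DMR value starting at toks[i]; return (value, next index)."""
    tok = toks[i]
    if tok == "{":
        obj, i = {}, i + 1
        while toks[i] != "}":
            key, i = _parse_value(toks, i)
            if toks[i] != "=>":
                raise ValueError("expected '=>' after object key")
            val, i = _parse_value(toks, i + 1)
            obj[key] = val
            if toks[i] == ",":
                i += 1
        return obj, i + 1
    if tok == "[":
        items, i = [], i + 1
        while toks[i] != "]":
            val, i = _parse_value(toks, i)
            items.append(val)
            if toks[i] == ",":
                i += 1
        return items, i + 1
    if tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"'), i + 1
    if tok == "true":
        return True, i + 1
    if tok == "false":
        return False, i + 1
    if tok == "undefined":
        return None, i + 1
    if re.fullmatch(r"-?\d+L?", tok):
        return int(tok.rstrip("L")), i + 1
    return tok, i + 1  # bare model type name such as OBJECT or STRING


def parse_dmr(text):
    """Parse a DMR document; also accepts a bare '"name" => {...}' pair, which is
    how read-resource-description prints a single attribute."""
    toks = list(_tokens(text))
    value, i = _parse_value(toks, 0)
    if i < len(toks) and toks[i] == "=>":
        inner, i = _parse_value(toks, i + 1)
        value = {value: inner}
    if i != len(toks):
        raise ValueError("trailing tokens after DMR value")
    return value


def requires_reload(response):
    """True when the server says the change only takes effect after reload/restart."""
    headers = response.get("response-headers", {})
    return (bool(headers.get("operation-requires-reload"))
            or headers.get("process-state") in ("reload-required", "restart-required"))


def restart_contract_violated(attr_desc, response):
    """The inconsistency reported in this issue: the model claims no service is
    affected, yet the server answered that a reload is required."""
    return attr_desc.get("restart-required") == "no-services" and requires_reload(response)


def audit_write(description_text, attr_name, response_text):
    """Compare what the model promises for attr_name with what the server did."""
    attr = parse_dmr(description_text)[attr_name]
    resp = parse_dmr(response_text)
    return {"declared": attr.get("restart-required"),
            "reload_required": requires_reload(resp),
            "violated": restart_contract_violated(attr, resp)}


# Constructed samples, trimmed from the CLI output quoted in the issue.
WRITE_ATTRIBUTE_RESPONSE = '''{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}'''
NO_RELOAD_RESPONSE = '{"outcome" => "success"}'
ATTRIBUTE_DESCRIPTION = '''"credential-reference" => {
    "type" => OBJECT,
    "required" => true,
    "value-type" => {
        "store" => {"type" => STRING, "min-length" => 1L, "max-length" => 2147483647L}
    },
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "no-services"
}'''

if __name__ == "__main__":
    print(audit_write(ATTRIBUTE_DESCRIPTION, "credential-reference", WRITE_ATTRIBUTE_RESPONSE))
```

In an automation step this is the check to run after every write to a credential-reference: if `violated` (or simply `reload_required`) comes back true, the job should fail or schedule the reload rather than report the rotation as done, because until then the keystore service still holds the previous credential.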



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)