[wildfly-dev] Subsystems changing their own configuration model

Wed Sep 14 05:24:05 EDT 2016

On 14/09/16 09:54, Tristan Tarrant wrote:
> On 13/09/16 22:40, Brian Stansberry wrote:
>>>
>>
>> There is nothing fundamental that says you can’t do this so long as you’re not trying to execute these ops as part of the start/stop of an MSC service. It doesn’t sound like that’s the case.
>
> Indeed.
>
>> It does sound though like you want to expose management over the non-management interface. That’s a significant security hole.
>
> Well, it is a protocol operation which has a management side-effect. The
> way we have approached that in other similar situations is to either
> require access through a loopback interface or require authentication
> and authorization be enabled on the endpoint and an Admin permission on
> the subject requesting the operation. Note however that the Hot Rod
> endpoint would be using a different security realm compared to the
> management one.

FYI for WildFly 11 if a call remains in-VM and goes from the application 
to the management tier we will have a mechanism for the identity to be 
inflowed to the security domain used for management which will allow 
management access control to be used.

>>> I guess that in standalone mode this wouldn't be too much of an issue,
>>> with two caveats:
>>> - all nodes in a cluster should apply the changes to their own
>>> configuration, leveraging the model rollback mechanism to handle
>>> failures on other nodes
>>
>> There is no multi-process model rollback mechanism with standalone servers.
>
> I know: this would have to be implemented by the subsystem using the
> cluster transport.
>
>>> - new nodes joining the cluster (and therefore with a possibly outdated
>>> configuration) would receive the configuration of caches already running
>>> in the cluster and applying them locally
>>>
>>
>> How does this happen?
>
> Again, via the cluster transport.
>
>>> The real tricky bit is obviously domain mode. The server receiving the
>>> cache creation request would need to delegate it to the DC who would
>>> then apply it across the profile. However this clashes with the fact
>>> that, as far as I know, there is no way for a server to communicate with
>>> its DC. Is this type of functionality planned ?
>>>
>>
>> Not actively. We looked into it a bit in the context of DOMAIN_PING but for that use case it became apparent that invoking a bunch of management ops against the DC was a non-scalable solution. This sounds different; a server would need to figure out what profile stores the infinispan subsystem config (it may not be the final one associated with the server group since profile x can include profile y) and then make a change to that profile. That’s scalable.
>>
>> If we set up this kind of connection we’d need to ensure the caller’s security context propagates. Having an external request come in to a server and then get treated by the DC as if it were from a trusted caller like a slave HC or server would be bad.
>
> As described above, the caller might not be in the same security realm
> as the management stuff.
>
>
>>> I have created a document which describes what we'd like to do at [1]
>>>
>>> Tristan
>>>
>>>
>>> [1] https://github.com/infinispan/infinispan/wiki/Create-Cache-over-HotRod
>>>
>>> --
>>> Tristan Tarrant
>>> Infinispan Lead
>>> JBoss, a division of Red Hat
>>> _______________________________________________
>>> wildfly-dev mailing list
>>> wildfly-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>