Bug 1161479

Summary: HR size operation requires ADMIN permission
Product: [JBoss] JBoss Data Grid 6 Reporter: Vojtech Juranek <vjuranek>
Component: ServerAssignee: Tristan Tarrant <ttarrant>
Status: CLOSED CURRENTRELEASE QA Contact: Martin Gencur <mgencur>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.0CC: dstahl, jdg-bugs, mhusnain, slaskawi
Target Milestone: CR1   
Target Release: 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously in Red Hat JBoss Data Grid, the Map/reduce task missed security actions. As a result, users could not use the Hot Rod size() operation via the map/reduce approach unless they had ADMIN permissions. This issue is now resolved in JBoss Data Grid 6.4 by adding the required map/reduce security actions. As a result, users with EXEC permissions can now execute map/reduce operations as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1153111    

Description Vojtech Juranek 2014-11-07 08:29:37 UTC 
Executing size operation via HR client requires ADMIN permission, while it should require BULK_READ. Having e.g. supervisor role with BULK_READ permission, size operation fails with 

testSupervisorWriteRead(org.infinispan.server.test.client.hotrod.security.HotRodPlainAuthLocalIT)  Time elapsed: 0.029 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: supervisor@ApplicationRealm
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
        Principal: 127.0.0.1@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:284)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:86)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:72)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:42)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:22)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSize(HotRodSaslAuthTestBase.java:156)
Comment 3 Vojtech Juranek 2015-01-06 15:18:03 UTC 
Still getting error when running size operation on remote cache:

testSupervisor(org.infinispan.server.test.client.hotrod.security.HotRodKrbAuthIT)  Time elapsed: 0.073 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: supervisor
        Principal: supervisor@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:298)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:88)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:74)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:29)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:13)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testSize(HotRodAuthzOperationTests.java:178)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSupervisor(HotRodSaslAuthTestBase.java:116)
Comment 4 Vojtech Juranek 2015-01-06 15:51:36 UTC 
Fails also for clear() and putAll() operations. Supervisor has following permissions which should be IMHO sufficient to perform these operations:

<role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/>
Comment 5 Sebastian Ɓaskawiec 2015-01-09 15:43:17 UTC 
PR: https://github.com/infinispan/jdg/pull/430