Bug 1161479
Summary: | HR size operation requires ADMIN permission | ||
---|---|---|---|
Product: | [JBoss] JBoss Data Grid 6 | Reporter: | Vojtech Juranek <vjuranek> |
Component: | Server | Assignee: | Tristan Tarrant <ttarrant> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Gencur <mgencur> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.4.0 | CC: | dstahl, jdg-bugs, mhusnain, slaskawi |
Target Milestone: | CR1 | ||
Target Release: | 6.4.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Previously in Red Hat JBoss Data Grid, the Map/reduce task missed security actions. As a result, users could not use the Hot Rod size() operation via the map/reduce approach unless they had ADMIN permissions.
This issue is now resolved in JBoss Data Grid 6.4 by adding the required map/reduce security actions. As a result, users with EXEC permissions can now execute map/reduce operations as expected.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | Bug | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1153111 |
Description
Vojtech Juranek
2014-11-07 08:29:37 UTC
Still getting error when running size operation on remote cache: testSupervisor(org.infinispan.server.test.client.hotrod.security.HotRodKrbAuthIT) Time elapsed: 0.073 sec <<< ERROR! org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject: Principal: supervisor Principal: supervisor@ApplicationRealm Principal: supervisor@ApplicationRealm Principal: supervisor Principal: SimpleUserPrincipal [name=supervisor] Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1] ' lacks 'ADMIN' permission at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:298) at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:88) at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:74) at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56) at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:29) at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:13) at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50) at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207) at org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testSize(HotRodAuthzOperationTests.java:178) at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSupervisor(HotRodSaslAuthTestBase.java:116) Fails also for clear() and putAll() operations. Supervisor has following permissions which should be IMHO sufficient to perform these operations: <role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/> |