Bug 1161479 - HR size operation requires ADMIN permission
Summary: HR size operation requires ADMIN permission
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Grid 6
Classification: JBoss
Component: Server
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
Target Release: 6.4.0
Assignee: Tristan Tarrant
QA Contact: Martin Gencur
URL:
Whiteboard:
Depends On:
Blocks: jdg64-GA-Blockers
Reported: 2014-11-07 08:29 UTC by Vojtech Juranek
Modified: 2015-02-23 00:00 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously in Red Hat JBoss Data Grid, the map/reduce task was missing the required security actions. As a result, users could not use the Hot Rod size() operation via the map/reduce approach unless they had ADMIN permission. This issue is now resolved in JBoss Data Grid 6.4 by adding the required map/reduce security actions. As a result, users with EXEC permission can now execute map/reduce operations as expected.
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Vojtech Juranek 2014-11-07 08:29:37 UTC
Executing the size operation via the HR client requires ADMIN permission, while it should require BULK_READ. Having e.g. a supervisor role with BULK_READ permission, the size operation fails with

testSupervisorWriteRead(org.infinispan.server.test.client.hotrod.security.HotRodPlainAuthLocalIT)  Time elapsed: 0.029 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: supervisor@ApplicationRealm
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
        Principal: 127.0.0.1@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:284)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:86)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:72)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:42)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:22)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSize(HotRodSaslAuthTestBase.java:156)

Comment 3 Vojtech Juranek 2015-01-06 15:18:03 UTC
Still getting error when running size operation on remote cache:

testSupervisor(org.infinispan.server.test.client.hotrod.security.HotRodKrbAuthIT)  Time elapsed: 0.073 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: supervisor
        Principal: supervisor@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:298)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:88)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:74)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:29)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:13)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testSize(HotRodAuthzOperationTests.java:178)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSupervisor(HotRodSaslAuthTestBase.java:116)

Comment 4 Vojtech Juranek 2015-01-06 15:51:36 UTC
Fails also for the clear() and putAll() operations. Supervisor has the following permissions, which should IMHO be sufficient to perform these operations:

<role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/>

Comment 5 Sebastian Łaskawiec 2015-01-09 15:43:17 UTC
PR: https://github.com/infinispan/jdg/pull/430
