Executing the size operation via the HR client requires the ADMIN permission, while it should require BULK_READ. Having e.g. the supervisor role with the BULK_READ permission, the size operation fails with:

testSupervisorWriteRead(org.infinispan.server.test.client.hotrod.security.HotRodPlainAuthLocalIT) Time elapsed: 0.029 sec <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject: Principal: SimpleUserPrincipal [name=supervisor] Principal: supervisor@ApplicationRealm Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1] Principal: 127.0.0.1@ApplicationRealm Principal: supervisor@ApplicationRealm Principal: supervisor ' lacks 'ADMIN' permission
    at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:284)
    at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:86)
    at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:72)
    at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
    at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:42)
    at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:22)
    at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
    at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
    at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSize(HotRodSaslAuthTestBase.java:156)

Still getting an error when running the size operation on a remote cache:

testSupervisor(org.infinispan.server.test.client.hotrod.security.HotRodKrbAuthIT) Time elapsed: 0.073 sec <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject: Principal: supervisor Principal: supervisor@ApplicationRealm Principal: supervisor@ApplicationRealm Principal: supervisor Principal: SimpleUserPrincipal [name=supervisor] Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1] ' lacks 'ADMIN' permission
    at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:298)
    at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:88)
    at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:74)
    at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
    at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:29)
    at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:13)
    at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
    at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
    at org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testSize(HotRodAuthzOperationTests.java:178)
    at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSupervisor(HotRodSaslAuthTestBase.java:116)

It also fails for the clear() and putAll() operations. Supervisor has the following permissions, which should IMHO be sufficient to perform these operations:

<role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/>

PR: https://github.com/infinispan/jdg/pull/430
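
A triage sketch for the ISPN000287 denials reported above, added here as an example and not taken from Infinispan or the linked PR: it parses the denial message, reads the role definition, and separates a server check that demands more than expected from a genuine lack of rights. The sample trace is constructed (shortened from the report), `EXPECTED` holds only the expectation the report states for size, and matching a principal name to a role name is an assumption about the role mapping.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the trace format shown in the report.
SAMPLE_TRACE = (
    "java.lang.SecurityException: ISPN000287: Unauthorized access: subject "
    "'Subject: Principal: SimpleUserPrincipal [name=supervisor] "
    "Principal: supervisor@ApplicationRealm Principal: supervisor ' "
    "lacks 'ADMIN' permission\n"
    "  at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:42)\n"
    "  at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)\n"
)
ROLE_XML = '<role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/>'
# Permission the report says the operation should need; other operations are not stated.
EXPECTED = {"size": "BULK_READ"}

DENIAL = re.compile(r"ISPN000287: Unauthorized access: subject '(.*?)' lacks '(\w+)' permission", re.S)
PRINCIPAL = re.compile(r"Principal:\s*(.+?)\s*(?=Principal:|$)", re.S)
API_CALL = re.compile(r"RemoteCacheImpl\.(\w+)\(")

def principals(subject):
    """Return bare principal names, unwrapping 'Type [name=x]' entries."""
    names = set()
    for raw in PRINCIPAL.findall(subject):
        m = re.search(r"\[name=([^\]]+)\]", raw)
        names.add(m.group(1) if m else raw)
    return names

def triage(trace, role_xml, expected=EXPECTED):
    """Classify one denial against the role's granted permissions."""
    denial = DENIAL.search(trace)
    if denial is None:
        return None
    role = ET.fromstring(role_xml)
    granted = set(role.get("permissions", "").split())
    call = API_CALL.search(trace)
    op = call.group(1) if call else None
    demanded, want = denial.group(2), expected.get(op)
    if demanded in granted:
        verdict = "inconsistent"        # denied although the role grants it
    elif want and want in granted and demanded != want:
        verdict = "check-too-strict"    # server demanded more than expected
    else:
        verdict = "genuine-denial"
    # Assumption: a principal name equal to the role name maps to that role.
    return {"role_matches": role.get("name") in principals(denial.group(1)),
            "operation": op, "demanded": demanded, "expected": want, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE, ROLE_XML))
```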