Bug 1109583
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CLI Roles Grant + Deny | | |
| Product: | [JBoss] JBoss Data Grid 6 | Reporter: | Tristan Tarrant <ttarrant> |
| Component: | Library, Server | Assignee: | Tristan Tarrant <ttarrant> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Gencur <mgencur> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.3.0 | CC: | jdg-bugs, vchepeli |
| Target Milestone: | CR1 | | |
| Target Release: | 6.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-26 14:06:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description (Tristan Tarrant, 2014-06-15 17:08:19 UTC)

Running a standalone server with standalone-auth.xml. I changed only identity-role-mapper to cluster-role-mapper and then tried to do the following from the console:

```
[standalone@localhost:9999 cache-container=local] cache secured
[standalone@localhost:9999 local-cache=secured] roles
```

I got an UnsupportedOperationException:
```
16:36:24,259 ERROR [org.infinispan.cli.interpreter.Interpreter] (management-handler-thread - 1) ISPN019003: Interpreter error: java.lang.UnsupportedOperationException
	at org.infinispan.security.impl.ClusterRoleMapper.listAll(ClusterRoleMapper.java:69) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.cli.interpreter.statement.RolesStatement.execute(RolesStatement.java:41) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.cli.interpreter.Interpreter.execute(Interpreter.java:149) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:164) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:161) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.security.Security.doPrivileged(Security.java:89) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.server.infinispan.SecurityActions.doPrivileged(SecurityActions.java:53) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.infinispan.server.infinispan.SecurityActions.executeInterpreter(SecurityActions.java:167) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.jboss.as.clustering.infinispan.subsystem.CliInterpreterHandler.execute(CliInterpreterHandler.java:49) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:601) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:479) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:283) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:278) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:231) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:137) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:173) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:105) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:125) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
	at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]
```
Vitalii, this works on CR1. Please always test with the latest release.

Created attachment 914652 [details]
hotrod secured with fix for users without roles

1) The roles command is not showing users and roles correctly.

Added two users:

```
bin/add-user.sh -a -u user1 -p qwer1234@
bin/add-user.sh -a -u user2 -p qwer1234@
```

```
[standalone@localhost:9999 cache-container=local] roles
<<< Here there should be a map showing that user1 and user2 have no roles
[standalone@localhost:9999 cache-container=local] cache teams
[standalone@localhost:9999 local-cache=teams] grant writer to user1
[standalone@localhost:9999 local-cache=teams] grant reader to user2
[standalone@localhost:9999 local-cache=teams] roles
[reader][writer]
```

<<< So we actually do not see a map {user, [roles]}; we see only that the writer role is granted to some user and the reader role is assigned to some user.
2) Wrong roles are mapped to the user.

If I try to run the hotrod-secured quickstart and call "grant writer to user1", I get the following output from the quickstart:

```
Enter username: user1
Enter password: qwer1234@
Choose action:
=============
at - add a team
ap - add a player to a team
rt - remove a team
rp - remove a player from a team
p - print all teams and players
q - quit
>at
Enter team name: Real
ACCESS DENIED: at, PERMISSION RESTRICTED
```

So that means I can't write to the cache, but when I call "grant reader role to user1" then I am able to write to the cache:
```
>at
Enter team name: Real
>p
=== Team: Real ===
Players:
>ap
Enter team name: p1
The specified team "p1" does not exist, choose next operation
>ap
Enter team name: Real
Enter player's name(to stop adding, type "q"): p1
Enter player's name(to stop adding, type "q"): p2
Enter player's name(to stop adding, type "q"): p3
Enter player's name(to stop adding, type "q"): p4
Enter player's name(to stop adding, type "q"): p5
Enter player's name(to stop adding, type "q"): q
>p
=== Team: Real ===
Players:
- p1
- p2
- p3
- p4
- p5
>
```
3) Users not specified in the ApplicationRealm should now be allowed to grant roles.

```
[standalone@localhost:9999 local-cache=teams] grant reader to user3
[standalone@localhost:9999 local-cache=teams] roles
[reader][reader][reader, writer]
```

Use the quickstart from the attachment.

Created attachment 914654 [details]
Add server configuration for quickstart

So I tested it again and this seems to work. In the quickstart I use the get() operation, so I need the [reader, writer] roles to be specified to add new entries to the cache.
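The closing comment explains the "ACCESS DENIED" in point 2: the quickstart's add-team action reads before it writes, so a user holding only the writer role fails on the read. The following is an added illustration using Infinispan's embedded authorization API, not code from the quickstart or from this bug; the class name, the constructed subjects, the use of IdentityRoleMapper in place of the cluster role mapper, and the get-then-put shape of the action are assumptions.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.infinispan.Cache;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfigurationBuilder;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.Security;
import org.infinispan.security.impl.IdentityRoleMapper;

public class TeamsAuthzDemo {
    // Constructed test subjects: IdentityRoleMapper maps each principal name to the
    // role of the same name, so a principal called "writer" carries the writer role.
    static Subject subjectWith(String... roles) {
        Subject s = new Subject();
        for (String r : roles) s.getPrincipals().add((Principal) () -> r);
        return s;
    }

    // Assumed shape of the quickstart's "at" action, as the last comment describes it:
    // a get() (needs READ) before the put() (needs WRITE).
    static String addTeam(Cache<String, String> cache, Subject user, String team) {
        try {
            return Security.doAs(user, (PrivilegedAction<String>) () -> {
                if (cache.get(team) != null) return "team exists: " + team;
                cache.put(team, "");
                return "added: " + team;
            });
        } catch (SecurityException e) { // raised by the secured cache when a permission is missing
            return "ACCESS DENIED: at, " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        GlobalConfigurationBuilder global = new GlobalConfigurationBuilder();
        global.security().authorization().enable().principalRoleMapper(new IdentityRoleMapper())
              .role("admin").permission(AuthorizationPermission.ALL)
              .role("reader").permission(AuthorizationPermission.READ)
              .role("writer").permission(AuthorizationPermission.WRITE);
        ConfigurationBuilder teams = new ConfigurationBuilder();
        teams.security().authorization().enable().role("admin").role("reader").role("writer");
        // Cache lifecycle is itself a privileged operation, so create and fetch the cache as admin.
        Cache<String, String> cache = Security.doAs(subjectWith("admin"),
              (PrivilegedAction<Cache<String, String>>) () -> new DefaultCacheManager(global.build(), teams.build()).getCache());
        // writer alone is denied on the get(); reader plus writer, the combination "roles" showed after both grants, succeeds.
        System.out.println(addTeam(cache, subjectWith("writer"), "Real"));
        System.out.println(addTeam(cache, subjectWith("reader", "writer"), "Real"));
    }
}
```

The casts on the lambdas avoid overload ambiguity between the PrivilegedAction and PrivilegedExceptionAction forms of Security.doAs.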