Bug 783065

Summary: security-domain don't works
Product: OKD
Reporter: elesne <elesne>
Component: Containers
Assignee: Bill DeCoste <wdecoste>
Status: CLOSED NOTABUG
QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.x   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2012-01-24 16:08:12 UTC Type: ---
Attachments:
Description: persistence.xml file; Flags: none
Description: Standalone with security-domain's working; Flags: none

Description elesne@anteo-consulting.com 2012-01-19 08:57:54 UTC
Description of problem:
When I add 2 new security-domains into .openshift/config/standalone.xml, my app can't start.

My new security-domains are:
1. A DB domain:
<security-domain name="alfa-db" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:jboss/datasources/MysqlDS</module-option>
      <module-option name="principalsQuery">SELECT password FROM User WHERE username=?</module-option>
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM UserRoles, User WHERE User.username=? AND User.id = UserRoles.user_id</module-option>
    </login-module>
  </authentication>
</security-domain>
				

2. A properties files domain:
<security-domain name="alfa-prop" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">utilisateurs.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>
  </authentication>
</security-domain>

Version-Release number of selected component (if applicable):


How reproducible:
Add this security domain into .openshift/config/standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required"/>
      </authentication>
    </security-domain>
    <!-- Add security domains here -->
  </security-domains>
</subsystem>

Steps to Reproduce:
1. Modify file
2. Push this file into openshift app
3. Start or restart app
  
Actual results:
rhc-ctl-app -a alfa -l elesne -c start -d
Password: ###

Contacting https://openshift.redhat.com
Problem reported from server. Response code was 500.

DEBUG:
Cartridge return code: 121

Exit Code: 1
broker_c: ["namespace", "rhlogin", "ssh", "app_uuid", "debug", "alter", "cartridge", "cart_type", "action", "app_name",
"api"]
api_c: ["placeholder"]
API version:    1.1.2
Broker version: 1.1.1

RESULT:
Node execution failure (invalid exit code from node).  If the problem persists please contact Red Hat support.

rhc-ctl-app -a alfa -l elesne -c status -d
Password: ####

Contacting https://openshift.redhat.com
Response from server:
DEBUG:
tailing /var/lib/libra/2d25d1289668403db7a9addd81c1ce37/alfa//jbossas-7.0/standalone/log/server.log
------ Tail of alfa application server.log ------
13:48:41,160 ERROR [org.hibernate.tool.hbm2ddl.SchemaExport] (MSC service thread 1-4) Sequence "HIBERNATE_SEQUENCE" not
found; SQL statement:
drop sequence hibernate_sequence [90036-145]
13:48:41,235 INFO  [org.hibernate.tool.hbm2ddl.SchemaExport] (MSC service thread 1-4) HHH00230:Schema export complete
13:48:41,454 INFO  [org.jboss.weld] (MSC service thread 1-1) Starting weld service
13:48:43,658 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (MSC service thread 1-2) Initializing Mojarra 2.1
.3 (SNAPSHOT 20110825) for context '/alfa-web'
13:48:47,999 INFO  [org.primefaces.webapp.PostConstructApplicationEventListener] (MSC service thread 1-2) Running on Pri
meFaces 3.0
13:48:48,011 INFO  [org.jboss.web] (MSC service thread 1-2) registering web context: /alfa-web
13:48:48,313 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "root.war"
13:48:48,313 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "alfa.ear"
17:50:25,872 INFO  [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-1) Stopping Coyote HTTP/1.1 on http--
127.1.26.129-8080


Exit Code: 0
broker_c: ["namespace", "rhlogin", "ssh", "app_uuid", "debug", "alter", "cartridge", "cart_type", "action", "app_name",
"api"]
api_c: ["placeholder"]
API version:    1.1.2
Broker version: 1.1.1

RESULT:
tailing /var/lib/libra/2d25d1289668403db7a9addd81c1ce37/alfa//jbossas-7.0/standalone/log/server.log
------ Tail of alfa application server.log ------
13:48:41,160 ERROR [org.hibernate.tool.hbm2ddl.SchemaExport] (MSC service thread 1-4) Sequence "HIBERNATE_SEQUENCE" not
found; SQL statement:
drop sequence hibernate_sequence [90036-145]
13:48:41,235 INFO  [org.hibernate.tool.hbm2ddl.SchemaExport] (MSC service thread 1-4) HHH00230:Schema export complete
13:48:41,454 INFO  [org.jboss.weld] (MSC service thread 1-1) Starting weld service
13:48:43,658 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (MSC service thread 1-2) Initializing Mojarra 2.1
.3 (SNAPSHOT 20110825) for context '/alfa-web'
13:48:47,999 INFO  [org.primefaces.webapp.PostConstructApplicationEventListener] (MSC service thread 1-2) Running on Pri
meFaces 3.0
13:48:48,011 INFO  [org.jboss.web] (MSC service thread 1-2) registering web context: /alfa-web
13:48:48,313 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "root.war"
13:48:48,313 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "alfa.ear"
17:50:25,872 INFO  [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-1) Stopping Coyote HTTP/1.1 on http--
127.1.26.129-8080

Expected results:
Success !

Additional info:

Comment 1 Bill DeCoste 2012-01-20 03:54:54 UTC
The format of <module-option> has changed in JBossAS7. The format should be as below:

<security-domain name="alfa-db" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
      <module-option name="principalsQuery" value="SELECT password FROM User WHERE username=?"/>
      <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM UserRoles, User WHERE User.username=? AND User.id = UserRoles.user_id"/>
    </login-module>
  </authentication>
</security-domain>

Could you please tail the server.log before you perform the 'git push' and attach the entire log output? This will show whether AS7 is starting properly.

Comment 2 Bill DeCoste 2012-01-20 03:58:45 UTC
Also, could you please attach your application's persistence.xml?

Comment 3 Bill DeCoste 2012-01-20 13:20:39 UTC
Also, could you please attach your application's persistence.xml?

Comment 4 elesne@anteo-consulting.com 2012-01-23 11:02:55 UTC
Created attachment 556919 [details]
persistence.xml file

Comment 5 elesne@anteo-consulting.com 2012-01-23 13:02:56 UTC
Could you please explain to me whether there is a dependency between the security-domain in standalone.xml and the persistence file in the ear?

Regards
Emmanuel

Comment 6 Bill DeCoste 2012-01-23 15:58:36 UTC
The log shows a Hibernate error, thus the request for persistence.xml. I have not been able to recreate an error using multiple security domains. I need to see the entire log.

Comment 7 Bill DeCoste 2012-01-23 16:02:21 UTC
Could you pls add the following to your persistence.xml?

<property name="dialect">
    org.hibernate.dialect.H2Dialect
</property>

Comment 8 elesne@anteo-consulting.com 2012-01-23 19:14:16 UTC
With my latest test, security-domain works fine with "values".

Not working:
<security-domain name="alfa-db" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:jboss/datasources/MysqlDS</module-option>
      <module-option name="principalsQuery">SELECT password FROM User WHERE username=?</module-option>
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM UserRoles, User WHERE User.username=? AND User.id = UserRoles.user_id</module-option>
    </login-module>
  </authentication>
</security-domain>

Working fine:
<security-domain name="alfa-db" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS" />
      <module-option name="principalsQuery" value="SELECT password FROM User WHERE username=?" />
      <module-option name="rolesQuery" value="SELECT Role.role as role, 'Roles' FROM UserRoles, User, Role WHERE User.username=? AND User.id = UserRoles.user_id AND UserRoles.role_id=Role.id" />
    </login-module>
  </authentication>
</security-domain>

Thanks for your help
Emmanuel
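
As an added example (not part of the original bug thread, and not OpenShift or JBoss code), the format change described in comment 1 and confirmed in comment 8 can be checked before a push: this Python script finds `<module-option>` elements that carry their value as element text and prints the equivalent `value="..."` form. The helper name `lint_module_options` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample based on the alfa-db domain quoted in this thread:
# two options use the older text-content form, one already uses value="...".
SAMPLE = """<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="alfa-db" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:jboss/datasources/MysqlDS</module-option>
          <module-option name="principalsQuery" value="SELECT password FROM User WHERE username=?"/>
          <module-option name="rolesQuery">SELECT role, 'Roles' FROM UserRoles, User
            WHERE User.username=? AND User.id = UserRoles.user_id</module-option>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def lint_module_options(xml_text):
    """Return (domain, option, suggested_element) for every module-option
    that has no value attribute (hypothetical helper, not a JBoss tool)."""
    findings = []
    for domain in ET.fromstring(xml_text).iter():
        if local(domain.tag) != "security-domain":
            continue
        for opt in domain.iter():
            if local(opt.tag) != "module-option" or opt.get("value") is not None:
                continue
            # Collapse whitespace so a wrapped SQL query becomes one line,
            # and let quoteattr pick quoting that survives the 'Roles' literal.
            text = " ".join((opt.text or "").split())
            name = opt.get("name", "")
            fix = "<module-option name=%s value=%s/>" % (quoteattr(name), quoteattr(text))
            findings.append((domain.get("name"), name, fix))
    return findings


if __name__ == "__main__":
    for domain, option, fix in lint_module_options(SAMPLE):
        print(f"{domain}: '{option}' has no value attribute, suggested: {fix}")
```

The check matches on local tag names, so it works regardless of which security subsystem namespace version the file declares.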

Comment 9 elesne@anteo-consulting.com 2012-01-23 19:15:34 UTC
Created attachment 557035 [details]
Standalone with security-domain's working