Running standalone server with standalone-auth.xml. I changed only identity-role-mapper to cluster-role-mapper and then tried to do the following from the console:

[standalone@localhost:9999 cache-container=local] cache secured
[standalone@localhost:9999 local-cache=secured] roles

I got UnsupportedOperationException:

16:36:24,259 ERROR [org.infinispan.cli.interpreter.Interpreter] (management-handler-thread - 1) ISPN019003: Interpreter error: java.lang.UnsupportedOperationException
    at org.infinispan.security.impl.ClusterRoleMapper.listAll(ClusterRoleMapper.java:69) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.cli.interpreter.statement.RolesStatement.execute(RolesStatement.java:41) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.cli.interpreter.Interpreter.execute(Interpreter.java:149) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:164) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:161) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.security.Security.doPrivileged(Security.java:89) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.server.infinispan.SecurityActions.doPrivileged(SecurityActions.java:53) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.infinispan.server.infinispan.SecurityActions.executeInterpreter(SecurityActions.java:167) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.jboss.as.clustering.infinispan.subsystem.CliInterpreterHandler.execute(CliInterpreterHandler.java:49) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:601) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:479) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:283) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:278) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:231) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:137) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:173) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:105) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:125) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
    at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
    at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]
Vitalii, this works on CR1. Please always test with the latest release.
Created attachment 914652: hotrod secured with fix for users without roles
1) roles command is not showing users and roles correctly

Added two users:

bin/add-user.sh -a -u user1 -p qwer1234@
bin/add-user.sh -a -u user2 -p qwer1234@

[standalone@localhost:9999 cache-container=local] roles
<<< Here there should be a map showing that user1 and user2 have no roles
[standalone@localhost:9999 cache-container=local] cache teams
[standalone@localhost:9999 local-cache=teams] grant writer to user1
[standalone@localhost:9999 local-cache=teams] grant reader to user2
[standalone@localhost:9999 local-cache=teams] roles
[reader][writer]
<<< So we actually do not see a map {user, [roles]}; we see only that the writer role is granted to some user and the reader role is assigned to some user

2) Wrong roles are mapped to user

If I try to run the hotrod-secured quickstart and call "grant writer to user1", I got the following output from the quickstart:

Enter username: user1
Enter password: qwer1234@
Choose action:
=============
at - add a team
ap - add a player to a team
rt - remove a team
rp - remove a player from a team
p - print all teams and players
q - quit
>at
Enter team name: Real
ACCESS DENIED: at, PERMISSION RESTRICTED

So that means I can't write to the cache. But when I call "grant reader role to user1", then I am able to write to the cache:

>at
Enter team name: Real
>p
=== Team: Real ===
Players:
>ap
Enter team name: p1
The specified team "p1" does not exist, choose next operation
>ap
Enter team name: Real
Enter player's name(to stop adding, type "q"): p1
Enter player's name(to stop adding, type "q"): p2
Enter player's name(to stop adding, type "q"): p3
Enter player's name(to stop adding, type "q"): p4
Enter player's name(to stop adding, type "q"): p5
Enter player's name(to stop adding, type "q"): q
>p
=== Team: Real ===
Players:
- p1
- p2
- p3
- p4
- p5
>

3) Users not specified in ApplicationRealm should now be allowed to grant roles

[standalone@localhost:9999 local-cache=teams] grant reader to user3
[standalone@localhost:9999 local-cache=teams] roles
[reader][reader][reader, writer]

Use the quickstart from the attachment.
Created attachment 914654: Add server configuration for quickstart
So I tested it again and this seems to work. In the quickstart I use the get() operation, so I need the [reader, writer] roles to be specified to add new entries to the cache.
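The permission point made in the last comment (a get() before the put() means the caller needs both the reader and the writer role, which is also what the "writer only cannot write" observation in comment 2 comes down to), shown as an added example in embedded Infinispan. This is not code from the bug thread, the quickstart or the Infinispan project: it assumes the Infinispan 7.0-era embedded authorization API (GlobalConfigurationBuilder.security().authorization(), AuthorizationPermission, Security.doAs), swaps the thread's ClusterRoleMapper for IdentityRoleMapper so that a principal name maps directly to a role of the same name and no cluster is needed, and the class NamedPrincipal and the helpers subjectWithRoles and addTeam are this example's own names. The role names reader/writer and the cache name "teams" follow the thread.

```java
// Added example, not from the bug thread or the quickstart. Assumes the Infinispan 7.0-era
// embedded API; IdentityRoleMapper stands in for the thread's ClusterRoleMapper.
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

import org.infinispan.Cache;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfigurationBuilder;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.manager.EmbeddedCacheManager;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.Security;
import org.infinispan.security.impl.IdentityRoleMapper;

public class RolePermissionDemo {

    /** Minimal principal (example's own class); IdentityRoleMapper maps its name to a role of the same name. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Builds a Subject holding one principal per role name (constructed sample identities). */
    static Subject subjectWithRoles(String... roles) {
        Subject s = new Subject();
        for (String r : roles) {
            s.getPrincipals().add(new NamedPrincipal(r));
        }
        return s;
    }

    /** Runs the quickstart-style "add team" sequence (get, then put) as the given subject. */
    static String addTeam(final EmbeddedCacheManager cm, Subject who, final String team) {
        return Security.doAs(who, new PrivilegedAction<String>() {
            @Override public String run() {
                try {
                    Cache<String, String> cache = cm.getCache("teams");
                    if (cache.get(team) != null) {      // get() is checked against READ
                        return "already exists";
                    }
                    cache.put(team, "");                 // put() is checked against WRITE
                    return "added";
                } catch (SecurityException e) {          // raised by Infinispan on a missing permission
                    return "ACCESS DENIED";
                }
            }
        });
    }

    public static void main(String[] args) {
        GlobalConfigurationBuilder global = new GlobalConfigurationBuilder();
        global.security().authorization().enable()
              .principalRoleMapper(new IdentityRoleMapper())
              .role("admin").permission(AuthorizationPermission.ALL)
              .role("reader").permission(AuthorizationPermission.READ)
              .role("writer").permission(AuthorizationPermission.WRITE);

        // The "teams" cache accepts exactly these three roles.
        ConfigurationBuilder teams = new ConfigurationBuilder();
        teams.security().authorization().enable()
             .role("admin").role("reader").role("writer");

        final EmbeddedCacheManager cm = new DefaultCacheManager(global.build());
        cm.defineConfiguration("teams", teams.build());

        System.out.println("writer only  : " + addTeam(cm, subjectWithRoles("writer"), "Real"));
        System.out.println("reader only  : " + addTeam(cm, subjectWithRoles("reader"), "Real"));
        System.out.println("reader+writer: " + addTeam(cm, subjectWithRoles("reader", "writer"), "Real"));

        // Lifecycle operations are permission-checked as well, so stop the manager as admin.
        Security.doAs(subjectWithRoles("admin"), new PrivilegedAction<Void>() {
            @Override public Void run() { cm.stop(); return null; }
        });
    }
}
```

With only the writer role the get() call is the one refused, with only the reader role the put() is, and with both roles the team is added; the client-side effect of the first case is the same "ACCESS DENIED" the quickstart printed for user1 in comment 2. When checking a role-mapper change like the one in this thread, compare the roles the mapper reports for a principal against the permissions each operation in the client's call sequence actually needs, rather than against the single operation the user thinks they are performing.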