Bug 1156318 - HR authentication broken in cluster mode
Summary: HR authentication broken in cluster mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Grid 6
Classification: JBoss
Component: Server
Version: 6.3.1,6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER3
Target Release: 6.4.0
Assignee: Tristan Tarrant
QA Contact: Martin Gencur
URL:
Whiteboard:
Depends On:
Blocks: jdg64-Beta-Blockers 1168237
Reported: 2014-10-24 07:53 UTC by Vojtech Juranek
Modified: 2015-01-28 13:32 UTC

Fixed In Version:
Clone Of:
Clones: 1168237
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
Red Hat Issue Tracker ISPN-4882 (Blocker, Resolved): HotRod authentication fails with an authorization-enabled clustered container (last updated 2016-08-01 23:08:29 UTC)

Internal Links: 1158121 1168245

Description Vojtech Juranek 2014-10-24 07:53:53 UTC
Description of problem:
When the server cache is clustered, the HR client is not able to authenticate itself even when using proper credentials. It seems that the transport layer breaks the authentication process. When a local cache is used, everything works as expected.


How reproducible:
Always

Steps to Reproduce:
1. Set up HR security (config snippets are below)
2. Use security for a distributed or replicated cache
3. Connect to this cache from an HR client using proper credentials

Actual results:
HR authentication fails with
09:44:00,343 INFO  [org.infinispan.AUDIT] (HotRodServerWorker-1) [DENY] null ADMIN cache[securedcache]

Expected results:
HR client should be able to authenticate and read/write to cache according to the specified rights

Additional info:
HR server config:

    <hotrod-connector socket-binding="hotrod" cache-container="securedcachecontainer">
        <topology-state-transfer lazy-retrieval="false" lock-timeout="1000" replication-timeout="5000"/>
        <authentication security-realm="ApplicationRealm">
            <sasl server-name="securedserver" mechanisms="DIGEST-MD5" qop="auth">
                <policy>
                    <no-anonymous value="true"/>
                </policy>
                <property name="com.sun.security.sasl.digest.utf8">true</property>
            </sasl>
        </authentication>
    </hotrod-connector>

    <cache-container name="securedcachecontainer" default-cache="securedcache">
        <transport executor="infinispan-transport" lock-timeout="60000"/>
        <security>
            <authorization>
                <identity-role-mapper/>
                <role name="admin" permissions="ALL"/>
                <role name="reader" permissions="READ BULK_READ"/>
                <role name="writer" permissions="ALL"/>
                <role name="supervisor" permissions="READ WRITE EXEC"/>
            </authorization>
        </security>
        <replicated-cache name="securedcache" mode="SYNC" start="EAGER" remote-timeout="30000">
            <security>
                <authorization roles="admin reader writer"/>
            </security>
        </replicated-cache>
    </cache-container>
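The client side of reproduction step 3, as an added example that is not part of the bug report or of the JDG code base: a Hot Rod client whose SASL settings mirror the server `<sasl>` element above (DIGEST-MD5, server name `securedserver`, realm `ApplicationRealm`), followed by a write and a read on `securedcache` so that an authorization denial shows up as a client-side exception rather than only as an `[DENY]` line in the server's `org.infinispan.AUDIT` log. The `ConfigurationBuilder.security().authentication()` chain is assumed to match the Infinispan 7-era Hot Rod client API; the host, port, user name and password are placeholders.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import org.infinispan.client.hotrod.RemoteCache;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.exceptions.HotRodClientException;

/**
 * Added example (not from the bug report or the JDG project): a Hot Rod client
 * configured to match the server-side <sasl> element in the report.
 * Assumption: the security().authentication() builder API below is the one of
 * the Infinispan 7-era Hot Rod client.
 */
public class SecuredHotRodClient {

    /** Answers the DIGEST-MD5 client's callbacks: user name, password and realm. */
    static final class LoginHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final String realm;

        LoginHandler(String user, char[] password, String realm) {
            this.user = user;
            this.password = password;
            this.realm = realm;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    // Must equal the security-realm the connector authenticates against.
                    ((RealmCallback) cb).setText(realm);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholders: address of one node of the clustered server and a user
        // that the identity-role-mapper maps to the "admin" role.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = 11222;
        String user = "admin";
        char[] password = "changeme".toCharArray();

        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(host).port(port)
               .security().authentication()
                   .enable()
                   .saslMechanism("DIGEST-MD5")      // server: mechanisms="DIGEST-MD5"
                   .serverName("securedserver")      // server: server-name="securedserver"
                   .callbackHandler(new LoginHandler(user, password, "ApplicationRealm"));

        RemoteCacheManager rcm = new RemoteCacheManager(builder.build());
        try {
            // securedcache grants "admin reader writer"; the admin role carries ALL,
            // so both the put and the get below must succeed for a correct setup.
            RemoteCache<String, String> cache = rcm.getCache("securedcache");
            cache.put("k1", "v1");
            String value = cache.get("k1");
            System.out.println("read back: " + value);
        } catch (HotRodClientException e) {
            // A SASL failure or a server-side [DENY] on the operation lands here;
            // correlate with the org.infinispan.AUDIT log of the node that served
            // the request (the report shows "[DENY] null ADMIN cache[securedcache]").
            System.err.println("operation rejected: " + e.getMessage());
        } finally {
            rcm.stop();
        }
    }
}
```

Run it once against a local-cache container and once against the replicated cache from the report: with the bug present, the first run reads back `v1` while the second is rejected although the same credentials were accepted at the SASL level, which is the symptom that distinguishes a lost principal on the clustered path from a plain credential error.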

Comment 3 Sebastian Łaskawiec 2014-10-30 08:35:34 UTC
PR: https://github.com/infinispan/jdg/pull/308

