- Bug
- Resolution: Done
- Blocker
- JDG65 1.3.0.GA
- None
jboss-datagrid-6/datagrid65-openshift:1.3-2 fails to start if authentication is enabled. The reason is a livenessProbe failing to get the status of the cache:
15:30:48,860 INFO [org.infinispan.AUDIT] (HttpManagementService-threads - 1) [DENY] anonymous ADMIN cache[secured]
15:30:48,863 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 1) JBAS014612: Operation ("read-attribute") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "clustered") ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject: Principal: anonymous Principal: anonymous Principal: InetAddressPrincipal <127.0.0.1/127.0.0.1> ' lacks 'ADMIN' permission
    at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:76)
    at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:44)
    at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:547)
    at org.infinispan.stats.impl.CacheContainerStatsImpl.getStores(CacheContainerStatsImpl.java:315)
    at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:199)
    at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:89)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:702)
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:537)
    at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338)
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:305)
    at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:210)
To easily reproduce, run
docker run -it -e HOTROD_AUTHENTICATION=true -e SECURED_CACHE_SECURITY_AUTHORIZATION_ENABLED=true -e PASSWORD=JBoss.123 -e REST_AUTH_METHOD=basic -e CACHE_NAMES=default,secured -e USERNAME=jdg -e CONTAINER_SECURITY_ROLES=admin=ALL -e REST_SECURITY_DOMAIN=jdg -e CONTAINER_SECURITY_ROLE_MAPPER=identity-role-mapper -e SECURED_CACHE_SECURITY_AUTHORIZATION_ROLES=admin jboss-datagrid-6/datagrid65-openshift:1.3-2
and then
docker exec -it <containerid> /opt/datagrid/bin/livenessProbe.sh
The net result is that the container fails to start because the liveness probe permanently evaluates it as non-live.
- is duplicated by
- CLOUD-1569 [JDG] Add auth support to probes
- Closed
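Added example, not part of the original report or of the image's probe script: a triage helper that reads the Infinispan audit lines shown above and separates denials that look like the unauthenticated local probe from other denials. Treating "anonymous principal, loopback source, HttpManagementService thread" as probe traffic is an assumption, and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the log lines in this report. The Hot Rod
# thread name, the user "alice" and the second probe cycle are invented.
SAMPLE_LOG = """\
15:30:48,860 INFO [org.infinispan.AUDIT] (HttpManagementService-threads - 1) [DENY] anonymous ADMIN cache[secured]
15:30:48,863 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 1) JBAS014612: Operation ("read-attribute") failed: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject: Principal: anonymous Principal: InetAddressPrincipal <127.0.0.1/127.0.0.1> ' lacks 'ADMIN' permission
15:30:51,114 INFO [org.infinispan.AUDIT] (HotRodServerWorker-7) [DENY] alice WRITE cache[secured]
15:30:58,861 INFO [org.infinispan.AUDIT] (HttpManagementService-threads - 1) [DENY] anonymous ADMIN cache[secured]
"""

AUDIT = re.compile(
    r"^(?P<ts>\S+) INFO\s+\[org\.infinispan\.AUDIT\] \((?P<thread>.+?)\) "
    r"\[(?P<decision>ALLOW|DENY)\] (?P<principal>\S+) (?P<perm>\S+) "
    r"(?P<kind>\w+)\[(?P<name>[^\]]*)\]\s*$")
# ISPN000287 carries the caller address that the audit line itself lacks.
UNAUTH = re.compile(
    r"\((?P<thread>[^)]+)\) .*ISPN000287: .*InetAddressPrincipal <(?P<addr>[^/>]+)")

def parse(log):
    """Return (audit DENY events, {thread: source address from ISPN000287})."""
    denials, sources = [], {}
    for line in log.splitlines():
        audit, err = AUDIT.match(line), UNAUTH.search(line)
        if audit and audit["decision"] == "DENY":
            denials.append(audit.groupdict())
        elif err:
            sources[err["thread"]] = err["addr"]
    return denials, sources

def triage(log):
    """Split denials into probe-like ones (counted) and everything else."""
    # Assumption: anonymous + loopback + management thread means the local
    # probe, not a remote client. Thread-to-address pairing is best effort.
    denials, sources = parse(log)
    probe_like, other = Counter(), []
    for d in denials:
        local = sources.get(d["thread"], "").startswith("127.")
        if (d["principal"] == "anonymous" and local
                and d["thread"].startswith("HttpManagementService")):
            probe_like[(d["perm"], d["name"])] += 1
        else:
            other.append((d["principal"], d["perm"], d["name"]))
    return probe_like, other

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Repeated probe-like ADMIN denials on a secured cache point to the probe configuration rather than to a client, while the entries in the second list are the ones to review as access attempts.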