Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: JDG65 1.3.0.GA
Affects Version/s: JDG65 1.3.0.GA
Component/s: JDG6
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

JDG65 1.3.0.GA

Sprint:
CLOUD Maintenance Sprint 5

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

jboss-datagrid-6/datagrid65-openshift:1.3-2 fails to start if authentication is enabled. The reason is a linvenessProbe failing to get the status of cache

15:30:48,860 INFO  [org.infinispan.AUDIT] (HttpManagementService-threads - 1) [DENY] anonymous ADMIN cache[secured]
15:30:48,863 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 1) JBAS014612: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "clustered")
]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
	Principal: anonymous
	Principal: anonymous
	Principal: InetAddressPrincipal <127.0.0.1/127.0.0.1>
' lacks 'ADMIN' permission
	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:76)
	at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:44)
	at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:547)
	at org.infinispan.stats.impl.CacheContainerStatsImpl.getStores(CacheContainerStatsImpl.java:315)
	at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:199)
	at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:89)
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:702)
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:537)
	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338)
	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:305)
	at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:210)

To easily reproduce run

ocker run -it -e HOTROD_AUTHENTICATION=true -e SECURED_CACHE_SECURITY_AUTHORIZATION_ENABLED=true -e PASSWORD=JBoss.123 -e REST_AUTH_METHOD=basic -e CACHE_NAMES=default,secured -e USERNAME=jdg -e CONTAINER_SECURITY_ROLES=admin=ALL -e REST_SECURITY_DOMAIN=jdg -e CONTAINER_SECURITY_ROLE_MAPPER=identity-role-mapper -e SECURED_CACHE_SECURITY_AUTHORIZATION_ROLES=admin jboss-datagrid-6/datagrid65-openshift:1.3-2

and then

docker exec -it <containerid> /opt/datagrid/bin/livenessProbe.sh

The net result is that the container fails to start because livness probe permanently evaluates it as non-live.

is duplicated by

CLOUD-1569 [JDG] Add auth support to probes

Closed

Assignee:: Rob Cernich

Reporter:: Jiri Pechanec

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2017/03/08 3:21 AM

Updated:: 2017/05/11 3:11 AM

Resolved:: 2017/04/12 6:08 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates