  1. Infinispan
  2. ISPN-6261

CLI fails on secured caches

Details

    Description

      When running the CLI on secured caches, it fails with the exception below. This exception is quite confusing, as the user has the ADMIN permission properly defined on the given cache. What is actually happening is that some operation called by the CLI, such as statistics, iterates over all defined caches, including internal caches, and the user doesn't have the required permission on all of these caches (in this case, on the internal script cache).

      00:04:23,563 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
          ("subsystem" => "datagrid-infinispan"),
          ("cache-container" => "local")
      ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [user@ManagementRealm, admin@ManagementRealm, admin, org.jboss.remoting3.security.UserPrincipal@36ebcb, InetAddressPrincipal <127.0.0.1/127.0.0.1>, InetAddressPrincipal <127.0.0.1/127.0.0.1>]' lacks 'ADMIN' permission
              at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
              at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:37)
              at org.infinispan.security.impl.SecureCacheImpl.getStats(SecureCacheImpl.java:567)
              at org.infinispan.stats.impl.CacheContainerStatsImpl.calculateAverageRemoveTime(CacheContainerStatsImpl.java:131)
              at org.infinispan.stats.impl.CacheContainerStatsImpl.getAverageRemoveTime(CacheContainerStatsImpl.java:121)
              at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:196)
              at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)                                                                                                      
      

      Steps to reproduce:

      • create a management user with the add-user.sh script (e.g. user user) and assign it the role admin in standalone/configuration/mgmt-groups.properties
      • create a secure cache testcache with the following configuration in standalone.xml (security is enabled and the admin user has admin rights):
          <cache-container name="local" default-cache="testcache">
              <security>
                  <authorization>
                      <identity-role-mapper/>
                      <role name="admin" permissions="ADMIN" />
                  </authorization>
              </security>
              <local-cache name="testcache" start="EAGER" batching="false">
                  <security>
                      <authorization roles="admin" enabled="true"/>
                  </security>
                  <transaction mode="NONE"/>
              </local-cache>
          </cache-container>
        
      • start the ISPN server in standalone mode
      • start the ISPN console in GUI mode (ispn-cli.sh --gui --user=user --password=pass) and navigate to subsystem=datagrid-infinispan -> cache-container=local
      • once you click on cache-container=local, no cache appears there (although testcache should be listed) and the exception above appears in the ISPN server log

      Alternatively, you can start the CLI without the GUI and run:

      cd subsystem=datagrid-infinispan/cache-container=local
      ls
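
      The failure described above, reduced to a self-contained Java model (an added example, not Infinispan code and not the fix applied for this issue): a container-wide statistic calls a per-cache permission check on every cache, so one internal cache the subject cannot administer aborts the whole read. All class, method, cache and role names are hypothetical, and tolerantAverage is an assumed alternative that aggregates only the readable caches and records the ones it skipped.

```java
import java.util.*;

// Simplified model of the failure in this report. All class and method names
// here are hypothetical; this is not Infinispan code.
public class SecuredStatsDemo {
    // One cache: the roles allowed ADMIN on it, plus a statistic to aggregate.
    record Cache(String name, Set<String> adminRoles, long avgRemoveMillis) {
        long getStats(Set<String> subjectRoles) {
            // Per-cache authorization check, as SecureCacheImpl.getStats does in the trace.
            if (Collections.disjoint(adminRoles, subjectRoles))
                throw new SecurityException("subject lacks 'ADMIN' permission on " + name);
            return avgRemoveMillis;
        }
    }

    // Behaviour described in the report: one unauthorized cache aborts the whole read.
    static long strictAverage(List<Cache> caches, Set<String> roles) {
        long total = 0;
        for (Cache c : caches) total += c.getStats(roles);
        return caches.isEmpty() ? 0 : total / caches.size();
    }

    // Assumed alternative: aggregate only what the subject may read and report the rest.
    static long tolerantAverage(List<Cache> caches, Set<String> roles, List<String> skipped) {
        long total = 0;
        int counted = 0;
        for (Cache c : caches) {
            try { total += c.getStats(roles); counted++; }
            catch (SecurityException e) { skipped.add(c.name()); } // keep the name for logging
        }
        return counted == 0 ? 0 : total / counted;
    }

    public static void main(String[] args) {
        // Constructed sample data: the user's cache plus an internal cache with another role.
        List<Cache> caches = List.of(
            new Cache("testcache", Set.of("admin"), 4),
            new Cache("internal-script-cache", Set.of("internal-role"), 2));
        Set<String> roles = Set.of("admin");
        try {
            strictAverage(caches, roles);
        } catch (SecurityException e) {
            System.out.println("strict:   " + e.getMessage());
        }
        List<String> skipped = new ArrayList<>();
        System.out.println("tolerant: avg=" + tolerantAverage(caches, roles, skipped)
            + " skipped=" + skipped);
    }
}
```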
      

            People

              vjuranek@redhat.com Vojtech Juranek