WildFly Core: WFCORE-3017

review key-store runtime-only operations available on profile resources

    Details

      Description

      Some /subsystem=elytron/key-store operations should probably be marked runtime-only. (edit: this is already part of JBEAP-11790) Their handlers extend ElytronRuntimeOnlyHandler and they don't seem to change anything in the model.

      load
      store
      read-alias
      read-aliases
      remove-alias

      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=load)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "load",
              "description" => "Load the KeyStore, if the KeyStore is file backed this will involve re-reading the contents of the file.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=store)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "store",
              "description" => "Store the KeyStore to file, this operation will fail for any KeyStore instances not backed by a file.  If the file does not exist and it was not flagged as required it will be created.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=read-alias)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "read-alias",
              "description" => "Read an alias from a KeyStore.",
              "request-properties" => {"alias" => {
                  "type" => STRING,
                  "description" => "The alias of the KeyStore item to read.",
                  "expressions-allowed" => false,
                  "required" => true,
                  "nillable" => false,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              }},
              "reply-properties" => {},
              "read-only" => true,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=read-aliases)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "read-aliases",
              "description" => "Read aliases from a KeyStore.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => true,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=remove-alias)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "remove-alias",
              "description" => "Remove an alias from a KeyStore.",
              "request-properties" => {"alias" => {
                  "type" => STRING,
                  "description" => "The alias of the KeyStore item to remove.",
                  "expressions-allowed" => false,
                  "required" => true,
                  "nillable" => false,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              }},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      

      Also, I'm not sure whether they should be registered at /profile resources in a domain, as they are rolled out to the servers (servers might try to write to the file concurrently).

      [domain@localhost:9990 /] /profile=default/subsystem=elytron/key-store=test:store()
      {
          "outcome" => "failed",
          "result" => undefined,
          "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {
              "server-one" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
              "server-two" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist."
          }}}}}},
          "rolled-back" => true,
          "server-groups" => {"main-server-group" => {"host" => {"master" => {
              "server-one" => {"response" => {
                  "outcome" => "failed",
                  "result" => undefined,
                  "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
                  "rolled-back" => true
              }},
              "server-two" => {"response" => {
                  "outcome" => "failed",
                  "result" => undefined,
                  "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
                  "rolled-back" => true
              }}
          }}}}
      }
      

      Priority set to blocker to decide whether the operations can be registered at profile resources. They can be added back later, but they cannot be removed.
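      The following is an added example (not code from WildFly, Elytron or this report) of how to audit the flags the report quotes without reading CLI output by hand: it builds the read-resource-description(operations=true) request for the HTTP management API, and checks each key-store operation's runtime-only / read-only flags against what a handler extending ElytronRuntimeOnlyHandler implies. The sample response is constructed from the values quoted above; the management URL, user and password in fetch_description are assumptions.

```python
"""Audit runtime-only / read-only flags of Elytron key-store operations.

Added example, not code from WildFly or from WFCORE-3017. SAMPLE_RESPONSE is
constructed from the read-operation-description output quoted in the report.
fetch_description assumes a management interface at the given URL with a
management user (HTTP Digest auth, the WildFly default).
"""
import json
import urllib.request

# Every handler for these operations extends ElytronRuntimeOnlyHandler, so all
# five should be runtime-only; only the two read-* operations are read-only.
EXPECTED = {
    "load":         {"runtime-only": True, "read-only": False},
    "store":        {"runtime-only": True, "read-only": False},
    "read-alias":   {"runtime-only": True, "read-only": True},
    "read-aliases": {"runtime-only": True, "read-only": True},
    "remove-alias": {"runtime-only": True, "read-only": False},
}

# Constructed from the report: WildFly reported runtime-only=false for all five.
SAMPLE_RESPONSE = {
    "outcome": "success",
    "result": {
        "operations": {
            "load":         {"read-only": False, "runtime-only": False},
            "store":        {"read-only": False, "runtime-only": False},
            "read-alias":   {"read-only": True,  "runtime-only": False},
            "read-aliases": {"read-only": True,  "runtime-only": False},
            "remove-alias": {"read-only": False, "runtime-only": False},
        }
    },
}


def describe_request(address):
    """JSON body for :read-resource-description(operations=true) on `address`,
    e.g. [{"subsystem": "elytron"}, {"key-store": "aa"}]."""
    return {
        "operation": "read-resource-description",
        "address": address,
        "operations": True,
    }


def fetch_description(address, url="http://localhost:9990/management",
                      user="admin", password="changeme"):
    """Run the query against a live server (URL and credentials are assumed)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(
        url,
        data=json.dumps(describe_request(address)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with opener.open(req, timeout=10) as resp:
        return json.load(resp)


def audit_operation_flags(response, expected=EXPECTED):
    """Return (operation, flag, expected, actual) tuples for every mismatch.

    A failed management response raises instead of silently auditing nothing,
    so an auth or address error cannot pass as "no findings".
    """
    if response.get("outcome") != "success":
        raise RuntimeError(response.get("failure-description", "operation failed"))
    ops = response["result"]["operations"]
    mismatches = []
    for name, wanted in expected.items():
        if name not in ops:
            mismatches.append((name, "registered", True, False))
            continue
        for flag, want in wanted.items():
            got = bool(ops[name].get(flag, False))
            if got != want:
                mismatches.append((name, flag, want, got))
    return mismatches


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_description(...)
    # for a live server.
    for name, flag, want, got in audit_operation_flags(SAMPLE_RESPONSE):
        print(f"{name}: {flag} expected {want}, server reports {got}")
```

      Running it over the constructed sample lists exactly the five runtime-only mismatches the report shows; the read-only flags already agree. Against a domain controller, point the address at /profile=<name>/subsystem=elytron/key-store=<name> to see which operations are exposed on the profile resource.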

                People

                  Assignee: Jan Kalina (honza889)
                  Reporter: Jan Kalina (honza889)