Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1087

Elytron caching-realm backed by ldap-realm should evict or update the cache when a related role changes in LDAP

XMLWordPrintable

    • Hide
      1. A role in LDAP has a user as a member, for example JBossAdmin role has jduke user as a member: 
        dn: cn=JBossAdmin,ou=Roles
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
description: the JBossAdmin group
member: uid=jduke,ou=People
member: uid=jduke2,ou=People

        .

      2. Log in as the user (the role is assigned and a new identity is cached for the user).
      3. Remove the user membership from the role in LDAP.
      4. Try to log in as the user. Login attempt should fail because the user should not have assigned the role. FAILS – because the identity related to the user is still cached with the role assigned.
      Show
      A role in LDAP has a user as a member, for example JBossAdmin role has jduke user as a member: dn: cn=JBossAdmin,ou=Roles objectClass: top objectClass: groupOfNames cn: JBossAdmin description: the JBossAdmin group member: uid=jduke,ou=People member: uid=jduke2,ou=People . Log in as the user (the role is assigned and a new identity is cached for the user). Remove the user membership from the role in LDAP. Try to log in as the user. Login attempt should fail because the user should not have assigned the role. FAILS – because the identity related to the user is still cached with the role assigned.

      Elytron caching-realm backed by ldap-realm does not evict or update a cached identity when a role related to the identity is changed in LDAP, see steps to reproduce.

      This is against the following hard requirement of EAP7-542: "Ability to listen for events fired by a modifiable realm in order to evict or update the cache accordingly." The ability is available but not used in this case. Hence the priority is set to Blocker. The issue blocks the RFE to be verified. The issue does not block test development for the RFE. The issue has been revealed by fixing JBEAP-8679.

      The eviction/updating works when user password is changed in LDAP.

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: