WildFly Elytron / ELY-1087

Elytron caching-realm backed by ldap-realm should evict or update the cache when a related role changes in LDAP


Details

      1. A role in LDAP has a user as a member; for example, the JBossAdmin role has the jduke user as a member:

        dn: cn=JBossAdmin,ou=Roles
        objectClass: top
        objectClass: groupOfNames
        cn: JBossAdmin
        description: the JBossAdmin group
        member: uid=jduke,ou=People
        member: uid=jduke2,ou=People

      2. Log in as the user (the role is assigned and a new identity is cached for the user).
      3. Remove the user's membership in the role in LDAP.
      4. Try to log in as the user. The login attempt should fail because the user should no longer have the role assigned. FAILS – the identity for the user is still cached with the role assigned.

    Description

      Elytron caching-realm backed by ldap-realm does not evict or update a cached identity when a role related to that identity is changed in LDAP; see the steps to reproduce.

      This goes against the following hard requirement of EAP7-542: "Ability to listen for events fired by a modifiable realm in order to evict or update the cache accordingly." The ability is available but is not used in this case, hence the priority is set to Blocker. The issue blocks verification of the RFE; it does not block test development for the RFE. The issue was revealed while fixing JBEAP-8679.

      Eviction/updating does work when the user's password is changed in LDAP.
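      The steps to reproduce and the listener mechanism the description refers to, as a Python model added here for illustration. It is not WildFly Elytron code: Directory, LdapRealm, CachingRealm, login and reproduce are invented names, the listener wiring is a hypothetical simplification, and the passwords are constructed; only the uids and the JBossAdmin group come from the LDIF in the report.

```python
"""Model of an identity cache in front of an LDAP-like directory (ELY-1087).

Hypothetical simplification added for this page, not Elytron code. It shows why
a cache that is evicted only when the user's own entry changes keeps a stale
role after a group entry changes, and what the listener must do instead.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: str
    password_hash: str   # what the cache holds from the user entry
    roles: frozenset     # roles resolved from group membership at load time


def _hash(password: str) -> str:
    # Toy digest for the model only; not a password hashing scheme.
    return hashlib.sha256(password.encode()).hexdigest()


class Directory:
    """Stand-in for LDAP: user entries, group entries, change listeners."""

    def __init__(self):
        self.users = {}       # uid -> password hash
        self.groups = {}      # group cn -> set of member uids
        self.listeners = []   # callables taking (changed_dn, affected_uids)

    def add_user(self, uid, password):
        self.users[uid] = _hash(password)

    def add_group(self, cn, members):
        self.groups[cn] = set(members)

    def register_listener(self, fn):
        self.listeners.append(fn)

    def set_password(self, uid, password):
        self.users[uid] = _hash(password)
        self._fire(f"uid={uid},ou=People", {uid})

    def remove_member(self, cn, uid):
        before = set(self.groups[cn])
        self.groups[cn].discard(uid)
        # Report everyone the change touched. The removed member is no longer
        # in the entry, so a listener that re-reads the group would miss it.
        self._fire(f"cn={cn},ou=Roles", before | self.groups[cn])

    def roles_of(self, uid):
        return frozenset(cn for cn, m in self.groups.items() if uid in m)

    def _fire(self, changed_dn, affected_uids):
        for fn in self.listeners:
            fn(changed_dn, affected_uids)


class LdapRealm:
    def __init__(self, directory):
        self.directory = directory

    def load(self, uid):
        d = self.directory
        if uid not in d.users:
            return None
        return Identity(uid, d.users[uid], d.roles_of(uid))


class CachingRealm:
    """Caches loaded identities. With evict_on_group_change=False it behaves
    as reported: only a change to the user's own entry evicts the entry."""

    def __init__(self, realm, evict_on_group_change):
        self.realm = realm
        self.cache = {}
        self.evict_on_group_change = evict_on_group_change
        realm.directory.register_listener(self._on_change)

    def _on_change(self, changed_dn, affected_uids):
        if changed_dn.startswith("uid=") or self.evict_on_group_change:
            for uid in affected_uids:
                self.cache.pop(uid, None)

    def login(self, uid, password, required_role):
        identity = self.cache.get(uid)
        if identity is None:
            identity = self.realm.load(uid)
            if identity is None:
                return False
            self.cache[uid] = identity
        return (identity.password_hash == _hash(password)
                and required_role in identity.roles)


def reproduce(evict_on_group_change):
    """Runs the report's steps; returns the outcome of each login attempt."""
    d = Directory()
    d.add_user("jduke", "theduke")      # constructed passwords
    d.add_user("jduke2", "theduke2")
    d.add_group("JBossAdmin", ["jduke", "jduke2"])
    realm = CachingRealm(LdapRealm(d), evict_on_group_change)

    first = realm.login("jduke", "theduke", "JBossAdmin")    # step 2: cached with role
    d.remove_member("JBossAdmin", "jduke")                    # step 3
    second = realm.login("jduke", "theduke", "JBossAdmin")   # step 4: must be False
    d.set_password("jduke", "changed")                        # password change evicts
    third = realm.login("jduke", "theduke", "JBossAdmin")
    return first, second, third


if __name__ == "__main__":
    print("as reported  :", reproduce(False))   # (True, True, False)
    print("with eviction:", reproduce(True))    # (True, False, False)
```

      Two points the model makes explicit: an eviction keyed on the DN of the changed entry only covers the user's own entry, which is why the password case works and the role case does not; and because the removed member no longer appears in the group after the change, the notification has to carry the membership as it was before the change, or the cached identity of exactly the user who lost the role is the one that is never evicted.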

      People

        Jan Kalina (Inactive)
        Ondrej Kotek