Uploaded image for project: 'Infinispan'
  1. Infinispan
  2. ISPN-14143

Task execution needs ADMIN permission additional to EXEC

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 13.0.12.Final, 14.0.1.Final
    • 13.0.10.Final
    • Tasks
    • None

    Description

      To execute a Server side task the expectation is that EXEC permission is needed and nothing else (if there is no special permission needed inside the task code).

      But the invocation fails with "lacks ADMIN permission" without reaching the task code

       

      ERROR (non-blocking-thread--p2-t11) [org.infinispan.server.hotrod.BaseRequestProcessor:org.infinispan.server.hotrod.BaseRequestProcessor.writeException(BaseRequestProcessor.java:85)] ISPN005003: Exception reported java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [wfink, RolePrincipal{name='task'}, InetAddressPrincipal [address=127.0.0.1/127.0.0.1]]' lacks 'ADMIN' permission
          at org.infinispan.security.impl.Authorizer.checkPermission(Authorizer.java:113)
          at org.infinispan.security.impl.Authorizer.checkPermission(Authorizer.java:84)
          at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:53)
          at org.infinispan.security.impl.SecureCacheImpl.getAuthorizationManager(SecureCacheImpl.java:564)
          at org.infinispan.server.tasks.ServerTaskEngine.checkPermissions(ServerTaskEngine.java:95)
          at org.infinispan.server.tasks.ServerTaskEngine.runTask(ServerTaskEngine.java:64)
          at org.infinispan.server.tasks.ServerTaskEngine.runTask(ServerTaskEngine.java:27)
          at org.infinispan.tasks.impl.TaskManagerImpl.lambda$runTask$4(TaskManagerImpl.java:111)
          at java.base/java.util.concurrent.CompletableFuture.uniComposeStage(CompletableFuture.java:1106)
          at java.base/java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:2235)
          at java.base/java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:143)
          at org.infinispan.tasks.impl.TaskManagerImpl.runTask(TaskManagerImpl.java:94)
          at org.infinispan.server.hotrod.TaskRequestProcessor.exec(TaskRequestProcessor.java:38)
          at org.infinispan.server.hotrod.HotRodDecoder.switch3(HotRodDecoder.java:1872)
          at org.infinispan.server.hotrod.HotRodDecoder.switch1_0(HotRodDecoder.java:164)
          at org.infinispan.server.hotrod.HotRodDecoder.decode(HotRodDecoder.java:151)
          at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:519)
          at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:458)
          at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:280)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
          at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
          at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:93)
          at org.infinispan.server.core.transport.StatsChannelHandler.channelRead(StatsChannelHandler.java:28)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
          at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
          at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
          at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
          at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
          at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)
          at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)
          at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
          at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
          at java.base/java.lang.Thread.run(Thread.java:829)

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. ISPN-14144 Task execution (permission) is different for ALL_NODES and ONE_NODE

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              ttarrant@redhat.com Tristan Tarrant
              rhn-support-wfink Wolf Fink
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: