JBoss Enterprise Application Platform / JBEAP-11785

review key-store runtime-only operations available on profile resources


Details


    Description

      Some /subsystem=elytron/key-store operations should probably be marked runtime-only. (edit: this is already part of JBEAP-11790) Their handlers extend ElytronRuntimeOnlyHandler and they don't seem to change anything in the model.

      load
      store
      read-alias
      read-aliases
      remove-alias

      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=load)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "load",
              "description" => "Load the KeyStore, if the KeyStore is file backed this will involve re-reading the contents of the file.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=store)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "store",
              "description" => "Store the KeyStore to file, this operation will fail for any KeyStore instances not backed by a file.  If the file does not exist and it was not flagged as required it will be created.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=read-alias)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "read-alias",
              "description" => "Read an alias from a KeyStore.",
              "request-properties" => {"alias" => {
                  "type" => STRING,
                  "description" => "The alias of the KeyStore item to read.",
                  "expressions-allowed" => false,
                  "required" => true,
                  "nillable" => false,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              }},
              "reply-properties" => {},
              "read-only" => true,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=read-aliases)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "read-aliases",
              "description" => "Read aliases from a KeyStore.",
              "request-properties" => {},
              "reply-properties" => {},
              "read-only" => true,
              "runtime-only" => false
          }
      }
      [standalone@embedded /] /subsystem=elytron/key-store=aa:read-operation-description(name=remove-alias)
      {
          "outcome" => "success",
          "result" => {
              "operation-name" => "remove-alias",
              "description" => "Remove an alias from a KeyStore.",
              "request-properties" => {"alias" => {
                  "type" => STRING,
                  "description" => "The alias of the KeyStore item to remove.",
                  "expressions-allowed" => false,
                  "required" => true,
                  "nillable" => false,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              }},
              "reply-properties" => {},
              "read-only" => false,
              "runtime-only" => false
          }
      }
      

      Also, I'm not sure whether they should be registered at /profile resources in a domain, as they are rolled out to the servers (servers might try to write to the file concurrently).

      [domain@localhost:9990 /] /profile=default/subsystem=elytron/key-store=test:store()
      {
          "outcome" => "failed",
          "result" => undefined,
          "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {
              "server-one" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
              "server-two" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist."
          }}}}}},
          "rolled-back" => true,
          "server-groups" => {"main-server-group" => {"host" => {"master" => {
              "server-one" => {"response" => {
                  "outcome" => "failed",
                  "result" => undefined,
                  "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
                  "rolled-back" => true
              }},
              "server-two" => {"response" => {
                  "outcome" => "failed",
                  "result" => undefined,
                  "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
                  "rolled-back" => true
              }}
          }}}}
      }
      

      Priority set to blocker to decide whether the operations can be registered at profile resources. They can be added back later, but they cannot be removed.
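The flag check and the domain fan-out discussed above, as an added Python example that is not part of the issue or of WildFly/EAP. It parses the DMR text the CLI prints (the "key" => value syntax in the replies above), lists which operations are registered without runtime-only=true, and walks a domain-mode reply to extract the per-server failure text. The sample replies are constructed, trimmed copies of those quoted in the issue; the operation name hypothetical-flagged-op is invented for illustration only, and the string handling assumes JSON-like backslash escapes.

```python
import re
# Added example, not code from the issue or from WildFly/EAP: a parser for the DMR
# text the CLI prints, used to list operations lacking runtime-only=true and to pull
# per-server failures out of a domain-mode reply. Samples are constructed, trimmed
# copies of the replies in the issue; "hypothetical-flagged-op" is invented.

_TOKEN = re.compile(r'''\s+                        # whitespace, skipped
  | (?P<str>"(?:[^"\\]|\\.)*")                      # quoted string
  | (?P<arrow>=>) | (?P<punct>[{},])
  | (?P<num>-?\d+(?:\.\d+)?L?)                      # 42, 42L (long), 1.5
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)                # true, false, undefined, STRING ...
  | (?P<bad>.)''', re.VERBOSE | re.DOTALL)

def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):                 # every char hits some alternative
        if m.lastgroup == "bad":
            raise ValueError(f"bad input at offset {m.start()}: {m.group()!r}")
        if m.lastgroup is not None:                 # None only for whitespace
            tokens.append((m.lastgroup, m.group()))
    return tokens

def _unquote(lexeme):
    return re.sub(r'\\(.)', r'\1', lexeme[1:-1])  # assumes JSON-like backslash escapes

def _parse(toks, i):
    """Parse the value starting at toks[i]; return (value, index after it)."""
    kind, lex = toks[i] if i < len(toks) else (None, None)
    if kind == "str":
        return _unquote(lex), i + 1
    if kind == "num":                               # DMR prints longs as 1L
        lex = lex.rstrip("L")
        return (float(lex) if "." in lex else int(lex)), i + 1
    if kind == "word":                              # keyword or bare type such as STRING
        return {"true": True, "false": False, "undefined": None}.get(lex, lex), i + 1
    if (kind, lex) != ("punct", "{"):
        raise ValueError(f"unexpected token {lex!r} at position {i}")
    result, i = {}, i + 1
    while i < len(toks) and toks[i] != ("punct", "}"):
        if toks[i][0] != "str" or i + 1 >= len(toks) or toks[i + 1][0] != "arrow":
            raise ValueError(f'expected "key" => value at token {i}')
        key = _unquote(toks[i][1])
        result[key], i = _parse(toks, i + 2)
        if i < len(toks) and toks[i] == ("punct", ","):
            i += 1
    if i >= len(toks):
        raise ValueError("unterminated object")
    return result, i + 1

def parse_dmr(text):
    toks = tokenize(text)
    node, end = _parse(toks, 0)
    if end != len(toks):
        raise ValueError("trailing input after the top-level value")
    return node

def operations_not_runtime_only(replies):
    """replies: {op-name: reply text}; names whose description lacks runtime-only=true."""
    missing = []
    for name, text in replies.items():
        reply = parse_dmr(text)
        if reply.get("outcome") != "success":
            raise ValueError(f"{name}: {reply.get('failure-description')}")
        if not reply["result"].get("runtime-only", False):
            missing.append(name)
    return missing

def server_failures(domain_reply):
    """{(server-group, host, server): failure-description} for each failed server."""
    failures = {}
    for group, g in parse_dmr(domain_reply).get("server-groups", {}).items():
        for host, servers in g.get("host", {}).items():
            for server, body in servers.items():
                resp = body.get("response", {})
                if resp.get("outcome") == "failed":
                    failures[(group, host, server)] = resp.get("failure-description")
    return failures

REPLIES = {  # constructed, trimmed from the issue's read-operation-description output
    "load": '''{"outcome" => "success", "result" => {"operation-name" => "load",
        "request-properties" => {}, "reply-properties" => {}, "read-only" => false,
        "runtime-only" => false}}''',
    "read-alias": '''{"outcome" => "success", "result" => {"operation-name" => "read-alias",
        "request-properties" => {"alias" => {"type" => STRING, "required" => true,
        "min-length" => 1L, "max-length" => 2147483647L}}, "reply-properties" => {},
        "read-only" => true, "runtime-only" => false}}''',
    "hypothetical-flagged-op": '''{"outcome" => "success", "result" => {"operation-name" =>
        "hypothetical-flagged-op", "read-only" => false, "runtime-only" => true}}''',
}

DOMAIN_REPLY = '''{"outcome" => "failed", "result" => undefined, "rolled-back" => true,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
    "server-one" => {"response" => {"outcome" => "failed", "result" => undefined,
        "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
        "rolled-back" => true}},
    "server-two" => {"response" => {"outcome" => "failed", "result" => undefined,
        "failure-description" => "WFLYELY00010: Unable to save KeyStore - KeyStore file '/tmp/test' does not exist.",
        "rolled-back" => true}}}}}}}'''
```

Against the constructed samples, operations_not_runtime_only(REPLIES) returns load and read-alias (the invented hypothetical-flagged-op carries the flag and is skipped), and server_failures(DOMAIN_REPLY) returns both server-one and server-two with the WFLYELY00010 message, which is the fan-out to every server that the description worries about. To run it against a live installation, capture the read-operation-description and store() replies from jboss-cli and pass the text in place of the samples.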


            People

              Jan Kalina (Inactive) <jkalina@redhat.com>
              Martin Simka <msimka@redhat.com>
              Ondrej Kotek