JBoss Enterprise Application Platform / JBEAP-27329

[GSS](8.0.z) Remote authentications are slower than legacy methods

      It looks like the remote connections are slower than the legacy methods, and if that is intentional, then timeouts used by them need to be reviewed.

      We have noticed it mainly in domain mode, where the Secondary Host Controller connection times out when it tries to connect to a domain controller. It is reproducible when we are using two different machines; in a local environment, even with JBOSS-LOCAL-USER removed, there is no such issue.

      I open it as critical since the timeout for this sort of connection cannot be modified, which can lead to the situation where Domain Mode is unusable with remote host controllers.

       

      In my local environment, using two machines, I get one timeout, and on the second try, the host controller is able to connect remotely:

      13:06:43,909 INFO  [org.jboss.modules] (main) JBoss Modules version 2.1.5.Final
      13:06:44,079 INFO  [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
      13:06:44,087 INFO  [org.jboss.as.process.Host Controller.status] (main) WFLYPC0018: Starting process 'Host Controller'
      13:06:44,389 INFO  [org.jboss.as.process.Host Controller.system.stdout] (stdout for Host Controller) [Host Controller] 13:06:44,373 INFO  [org.jboss.modules] (main) JBoss Modules version 2.1.5.Final
      [Host Controller] 13:06:44,622 INFO  [org.jboss.msc] (main) JBoss MSC version 1.5.5.Final
      [Host Controller] 13:06:44,627 INFO  [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
      [Host Controller] 13:06:44,662 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: WildFly 33.0.0.Beta1-SNAPSHOT (WildFly Core 25.0.0.Beta3) starting
      [Host Controller] 13:06:44,722 TRACE [org.wildfly.security] (MSC service thread 1-2) Building security domain with defaultRealmName Empty.
      [Host Controller] 13:06:44,728 TRACE [org.wildfly.security] (MSC service thread 1-2) Role mapping: principal [anonymous] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      [Host Controller] 13:06:44,913 INFO  [org.wildfly.security] (Controller Boot Thread) ELY00001: WildFly Elytron version 2.4.2.Final
      [Host Controller] 13:06:44,936 DEBUG [org.jboss.as.host.controller] (Controller Boot Thread) Invoking the initial host=foo:add() op
      [Host Controller] 13:06:45,023 DEBUG [org.jboss.as.host.controller] (Controller Boot Thread) Invoking remaining host.xml ops
      [Host Controller] 13:06:45,155 INFO  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0003: Creating http management service using network interface (management) port (19990) securePort (-1)
      [Host Controller] 13:06:45,166 INFO  [org.xnio] (MSC service thread 1-8) XNIO version 3.8.15.Final
      [Host Controller] 13:06:45,171 INFO  [org.xnio.nio] (MSC service thread 1-8) XNIO NIO Implementation Version 3.8.15.Final
      [Host Controller] 13:06:45,197 INFO  [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 5.0.28.Final
      [Host Controller] 13:06:45,210 TRACE [org.wildfly.security] (MSC service thread 1-4) Building security domain with defaultRealmName ManagementRealm.
      [Host Controller] 13:06:45,210 TRACE [org.wildfly.security] (MSC service thread 1-4) The following additional realms were added: [ManagementRealm, local].
      [Host Controller] 13:06:45,210 TRACE [org.wildfly.security] (MSC service thread 1-4) Role mapping: principal [anonymous] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      [Host Controller] 13:06:45,290 DEBUG [org.jboss.as.host.controller] (MSC service thread 1-5) Starting Host Controller Server Inventory
      [Host Controller] 13:06:45,304 TRACE [org.wildfly.security] (Controller Boot Thread) getAuthenticationConfiguration uri=remote+http://192.168.1.226:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=secondary,set-host=192.168.1.226,set-protocol=remote+http,set-port=9990,credentials-present,providers-supplier=org.wildfly.security.provider.util.ProviderUtil$1@6a2ae813,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      [Host Controller] 13:06:45,382 TRACE [org.wildfly.security] (Controller Boot Thread) getAuthenticationConfiguration uri=remote+http://192.168.1.226:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=secondary,set-host=192.168.1.226,set-protocol=remote+http,set-port=9990,credentials-present,providers-supplier=org.wildfly.security.provider.util.ProviderUtil$1@6a2ae813,sasl-mechanism-selector=(true) -((#FAMILY(IEC-ISO-9798)||OTP||NTLM||CRAM-MD5)) -JBOSS-LOCAL-USER,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      [Host Controller] 13:06:45,436 TRACE [org.wildfly.security] (management I/O-1) Created SaslClient for mechanism DIGEST-MD5, using Provider WildFlyElytronSaslDigestProvider and protocol remote
      [Host Controller] 13:06:45,437 TRACE [org.wildfly.security] (management I/O-1) Created SaslClient [org.wildfly.security.sasl.util.PrivilegedSaslClient@6dcb74f7->org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory$LocalPrincipalSaslClient@2ce83a11->org.wildfly.security.sasl.digest.DigestSaslClient@9801fde] for mechanisms [DIGEST-MD5, JBOSS-DOMAIN-SERVER]
      [Host Controller] 13:06:45,461 TRACE [org.wildfly.security.sasl.digest] (management task-1) SASL Negotiation Completed
      [Host Controller] 13:06:50,401 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote+http://192.168.1.226:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to remote+http://192.168.1.226:9990. The connection timed out
      [Host Controller]     at org.jboss.as.protocol@25.0.0.Beta3//org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:115)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:194)
      [Host Controller]     at org.wildfly.common@1.7.0.Final//org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
      [Host Controller]     at org.wildfly.security.elytron-base@2.4.2.Final//org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:280)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:194)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:565)
      [Host Controller]     at org.jboss.as.protocol@25.0.0.Beta3//org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:53)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:124)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:265)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:1019)
      [Host Controller]     at org.jboss.as.host-controller@25.0.0.Beta3//org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:709)
      [Host Controller]     at org.jboss.as.controller@25.0.0.Beta3//org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:356)
      [Host Controller]     at java.base/java.lang.Thread.run(Thread.java:829)
      [Host Controller] 
      [Host Controller] 13:06:51,402 TRACE [org.wildfly.security] (Controller Boot Thread) getAuthenticationConfiguration uri=remote+http://192.168.1.226:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=secondary,set-host=192.168.1.226,set-protocol=remote+http,set-port=9990,credentials-present,providers-supplier=org.wildfly.security.provider.util.ProviderUtil$1@6a2ae813,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      [Host Controller] 13:06:51,403 TRACE [org.wildfly.security] (Controller Boot Thread) getAuthenticationConfiguration uri=remote+http://192.168.1.226:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=secondary,set-host=192.168.1.226,set-protocol=remote+http,set-port=9990,credentials-present,providers-supplier=org.wildfly.security.provider.util.ProviderUtil$1@6a2ae813,sasl-mechanism-selector=(true) -((#FAMILY(IEC-ISO-9798)||OTP||NTLM||CRAM-MD5)) -JBOSS-LOCAL-USER,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      [Host Controller] 13:06:51,407 TRACE [org.wildfly.security] (management I/O-1) Created SaslClient for mechanism DIGEST-MD5, using Provider WildFlyElytronSaslDigestProvider and protocol remote
      [Host Controller] 13:06:51,407 TRACE [org.wildfly.security] (management I/O-1) Created SaslClient [org.wildfly.security.sasl.util.PrivilegedSaslClient@54767591->org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory$LocalPrincipalSaslClient@18c7e0d6->org.wildfly.security.sasl.digest.DigestSaslClient@2a2f1c06] for mechanisms [DIGEST-MD5, JBOSS-DOMAIN-SERVER]
      [Host Controller] 13:06:51,412 TRACE [org.wildfly.security.sasl.digest] (management task-2) SASL Negotiation Completed
      [Host Controller] 13:06:55,501 DEBUG [org.jboss.as.host.controller] (Host Controller Service Threads - 2) Applying extensions provided by master
      [Host Controller] 13:06:56,275 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) DomainHostExcludeRegistry is null
      [Host Controller] 13:06:56,275 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) No domain ignored extensions: null
      [Host Controller] 13:06:56,275 DEBUG [org.jboss.as.host.controller] (Host Controller Service Threads - 2) Applying domain level boot operations provided by master
      [Host Controller] 13:06:56,498 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.mvc-krazo], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=24, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.mvc-krazo], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=23, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.mvc-krazo], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=22, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.mvc-krazo], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=21, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.micrometer, org.wildfly.extension.microprofile.lra-participant, org.wildfly.extension.microprofile.lra-coordinator, org.wildfly.extension.mvc-krazo, org.wildfly.extension.microprofile.telemetry], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=20, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.clustering.ejb, org.wildfly.extension.micrometer, org.wildfly.extension.microprofile.lra-participant, org.wildfly.extension.microprofile.lra-coordinator, org.wildfly.extension.mvc-krazo, org.wildfly.extension.microprofile.telemetry], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=19, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,508 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.clustering.ejb, org.wildfly.extension.micrometer, org.wildfly.extension.microprofile.lra-participant, org.wildfly.extension.microprofile.lra-coordinator, org.wildfly.extension.mvc-krazo, org.wildfly.extension.microprofile.telemetry], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=18, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,509 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.clustering.ejb, org.wildfly.extension.micrometer, org.wildfly.extension.opentelemetry, org.wildfly.extension.microprofile.lra-participant, org.wildfly.extension.microprofile.lra-coordinator, org.wildfly.extension.mvc-krazo, org.wildfly.extension.microprofile.telemetry, org.wildfly.extension.elytron-oidc-client], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=17, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,509 TRACE [org.jboss.as.domain.controller] (Host Controller Service Threads - 2) Recorded VersionExcludeData{ignoredExtensions=[org.wildfly.extension.clustering.ejb, org.wildfly.extension.micrometer, org.wildfly.extension.opentelemetry, org.wildfly.extension.microprofile.lra-participant, org.wildfly.extension.microprofile.lra-coordinator, org.wildfly.extension.mvc-krazo, org.wildfly.extension.microprofile.telemetry, org.wildfly.extension.elytron-oidc-client], activeServerGroups=[], activeSocketBindingGroups=[]} for VersionKey{majorVersion=16, minorVersion=0, microVersion=0}
      [Host Controller] 13:06:56,535 INFO  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0148: Connected to the domain controller at remote+http://192.168.1.226:9990
      

      On the domain controller, we can see both tries:

      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling SocketAddressCallback
      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling SocketAddressCallback
      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:02:56,077 TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      [Host Controller] 13:02:56,084 TRACE [org.wildfly.security] (management I/O-2) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@2694119d] for mechanism [DIGEST-MD5] and protocol [remote]
      [Host Controller] 13:02:56,084 TRACE [org.wildfly.security] (management I/O-2) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@4187593f->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@211e563e->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@1878d5c5->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@1e6637ae->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@65d3dbfc->org.wildfly.security.sasl.digest.DigestSaslServer@2694119d] for mechanism [DIGEST-MD5]
      [Host Controller] 13:02:56,094 TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      [Host Controller] 13:02:56,094 TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = secondary
      [Host Controller] 13:02:56,094 TRACE [org.wildfly.security] (management task-1) Principal assigning: [secondary], pre-realm rewritten: [secondary], realm name: [ManagementRealm], post-realm rewritten: [secondary], realm rewritten: [secondary]
      [Host Controller] 13:02:56,096 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential for correct realm "ManagementRealm"
      [Host Controller] 13:02:56,096 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@5dee644a
      [Host Controller] 13:02:56,097 TRACE [org.wildfly.security] (management task-1) Role mapping: principal [secondary] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      [Host Controller] 13:02:56,097 TRACE [org.wildfly.security] (management task-1) Authorizing principal secondary.
      [Host Controller] 13:02:56,097 TRACE [org.wildfly.security] (management task-1) Authorizing against the following attributes: [groups] => []
      [Host Controller] 13:02:56,097 TRACE [org.wildfly.security] (management task-1) Authorizing against the following runtime attributes: [Source-Address] => [192.168.1.48]
      [Host Controller] 13:02:56,097 TRACE [org.wildfly.security] (management task-1) Permission mapping: identity [secondary] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) Authorization succeed
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) RunAs authorization succeed - the same identity
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) Handling AuthorizeCallback: authenticationID = secondary  authorizationID = secondary  authorized = true
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security.sasl.digest] (management task-1) SASL Negotiation Completed
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: succeed
      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=secondary, securityDomain=org.wildfly.security.auth.server.SecurityDomain@5767c3e2, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ManagementRealm', securityRealm=org.wildfly.extension.elytron.PropertiesRealmDefinition$RealmWrapper@2de0c189}, creationTime=2024-06-18T12:02:56.097593876Z}
      [Host Controller] 13:03:02,046 TRACE [org.wildfly.security] (management I/O-1) Handling SocketAddressCallback
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Handling SocketAddressCallback
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@2a0d25ad] for mechanism [DIGEST-MD5] and protocol [remote]
      [Host Controller] 13:03:02,047 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@6f0fae88->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@65868612->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@5e2aa12d->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@1d49d708->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@f2051c7->org.wildfly.security.sasl.digest.DigestSaslServer@2a0d25ad] for mechanism [DIGEST-MD5]
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = secondary
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Principal assigning: [secondary], pre-realm rewritten: [secondary], realm name: [ManagementRealm], post-realm rewritten: [secondary], realm rewritten: [secondary]
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential for correct realm "ManagementRealm"
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@5dee644a
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Role mapping: principal [secondary] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Authorizing principal secondary.
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Authorizing against the following attributes: [groups] => []
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Authorizing against the following runtime attributes: [Source-Address] => [192.168.1.48]
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Permission mapping: identity [secondary] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Authorization succeed
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) RunAs authorization succeed - the same identity
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling AuthorizeCallback: authenticationID = secondary  authorizationID = secondary  authorized = true
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security.sasl.digest] (management task-1) SASL Negotiation Completed
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: succeed
      [Host Controller] 13:03:02,049 TRACE [org.wildfly.security] (management task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=secondary, securityDomain=org.wildfly.security.auth.server.SecurityDomain@5767c3e2, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ManagementRealm', securityRealm=org.wildfly.extension.elytron.PropertiesRealmDefinition$RealmWrapper@2de0c189}, creationTime=2024-06-18T12:03:02.049527171Z}
      [Host Controller] 13:03:07,172 INFO  [org.jboss.as.domain.controller] (Host Controller Service Threads - 32) WFLYHC0019: Registered remote secondary host "yborgesrhel9.localdomain", JBoss WildFly 33.0.0.Beta1-SNAPSHOT (WildFly 25.0.0.Beta3)
      

      Notice there are more than 5 seconds between the first authentication and the following try:

      [Host Controller] 13:02:56,098 TRACE [org.wildfly.security] (management task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=secondary, securityDomain=org.wildfly.security.auth.server.SecurityDomain@5767c3e2, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ManagementRealm', securityRealm=org.wildfly.extension.elytron.PropertiesRealmDefinition$RealmWrapper@2de0c189}, creationTime=2024-06-18T12:02:56.097593876Z}
      [Host Controller] 13:03:02,046 TRACE [org.wildfly.security] (management I/O-1) Handling SocketAddressCallback
      

       

      This issue is not a Domain Mode issue; it also occurs when we are using the management CLI to connect remotely to a standalone instance. However, when using the Management CLI we can configure the timeout and give it enough time so we can connect. The following are the relevant traces:

      The first try gives a timeout:

      $ ./build/target/wildfly-33.0.0.Beta1-SNAPSHOT/bin/jboss-cli.sh -c --controller=192.168.1.226 -u=admin -p=admin
      Failed to connect to the controller: The controller is not available at 192.168.1.226:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to remote+http://192.168.1.226:9990. The connection timed out: WFLYPRT0023: Could not connect to remote+http://192.168.1.226:9990. The connection timed out
      

      On the standalone instance we can see the following:

      13:12:27,908 TRACE [org.wildfly.security] (management I/O-1) Handling SocketAddressCallback
      13:12:27,908 TRACE [org.wildfly.security] (management I/O-1) Handling SocketAddressCallback
      13:12:27,909 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      13:12:27,909 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='rheldev' protocol='remote'
      13:12:27,909 TRACE [org.wildfly.security] (management I/O-1) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      13:12:27,913 TRACE [org.wildfly.security] (management I/O-1) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@6597d7c2] for mechanism [DIGEST-MD5] and protocol [remote]
      13:12:27,914 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@52917fd2->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@8f218dd->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@1e758363->org.wildfly.security.sasl.digest.DigestSaslServer@6597d7c2] for mechanism [DIGEST-MD5]
      13:12:27,930 TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      13:12:27,931 TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = admin
      13:12:27,931 TRACE [org.wildfly.security] (management task-1) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [ManagementRealm], post-realm rewritten: [admin], realm rewritten: [admin]
      13:12:27,933 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential for correct realm "ManagementRealm"
      13:12:27,933 TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@b2b93fa5
      13:12:27,934 TRACE [org.wildfly.security] (management task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      13:12:27,934 TRACE [org.wildfly.security] (management task-1) Authorizing principal admin.
      13:12:27,934 TRACE [org.wildfly.security] (management task-1) Authorizing against the following attributes: [groups] => []
      13:12:27,934 TRACE [org.wildfly.security] (management task-1) Authorizing against the following runtime attributes: [Source-Address] => [192.168.1.48]
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) Permission mapping: identity [admin] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) Authorization succeed
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) RunAs authorization succeed - the same identity
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) Handling AuthorizeCallback: authenticationID = admin  authorizationID = admin  authorized = true
      13:12:27,935 TRACE [org.wildfly.security.sasl.digest] (management task-1) SASL Negotiation Completed
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: succeed
      13:12:27,935 TRACE [org.wildfly.security] (management task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@32e87ecc, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ManagementRealm', securityRealm=org.wildfly.extension.elytron.PropertiesRealmDefinition$RealmWrapper@7a2f5c18}, creationTime=2024-06-18T12:12:27.934359621Z}
      

      Increasing the Management CLI timeout, it succeeds: 

      $ ./build/target/wildfly-33.0.0.Beta1-SNAPSHOT/bin/jboss-cli.sh -c --controller=192.168.1.226 -u=admin -p=admin --timeout=15000
      [standalone@192.168.1.226:9990 /] 
      

      The root cause is still unclear to me, not sure if it could be due to Elytron authentication, remote connection establishment or any management issue.

       

      The connection between both machines seems to be fine:

      $ ping -c 10 192.168.1.226
      PING 192.168.1.226 (192.168.1.226) 56(84) bytes of data.
      64 bytes from 192.168.1.226: icmp_seq=1 ttl=64 time=0.560 ms
      64 bytes from 192.168.1.226: icmp_seq=2 ttl=64 time=0.258 ms
      64 bytes from 192.168.1.226: icmp_seq=3 ttl=64 time=0.527 ms
      64 bytes from 192.168.1.226: icmp_seq=4 ttl=64 time=0.520 ms
      64 bytes from 192.168.1.226: icmp_seq=5 ttl=64 time=0.529 ms
      64 bytes from 192.168.1.226: icmp_seq=6 ttl=64 time=0.552 ms
      64 bytes from 192.168.1.226: icmp_seq=7 ttl=64 time=0.551 ms
      64 bytes from 192.168.1.226: icmp_seq=8 ttl=64 time=0.316 ms
      64 bytes from 192.168.1.226: icmp_seq=9 ttl=64 time=0.106 ms
      64 bytes from 192.168.1.226: icmp_seq=10 ttl=64 time=0.325 ms
      
      --- 192.168.1.226 ping statistics ---
      10 packets transmitted, 10 received, 0% packet loss, time 9211ms
      rtt min/avg/max/mdev = 0.106/0.424/0.560/0.152 ms
      
      $ ping -c 10 192.168.1.48
      PING 192.168.1.48 (192.168.1.48) 56(84) bytes of data.
      64 bytes from 192.168.1.48: icmp_seq=1 ttl=64 time=0.837 ms
      64 bytes from 192.168.1.48: icmp_seq=2 ttl=64 time=0.757 ms
      64 bytes from 192.168.1.48: icmp_seq=3 ttl=64 time=0.828 ms
      64 bytes from 192.168.1.48: icmp_seq=4 ttl=64 time=0.891 ms
      64 bytes from 192.168.1.48: icmp_seq=5 ttl=64 time=0.833 ms
      64 bytes from 192.168.1.48: icmp_seq=6 ttl=64 time=0.895 ms
      64 bytes from 192.168.1.48: icmp_seq=7 ttl=64 time=0.902 ms
      64 bytes from 192.168.1.48: icmp_seq=8 ttl=64 time=0.893 ms
      64 bytes from 192.168.1.48: icmp_seq=9 ttl=64 time=0.903 ms
      64 bytes from 192.168.1.48: icmp_seq=10 ttl=64 time=0.837 ms

      --- 192.168.1.48 ping statistics ---
      10 packets transmitted, 10 received, 0% packet loss, time 9150ms
      rtt min/avg/max/mdev = 0.757/0.857/0.903/0.045 ms
      

            jboss-set_jira JBoss SET
            yborgess1@redhat.com Yeray Borges Santana
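
The timing pattern in the traces above (SASL negotiation completes, yet the connect call still times out roughly five seconds later) can be measured mechanically from the client-side log. The following Python sketch is an added example, not part of the original report or of WildFly; the function names are hypothetical, and the sample lines are excerpted from the secondary Host Controller log quoted in the report.

```python
import re
from datetime import datetime, timedelta

# WildFly log line: optional "[Host Controller]" prefix, HH:MM:SS,mmm, level,
# [category], (thread), message. Stack-trace frames do not match and are skipped.
LINE_RE = re.compile(
    r"^(?:\[Host Controller\]\s+)?"
    r"(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]*)\)\s+"
    r"(?P<msg>.*)$"
)

# Sample input: lines excerpted from the log in the report (not a full capture).
SAMPLE_LOG = """\
[Host Controller] 13:06:45,436 TRACE [org.wildfly.security] (management I/O-1) Created SaslClient for mechanism DIGEST-MD5, using Provider WildFlyElytronSaslDigestProvider and protocol remote
[Host Controller] 13:06:45,461 TRACE [org.wildfly.security.sasl.digest] (management task-1) SASL Negotiation Completed
[Host Controller] 13:06:50,401 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote+http://192.168.1.226:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to remote+http://192.168.1.226:9990. The connection timed out
[Host Controller]     at org.jboss.as.protocol@25.0.0.Beta3//org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:115)
[Host Controller] 13:06:51,412 TRACE [org.wildfly.security.sasl.digest] (management task-2) SASL Negotiation Completed
[Host Controller] 13:06:56,535 INFO  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0148: Connected to the domain controller at remote+http://192.168.1.226:9990
"""


def connection_attempts(lines):
    """Pair each connection outcome (WFLYHC0001 / WFLYHC0148) with the most
    recent 'SASL Negotiation Completed' line and report the delay between them."""
    attempts = []
    auth_done = None          # time of the last completed SASL negotiation
    prev = None               # previous parsed timestamp
    offset = timedelta(0)     # added after a midnight rollover (logs carry no date)

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S,%f") + offset
        # A jump backwards of more than 12 h is treated as crossing midnight;
        # small reorderings between threads are left alone.
        if prev is not None and prev - t > timedelta(hours=12):
            offset += timedelta(days=1)
            t += timedelta(days=1)
        prev = t

        msg = m["msg"]
        if "SASL Negotiation Completed" in msg:
            auth_done = t
        elif msg.startswith(("WFLYHC0001", "WFLYHC0148")):
            if msg.startswith("WFLYHC0148"):
                outcome = "connected"
            elif "timed out" in msg:
                outcome = "timeout"
            else:
                outcome = "failed"
            gap = (t - auth_done).total_seconds() if auth_done else None
            attempts.append({
                "outcome": outcome,
                "outcome_time": m["ts"],
                # None means the attempt ended before any SASL exchange finished.
                "post_auth_seconds": None if gap is None else round(gap, 3),
            })
            auth_done = None  # the next attempt must authenticate again
    return attempts


def timed_out_after_auth(attempts):
    """Attempts where authentication finished but the connection still timed
    out: the delay lies after the SASL exchange, not inside it."""
    return [a for a in attempts
            if a["outcome"] == "timeout" and a["post_auth_seconds"] is not None]


if __name__ == "__main__":
    found = connection_attempts(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["outcome_time"]}  {a["outcome"]:<9}  '
              f'post-auth delay: {a["post_auth_seconds"]} s')
    print("timeouts after successful authentication:",
          len(timed_out_after_auth(found)))
```

Running it over a full `host-controller.log` (TRACE enabled for `org.wildfly.security`) gives one row per connection attempt, which makes it easy to compare the post-authentication delay across hosts or builds.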