Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9634

Elytron, unable to configure Kerberos authentication in DR14

XMLWordPrintable

      User impact: User can't configure kerberos authentication in DR14 with Elytron
      Workaround: There is no workaround
      Regression against DR13.

      Description:
      If I try command which worked previously I get error

      [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost@JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"])
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
          "rolled-back" => true
      }
      

      In server.log there is this stacktrace

      15:00:53,476 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("kerberos-security-factory" => "a")
      ]): java.lang.IllegalArgumentException
      	at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:103)
      	at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:503)
      	at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:168)
      	at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
      	at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
      	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
      	at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
      	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
      	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
      	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
      	at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
      	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      

      Adding optional options attribute makes command work again

      [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost@JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
      {"outcome" => "success"}
      

      But after reload, there is error in server log

      18:30:37,430 ERROR [org.jboss.as.controller] (Controller Boot Thread) 
      
      OPVDX001: Validation error in standalone.xml -----------------------------------
      |
      |  365:     </kerberos-security-factory>
      |  366: </credential-security-factories>
      |  367: <mappers>
      |       ^^^^ 'mappers' isn't an allowed element here
      |            
      |            Elements allowed here are: 
      |              audit-logging                  policy                         
      |              authentication-client          providers                      
      |              credential-security-factories  sasl                           
      |              credential-stores              security-domains               
      |              dir-contexts                   security-properties            
      |              http                           security-realms                
      |              mappers                        tls                            
      |
      |  368:     <constant-permission-mapper name="default-permission-mapper">
      |  369:         <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
      |  370:         <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
      |
      | 'mappers' is allowed in elements: 
      | - server > profile > {urn:wildfly:elytron:1.0}subsystem
      | "
      |
      | The primary underlying error message was:
      | > ParseError at [row,col]:[367,13]
      | > Message: WFLYCTL0198: Unexpected element
      | >   '{urn:wildfly:elytron:1.0}mappers' encountered
      |
      |-------------------------------------------------------------------------------
      
      18:30:37,430 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
      	at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
      	at org.jboss.as.server.ServerService.boot(ServerService.java:376)
      	at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:337)
      	at java.lang.Thread.run(Thread.java:745)
      
      18:30:37,432 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
      

      Attribute options is marked correctly optional in model.

      	"options" => {
      	    "type" => OBJECT,
      	    "description" => "The Krb5LoginModule additional options.",
      	    "expressions-allowed" => false,
      	    "required" => false,
      	    "nillable" => true,
      	    "value-type" => STRING,
      	    "access-type" => "read-write",
      	    "storage" => "configuration",
      	    "restart-required" => "no-services"
      	},
      

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: