JBoss Enterprise Application Platform / JBEAP-9989

When flushing the credential store to a file on disk fails, the credential store in memory and the persisted file are inconsistent.


    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.DR18
    • 7.1.0.DR15
    • Security
    • None

      When flushing the credential store to a file on disk fails, the credential store in memory and the persisted file are inconsistent.

      I expect consistent state, same aliases in memory and persisted on disk.
      We must not add new aliases only to memory.

      This problem is exported from issue https://issues.jboss.org/browse/JBEAP-6866,
      where it is noted as a secondary problem.

      HOW TO REPRODUCE

      /subsystem=elytron/credential-store=cs001:add(credential-reference={clear-text=pass123}, relative-to="jboss.server.data.dir", create=true, location=cs/credentialStore.jceks)
      
      /subsystem=elytron/credential-store=cs001/alias=alias001:add(secret-value=secretvalue)
      

      Now the credentialStore.jceks file is persisted on disk in JBOSS_HOME/standalone/data/cs.
      Please remove write permission for the folder "cs":

      chmod g-w  cs
      chmod u-w  cs
      

      Try to add another entry to the credential store:

      /subsystem=elytron/credential-store=cs001/alias=alias002:add(secret-value=secretvalue)
      {
          "outcome" => "failed",
          "failure-description" => "WFLYELY00009: Unable to complete operation. 'ELY09525: Unable to flush credential store to storage'",
          "rolled-back" => true
      }
      

      You get the error message shown above.
      Now list all aliases in the credential store:

      /subsystem=elytron/credential-store=cs001:read-children-names(child-type=alias)
      {
          "outcome" => "success",
          "result" => [
              "alias001",
              "alias002"
          ]
      }
      

      The non-persisted "alias002" is listed too.

      Now we check the aliases in the persisted file:

      reload
      

      There isn't any alias "alias002" after reload.

      /subsystem=elytron/credential-store=cs001:read-children-names(child-type=alias)
      {
          "outcome" => "success",
          "result" => ["alias001"]
      }
      

              thofman Tomas Hofman
              hsvabek_jira Hynek Švábek (Inactive)
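
The consistency the report asks for (an alias is visible in memory only if it reached disk) can be obtained by flushing a staged copy first and committing it to memory afterwards. The sketch below is an added example, not Elytron code and not the fix applied for this issue; `FileBackedStore`, `FlushError` and the plaintext JSON file format are assumptions made for illustration.

```python
import json
import os
import tempfile


class FlushError(Exception):
    """Raised when the store cannot be written to disk."""


class FileBackedStore:
    """Toy alias store (hypothetical, not Elytron; a real store encrypts its entries)."""

    def __init__(self, location):
        self.location = location
        self._aliases = {}
        if os.path.exists(location):
            with open(location, encoding="utf-8") as fh:
                self._aliases = json.load(fh)

    def aliases(self):
        return sorted(self._aliases)

    def add(self, alias, secret):
        # Stage the change on a copy so a failed flush leaves memory untouched.
        staged = dict(self._aliases)
        staged[alias] = secret
        self._flush(staged)
        self._aliases = staged  # commit to memory only after the file is in place

    def _flush(self, entries):
        directory = os.path.dirname(self.location) or "."
        tmp_path = None
        try:
            # Write a sibling temp file, then rename it over the target in one step,
            # so the persisted file is never left half-written.
            fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".cs-", suffix=".tmp")
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(entries, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp_path, self.location)
        except OSError as exc:
            if tmp_path and os.path.exists(tmp_path):
                os.unlink(tmp_path)
            raise FlushError(f"unable to flush store to {self.location}") from exc
```

With this ordering, a failed `add` leaves both the in-memory alias list and the file on disk exactly as they were before the call, so a listing before and after a reload returns the same aliases.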