Uploaded image for project: 'Red Hat Data Grid'
  1. Red Hat Data Grid
  2. JDG-2599

Creation of secure caches through remote admin fails with security exception

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • JDG 7.3.1 ER2
    • JDG 7.2.3 GA
    • None
    • None
    • +
    • Hide

      If we don't apply any security to the clustered cache container. It works fine.

      Show
      If we don't apply any security to the clustered cache container. It works fine.
    • Hide

      Create a security role as below in clustered cache container:

       <cache-container name="clustered" default-cache="default" statistics="true">
      -
      -
      -
       <security>
                          <authorization>
                              <identity-role-mapper/>
                              <role name="a_role" permissions="ALL"/>
                          </authorization>
                      </security>
      

      Create a distributed-cache-configuration as below:

      <distributed-cache-configuration name="demo_config" owners="2" segments="256" l1-lifespan="60000" mode="SYNC" remote-timeout="30000">
                          <locking striping="false" acquire-timeout="3000" concurrency-level="1000"/>
                          <transaction mode="NONE"/>
       		    <security>
                              <authorization roles="a_role"/>
                          </security>
                          <memory>
                              <object size="5000000"/>
                          </memory>
                          <expiration max-idle="-1" lifespan="-1" interval="120000"/>
                          <file-store path="/testCashStore/" shared="false" preload="true" passivation="true" fetch-state="true" purge="false" read-only="false"/>
                          <indexing index="NONE" auto-config="true"/>
                      </distributed-cache-configuration>
      

      Create the dynamic cache with below code:

      String cacheName = "test123";
          	
              String TemplateName="demo_config";
              cacheManager.administration().withFlags(AdminFlag.PERMANENT).getOrCreateCache(cacheName, TemplateName);
      

      The reproducer and test config file are attached. The project resource folder has all the configuration files and project has the java reproducer as hotrod client.

      Show
      Create a security role as below in clustered cache container: <cache-container name= "clustered" default-cache= "default" statistics= "true" > - - - <security> <authorization> <identity-role-mapper/> <role name= "a_role" permissions= "ALL" /> </authorization> </security> Create a distributed-cache-configuration as below: <distributed-cache-configuration name= "demo_config" owners= "2" segments= "256" l1-lifespan= "60000" mode= "SYNC" remote-timeout= "30000" > <locking striping= "false" acquire-timeout= "3000" concurrency-level= "1000" /> <transaction mode= "NONE" /> <security> <authorization roles= "a_role" /> </security> <memory> <object size= "5000000" /> </memory> <expiration max-idle= "-1" lifespan= "-1" interval= "120000" /> <file-store path= "/testCashStore/" shared= "false" preload= "true" passivation= "true" fetch-state= "true" purge= "false" read-only= "false" /> <indexing index= "NONE" auto-config= "true" /> </distributed-cache-configuration> Create the dynamic cache with below code: String cacheName = "test123" ; String TemplateName= "demo_config" ; cacheManager.administration().withFlags(AdminFlag.PERMANENT).getOrCreateCache(cacheName, TemplateName); The reproducer and test config file are attached. The project resource folder has all the configuration files and project has the java reproducer as hotrod client.
    • JDG Sprint #25

      Attempting to create a cache with enabled security through the cache admin API fails.
      An example cache configuration:

      <distributed-cache-configuration name="secure" >
        <security>
          <authorization roles="a_role"/>
        </security>
      </distributed-cache-configuration>
      
      ISPN000280: Caught exception [java.lang.SecurityException] while invoking method [public void org.infinispan.globalstate.impl.GlobalConfigurationStateListener.createCache(org.infinispan.notifications.cachelistener.event.CacheEntryCreatedEvent)] on listener instance: org.infinispan.globalstate.impl.GlobalConfigurationStateListener@6d95c204
      	at org.infinispan.notifications.impl.AbstractListenerImpl$ListenerInvocationImpl$1.run(AbstractListenerImpl.java:401)
      	at org.infinispan.util.concurrent.WithinThreadExecutor.execute(WithinThreadExecutor.java:20)
      	at org.infinispan.notifications.impl.AbstractListenerImpl$ListenerInvocationImpl.invoke(AbstractListenerImpl.java:419)
      	at org.infinispan.notifications.cachelistener.CacheNotifierImpl$BaseCacheEntryListenerInvocation.doRealInvocation(CacheNotifierImpl.java:1565)
      	at org.infinispan.notifications.cachelistener.CacheNotifierImpl$BaseCacheEntryListenerInvocation.doRealInvocation(CacheNotifierImpl.java:1561)
      	at org.infinispan.notifications.cachelistener.CacheNotifierImpl$BaseCacheEntryListenerInvocation.invokeNoChecks(CacheNotifierImpl.java:1556)
      	at org.infinispan.notifications.cachelistener.CacheNotifierImpl$BaseCacheEntryListenerInvocation.invoke(CacheNotifierImpl.java:1535)
      	at org.infinispan.notifications.cachelistener.CacheNotifierImpl.notifyCacheEntryCreated(CacheNotifierImpl.java:368)
      	at org.infinispan.interceptors.locking.ClusteringDependentLogic$AbstractClusteringDependentLogic.notifyCommitEntry(ClusteringDependentLogic.java:261)
      	at org.infinispan.interceptors.locking.ClusteringDependentLogic$ReplicationLogic.commitSingleEntry(ClusteringDependentLogic.java:493)
      	at org.infinispan.interceptors.locking.ClusteringDependentLogic$AbstractClusteringDependentLogic.commitEntry(ClusteringDependentLogic.java:186)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.commitContextEntry(EntryWrappingInterceptor.java:578)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.commitEntryIfNeeded(EntryWrappingInterceptor.java:746)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.commitContextEntries(EntryWrappingInterceptor.java:555)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.applyChanges(EntryWrappingInterceptor.java:611)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.lambda$setSkipRemoteGetsAndInvokeNextForDataCommand$8(EntryWrappingInterceptor.java:667)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNextThenAccept(BaseAsyncInterceptor.java:108)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.setSkipRemoteGetsAndInvokeNextForDataCommand(EntryWrappingInterceptor.java:664)
      	at org.infinispan.interceptors.impl.EntryWrappingInterceptor.visitPutKeyValueCommand(EntryWrappingInterceptor.java:304)
      	at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:79)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNext(BaseAsyncInterceptor.java:57)
      	at org.infinispan.interceptors.locking.AbstractLockingInterceptor.visitNonTxDataWriteCommand(AbstractLockingInterceptor.java:107)
      	at org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitDataWriteCommand(NonTransactionalLockingInterceptor.java:39)
      	at org.infinispan.interceptors.locking.AbstractLockingInterceptor.visitPutKeyValueCommand(AbstractLockingInterceptor.java:77)
      	at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:79)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNext(BaseAsyncInterceptor.java:57)
      	at org.infinispan.statetransfer.StateTransferInterceptor.handleNonTxWriteCommand(StateTransferInterceptor.java:354)
      	at org.infinispan.statetransfer.StateTransferInterceptor.handleWriteCommand(StateTransferInterceptor.java:292)
      	at org.infinispan.statetransfer.StateTransferInterceptor.visitPutKeyValueCommand(StateTransferInterceptor.java:122)
      	at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:79)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNext(BaseAsyncInterceptor.java:57)
      	at org.infinispan.interceptors.impl.CacheMgmtInterceptor.updateStoreStatistics(CacheMgmtInterceptor.java:178)
      	at org.infinispan.interceptors.impl.CacheMgmtInterceptor.visitPutKeyValueCommand(CacheMgmtInterceptor.java:167)
      	at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:79)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNextAndExceptionally(BaseAsyncInterceptor.java:126)
      	at org.infinispan.interceptors.impl.InvocationContextInterceptor.visitCommand(InvocationContextInterceptor.java:92)
      	at org.infinispan.interceptors.BaseAsyncInterceptor.invokeNext(BaseAsyncInterceptor.java:59)
      	at org.infinispan.interceptors.DDAsyncInterceptor.handleDefault(DDAsyncInterceptor.java:53)
      	at org.infinispan.interceptors.DDAsyncInterceptor.visitPutKeyValueCommand(DDAsyncInterceptor.java:59)
      	at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:79)
      	at org.infinispan.interceptors.DDAsyncInterceptor.visitCommand(DDAsyncInterceptor.java:49)
      	at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invokeAsync(AsyncInterceptorChainImpl.java:267)
      	at org.infinispan.commands.remote.BaseRpcInvokingCommand.processVisitableCommandAsync(BaseRpcInvokingCommand.java:71)
      	at org.infinispan.commands.remote.SingleRpcCommand.invokeAsync(SingleRpcCommand.java:58)
      	at org.infinispan.remoting.inboundhandler.BasePerCacheInboundInvocationHandler.invokeCommand(BasePerCacheInboundInvocationHandler.java:95)
      	at org.infinispan.remoting.inboundhandler.BaseBlockingRunnable.invoke(BaseBlockingRunnable.java:91)
      	at org.infinispan.remoting.inboundhandler.BaseBlockingRunnable.runAsync(BaseBlockingRunnable.java:69)
      	at org.infinispan.remoting.inboundhandler.BaseBlockingRunnable.run(BaseBlockingRunnable.java:41)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'LIFECYCLE' permission
      	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:87)
      	at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:65)
      	at org.infinispan.manager.DefaultCacheManager.wireAndStartCache(DefaultCacheManager.java:647)
      	at org.infinispan.manager.DefaultCacheManager.createCache(DefaultCacheManager.java:622)
      	at org.infinispan.manager.DefaultCacheManager.internalGetCache(DefaultCacheManager.java:508)
      	at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManager.java:494)
      	at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManager.java:482)
      	at org.infinispan.globalstate.impl.VolatileLocalConfigurationStorage.createCache(VolatileLocalConfigurationStorage.java:64)
      	at org.infinispan.globalstate.impl.OverlayLocalConfigurationStorage.createCache(OverlayLocalConfigurationStorage.java:44)
      	at org.infinispan.globalstate.impl.GlobalConfigurationManagerImpl.createCacheLocally(GlobalConfigurationManagerImpl.java:159)
      	at org.infinispan.globalstate.impl.GlobalConfigurationStateListener.createCache(GlobalConfigurationStateListener.java:28)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.infinispan.notifications.impl.AbstractListenerImpl$ListenerInvocationImpl$1.run(AbstractListenerImpl.java:396)
      	... 50 more
      

              ttarrant@redhat.com Tristan Tarrant
              rhn-support-danaokar Durgesh Anaokar (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: