Red Hat Data Grid / JDG-4688

HotRod does not work with 'Validate' strategy


Details

    Description

      The server does not enable the 'EXTERNAL' SASL mechanism for the HotRod client when the `Validate` strategy is selected via the Operator. The REST endpoint works as expected. The same configuration for the HotRod client works when the `Authenticate` strategy is selected.

      Client config:

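      import org.infinispan.client.hotrod.RemoteCacheManager;
      import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

      ConfigurationBuilder builder = new ConfigurationBuilder();
      builder.addServer().host(serviceName).port(11222);
      // SASL EXTERNAL: the client identity is taken from the TLS client certificate
      builder.security().authentication().saslMechanism("EXTERNAL").realm("default").serverName("infinispan");
      // Key store holds the client certificate; trust store is used to verify the server certificate
      builder.security().ssl()
              .keyStoreFileName("/etc/client-secret/keystore").keyStorePassword("password".toCharArray())
              .trustStoreFileName("/etc/truststore-secret/truststore.p12").trustStorePassword("password".toCharArray());

      RemoteCacheManager rcm = new RemoteCacheManager(builder.build());
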

      Infinispan CR:

      spec: 
        ...
        security: 
          endpointEncryption: 
            type: secret
            certSecretName: encryption-secret
            clientCert: Validate
            clientCertSecretName: truststore-secret
        ...
      

      Stacktrace:

      2021-06-29 12:35:40,492 [HotRod-client-async-pool-1-1] INFO  org.infinispan.SECURITY- ISPN000947: Using Java SSL Provider
      2021-06-29 12:35:41,437 [http-apr-8080-exec-3] INFO  org.infinispan.HOTROD- ISPN004021: Infinispan version: Infinispan 'Taedonggang' 12.1.4.Final
      2021-06-29 12:35:42,130 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:42,305 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:42,516 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:42,674 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:42,887 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,029 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,179 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,353 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,542 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,674 [HotRod-client-async-pool-1-2] INFO  org.infinispan.HOTROD- ISPN004016: Server not in cluster anymore(datagrid-service:11222), removing from the pool.
      2021-06-29 12:35:43,798 [HotRod-client-async-pool-1-2] ERROR org.infinispan.HOTROD- ISPN004007: Exception encountered. Retry 10 out of 10
      org.infinispan.client.hotrod.exceptions.TransportException:: java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
      	at org.infinispan.client.hotrod.impl.transport.netty.ActivationHandler.exceptionCaught(ActivationHandler.java:52)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
      	at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
      	at io.netty.handler.ssl.SslHandler.exceptionCaught(SslHandler.java:1122)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
      	at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.exceptionCaught(DefaultChannelPipeline.java:1377)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
      	at io.netty.channel.DefaultChannelPipeline.fireExceptionCaught(DefaultChannelPipeline.java:907)
      	at org.infinispan.client.hotrod.impl.transport.netty.AuthHandler.lambda$channelActive$2(AuthHandler.java:86)
      	at java.util.concurrent.CompletableFuture.uniExceptionally(CompletableFuture.java:870)
      	at java.util.concurrent.CompletableFuture$UniExceptionally.tryFire(CompletableFuture.java:852)
      	at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
      	at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
      	at org.infinispan.client.hotrod.impl.operations.HotRodOperation.complete(HotRodOperation.java:160)
      	at org.infinispan.client.hotrod.impl.operations.AuthMechListOperation.acceptResponse(AuthMechListOperation.java:56)
      	at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:146)
      	at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:94)
      	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
      	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
      	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1504)
      	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1253)
      	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1300)
      	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
      	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
      	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
      	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
      	at org.infinispan.client.hotrod.impl.transport.netty.AuthHandler.lambda$channelActive$0(AuthHandler.java:50)
      	at java.util.concurrent.CompletableFuture.uniCompose(CompletableFuture.java:952)
      	at java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:926)
      	... 35 more
      java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
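
For triaging client logs like the trace above, this added example (not part of the original report or of Infinispan) groups ISPN004031 errors and separates the case reported here, an empty server mechanism list, from a plain mechanism mismatch. The function name `triage` and the `kind` labels are hypothetical, and the last sample line is constructed.

```python
import re

# ISPN004031: client asked for a SASL mechanism the server did not advertise.
MECH_ERR = re.compile(
    r"ISPN004031: The selected authentication mechanism '(?P<mech>[^']+)' "
    r"is not among the supported server mechanisms: \[(?P<offered>[^\]]*)\]")
# ISPN004007: client retry counter, e.g. "Retry 10 out of 10".
RETRY = re.compile(r"ISPN004007: Exception encountered\. Retry (\d+) out of (\d+)")

def triage(log_text):
    """Group ISPN004031 errors by (requested, offered) and classify each group."""
    groups, exhausted = {}, False
    for line in log_text.splitlines():
        r = RETRY.search(line)
        if r and r.group(1) == r.group(2):
            exhausted = True  # the client gave up after its last retry
        m = MECH_ERR.search(line)
        if not m:
            continue
        offered = tuple(s.strip() for s in m.group("offered").split(",") if s.strip())
        key = (m.group("mech"), offered)
        g = groups.setdefault(key, {
            "requested": key[0], "offered": list(offered), "count": 0,
            # Empty list: the endpoint advertised no SASL mechanism at all.
            # Non-empty: SASL is on, but the requested mechanism is not listed.
            "kind": "server_offers_none" if not offered else "mechanism_mismatch"})
        g["count"] += 1
    return {"retries_exhausted": exhausted, "findings": list(groups.values())}

# The first four lines are copied from the trace on this page; the last is constructed.
SAMPLE = """\
2021-06-29 12:35:43,798 [HotRod-client-async-pool-1-2] ERROR org.infinispan.HOTROD- ISPN004007: Exception encountered. Retry 10 out of 10
org.infinispan.client.hotrod.exceptions.TransportException:: java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
Caused by: java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: []
java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'EXTERNAL' is not among the supported server mechanisms: [SCRAM-SHA-512, DIGEST-MD5]
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("retries exhausted:", result["retries_exhausted"])
    for finding in result["findings"]:
        print(finding)
```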
      

            People

              remerson@redhat.com Ryan Emerson
              pdrobek@redhat.com Pavel Drobek