Project: Red Hat Data Grid
Issue: JDG-508

Missing schema_manager role, when attempting to register protofile to ___protobuf_metadata cache


    Details

    • Fix Build:
      GA
    • Steps to Reproduce:
      Attempt to register the schema with no security enabled, JDG on a remote address.

      import org.infinispan.client.hotrod.RemoteCache;
      import org.infinispan.query.remote.client.ProtobufMetadataManagerConstants;

      // PROTOBUF_DEFINITION_RESOURCE and readResource() are the caller's own constant and helper
      RemoteCache<String, String> metadataCache = cacheManager
              .getCache(ProtobufMetadataManagerConstants.PROTOBUF_METADATA_CACHE_NAME);
      metadataCache.put(PROTOBUF_DEFINITION_RESOURCE, readResource(PROTOBUF_DEFINITION_RESOURCE));
      // the server records schema parse errors under the ".errors" key of the metadata cache
      String errors = metadataCache.get(ProtobufMetadataManagerConstants.ERRORS_KEY_SUFFIX);
      if (errors != null) {
          throw new IllegalStateException("Some Protobuf schema files contain errors:\n" + errors);
      }

      Loopback error is thrown.

      Attempt to register the schema with security enabled. A "lacks 'WRITE' permission" exception is thrown.

      Attempt to register the schema with security enabled and the proper role "___schema_manager" specified.
      Successful registration.

      Description

      Title: Indexing Protobuf Encoded Entities

      Describe the issue:
      Due to a new requirement in JDG 7.0, the ___protobuf_metadata cache can only be accessed over
      loopback when security is not enabled. This exception is thrown:
      "org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=3 returned server error (status=0x84): org.infinispan.server.hotrod.RequestParsingException: Remote requests are allowed to protected caches only over loopback or if authorization is enabled. Do no send remote requests to cache '_protobuf_metadata'"

      If accessing the cache using a remote address a permission error occurs due to lack of permissions.
      "org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=7 returned server error (status=0x85): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [SimpleUserPrincipal [name=user1], InetAddressPrincipal [address=192.168.50.196/192.168.50.196], user1@ApplicationRealm, role1@ApplicationRealm, role1]' lacks 'WRITE' permission"

      Even if the user has the ADMIN or ALL permission it still isn't sufficient to access the '___protobuf_metadata' cache.

      Suggestions for improvement:
      An additional permission role, "___schema_manager", is required of the user attempting to WRITE to the '___protobuf_metadata' cache. This needs to be documented.

      It appears to only be available in the Infinispan 9.0.x documentation, the git docs and the git source.
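      The server-side fix the report points at, as an added example (not from the issue or the project's own docs): a JDG 7 standalone.xml authorization fragment showing the failing setup (only application roles such as admin defined) next to the corrected one (the reserved ___schema_manager role granted). The subsystem namespace version, the cache-container and cache names, and the realm user are assumptions; the hotrod-connector authentication block is omitted.

```xml
<!-- Added example, not from the issue. Namespace version is assumed for JDG 7.0. -->
<subsystem xmlns="urn:infinispan:server:core:8.3">
  <cache-container name="clustered" default-cache="default">
    <transport lock-timeout="60000"/>
    <security>
      <authorization>
        <!-- identity-role-mapper uses every principal name (user or group) verbatim
             as a role name, so the user's group must literally match the role below -->
        <identity-role-mapper/>

        <!-- Failing setup from the report: only application roles exist.
             A user holding 'admin' (ALL) is still refused on ___protobuf_metadata,
             because the server restricts that internal cache to ___schema_manager. -->
        <role name="admin"  permissions="ALL"/>
        <role name="reader" permissions="READ"/>

        <!-- Fix: the reserved role, three leading underscores, granted ALL.
             The server attaches this role to the metadata cache by itself; declaring
             it here only makes the grant visible and lets the mapper resolve it. -->
        <role name="___schema_manager" permissions="ALL"/>
      </authorization>
    </security>

    <!-- Application data stays limited to the ordinary roles -->
    <distributed-cache name="secured">
      <security>
        <authorization roles="admin reader"/>
      </security>
    </distributed-cache>
  </cache-container>
</subsystem>
```

      With the identity role mapper the Hot Rod user must then belong to a group named exactly ___schema_manager in the realm's application-roles.properties (assumed entry: `user1=admin,___schema_manager`); the role should be granted only to the identity that deploys schemas, since it writes to a cache every query on the server trusts.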

      Additional information:

              People

              Assignee:
              chuffman Christian Huffman
              Reporter:
              kenthua Kent Hua (Inactive)