Red Hat Data Grid: JDG-5458

[Operator] Client Cert Authorization causes 403 ISPN000287: Unauthorized access


      The existing Client Cert Authorization test can be made to fail with the following additions:

      Index: test/e2e/infinispan/client_cert_test.go
      IDEA additional info:
      Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
      <+>UTF-8
      ===================================================================
      diff --git a/test/e2e/infinispan/client_cert_test.go b/test/e2e/infinispan/client_cert_test.go
      --- a/test/e2e/infinispan/client_cert_test.go	(revision c7ebceb205908dea47736461a8252e4640953514)
      +++ b/test/e2e/infinispan/client_cert_test.go	(date 1657616142345)
      @@ -137,7 +137,10 @@
       	// Register it
       	testKube.CreateInfinispan(spec, tutils.Namespace)
       	testKube.WaitForInfinispanPods(1, tutils.SinglePodTimeout, spec.Name, tutils.Namespace)
      -	testKube.WaitForInfinispanCondition(spec.Name, spec.Namespace, ispnv1.ConditionWellFormed)
      +	ispn := testKube.WaitForInfinispanCondition(spec.Name, spec.Namespace, ispnv1.ConditionWellFormed)
      +	ispn.Spec.Replicas = 0
      +	testKube.Update(ispn)
      +	testKube.WaitForInfinispanPods(0, tutils.SinglePodTimeout, spec.Name, tutils.Namespace)
       
       	// Ensure that we can connect to the endpoint with TLS
       	client_ := tutils.HTTPSClientForCluster(spec, tlsConfig, testKube)
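Review bot: the scale-down is inserted ahead of the TLS connectivity check that closes the hunk, so whenever the graceful shutdown does succeed the next line, `client_ := tutils.HTTPSClientForCluster(spec, tlsConfig, testKube)`, would be opened against a cluster with zero pods; either move the three added lines (`ispn.Spec.Replicas = 0`, `testKube.Update(ispn)` and the `WaitForInfinispanPods(0, ...)`) to the end of the test, after the existing client-cert assertions, or scale back to 1 before the connectivity check. The reproduction also surfaces only as a timeout of `WaitForInfinispanPods(0, ...)`, which does not distinguish the authorization 403 from any other reason the pod stays up; checking the Infinispan resource's status after the `Update` would make the expected failure explicit.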
      

      If a user configures the Infinispan CR to use Authorization and Client Cert authentication, then it's no longer possible for Operator REST requests to be accepted by the Server. This is because the common-name-role-mapper is configured for client cert authorization, however the Operator client connects without a certificate and relies on its principal name for authorization.

      An ISPN000287 exception is thrown for any REST operation performed by the Operator that requires Authorization. For example, the following is thrown when the user attempts to gracefully shut down the cluster.

      unexpected HTTP status code (403): unexpected error during graceful shutdown, response: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [operator, RolePrincipal{name='admin'}]' lacks 'LIFECYCLE' permission
      

      A test exists for the Authorization with Client Certs, however it passes as it only establishes that the Infinispan cluster is WellFormed. The WellFormed check continues to function without a 403 as it utilises the rest/v2/cache-managers/default/health endpoint, which does not require authentication/authorization for local calls.
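The mechanism described in the report, modelled in Go as an added example (this is not code from the Infinispan server or the Operator): a common-name role mapper only derives a role from principals that look like an X.509 subject DN, so a subject that authenticated without a certificate, carrying just the plain user name "operator" and a RolePrincipal "admin", ends up with no roles and is refused LIFECYCLE; an identity-style mapper that maps each principal name to a role of the same name would have granted it. The `^CN=([^,]+)` pattern, the `Principal` struct, the two-entry role table and the subjects are assumptions chosen to reproduce the 403 above, not the server's actual types.

```go
package main

import (
	"fmt"
	"regexp"
)

// Permission is a server permission; only the two relevant ones are modelled.
type Permission string

const (
	PermLifecycle Permission = "LIFECYCLE"
	PermAll       Permission = "ALL"
)

// Principal is a name the server attached to the authenticated subject
// (assumed shape). For a client-cert login it is the certificate's subject
// DN; for a password or token login it is the bare user name. A
// RolePrincipal is a group name the identity realm attached to the subject.
type Principal struct {
	Name string
	Role bool // true for a RolePrincipal (group membership from the realm)
}

// RoleMapper turns one principal into zero or more role names.
type RoleMapper interface {
	PrincipalToRoles(p Principal) []string
}

// CommonNameRoleMapper only understands principals that look like a DN:
// "CN=alice,OU=..." becomes the role "alice". Anything else (a plain user
// name, a RolePrincipal) yields no roles at all, which is the failure mode
// the Operator hits when it connects without a certificate.
type CommonNameRoleMapper struct{}

var cnPattern = regexp.MustCompile(`^CN=([^,]+)`)

func (CommonNameRoleMapper) PrincipalToRoles(p Principal) []string {
	if m := cnPattern.FindStringSubmatch(p.Name); m != nil {
		return []string{m[1]}
	}
	return nil
}

// IdentityRoleMapper maps every principal name to a role of the same name,
// so the user "operator" gets role "operator" and the RolePrincipal "admin"
// gets role "admin".
type IdentityRoleMapper struct{}

func (IdentityRoleMapper) PrincipalToRoles(p Principal) []string {
	return []string{p.Name}
}

// rolePermissions is a constructed role table: only "admin" holds ALL.
var rolePermissions = map[string][]Permission{
	"admin":    {PermAll},
	"observer": {},
}

// Authorize reports whether any role the mapper derives from the subject's
// principals carries the requested permission.
func Authorize(mapper RoleMapper, subject []Principal, want Permission) bool {
	for _, p := range subject {
		for _, role := range mapper.PrincipalToRoles(p) {
			for _, perm := range rolePermissions[role] {
				if perm == want || perm == PermAll {
					return true
				}
			}
		}
	}
	return false
}

// OperatorSubject reconstructs the subject from the 403 message: the
// "operator" user plus a RolePrincipal "admin", and no client certificate.
func OperatorSubject() []Principal {
	return []Principal{{Name: "operator"}, {Name: "admin", Role: true}}
}

// CertSubject is a subject whose only principal is a certificate DN
// (constructed value).
func CertSubject() []Principal {
	return []Principal{{Name: "CN=admin,O=Example"}}
}

func main() {
	fmt.Println("CN mapper, operator without cert:", Authorize(CommonNameRoleMapper{}, OperatorSubject(), PermLifecycle))
	fmt.Println("identity mapper, operator:", Authorize(IdentityRoleMapper{}, OperatorSubject(), PermLifecycle))
	fmt.Println("CN mapper, cert CN=admin:", Authorize(CommonNameRoleMapper{}, CertSubject(), PermLifecycle))
}
```

The first call is the reported 403: the RolePrincipal "admin" is present on the subject, but the common-name mapper discards it because "admin" is not a DN, so no role and therefore no LIFECYCLE permission is found. Swapping in the identity mapper, or presenting a certificate whose CN is "admin", makes the same check pass.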

              Ryan Emerson (remerson@redhat.com)
              Pavel Drobek (Inactive)