WildFly Core: WFCORE-2767

Elytron key-store resource needs a restart when its credential-reference attribute is changed, but restart-required is set to "no-services"


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Critical
    • Component: Security
      /subsystem=elytron/credential-store=cs001:add(credential-reference={clear-text=pass123}, create=true, location=cs001.jceks)  
      
      /subsystem=elytron/credential-store=cs001:add-alias(alias=ff,secret-value=Elytron)
      

      Copy firefly.keystore from attachment to JBOSS_HOME/standalone/data

      /subsystem=elytron/key-store=firefly:add(path=firefly.keystore,relative-to=jboss.server.data.dir,type=JKS,credential-reference= {store=cs001,alias=ff})
      

      You can list all aliases in the keystore:

      /subsystem=elytron/key-store=firefly:read-aliases
      {
          "outcome" => "success",
          "result" => [
              "ca",
              "firefly"
          ]
      }
      

      We create another credential store with the same alias entry but a different value:

      /subsystem=elytron/credential-store=cs002:add(credential-reference={clear-text=pass123}, create=true, location=cs002.jceks)  
      
      /subsystem=elytron/credential-store=cs002:add-alias(alias=ff, secret-value=ElytronWrong)
      

      Now we change the credential-reference of the keystore to the second credential store, which holds an invalid password for keystore access.

      /subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002)
      {
          "outcome" => "success",
          "response-headers" => {
              "operation-requires-reload" => true,
              "process-state" => "reload-required"
          }
      }
      

      A reload is required for credential-reference, but in the model we see "restart-required" => "no-services":

      "credential-reference" => {
          "type" => OBJECT,
          "description" => "The reference to credential stored in CredentialStore under defined alias or clear text password.",
          "expressions-allowed" => false,
          "required" => true,
          "nillable" => false,
          "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
          "value-type" => {
              "store" => {
                  "type" => STRING,
                  "description" => "The name of the credential store holding the alias to credential.",
                  "expressions-allowed" => false,
                  "required" => false,
                  "nillable" => true,
                  "capability-reference" => "org.wildfly.security.credential-store",
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              },
              "alias" => {
                  "type" => STRING,
                  "description" => "The alias which denotes stored secret or credential in the store.",
                  "expressions-allowed" => true,
                  "required" => false,
                  "nillable" => true,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              },
              "type" => {
                  "type" => STRING,
                  "description" => "The type of credential this reference is denoting.",
                  "expressions-allowed" => true,
                  "required" => false,
                  "nillable" => true,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              },
              "clear-text" => {
                  "type" => STRING,
                  "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
                  "expressions-allowed" => true,
                  "required" => false,
                  "nillable" => true,
                  "min-length" => 1L,
                  "max-length" => 2147483647L
              }
          },
          "access-type" => "read-write",
          "storage" => "configuration",
          "restart-required" => "no-services"
      }
      

      Setting the allow-resource-service-restart header property to true doesn't help:

      /subsystem=elytron/key-store=firefly:write-attribute(name=credential-reference.store, value=cs002){allow-resource-service-restart=true}   
      {
          "outcome" => "success",
          "response-headers" => {
              "operation-requires-reload" => true,
              "process-state" => "reload-required"
          }
      }
      
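      The responses above can be checked mechanically rather than by eye. As an added example (not part of this issue and not WildFly's own code), the Python below parses the CLI's DMR text output into Python objects and classifies a write-attribute response as "applied", "pending-reload" or "failed"; it also reads the restart-required value out of an attribute description, so the "no-services" policy in the model can be compared with the "reload-required" header the server actually returns. The sample responses are constructed to match the shape of the CLI output in this report (the attribute description is trimmed), and the names `parse_dmr`, `check_write` and `restart_policy` are this example's own. The operational point: "outcome" => "success" together with "process-state" => "reload-required" means the key-store service is still running with the previous credential until the server is reloaded, so automation must not treat the new credential as in effect.

```python
import json
import re

# Constructed samples, copied in shape from the CLI responses in the report above.
RELOAD_RESPONSE = '''{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}'''
ALIASES_RESPONSE = '{"outcome" => "success", "result" => ["ca", "firefly"]}'
# Trimmed attribute description (constructed) in the same notation as the model dump.
ATTRIBUTE_DESCRIPTION = '''{"type" => OBJECT, "required" => true,
    "value-type" => {"store" => {"type" => STRING, "min-length" => 1L}},
    "restart-required" => "no-services"}'''

# One token per match: punctuation, quoted string, integer (optionally long-suffixed,
# e.g. 1L) or bare identifier (OBJECT, true); any other non-blank character is an error.
TOKEN_RE = re.compile(
    r'\{|\}|\[|\]|,|=>|"(?:[^"\\]|\\.)*"|-?\d+L?|[A-Za-z_][\w.-]*|(?P<bad>\S)')

def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.group("bad"):
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        tokens.append(m.group())
    return tokens

class _Parser:
    """Recursive-descent parser for DMR text output (hypothetical helper, not WildFly's)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def skip_comma(self):
        if self.peek() == ",":
            self.i += 1

    def value(self):
        tok = self.take()
        if tok == "{":
            result = {}
            while self.peek() != "}":
                key = json.loads(self.take())       # keys are always quoted strings
                self.take("=>")
                result[key] = self.value()
                self.skip_comma()
            self.take("}")
            return result
        if tok == "[":
            items = []
            while self.peek() != "]":
                items.append(self.value())
                self.skip_comma()
            self.take("]")
            return items
        if tok.startswith('"'):
            return json.loads(tok)                  # DMR strings use JSON-style escapes
        if tok in ("true", "false"):
            return tok == "true"
        if tok == "undefined":
            return None
        if re.fullmatch(r"-?\d+L?", tok):
            return int(tok.rstrip("L"))             # 1L -> 1
        return tok                                  # bare type names such as OBJECT

def parse_dmr(text):
    parser = _Parser(tokenize(text))
    result = parser.value()
    if parser.peek() is not None:
        raise ValueError("trailing tokens after DMR value")
    return result

def check_write(response_text):
    """Classify a write-attribute response: 'failed', 'pending-reload' or 'applied'.
    'pending-reload' means the model holds the new value but the running service does not."""
    resp = parse_dmr(response_text)
    if resp.get("outcome") != "success":
        return "failed"
    headers = resp.get("response-headers") or {}
    if headers.get("operation-requires-reload") or headers.get("process-state") in (
            "reload-required", "restart-required"):
        return "pending-reload"
    return "applied"

def restart_policy(description_text):
    """Return the restart-required value an attribute description advertises."""
    return parse_dmr(description_text).get("restart-required")
```

      With the responses from this report, `check_write(RELOAD_RESPONSE)` returns "pending-reload" while `restart_policy(ATTRIBUTE_DESCRIPTION)` returns "no-services"; a script that compares the two surfaces exactly the inconsistency this issue describes.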

      The Elytron key-store resource needs a restart when its credential-reference attribute is changed, but restart-required is set to "no-services".

      restart-required should rather be set to "resource-services", with the ability to use the allow-resource-service-restart=true header property.

      Assignee: Yeray Borges Santana (yborgess1@redhat.com)
      Reporter: Hynek Švábek (hsvabek_jira, inactive)