Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8340

Resuming a batch job after server resume requires the anonymous identity to have RunAsPrincipalPermission of the original user

    Details

      Description

      • Batch job is submitted by user A
      • While the job is running, the server gets suspended
      • When user B calls the resume operation, the Batch execution is attempted to be restarted. However, this only works if anonymous identity has the permission org.wildfly.security.auth.permission.RunAsPrincipalPermission for user A, which is not the case in the default configuration.

      I find this a UX issue because you have to add a special permission to make this work when it should work out-of-the-box, and also one might not want to give this permission to anonymous because it could be potentially abused in other places.

      14:59:53,729 TRACE [org.wildfly.security] (management-handler-thread - 4) Permission mapping: identity [anonymous] with roles [] implies ("org.wildfly.security.auth.permission.RunAsPrincipalPermission" "user1") = false
      14:19:53,842 ERROR [org.wildfly.extension.batch] (management-handler-thread - 4) WFLYBATCH000016: Failed to restart execution 1 for job server-suspend on deployment server-suspend.war: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "user1" authorization operation failed
      	at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:628)
      	at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:603)
      	at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.privilegedRunAs(JobOperatorService.java:520)
      	at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.restartStoppedJobs(JobOperatorService.java:495)
      	at org.wildfly.extension.batch.jberet.deployment.JobOperatorService$BatchJobServerActivity.resume(JobOperatorService.java:430)
      	at org.jboss.as.server.suspend.SuspendController.resume(SuspendController.java:127)
      	at org.jboss.as.server.operations.ServerResumeHandler$1$1.handleResult(ServerResumeHandler.java:79)
      	at org.jboss.as.controller.AbstractOperationContext$Step.invokeResultHandler(AbstractOperationContext.java:1493)
      	at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1475)
      	at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1437)
      	at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1410)
      	at org.jboss.as.controller.AbstractOperationContext$Step.access$400(AbstractOperationContext.java:1284)
      	at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:856)
      	at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:842)
      	at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:748)
      	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
      	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
      	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
      	at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:258)
      	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:277)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  jamezp James Perkins
                  Reporter:
                  jamezp James Perkins
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: