2 Replies Latest reply on Nov 4, 2017 1:19 PM by justcono

    java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s)

    justcono

Hi Everybody,

I'm in the process of securing the cluster and I've been stuck on this problem for a week now. I am using Infinispan 8.2.8 set up for cross-site replication. I can get authenticated and authorized using the hotrod client. I use the same user to log in via the management console and I get the exception below.

I found this bug just now at the end of typing all this out lol: [ISPN-6515] GlobalXSiteAdminOperations fails on secured caches - JBoss Issue Tracker. Is it fixed in 8.2.8?

Excerpts of my configs:

....

<security-realm name="LDAPSManagementRealm">
  <authentication>
    <ldap connection="ldap_connection" base-dn="OU=People,DC=dev,DC=net">
      <username-filter attribute="sAMAccountName" />
    </ldap>
  </authentication>
  <authorization>
    <ldap connection="ldap_connection">
      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
        <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=dev,dc=net">
          <membership-filter principal-attribute="member"/>
        </group-to-principal>
      </group-search>
    </ldap>
  </authorization>
</security-realm>
</security-realms>

<outbound-connections>
  <ldap name="ldap_connection" url="ldap://192.168.10.11:389" search-dn="cn=Administrator,cn=Users,dc=dev,dc=net" search-credential="secret" />
</outbound-connections>

....

<security>
  <authorization>
    <identity-role-mapper/>
    <role name="Developers" permissions="WRITE"/>
    <role name="Business" permissions="READ"/>
    <role name="ClusterAdmins" permissions="ALL EXEC"/>
    <role name="Managers" permissions="ALL_READ ALL_WRITE EXEC"/>
  </authorization>
</security>

....

<distributed-cache name="default" mode="ASYNC" segments="20" owners="2" remote-timeout="30000" start="EAGER">
  <locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
  <transaction mode="NONE"/>
  <backups>
    <backup site="PROD2" strategy="ASYNC" failure-policy="WARN" enabled="true" />
  </backups>
  <partition-handling enabled="true"/>
  <security>
    <authorization roles="Business ClusterAdmins Developers Managers"/>
  </security>
  <!--
  <compatibility/>
  -->
</distributed-cache>

The exception:

[Server:prod2-s1] 01:31:04,078 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 33) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1]     ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1]     ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,110 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 33) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1]     ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1]     ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,199 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 36) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1]     ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1]     ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,232 INFO  [org.jboss.as.clustering.infinispan] (remote-thread--p2-t1) DGISPN0001: Started ___event_log_cache cache from clustered container
[Server:prod2-s1] 01:31:04,288 INFO  [org.jboss.as.clustering.infinispan] (remote-thread--p2-t1) DGISPN0001: Started ___query_cache cache from clustered container


      Thanks,

      cd cd
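A worked check of the role table in the post, added here as an example; it is not code from the post or from Infinispan. It assumes Infinispan's documented composite permissions (ALL grants every permission, ADMIN included; ALL_READ is READ plus BULK_READ; ALL_WRITE is WRITE plus BULK_WRITE) and models `<identity-role-mapper/>` as mapping each principal name to a role of the same name, with a cache-level `<authorization roles="..."/>` narrowing which container roles apply to that cache. The XML strings are constructed from the posted excerpts, and the subject principals are copied from the ISPN000287 line. Running it separates a role-table mistake from a server-side cause such as the linked ISPN-6515: against these roles the model grants ADMIN to a subject carrying the plain `ClusterAdmins` principal and denies it to `Managers`, whose permissions never include ADMIN.

```python
"""Evaluate Infinispan role-based authorization for a management subject.

Added example (not the poster's or Infinispan's code). The permission model and
the identity-role-mapper behaviour below are assumptions stated in the lead-in.
"""
import xml.etree.ElementTree as ET

# Assumed composite permissions: ALL bundles every atomic permission including
# ADMIN; ALL_READ and ALL_WRITE are the read and write bundles.
COMPOSITE = {
    "ALL": {"LIFECYCLE", "READ", "WRITE", "EXEC", "LISTEN",
            "BULK_READ", "BULK_WRITE", "ADMIN"},
    "ALL_READ": {"READ", "BULK_READ"},
    "ALL_WRITE": {"WRITE", "BULK_WRITE"},
}

# Constructed from the container-level <security> excerpt in the post.
CONTAINER_SECURITY_XML = """
<security>
  <authorization>
    <identity-role-mapper/>
    <role name="Developers" permissions="WRITE"/>
    <role name="Business" permissions="READ"/>
    <role name="ClusterAdmins" permissions="ALL EXEC"/>
    <role name="Managers" permissions="ALL_READ ALL_WRITE EXEC"/>
  </authorization>
</security>
"""

# Constructed from the cache-level <security> excerpt in the post.
CACHE_SECURITY_XML = """
<security>
  <authorization roles="Business ClusterAdmins Developers Managers"/>
</security>
"""

# Principals copied from the ISPN000287 line; the InetAddressPrincipal is left
# out because it names no role.
POSTED_SUBJECT = ["admin@LDAPSManagementRealm",
                  "ClusterAdmins@LDAPSManagementRealm", "ClusterAdmins"]


def expand(permission_names):
    """Expand composite names into the set of atomic permissions they grant."""
    atomic = set()
    for name in permission_names:
        atomic |= COMPOSITE.get(name, {name})
    return atomic


def parse_roles(xml_text):
    """Return {role name: atomic permission set} from a container <security> block."""
    root = ET.fromstring(xml_text)
    return {role.get("name"): expand(role.get("permissions", "").split())
            for role in root.iter("role")}


def parse_cache_roles(xml_text):
    """Return the role names a cache-level <authorization roles="..."/> admits,
    or None when the attribute is absent (every container role then applies)."""
    node = ET.fromstring(xml_text).find("authorization")
    roles_attr = node.get("roles") if node is not None else None
    return set(roles_attr.split()) if roles_attr else None


def identity_role_mapper(principals):
    """Assumed model of <identity-role-mapper/>: each principal name is used
    unchanged as a role name. A realm-qualified 'name@Realm' principal therefore
    only matches a role literally named that way, which is why the plain
    'ClusterAdmins' principal in the posted subject is the one that counts."""
    return set(principals)


def effective_permissions(principals, roles, cache_roles=None):
    """Union of permissions from every role the subject maps to, restricted to
    the roles the cache admits when cache_roles is given."""
    granted = set()
    for role_name in identity_role_mapper(principals):
        if role_name not in roles:
            continue
        if cache_roles is not None and role_name not in cache_roles:
            continue
        granted |= roles[role_name]
    return granted


def has_permission(principals, required, roles, cache_roles=None):
    """True when the subject holds the required atomic permission on the cache."""
    return required in effective_permissions(principals, roles, cache_roles)


def main():
    roles = parse_roles(CONTAINER_SECURITY_XML)
    cache_roles = parse_cache_roles(CACHE_SECURITY_XML)
    subjects = [("posted subject", POSTED_SUBJECT),
                ("Managers only", ["Managers"]),
                ("Business only", ["Business"])]
    for label, subject in subjects:
        for perm in ("ADMIN", "READ", "WRITE", "EXEC"):
            ok = has_permission(subject, perm, roles, cache_roles)
            print(f"{label:15} {perm:6} {'granted' if ok else 'DENIED'}")


if __name__ == "__main__":
    main()
```

Run it as a script to print a grant/deny table per subject and permission; the same functions can be pointed at any container and cache `<security>` block to confirm a role table before attributing an ISPN000287 denial to the server.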