java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s)
justcono, Nov 3, 2017 1:45 AM

Hi Everybody,
I'm in the process of securing the cluster and I've been stuck on this problem for a week now. I am using Infinispan 8.2.8 set up for cross-site replication. I can get authenticated and authorized using the Hot Rod client. When I use the same user to log in via the management console I get the exception below.
I found this bug just now at the end of typing all this out lol: [ISPN-6515] GlobalXSiteAdminOperations fails on secured caches - JBoss Issue Tracker. Is it fixed in 8.2.8?
Excerpts of my configs:
....
<security-realm name="LDAPSManagementRealm">
<authentication>
<ldap connection="ldap_connection" base-dn="OU=People,DC=dev,DC=net">
<username-filter attribute="sAMAccountName" />
</ldap>
</authentication>
<authorization>
<ldap connection="ldap_connection">
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
<group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=dev,dc=net">
<membership-filter principal-attribute="member"/>
</group-to-principal>
</group-search>
</ldap>
</authorization>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="ldap_connection" url="ldap://192.168.10.11:389" search-dn="cn=Administrator,cn=Users,dc=dev,dc=net" search-credential="secret" />
</outbound-connections>
....
<security>
<authorization>
<identity-role-mapper/>
<role name="Developers" permissions="WRITE"/>
<role name="Business" permissions="READ"/>
<role name="ClusterAdmins" permissions="ALL EXEC"/>
<role name="Managers" permissions="ALL_READ ALL_WRITE EXEC"/>
</authorization>
</security>
....
<distributed-cache name="default" mode="ASYNC" segments="20" owners="2" remote-timeout="30000" start="EAGER">
<locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
<transaction mode="NONE"/>
<backups>
<backup site="PROD2" strategy="ASYNC" failure-policy="WARN" enabled="true" />
</backups>
<partition-handling enabled="true"/>
<security>
<authorization roles="Business ClusterAdmins Developers Managers"/>
</security>
<!--
<compatibility/>
-->
</distributed-cache>
The exception:
[Server:prod2-s1] 01:31:04,078 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 33) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1] ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1] ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,110 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 33) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1] ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1] ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,199 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 36) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
[Server:prod2-s1] ("subsystem" => "datagrid-infinispan"),
[Server:prod2-s1] ("cache-container" => "clustered")
[Server:prod2-s1] ]): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [admin@LDAPSManagementRealm, ClusterAdmins@LDAPSManagementRealm, ClusterAdmins, InetAddressPrincipal <192.168.1.220/192.168.1.220>]' lacks 'ADMIN' permission
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationHelper.checkPermission(AuthorizationHelper.java:86)
[Server:prod2-s1] at org.infinispan.security.impl.AuthorizationManagerImpl.checkPermission(AuthorizationManagerImpl.java:42)
[Server:prod2-s1] at org.infinispan.security.impl.SecureCacheImpl.getComponentRegistry(SecureCacheImpl.java:341)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.addCacheAdmin(GlobalXSiteAdminOperations.java:40)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.collectXSiteAdminOperation(GlobalXSiteAdminOperations.java:136)
[Server:prod2-s1] at org.infinispan.xsite.GlobalXSiteAdminOperations.globalStatus(GlobalXSiteAdminOperations.java:89)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.filterSitesByStatus(CacheContainerMetricsHandler.java:287)
[Server:prod2-s1] at org.jboss.as.clustering.infinispan.subsystem.CacheContainerMetricsHandler.executeRuntimeStep(CacheContainerMetricsHandler.java:259)
[Server:prod2-s1] at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:53)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
[Server:prod2-s1] at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
[Server:prod2-s1] at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
[Server:prod2-s1] at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler.internalExecute(TransactionalProtocolOperationHandler.java:247)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler.doExecute(TransactionalProtocolOperationHandler.java:185)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:138)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$1.run(TransactionalProtocolOperationHandler.java:134)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at javax.security.auth.Subject.doAs(Subject.java:360)
[Server:prod2-s1] at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:81)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:157)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2$1.run(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at java.security.AccessController.doPrivileged(Native Method)
[Server:prod2-s1] at org.jboss.as.controller.remote.TransactionalProtocolOperationHandler$ExecuteRequestHandler$2.execute(TransactionalProtocolOperationHandler.java:153)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
[Server:prod2-s1] at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[Server:prod2-s1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[Server:prod2-s1] at java.lang.Thread.run(Thread.java:748)
[Server:prod2-s1] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:prod2-s1]
[Server:prod2-s1] 01:31:04,232 INFO [org.jboss.as.clustering.infinispan] (remote-thread--p2-t1) DGISPN0001: Started ___event_log_cache cache from clustered container
[Server:prod2-s1] 01:31:04,288 INFO [org.jboss.as.clustering.infinispan] (remote-thread--p2-t1) DGISPN0001: Started ___query_cache cache from clustered container
Thanks,
cd cd
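The trace above ends in SecureCacheImpl.getComponentRegistry(), which is where Infinispan demands the ADMIN permission, while the subject carries a principal literally named ClusterAdmins and identity-role-mapper maps principal names straight onto role names. The following is an added example, not code from the post or from the Infinispan project: it rebuilds the same four roles and the same cache-level role list with the Infinispan 8.x embedded API (org.infinispan:infinispan-core, local cache manager, no JGroups) and runs the exact call from the trace under a Subject per role, so the role-to-permission mapping can be checked on its own, apart from the management console and the cross-site path. The class name RoleCheck, the NamedPrincipal helper and the cache name "default" are assumptions made for the example.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

import org.infinispan.Cache;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfigurationBuilder;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.Security;
import org.infinispan.security.impl.IdentityRoleMapper; // 8.x package; moved in later majors

public class RoleCheck {

    // Assumed helper: a bare Principal. With identity-role-mapper the principal
    // name *is* the role name, which is what the trace shows ("ClusterAdmins").
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    static Subject subjectWithRoles(String... roles) {
        Subject s = new Subject();
        for (String r : roles) s.getPrincipals().add(new NamedPrincipal(r));
        s.setReadOnly();
        return s;
    }

    // Same roles and permissions as the <security><authorization> block in the post.
    // Documented semantics: ALL is the aggregate permission that implies every other one,
    // ADMIN included, so a ClusterAdmins subject is expected to pass the check below.
    static DefaultCacheManager buildManager() {
        GlobalConfigurationBuilder global = new GlobalConfigurationBuilder();
        global.security().authorization().enable()
              .principalRoleMapper(new IdentityRoleMapper())
              .role("Developers").permission(AuthorizationPermission.WRITE)
              .role("Business").permission(AuthorizationPermission.READ)
              .role("ClusterAdmins").permission(AuthorizationPermission.ALL)
                                    .permission(AuthorizationPermission.EXEC)
              .role("Managers").permission(AuthorizationPermission.ALL_READ)
                               .permission(AuthorizationPermission.ALL_WRITE)
                               .permission(AuthorizationPermission.EXEC);

        // Cache-level role list, as in <authorization roles="Business ClusterAdmins Developers Managers"/>
        ConfigurationBuilder cache = new ConfigurationBuilder();
        cache.security().authorization().enable()
             .role("Business").role("ClusterAdmins").role("Developers").role("Managers");

        DefaultCacheManager cm = new DefaultCacheManager(global.build());
        cm.defineConfiguration("default", cache.build());
        return cm;
    }

    // Runs the call from the trace (SecureCacheImpl.getComponentRegistry -> ADMIN check)
    // as the given subject and reports the outcome instead of letting it escape.
    static String tryAdminOperation(DefaultCacheManager cm, Subject subject) {
        return Security.doAs(subject, (PrivilegedAction<String>) () -> {
            Cache<String, String> cache = cm.getCache("default");
            try {
                cache.getAdvancedCache().getComponentRegistry();
                return "ADMIN granted to " + subject.getPrincipals();
            } catch (SecurityException e) {
                // Expected to look like: ISPN000287: Unauthorized access: ... lacks 'ADMIN' permission
                return "ADMIN denied to " + subject.getPrincipals() + ": " + e.getMessage();
            }
        });
    }

    public static void main(String[] args) {
        DefaultCacheManager cm = buildManager();
        try {
            System.out.println(tryAdminOperation(cm, subjectWithRoles("ClusterAdmins")));
            System.out.println(tryAdminOperation(cm, subjectWithRoles("Managers")));
            System.out.println(tryAdminOperation(cm, subjectWithRoles("Developers")));
            System.out.println(tryAdminOperation(cm, subjectWithRoles("Business")));
        } finally {
            cm.stop();
        }
    }
}
```

If the ClusterAdmins subject is granted here but the management console still logs ISPN000287 on the same server, the role mapping itself is not what is missing ADMIN; the difference is then in which Subject the management operation (CacheContainerMetricsHandler via GlobalXSiteAdminOperations in the trace) is actually executing under, which is the area the linked ISPN-6515 issue describes. If the subject is denied here as well, the role or cache authorization configuration is the first thing to re-check.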