GLASSFISH-15429

Modifying keyfile path in a newly created config does not properly list the users

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1_ms07
    • Fix Version/s: future release
    • Component/s: security
    • Labels:
      None

      Description

      1. asadmin copy-config default-config new-config
      2. asadmin get new-config.security-service.auth-realm.admin-realm.property.file
      new-config.security-service.auth-realm.admin-realm.property.file=${com.sun.aas.instanceRoot}/config/admin-keyfile
      3. asadmin set new-config.security-service.auth-realm.admin-realm.property.file=/tmp/v3/admin-keyfile
      new-config.security-service.auth-realm.admin-realm.property.file=/tmp/v3/admin-keyfile
      Command set executed successfully.
      4. file /tmp/v3/admin-keyfile is not currently created.
      5. asadmin create-file-user --authrealmname admin-realm --target new-config test
      Enter the user password>
      Enter the user password again>
      Command create-file-user executed successfully.
      6. cat /tmp/v3/admin-keyfile
      test;{SSHA256}mjyhJFWxU8xUnGMY5bt+ngwj3tf6v6yOTKB7DgGKJUu6Neky/GVOsQ==;asadmin
      user1;{SSHA256}rImtlHJuqi6AMSypIUyBdcs2CUEPQq3pIEHSEsndYQmhBl4ZBT+fJA==;user1
      <user test is properly added to admin-keyfile under /tmp/v3 as expected.>
      8. asadmin list-file-users --authrealmname admin-realm new-config
      user1
      Command list-file-users executed successfully.
      <Expected is test,user1 but it lists user1 which it takes from ${instance_root}/domains/domain1/config/keyfile but it should list from /tmp/v3/admin-keyfile>

      The list-file-users needs to be fixed to list from /tmp/v3/admin-keyfile

          Activity

          kumarjayanti added a comment -

          Your step two :
          ~ 2) asadmin list-file-users --authrealmname admin-realm server-config

          should be changed to

          2) asadmin list-file-users --authrealmname admin-realm TEST-config

          and IMO that will reproduce the problem in CLI

          kumarjayanti added a comment -

          I retested after implementing solution 1. Here is the output :

          $ ./asadmin start-domain
          Waiting for domain1 to start ..........
          Successfully started the domain : domain1
          domain Location: /Users/vbkumarjayanti/Downloads/glassfish3/glassfish/domains/domain1
          Log File: /Users/vbkumarjayanti/Downloads/glassfish3/glassfish/domains/domain1/logs/server.log
          Admin Port: 4848
          Command start-domain executed successfully.

          $ ./asadmin copy-config default-config new-config
          Command copy-config executed successfully.

          $ ./asadmin list-file-users --authrealmname admin-realm new-config
          admin
          Command list-file-users executed successfully.

          $ ./asadmin set new-config.security-service.auth-realm.admin-realm.property.file=/tmp/mykeyfile
          new-config.security-service.auth-realm.admin-realm.property.file=/tmp/mykeyfile
          Command set executed successfully.

          $ ./asadmin __synchronize-realm-from-config --realmname admin-realm new-config
          Synchronization of Realm admin-realm from Configuration Successful.
          Command __synchronize-realm-from-config executed successfully.

          $ ./asadmin list-file-users --authrealmname admin-realm new-config
          Command list-file-users executed successfully.

          $ cat /tmp/mykeyfile

          $ ./asadmin create-file-user --authrealmname admin-realm --target new-config test
          Enter the user password>
          Enter the user password again>
          Command create-file-user executed successfully.

          $ ./asadmin list-file-users --authrealmname admin-realm new-config
          test
          Command list-file-users executed successfully.

          kumarjayanti added a comment -

          The new hidden command will set RESTART required if the change was done to an active server config

          $ ./asadmin set server-config.security-service.auth-realm.file.property.file=/tmp/mykeyfile
          server-config.security-service.auth-realm.file.property.file=/tmp/mykeyfile
          Command set executed successfully.

          $ ./asadmin __synchronize-realm-from-config --realmname file server-config
          Restart required for configuration updates to active server realm: file.
          Command __synchronize-realm-from-config executed successfully.

          And here is how the code in the command sets the information required for GUI for a restart. I picked up this code from :

          core/kernel/src/main/java/com/sun/enterprise/v3/admin/GetRestartRequiredCommand.java

          private void setRestartRequired(ActionReport report) {
              report.setActionExitCode(ActionReport.ExitCode.SUCCESS);
              ActionReport.MessagePart mp = report.getTopMessagePart();

              Properties extraProperties = new Properties();
              Map<String, Object> entity = new HashMap<String, Object>();
              mp.setMessage(_localStrings.getLocalString("RESTART_REQUIRED",
                      "Restart required for configuration updates to active server realm: {0}.",
                      new Object[]{realmName}));
              entity.put("restartRequired", "true");
              extraProperties.put("entity", entity);
              ((ActionReport) report).setExtraProperties(extraProperties);
          }

          kumarjayanti added a comment -

          Checked in the Partial Fix which will make the GUI work.

          GUI has to invoke the new hidden command whenever an asadmin set is invoked on any realm.

          In the CLI this bug still remains if someone does the following sequence of operations :

          1. asadmin copy-config default-config new-config
          2. asadmin list-file-users --authrealmname admin-realm new-config
          admin
          Command list-file-users executed successfully.
          3. asadmin get new-config.security-service.auth-realm.admin-realm.property.file
          new-config.security-service.auth-realm.admin-realm.property.file=${com.sun.aas.instanceRoot}/config/admin-keyfile
          4. asadmin set new-config.security-service.auth-realm.admin-realm.property.file=/tmp/v3/admin-keyfile
          new-config.security-service.auth-realm.admin-realm.property.file=/tmp/v3/admin-keyfile
          Command set executed successfully.
          5. create the physical keyfile at /tmp/v3/admin-keyfile

          After doing these steps, the following command will give a wrong answer :

          1. asadmin list-file-users --authrealmname admin-realm new-config
          admin
          Command list-file-users executed successfully.

          This is because the asadmin set command in step-4 above updates the Configuration Layer but does not update the Backend Realm which was loaded while executing step 2. So the list command will continue to list the user admin which was present in the original realm's keyfile (one that it was referring to before the set command changed it).

          Summary of the CLI Bug : If an asadmin set command is executed to change a realm-property for a realm that was loaded by the backend (due to an earlier CLI command targeted at the realm) , then the realm continues to behave as if the set command was not executed. The workaround is to restart Appserver after a set command has been used to change a property of an already loaded realm.
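
Added example, not part of the original thread and not GlassFish code: a shell check for the stale-realm behaviour summarised above, comparing the users in the keyfile that the configuration names with the users that list-file-users reports. The function names and the sample files are assumptions made for illustration; in practice the second argument is saved output of the asadmin list-file-users command shown in the thread.

```shell
#!/bin/sh
# Added example (not GlassFish code): flag a realm whose loaded user list
# disagrees with the keyfile its configuration points at.
# Keyfile line format as shown in the report: user;{SSHA256}hash;groups

# Sorted user names in a keyfile; a missing file yields no users.
keyfile_users() {
    [ -r "$1" ] || return 0
    awk -F';' 'NF >= 2 && $1 != "" { print $1 }' "$1" | sort -u
}

# Sorted user names from saved `asadmin list-file-users` output, without
# the trailing "Command ... executed successfully." status line.
listed_users() {
    grep -v '^Command .* executed successfully\.$' "$1" |
        sed '/^[[:space:]]*$/d' | sort -u
}

# realm_drift KEYFILE LISTING: prints one line per mismatch and returns 1
# when the realm and the configured keyfile disagree, 0 when they match.
realm_drift() {
    kf=$(mktemp) && lf=$(mktemp) || return 2
    keyfile_users "$1" > "$kf"
    listed_users "$2" > "$lf"
    out=$(comm -23 "$kf" "$lf" | sed 's/^/only-in-keyfile:/'
          comm -13 "$kf" "$lf" | sed 's/^/only-in-realm:/')
    rm -f "$kf" "$lf"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample mirroring the report: the keyfile holds test and user1,
# the realm lists only user1. Hash fields are placeholders.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'test;{SSHA256}PLACEHOLDER;asadmin' \
        'user1;{SSHA256}PLACEHOLDER;user1' > "$d/admin-keyfile"
    printf '%s\n' 'user1' \
        'Command list-file-users executed successfully.' > "$d/listing.txt"
    rc=0
    realm_drift "$d/admin-keyfile" "$d/listing.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "drift detected (exit $?)"
```

A non-empty result after an asadmin set on a realm property means the loaded realm is still reading the old keyfile, so account audits based on list-file-users are looking at the wrong file until the server is restarted.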

          Scott Fordin added a comment -

          Issue added to 3.1 Release Notes.


            People

            • Assignee:
              kumarjayanti
              Reporter:
              srinik76