
Key: GLASSFISH-17005
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Tim Quinn
Reporter: Tim Quinn
Votes: 0
Watchers: 1

list-secure-admin-principals and list-secure-admin-internal-users both incorrectly prompt for a command operand

Created: 08/Jul/11 10:58 PM   Updated: 02/Dec/11 07:25 PM   Resolved: 21/Jul/11 04:47 PM
Component/s: admin
Affects Version/s: 3.1.1, 3.1.2_b02, 4.0
Fix Version/s: 3.1.2_b02, 4.0

Time Tracking: Not Specified

Tags: 3_1-next 3_1-next_release-note-added 3_1-next_release-notes 3_1_1-scrubbed
Participants: scatari and Tim Quinn


Description

The list-secure-admin-principals and list-secure-admin-internal-users commands both incorrectly prompt for a command operand. In contrast, they should not – these commands should list all of the respective elements.

The problem is that I incorrectly specified a resolver for the two list commands in the CRUD notation.

This is certainly not a show-stopper for 3.1.1 release. Relatively few users will create secure admin principals or secure admin internal users, so few will need to list them. As a workaround, users can use

asadmin get secure-admin.secure-admin-principal.*

or

asadmin get secure-admin.secure-admin-internal-user.*

In both cases, if no such items are defined then the user gets a message like this:

remote failure: Dotted name path secure-admin.secure-admin-internal-user.* not found.
Command get failed.

which is ugly but it conveys correct information.

I have marked this for review in case others feel strongly that this is in-your-face enough to warrant a fix at this point.

Why fix this issue in 3.1.1?
Although there is a workaround, the error is very in-your-face.

Which is the targeted build of 3.1.1 for this fix?
If approved, b11.

Do regression tests exist for this issue?
not yet

Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
Tests involving enabling secure admin; the CRUD list functionality should be fully insulated from other code paths.



scatari added a comment - 09/Jul/11 03:35 AM

Tim,
Please attach the code changes for review.

Thanks


Tim Quinn added a comment - 09/Jul/11 11:57 AM

Here are the code changes. In both cases I have removed the "resolver" setting for the @Listing anno.

Index: src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
===================================================================
— src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java (revision 47947)
+++ src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java (working copy)
@@ -70,13 +70,13 @@
@Element
@Create(value="enable-secure-admin-principal", decorator=SecureAdminPrincipal.CrDecorator.class, i18n=@I18n("enable.secure.admin.principal.command"))
@Delete(value="disable-secure-admin-principal", resolver=SecureAdminPrincipal.Resolver.class, i18n=@I18n("disable.secure.admin.principal.command"))

  • @Listing(value="list-secure-admin-principals", resolver=SecureAdminPrincipal.Resolver.class, i18n=@I18n("list.secure.admin.principals.command"))
    + @Listing(value="list-secure-admin-principals", i18n=@I18n("list.secure.admin.principals.command"))
    public List<SecureAdminPrincipal> getSecureAdminPrincipal();

@Element
@Create(value="enable-secure-admin-internal-user", decorator=SecureAdminInternalUser.CrDecorator.class, i18n=@I18n("enable.secure.admin.internal.user.command"))
@Delete(value="disable-secure-admin-internal-user", resolver=TypeAndNameResolver.class, i18n=@I18n("disable.secure.admin.internal.user.command"))

  • @Listing(value="list-secure-admin-internal-users", resolver=TypeAndNameResolver.class, i18n=@I18n("list.secure.admin.internal.user.command"))
    + @Listing(value="list-secure-admin-internal-users", i18n=@I18n("list.secure.admin.internal.user.command"))
    public List<SecureAdminInternalUser> getSecureAdminInternalUser();

/**
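
Review bot: Both rewritten @Listing lines, for list-secure-admin-principals and list-secure-admin-internal-users, drop resolver= but the patch touches only SecureAdmin.java and adds no test that runs either command without an operand. Please add a devtest that invokes each list command with no operand, once with entries defined and once with none, so the operand prompt cannot return unnoticed. Minor: the i18n key on the second listing is list.secure.admin.internal.user.command (singular) while the first uses list.secure.admin.principals.command (plural); consider aligning the names if the properties file can change with it.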


scatari added a comment - 11/Jul/11 03:58 PM

Tim,
Although the changes look okay, let us defer this to the next release given how close we are to producing a FCS candidate build. Thanks for your understanding and appreciate your efforts to improve 3.1.1 quality. I have already marked them with appropriate tags.

Thanks


Tim Quinn added a comment - 21/Jul/11 04:47 PM

Fixed in trunk.

Project: glassfish
Repository: svn
Revision: 48036
Author: tjquinn
Date: 2011-07-14 21:37:25 UTC
Link:

Log Message:
------------
Check-ins for 16437, 16438, 16545

These changes enhance secure admin so that users can

1. enable multiple certificates as authorized for admin operations
2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates
3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain.

Approved for 3.1.1: Sathyan
Tests: QL, deployment single-instance and cluster devtests

Revisions:
----------
48036

Modified Paths:
---------------
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java
trunk/v3/security/core/src/main/resources/com/sun/enterprise/security/admin/cli/LocalStrings.properties
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java
trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java

Added Paths:
------------
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java


Tim Quinn added a comment - 19/Aug/11 10:21 PM

Fix for 3.1.2 checked in.

Project: glassfish
Repository: svn
Revision: 48936
Author: tjquinn
Date: 2011-08-19 22:20:09 UTC
Link:

Log Message:
------------
Fix for 17005

In 3.1.1 we added enable- and disable-secure-admin-[principal | internal-user] commands. We also added the corresponding list-xxx commands but they incorrectly demand a command operand.

This check-in fixes that problem with the list-secure-admin-principals and list-secure-admin-internal-users commands.

Revisions:
----------
48936

Modified Paths:
---------------
branches/3.1.2/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java


Tim Quinn added a comment - 18/Oct/11 07:43 PM

Updating "fixed in" field.


Tim Quinn added a comment - 18/Oct/11 08:05 PM

Adding 3.1.2-b2 as a fixed-in build to reflect the earlier fix check-in for 3.1.2.


Tim Quinn added a comment - 18/Oct/11 08:06 PM

By virtue of being fixed in then-3.2 this is also fixed in 4.0.


Tim Quinn added a comment - 18/Oct/11 08:29 PM

Restoring original "affects" list which I accidentally changed.