[GLASSFISH-17005] list-secure-admin-principals and list-secure-admin-internal-users both incorrectly prompt for a command operand Created: 08/Jul/11  Updated: 02/Dec/11  Resolved: 21/Jul/11

Status: Resolved
Project: glassfish
Component/s: admin
Affects Version/s: 3.1.1, 3.1.2_b02, 4.0
Fix Version/s: 3.1.2_b02, 4.0

Type: Bug Priority: Major
Reporter: Tim Quinn Assignee: Tim Quinn
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Tags: 3_1-next, 3_1-next_release-note-added, 3_1-next_release-notes, 3_1_1-scrubbed

 Description   

The list-secure-admin-principals and list-secure-admin-internal-users commands both incorrectly prompt for a command operand. In contrast, they should not – these commands should list all of the respective elements.

The problem is that I incorrectly specified a resolver for the two list commands in the CRUD notation.

This is certainly not a show-stopper for 3.1.1 release. Relatively few users will create secure admin principals or secure admin internal users, so few will need to list them. As a workaround, users can use

asadmin get secure-admin.secure-admin-principal.*

or

asadmin get secure-admin.secure-admin-internal-user.*

In both cases, if no such items are defined then the user gets a message like this:

remote failure: Dotted name path secure-admin.secure-admin-internal-user.* not found.
Command get failed.

which is ugly but it conveys correct information.

I have marked this for review in case others feel strongly that this is in-your-face enough to warrant a fix at this point.

Why fix this issue in 3.1.1?
Although there is a workaround, the error is very in-your-face.

Which is the targeted build of 3.1.1 for this fix?
If approved, b11.

Do regression tests exist for this issue?
not yet

Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
Tests involving enabling secure admin; the CRUD list functionality should be fully insulated from other code paths.



 Comments   
Comment by scatari [ 09/Jul/11 ]

Tim,
Please attach the code changes for review.

Thanks

Comment by Tim Quinn [ 09/Jul/11 ]

Here are the code changes. In both cases I have removed the "resolver" setting for the @Listing anno.

Index: src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
===================================================================
— src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java (revision 47947)
+++ src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java (working copy)
@@ -70,13 +70,13 @@
@Element
@Create(value="enable-secure-admin-principal", decorator=SecureAdminPrincipal.CrDecorator.class, i18n=@I18n("enable.secure.admin.principal.command"))
@Delete(value="disable-secure-admin-principal", resolver=SecureAdminPrincipal.Resolver.class, i18n=@I18n("disable.secure.admin.principal.command"))

  • @Listing(value="list-secure-admin-principals", resolver=SecureAdminPrincipal.Resolver.class, i18n=@I18n("list.secure.admin.principals.command"))
    + @Listing(value="list-secure-admin-principals", i18n=@I18n("list.secure.admin.principals.command"))
    public List<SecureAdminPrincipal> getSecureAdminPrincipal();

@Element
@Create(value="enable-secure-admin-internal-user", decorator=SecureAdminInternalUser.CrDecorator.class, i18n=@I18n("enable.secure.admin.internal.user.command"))
@Delete(value="disable-secure-admin-internal-user", resolver=TypeAndNameResolver.class, i18n=@I18n("disable.secure.admin.internal.user.command"))

  • @Listing(value="list-secure-admin-internal-users", resolver=TypeAndNameResolver.class, i18n=@I18n("list.secure.admin.internal.user.command"))
    + @Listing(value="list-secure-admin-internal-users", i18n=@I18n("list.secure.admin.internal.user.command"))
    public List<SecureAdminInternalUser> getSecureAdminInternalUser();

/**

Comment by scatari [ 11/Jul/11 ]

Tim,
Although the changes look okay, let us defer this to the next release given how close we are to producing a FCS candidate build. Thanks for your understanding and appreciate your efforts to improve 3.1.1 quality. I have already marked them with appropriate tags.

Thanks

Comment by Tim Quinn [ 21/Jul/11 ]

Fixed in trunk.

Project: glassfish
Repository: svn
Revision: 48036
Author: tjquinn
Date: 2011-07-14 21:37:25 UTC
Link:

Log Message:
------------
Check-ins for 16437, 16438, 16545

These changes enhance secure admin so that users can

1. enable multiple certificates as authorized for admin operations
2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates
3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain.

Approved for 3.1.1: Sathyan
Tests: QL, deployment single-instance and cluster devtests

Revisions:
----------
48036

Modified Paths:
---------------
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java
trunk/v3/security/core/src/main/resources/com/sun/enterprise/security/admin/cli/LocalStrings.properties
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java
trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java

Added Paths:
------------
trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java
trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java

Comment by Tim Quinn [ 19/Aug/11 ]

Fix for 3.1.2 checked in.

Project: glassfish
Repository: svn
Revision: 48936
Author: tjquinn
Date: 2011-08-19 22:20:09 UTC
Link:

Log Message:
------------
Fix for 17005

In 3.1.1 we added enable- and disable-secure-admin-[principal | internal-user] commands. We also added the corresponding list-xxx commands but they incorrectly demand a command operand.

This check-in fixes that problem with the list-secure-admin-principals and list-secure-admin-internal-users commands.

Revisions:
----------
48936

Modified Paths:
---------------
branches/3.1.2/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java

Comment by Tim Quinn [ 18/Oct/11 ]

Updating "fixed in" field.

Comment by Tim Quinn [ 18/Oct/11 ]

Adding 3.1.2-b2 as a fixed-in build to reflect the earlier fix check-in for 3.1.2.

Comment by Tim Quinn [ 18/Oct/11 ]

By virtue of being fixed in then-3.2 this is also fixed in 4.0.

Comment by Tim Quinn [ 18/Oct/11 ]

Restoring original "affects" list which I accidentally changed.

Generated at Fri Sep 30 22:21:43 UTC 2016 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.