Unfortunately I cannot retrieve the keyset from a cache because I get the following error:
ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
This is quite strange, because the same example code is able to create the cache when it does not exist (creating a cache of course requires admin rights), yet it cannot retrieve the key set of that cache.
Am I making a mistake, or is this actually a bug?
Steps to reproduce:
- Put the attached config (infinispan.xml) in: <SERVER_ROOT>/server/conf/infinispan.xml
<!-- Infinispan 11.0 server configuration used for the reproduction: one cache container with role-based authorization, plus Hot Rod, memcached and REST endpoints backed by a properties-file security realm. -->
<infinispan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:11.0 https://infinispan.org/schemas/infinispan-config-11.0.xsd
urn:infinispan:server:11.0 https://infinispan.org/schemas/infinispan-server-11.0.xsd"
xmlns="urn:infinispan:config:11.0"
xmlns:server="urn:infinispan:server:11.0">
<cache-container default-cache="secured"
name="clustered"
statistics="true">
<transport cluster="cbcluster"
stack="${infinispan.cluster.stack:tcp}"
node-name="${infinispan.node.name:}"/>
<!-- Container-wide authorization: declares the roles and the permissions each one grants. The caches below opt in through their own security/authorization element. -->
<security>
<authorization>
<!-- identity-role-mapper uses principal names as role names, so a principal must be named exactly like one of the roles below to receive its permissions. -->
<identity-role-mapper/>
<!-- NOTE(review): "admin" and "cacheadmin" both grant ALL, which includes the ADMIN permission named in the ISPN000287 message. Confirm that two all-powerful roles are intended. -->
<role name="admin"
permissions="ALL"/>
<role name="reader"
permissions="READ"/>
<role name="writer"
permissions="WRITE"/>
<role name="supervisor"
permissions="READ WRITE EXEC"/>
<role name="cacheadmin"
permissions="ALL"/>
</authorization>
</security>
<!-- Default cache of the container. The empty authorization element names no roles; presumably every role declared on the container then applies (TODO confirm against the Infinispan security guide). -->
<local-cache name="secured">
<security>
<authorization/>
</security>
</local-cache>
<!-- Synchronous distributed cache with two owners per entry and ProtoStream-encoded content. -->
<distributed-cache name="entrypoints"
mode="SYNC"
segments="20"
owners="2"
remote-timeout="30000">
<encoding media-type="application/x-protostream"/>
<locking isolation="READ_COMMITTED"
acquire-timeout="30000"
concurrency-level="1000"
striping="false"/>
<!-- Only the "cacheadmin" role is authorized on this cache. -->
<security>
<authorization roles="cacheadmin"/>
</security>
<transaction mode="NONE"/>
<!-- Entries expire after 86400000 ms (24 hours) -->
<expiration lifespan="86400000"/>
</distributed-cache>
</cache-container>
<server xmlns="urn:infinispan:server:11.0">
<!-- The public interface binds to loopback (127.0.0.1) unless infinispan.bind.address is overridden. -->
<interfaces>
<interface name="public">
<inet-address value="${infinispan.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-bindings default-interface="public"
port-offset="${infinispan.socket.binding.port-offset:0}">
<socket-binding name="default"
port="${infinispan.bind.port:11222}"/>
<socket-binding name="memcached"
port="11221"/>
</socket-bindings>
<security>
<security-realms>
<security-realm name="default">
<!-- NOTE(review): the TLS server identity below is commented out, so as written the endpoints are served without transport encryption. The keystore and key passwords in the template are the literal "password"; replace them before enabling it. -->
<!-- Uncomment to enable TLS on the realm -->
<!-- server-identities>
<ssl>
<keystore path="application.keystore" relative-to="infinispan.server.config.path"
keystore-password="password" alias="server" key-password="password"
generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities-->
<!-- Users and groups are read from properties files resolved relative to infinispan.server.config.path. plain-text="true" means users.properties holds the passwords in clear text; restrict read access to that file. -->
<properties-realm groups-attribute="Roles">
<user-properties path="users.properties"
relative-to="infinispan.server.config.path"
plain-text="true"/>
<group-properties path="groups.properties"
relative-to="infinispan.server.config.path"/>
</properties-realm>
</security-realm>
</security-realms>
</security>
<!-- All connectors share the "default" socket binding and security realm unless they override them. -->
<endpoints socket-binding="default"
security-realm="default">
<hotrod-connector name="hotrod"
cache-container="clustered">
<topology-state-transfer lock-timeout="1000"
replication-timeout="5000"/>
<!-- BEGIN: Hot Rod authentication. Only DIGEST-SHA-256 is offered, anonymous access is refused, and qop="auth" covers authentication only (no integrity or confidentiality layer for the data that follows). A client must select the same mechanism. -->
<authentication security-realm="default">
<sasl server-name="datagridAuth"
mechanisms="DIGEST-SHA-256"
qop="auth">
<policy>
<no-anonymous value="true"/>
</policy>
<property name="com.sun.security.sasl.digest.utf8">true</property>
</sasl>
</authentication>
<!-- END: Hot Rod authentication -->
</hotrod-connector>
<!-- NOTE(review): no authentication element is configured on the memcached connector, unlike Hot Rod and REST. Confirm whether this connector should be enabled at all next to caches that rely on authorization. -->
<memcached-connector socket-binding="memcached"
cache-container="clustered"/>
<!-- REST accepts the DIGEST and DIGEST-SHA-256 authentication mechanisms. -->
<rest-connector name="rest"
cache-container="clustered">
<authentication mechanisms="DIGEST DIGEST-SHA-256"/>
</rest-connector>
</endpoints>
</server>
</infinispan>
Run the server ( bin/server.sh )
Run the attached JAVA program
import java.io.IOException;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.infinispan.client.hotrod.DefaultTemplate;
import org.infinispan.client.hotrod.RemoteCache;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ClientIntelligence;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.impl.ConfigurationProperties;
import org.infinispan.commons.api.CacheContainerAdmin;
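/**
 * Minimal Hot Rod client that reproduces the ISPN000287 authorization error.
 *
 * <p>It authenticates against a local server, creates a volatile {@code test} cache if it does
 * not exist, writes and reads two entries, and then iterates the cache's key set. According to
 * the report, the key-set iteration is the step that fails.
 */
public class InfinispanSample {

  /**
   * Runs the reproduction against a Hot Rod endpoint on 127.0.0.1.
   *
   * @param args ignored
   */
  public static void main(String[] args) {
    // Create a configuration for a locally-running server
    ConfigurationBuilder builder = new ConfigurationBuilder();
    builder.addServer().host("127.0.0.1").port(ConfigurationProperties.DEFAULT_HOTROD_PORT);
    // Workaround for docker 4 mac
    builder.clientIntelligence(ClientIntelligence.BASIC);

    // Repro-only credentials: the user is expected to exist in the server's users.properties
    // (not shown here). Do not reuse these literals outside a local test; real credentials
    // belong in external configuration, not in source.
    //
    // The server configuration posted with this sample offers only DIGEST-SHA-256 on the
    // Hot Rod connector, so the client selects that mechanism. The original DIGEST-MD5 is not
    // in that list and is the weaker digest.
    builder.security().authentication()
        .username("adminuser")
        .password("12345678")
        .saslMechanism("DIGEST-SHA-256")
        .realm("default")
        .serverName("datagridAuth");

    // Connect to the server
    RemoteCacheManager cacheManager = new RemoteCacheManager(builder.build());
    try {
      // Create the test cache if it does not exist. This is an admin operation, so it only
      // succeeds when the authenticated user holds the required permission.
      cacheManager.administration()
          .withFlags(CacheContainerAdmin.AdminFlag.VOLATILE)
          .getOrCreateCache("test", DefaultTemplate.DIST_SYNC);

      // Obtain the remote cache
      RemoteCache<String, String> cache = cacheManager.getCache("test");

      // Store two values
      cache.put("key", "value");
      cache.put("key2", "XX");

      // Retrieve the values and print them out
      System.out.printf("key = %s%n", cache.get("key"));
      System.out.printf("key2 = %s%n", cache.get("key2"));

      // Iterating the key set is the operation that triggers ISPN000287 in the report.
      Set<String> remoteCacheKeySet = cache.keySet();
      // Keys and values are passed as arguments, never as the format string itself: a '%'
      // in cached data would otherwise be parsed as a format specifier and throw.
      remoteCacheKeySet.forEach(
          item -> System.out.printf("key = %s = %s%n", item, cache.get(item)));
    } finally {
      // Stop the cache manager and release all resources, including when a server error
      // such as the reported SecurityException propagates out of the block above.
      cacheManager.stop();
    }
  }
}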
When I execute the program, the values for `key` and `key2` are retrieved correctly, but the ISPN000287 error is raised as soon as the keySet operation is executed.
Here is an extract of the output:
19:07:10.923 [main] INFO o.i.HOTROD - ISPN004021: Infinispan version: Infinispan 'Corona Extra' 11.0.9.Final
key = value
key2 = XX
19:07:11.088 [HotRod-client-async-pool-1-1] WARN o.i.HOTROD - ISPN004005: Error received from the server: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
Exception in thread "main" org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=12 returned server error (status=0x85): java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:329)
at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:168)
Thank you in advance for your help
Best regards
It is a bug: ISPN-12716
A fix will be included in Infinispan 12.1.0 and 12.0.1