[
https://issues.apache.org/jira/browse/GEODE-5618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16595468#comment-16595468
]
ASF subversion and git services commented on GEODE-5618:
--------------------------------------------------------
Commit 60ea939e85e7d94da9d8eb64d5b88dd62edb2618 in geode's branch
refs/heads/feature/GEODE-5338 from Juan José Ramos
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=60ea939 ]
GEODE-5618: Auth Attributes in FunctionService (#2360)
* When a client executes a function using the id instead of the actual
instance, an internal invocation to the `GetFunctionAttributeOp` function is
executed to get the metadata about the original function itself. This
invocation doesn't set the user attributes requried by the authentication
mechanism, so the entire invocation fails.
* Added distributed tests.
* Classes `ServerFunctionExecutor` and `ServerRegionFunctionExecutor` now
set the `userAttributes` in the local thread before getting the metadata when
the function is executed by id.
> FunctionService.onServer() and FunctionService.onRegion() fail when
> multiuser-authentication=true
> -------------------------------------------------------------------------------------------------
>
> Key: GEODE-5618
> URL: https://issues.apache.org/jira/browse/GEODE-5618
> Project: Geode
> Issue Type: Bug
> Components: functions, security
> Reporter: Juan José Ramos Cassella
> Assignee: Juan José Ramos Cassella
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The problem resides within the {{ServerFunctionExecutor}} class, specifically
> in the following section of code:
> {code:title=ServerFunctionExecutor.java|borderStyle=solid}
> public ResultCollector execute(final String functionName) {
> (...)
> byte[] functionAttributes = getFunctionAttributes(functionName);
> if (functionAttributes == null) {
> Object obj = GetFunctionAttributeOp.execute(this.pool, functionName);
> functionAttributes = (byte[]) obj;
> addFunctionAttributes(functionName, functionAttributes);
> }
> (..)
> }
> {code}
> We are specifically executing an internal function (namely
> {{GetFunctionAttributeOp}}) to retrieve the metadata for the function
> executed by the client *without setting the user attributes* required by the
> authentication mechanism and, as such, the execution fails for this
> particular function instead of the one executed by the client (it's not even
> part of the stack trace):
> {noformat}
> Exception in thread "main" java.lang.UnsupportedOperationException: Use Pool
> APIs for doing operations when multiuser-secure-mode-enabled is set to true.
> at
> org.apache.geode.cache.client.internal.PoolImpl.authenticateIfRequired(PoolImpl.java:1549)
> at
> org.apache.geode.cache.client.internal.PoolImpl.authenticateIfRequired(PoolImpl.java:1531)
> at org.apache.geode.cache.client.internal.PoolImpl.execute(PoolImpl.java:781)
> at
> org.apache.geode.cache.client.internal.GetFunctionAttributeOp.execute(GetFunctionAttributeOp.java:24)
> at
> org.apache.geode.internal.cache.execute.ServerFunctionExecutor.execute(ServerFunctionExecutor.java:310)
> {noformat}
> The other top-level methods from {{ServerFunctionExecutor}} and
> {{ServerRegionFunctionExecutor}} configure the user attributes before
> actually executing the function, that's why (as a workaround), the user can
> use {{FunctionService.onServer(regionService).execute(new MyFunction())}},
> works as expected:
> {code}
> if (proxyCache != null) {
> if (this.proxyCache.isClosed()) {
> throw proxyCache.getCacheClosedException("Cache is closed for this user.");
> }
> UserAttributes.userAttributes.set(this.proxyCache.getUserAttributes());
> }
> {code}
> The solution would be to add the same _pre-operation logic_ to the buggy
> method.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
