All-permissions not granted to JMS Threads

Hello,
I have a client/server app that I am deploying through webstart with All-Permissions requested.
The client subscribes to JMS topics on a weblogic 6.1 server and hence has both the application jar and the weblogic.jar in the jnlp resources section (both signed by the same certificate).
When the app runs, most things run OK, and have full access to the system, but when a JMS message is received a security exception is thrown (SerializablePermission / enableSubstitution). I put in some debug and sure enough the AllPermissions permission is granted for the main app, but throws an exception from within the onMessage callback.
I am guessing that this has something to do with the fact that the onMessage callback is called by a daemon thread that is constructed from within the weblogic.jar (one of the kernel ExecuteThreads), and that this thread is for some reason being assigned different permissions.
Has anyone ever come across this before, and do they know of any solutions or workarounds? Any help would be greatly appreciated as this is pretty urgent.
Thanks in advance!

The all-permissions is granted only to the code loaded by the JNLPClassLoader.
In this case, is another ClassLoader (an RMIClassLoader?) used to load code invoked by RMI calls?
/Dietz

Similar Messages

  • How to grant "view all" permissions?

    I have an Oracle Portal 10.1.2.2 instance w/ several thousand pages and several hundred groups.
    How may I grant a group permission to view all portal pages w/o explicitly assigning the group permissions to each page nor granting them DBA or other elevated rights?
    My specific scenario is granting executive leadership "view all" permissions w/o editing several thousand pages.
    TIA

    Hi
    You can define permissions on the pagegroup level so that the users you want will be able to view all the pages of that pagegroup.
    You could also play with permissions inheritance but this would be done manually for each page levels if not done yet.
    Arnaud

  • Could not save "blablablabla" because write access was not granted, this users have full permissions.

    We have several Mac OS X 10.9.3 users who use Adobe CC and are having trouble saving their files on the network. The error is: Could not save “blablablabla” because write access was not granted. These users have full permissions.

    Some 10.9.3 links
    -next link says After Effects, but check YOUR permissions !!!
    -http://blogs.adobe.com/aftereffects/2014/06/permissions-mac-os-start-adobe-applications.html
    -Mac 10.9.3 workaround https://forums.adobe.com/thread/1489922
    -more Mac 10.9.3 https://forums.adobe.com/thread/1491469
    -Enable Mac Root User https://forums.adobe.com/thread/1156604
    -more Root User http://forums.adobe.com/thread/879931
    -and more root user http://forums.adobe.com/thread/940869?tstart=0

  • AccessControlException even with all-permissions

    Hi, I have a webstart app that I am trying to get working. My problem is this: I give the app "all-permissions" in the jnlp file, and webstart asks me if I want to give unrestricted access to the app, I click "Start", and then I get an AccessControlException.
    Here is my jnlp file:
    <?xml version="1.0"?>
    <jnlp codebase="$$codebase" href="launchDev.jnlp">
    <information>
    <title>My Dashboard</title>
    <vendor>My Company</vendor>
    <description>A Dashboard</description>
    </information>
    <security>
    <all-permissions/>
    </security>
    <resources>
    <j2se version="1.4"/>
    <jar href="dashboard-signed.jar"/>
    <jar href="tradetone-signed.jar"/>
    <jar href="log4j-signed.jar"/>
    </resources>
    <resources os="Windows\ NT">
    <jar href="tibrvj-66-signed.jar"/>
    </resources>
    <resources os="Windows\ XP Windows\ 2000">
    <jar href="tibrvj-69-signed.jar"/>
    </resources>
    <application-desc main-class="com.mycompany.dashboard.Dashboard">
    <argument>Dev</argument>
    <argument>$$context</argument>
    </application-desc>
    </jnlp>
    Here is the code I'm trying to run:
    URL testUrl = Thread.currentThread().getContextClassLoader().getResource("myfile.txt");
    And here is the exception I get:
    com.mycompany.dashboard.DashboardException: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
         at com.mycompany.dashmodules.servicelauncher.ServiceLauncher.init(ServiceLauncher.java:119)
         at com.mycompany.dashboard.Dashboard.<init>(Dashboard.java:119)
         at com.mycompany.dashboard.Dashboard.main(Dashboard.java:264)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at com.sun.javaws.Launcher.executeApplication(Unknown Source)
         at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
         at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
         at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
         at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
         at com.sun.javaws.Launcher.run(Unknown Source)
         at java.lang.Thread.run(Thread.java:536)
    Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
         at java.security.AccessController.checkPermission(AccessController.java:401)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
         at java.lang.Thread.getContextClassLoader(Thread.java:1189)
         at com.mycompany.dashmodules.servicelauncher.ServiceLauncher.init(ServiceLauncher.java:106)
         ... 13 more
    Does anyone have any idea what is going on? I also get an AccessControlException with the following line:
    System.getProperty("java.util.prefs.PreferencesFactory");
    Thanks!
    Jason

    I figured it out. For some reason, the classes I loaded with my own URLClassLoader didn't have the same permissions as the classes loaded directly through WebStart. What I did was to include my own policy file in a jar with webstart, which granted java.security.AllPermissions to everything, i.e. all code bases. Then in my Main Class, I did:
    URL policyUrl = Thread.currentThread().getContextClassLoader().getResource("my.java.policy");
    Policy.getPolicy().refresh();
    This fixed it. I am guessing that when you give "all-permissions" to your webstart app, it assigns java.security.AllPermissions to code loaded from the webstart codebase, but not to code from other codebases. Changing the Policy widened this permission to everything.
    Another alternative would have been to write my own Policy subclass which permitted everything and then call Policy.setPolicy() with it.
    Jason
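
The effect discussed in this thread and in the reply to the JMS question at the top of the page (permissions follow the class loader and code source that defined a class), as an added Java example that is not from either poster: it reports the protection domain of a class and shows a URLClassLoader subclass that grants AllPermission only to one named location instead of a policy covering every code base. DomainCheck, TrustedUrlClassLoader, describe and hasAllPermission are hypothetical names; the code assumes a JDK that still ships the Security Manager permission model and that the class is compiled with javac and run from a directory or jar.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.ProtectionDomain;

// Added example; all class and method names here are hypothetical.
// Assumes a JDK with the Security Manager permission model (Java 8 era).
public class DomainCheck {

    /** Grants AllPermission only to classes defined from one trusted location. */
    static final class TrustedUrlClassLoader extends URLClassLoader {
        private final String trustedLocation;

        TrustedUrlClassLoader(URL trusted, ClassLoader parent) {
            super(new URL[] { trusted }, parent);
            this.trustedLocation = trusted.toExternalForm();
        }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            // Default URLClassLoader grant: access to the code source location itself.
            PermissionCollection perms = super.getPermissions(cs);
            URL loc = (cs == null) ? null : cs.getLocation();
            // Compare string forms; URL.equals() can trigger host name resolution.
            if (loc != null && trustedLocation.equals(loc.toExternalForm())) {
                perms.add(new AllPermission());
            }
            return perms;
        }
    }

    /** True if the class's protection domain (static grant or policy) implies AllPermission. */
    static boolean hasAllPermission(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        return pd != null && pd.implies(new AllPermission());
    }

    /** One-class report: defining loader, code source and whether AllPermission is implied. */
    static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        return c.getName()
            + "\n  loader:        " + c.getClassLoader()
            + "\n  code source:   " + (cs == null ? null : cs.getLocation())
            + "\n  AllPermission: " + hasAllPermission(c);
    }

    public static void main(String[] args) throws Exception {
        CodeSource self = DomainCheck.class.getProtectionDomain().getCodeSource();
        if (self == null || self.getLocation() == null) {
            System.out.println("No code source; compile with javac and run from a directory or jar.");
            return;
        }
        URL here = self.getLocation();

        // The class as defined by the launching loader.
        System.out.println(describe(DomainCheck.class));

        // parent = null: each loader defines its own copy of the class instead of
        // delegating to the application loader, so each copy gets its own domain.
        try (URLClassLoader plain = new URLClassLoader(new URL[] { here }, null);
             URLClassLoader trusted = new TrustedUrlClassLoader(here, null)) {
            System.out.println(describe(plain.loadClass("DomainCheck")));
            System.out.println(describe(trusted.loadClass("DomainCheck")));
        }
    }
}
```

Calling describe(getClass()) from inside a callback such as onMessage, and on the classes named in an AccessControlException stack trace, shows which loader and code source are missing the grant.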

  • Why do I get an error message 'write access not granted' when I try to copy paste jpegs from my folder on desktop to an external hard drive/(Transcend)pendrive

    This is a new problem. I transferred some images from my Nikon camera via image capture but converted my raw files to jpegs in the Nikon View nx 2 software and saved them in a new folder on my desktop. I use a 2010 MBP that has OS10.9.5 fully updated. When i tried copying and pasting the jpegs to an external pen drive I got an error message saying the jpg (the number) could not be saved as write access is not granted. I thought the pen drive may be full. So I attached an external hard drive.  got the same message. I then opened the same jpeg in photoshop cc and tried saving it as png on the hard drive, got the same message. Was unable to handover the photographs to my client. Was hugely embarrassed. Pl let me know if there is a way out of this and if its a Mac OSX issue? Thanks.

    right click on the jpeg (the other mouse button then you use to click with) or on trackpad, hold down control and click, in the menu that pops up, click on "get info" next, if the box labeled "locked" is checked, uncheck it. Down at the bottom, there should be a box with your user name, "staff" and "everyone". to the right of this are options to change these you may need to click the small padlock icon and enter in your password. then change all of the permissions to read and write.

  • 'Could not save because access was not granted'

    I have just changed to iMac from a pc.
    On the pc I had two LaCie external hard drives containing all my photos. When I connected them up to my Mac, all the photos were there and I was able to edit them but the problem arose when I tried to save them. When I tried to 'save or save as', even using a different file name I am getting the 'could not save because access was not granted' message. The same message pops up even when trying to save something generated in Photoshop and not taken from the external hard drive.
    I went into Applications and Disk Utility but it appears the 'hard drives cannot be written to' and the SMART status is not supported, whatever that might mean!
    Any help or suggestions would be greatly appreciated.

    Hi, possibly your EHD need to be Mac formatted.
    If you have formatted them right click on the Icon then select Get Info. On the very bottom of the Get Info window there is a section for Permissions. You need to Unlock (needs your password) and hit the + sign, from there choose YOUR name & Allow "Read Write" - See if that helps..
    If the EHD are NOT Mac formatted you will need to transfer everything from one EHD to the other then format the empty drive:- Applications ->Utilities ->Disk Utility -> Hilite Erase (top of window) Mac Extended..After that send everything back to the Formatted drive & do the same to the second drive..Finally Repair Permissions on YOUR Mac Main HD & Verify Disk on the EHD's-after that All should be good..........L
    Message was edited by: elmac

  • JNLP FileOpenService warning despite signed applet w/ "all-permissions"

    Hi all,
    We are deploying an applet using java 7u21. The applet is signed and the jnlp file contains a security section requesting "all-permissions". Even so, every time that we run the applet a pop-up appears with "The application has requested read/write access to a file on the machine. [...]"
    My understanding is that this warning should no longer display... Is that true? The only thing I have found related to this is http://docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/faq.html#s407, but that seems to indicate I should only see this dialog if I lack file access permissions. (I think I have those via trusted cert + jnlp all-permissions setting).
    Thanks for the help,
    Buzzy
    Relevant text from the link:
    5074526: ExtenededService file APIs show security dialog even if app is signed.
    In version 1.5.0.
    When using the FileOpen Service, the security dialog will only show if the application does not
    have file access permissions. This is not true with the new ExtendedService OpenFile, and
    OpenFiles methods, the security dialog shows anyway.

    I am having the same problem. We are using JRE 1.4.1_05. When a certain EJB is called I get:
    java.security.AccessControlException: access denied (java.net.SocketPermission XXX.XX.XX.XXX:7001, connect,resolve)
    at java.security.AccessControlContext.checkPermission (Unknown Source)...
    I have tried setting the following permission in my jre's /lib/security/java.policy file:
    grant {
    permission java.net.SocketPermission "host:port", "accept,connect";
    };
    After setting this permission the EJB that caused this error seems to crash. Is this the correct permission to set for the above mentioned exception? Is there any other alternative to uninstalling the security manager?

  • JMS Thread Pool Size

    Hi,
              I'm using WLS 6.1. The console has a setting for: JMS Thread Pool Size. I wanted to tune the number of threads used by JMS. I thought JMS asynch consumers would use threads in this pool however that doesn't seem to be the case (they all use the default execute threads and queues). Why is this setting available?
              Note the BEA WebLogic JMS Performance Guide talks about tuning this value from version 6.1 up to 8.1 and states "On the server, incoming JMS related requests execute in the JMS execute queue/thread pool."
              Thanks in advance for any responses,
              Mich

    Disregarding what it is for, in my experience, tuning this setting rarely has much effect. For 6.1, the main thread pool related tunables to look at are the EJB thread pools and EJB max-beans... settings, the "default" thread pool, and the internal thread-pool for stand-alone clients -- all of which are mentioned in the performance guide.

  • Error of "Could not save (file name) because write access was not granted

    Error of "Could not save (file name) because write access was not granted. The users are pulling the files from a Mountain Lion server. They all have read\write access. If they try to save the file in the same directory they get that error but they can save it anywhere else on the sharepoint. If they save it in another directory then reopen it make a change and do a save as they can save it back to the original directory. Has anyone else come across this same issues

    It is an enterprise solution. I just do not see why you can't save directly to the server. It seems to get weird errors. Some Adobe stuff saves fine on the server and some of it doesn't. It seems Adobe related. The permissions on the server are set correctly so it isn't a permission error

  • Could not save "IMG_5116.psd" because write access was not granted.

    "Could not save “IMG_5116.psd” because write access was not granted." i keep on getting this error message     why/?????

    nimrod levy,
    It seems like a permission issue. Grant 'write and read' permission to the file.
    MAC : Right click on the file > click on "Get Info"
    scroll to the bottom "Permissions" >  unlock it > set permission as "Write and read" to all the users.
    Win: Right click on the file > "Properties".
    Uncheck "Attributes: Read only".
    Go to 'Security' tab >  'Edit'
    Give full control check all in "Allow" column; uncheck all from deny column if any to all the users.

  • Config changes to avoid JMS thread deadlock

              From various postings and Weblogic documentation I'm trying to understand the specifics of how to avoid a JMS thread deadlock problem. The Performance and Tuning Guide states "...consider a servlet that reads messages from a designated JMS queue. If all execute threads in a server are used to process the servlet requests, then no threads are available to deliver messages from the JMS queue. A deadlock condition exists,...". I believe that is what I have, and am trying to understand whether the solution is to create a separate execute queue for the servlets, or change the settings on the Execute and JMS Thread queues, or both, or something else, and if so, what are the settings I should use?
              Specifically, I have servlets that use connections to a custom resource adapter, and each custom adapter connection writes to a single (for all adapter connection instances) permanent JMS queue and reads a response from a one-per-adapter-connection temporary queue. Messages are read from the permanent JMS queue by a client process (running outside of WLS). My servlets use the default execute queue - i.e., they don't use a custom execute queue - and my reads on the temporary JMS queues are timing out, I believe because no threads are available to process the JMS message.
              So can I avoid deadlocks by:
              1. creating a custom execute queue that has n threads
              2. allowing a maximum of n custom adapter connection instances
              3. Setting my JMS thread pool to n (assuming I have no other JMS activity)
              i.e., using the same number - n - for all three settings? I'm about to try this and see, but if it works I'd still like to have a better understanding as to why (and of course if it doesn't, I need that understanding even more).
              Or, is text somewhere describing the specifics of how all of the Weblogic thread queues and JMS play together? There seem to be pieces scattered in various Weblogic documents, but nowhere have I found a single, coherent and complete description of how all of these factors interact.
              

              Tom Barnes wrote:
              >Thanks for the info. Allocating the servlets to their own execute queue solved
              my problem.
              >
              >Glen wrote:
              >
              >> From various postings and Weblogic documentation I'm trying to understand
              >the specifics
              >> of
              >> how to avoid a JMS thread deadlock problem. The Performance and Tuning
              >Guide states
              >> "...consider a servlet that reads messages from a designated JMS queue.
              >If all
              >> execute threads in a server are used to process the servlet requests,
              >then no
              >> threads are available to
              >> deliver messages from the JMS queue. A deadlock condition exists,...".
              > I believe
              >> that is
              >> what I have,
              >
              >You can often verify by inspecting a thread dump. Note that there
              >are other possible reasons for dead-lock, including
              >programming errors at the application level - and if that is
              >the case, the thread dump will likely reveal that as well.
              >
              >> and am trying to understand whether the solution is to create a separate
              >> execute queue for the servlets, or change the settings on the Execute
              >and JMS
              >> Thread queues,
              >> or both, or something else, and if so, what are the settings I should
              >use?
              >>
              >> Specifically, I have servlets that use connections to a custom resource
              >adapter,
              >> and each
              >> custom adapter connection writes to a single (for all adapter connection
              >instances)
              >> permanent JMS queue and reads a response from a one-per-adapter-connection
              >temporary
              >> queue. Messages are read from the permanent JMS queue by a client process
              >(running
              >> outside of WLS). My servlets use the default execute queue - i.e.,
              >they don't use
              >> a custom execute queue - and my reads on the temporary JMS queues are
              >timing out,
              >> I believe because
              >> no threads are available to process the JMS message
              >>
              >> So can I avoid deadlocks by:
              >> 1. creating a custom execute queue that has n threads
              >
              >yes, or configuring more threads for the default pool
              >(somewhat more than you have concurrent servlets)
              >
              >> 2. allowing a maximum of n custom adapter connection instances
              >
              >no - i think your servlets would just end up blocking waiting
              >for adapter connections (instead of blocking waiting for
              >response messages)
              >
              >> 3. Setting my JMS thread pool to n (assuming I have no other JMS
              >activity)
              >
              >i'm not sure, but I don't think this will help in your case - JMS
              >uses the JMS thread pool for a limited purpose, and
              >still uses the default thread pool otherwise (as documented in
              >the perf guide). Plus the default thread pool is needed for
              >RMI/timers/etc.
              >
              >If servlets are truly "stealing" all of the default threads,
              >I think the best option is give
              >the servlets their own thread-pool.
              >
              >> i.e., using the same number - n - for all three settings? I'm about
              >to try this
              >> and see,
              >> but if it works I'd still like to have a better understanding as to
              >why (and of
              >> course if it doesn't,
              >> I need that understanding even more).
              >>
              >> Or, is text somewhere describing the specifics of how all of the Weblogic
              >thread
              >> queues
              >> and JMS play together?
              >
              >The JMS performance guide
              >white-paper is probably the best resource at the moment, it seems
              >to be pointing you in the right direction (provided you confirm
              >the problem is thread pool limits)
              >
              >> There seem to be pieces scattered in various Weblogic documents,
              >> but
              >> nowhere have I found a single, coherent and complete description of
              >how all of
              >> these factors
              >> interact.
              >
              >You are welcome to email a suggestion to bea support.
              >Customer suggestions tend to have more weight than internally
              >generated suggestions.
              >
              >
              

  • Permissions not enabled on disk.

    Hello,
    I previously had linux installed in parallel to Leopard on my macbook 4,1.  I'm trying to merge all my partitions so I can reinstall Leopard in as large a space as possible, but the partition that was used as the swap returns error 9973 (Permissions not enabled) whenever I try to do anything with diskutil.  The partition mounts, but doesn't show up in my Volumes directory, so I can't use vsdbutil or chmod.  Here's a layout of my drive:
    #:   TYPE                    NAME           SIZE        IDENTIFIER
    0:   GUID_partition_scheme                  *149.1 Gi   disk0
    1:   EFI                                    200.0 Mi    disk0s1
    2:   Apple_HFS               Macintosh HD   123.6 Gi    disk0s2
    3:   Apple_HFS               Linux HD       23.3 Gi     disk0s4
    4:   Linux Swap                             1.9 Gi      disk0s3   <---- Problem!
    Any suggestions for fixing this? 
    Thanks,
    Jeremy

    Hi BDAqua,
    Thanks for the suggestion, it wasn't my final solution, but it did something very interesting.
    chown root /dev/disk0s3 seemed to execute but I couldn't run chmod on it.  I tried erasing the partition to FAT32 after running chown and instead of displaying error 9973 (Permissions not enabled) it appeared to perform the erase without being able to mount the volume afterwards.  I checked things over with diskutil list and it still listed the partition as being the linux swap.  Only now do I realize that I should have tried running vsdbutil after chown to see if that would have worked.
    My fix was to boot from the Ubuntu install cd and select "Try Ubuntu without installing" from the menu that came up.  Once it was up and running I used the GParted Partition Manager to modify my drive.  Much to my surprise, GParted didn't list the linux swap partition, but rather the name and format I applied after running chown root /dev/disk0s3.  I'm still not sure why diskutil didn't list the change after I erased but I suspect it had something to do with the volume failing to mount after the erase.  From here it was a simple matter to delete all unwanted partitions and resize the one for Mac OS X.
    I should add that I tried GParted Partition Manager because I read a post that it could easily deal with Linux Swap partitions.  Here's the post: https://discussions.apple.com/thread/1748051?start=0&tstart=0
    Thanks for the help,
    Jeremy

  • System Folder errors after I changed all permissions on HD to read & write

    Hi,
    Two things may have caused probs on my new 2010 iMac (Snow Leopard), and Applecare is shut so I would really appreciate some help as I have urgent work.
    1) INCORRECT PERMISSIONS
    I have been stupid. I clicked on Macintosh HD and changed all permissions to read & write because I wanted to be sure I could open and edit all documents on other computers.
    I ran Disk Utility Repair Permissions from the install disc, but I am still getting system error messages, and my HP printer won't work.
    The first message, in Repair Permissions, said: Warning: SUID file System/Library/Cores has been modified and will not be repaired. I have read a support doc on this which says no need to worry but I don't like it and would like to fix this.
    More importantly, my HP printer won't work, displays error beside the document in print dialogue box.
    Deleting the printer and readding it didn't work, so I downloaded new drivers and tried to install them, which is when I got the second system error message: System extension System/Library/Extensions/BJUSBLoad.kext was installed improperly and cannot be used. Please try reinstalling it or contact product's vendor for an update.
    I checked the permissions on the file and they were still wrong despite Repair Permissions, allowing everyone to read & write. So I have now clicked on the entire System folder and changed the permissions to: System read & write, admin read only, everyone read only.
    Will this fix it or do I need to do something else, such as check ownership, to make sure all permissions on the computer are now correct?
    2) MEMORY STICK SHUT DOWN MY IMAC
    Additionally (though I don't think this had anything to do with my problems), I inserted a Sandisk USB memory stick the other day and it immediately shut down the computer. When I inserted it into my Macbook it initially rejected it and gave me a message saying the device wanted too much power so it had ejected it to prevent damage to my computer. When I tried again it was OK. I totally reformatted the stick in case there was something harmful on it, but should I now bin the stick as faulty? Scared to use it again.
    3) IS IT BEST TO REINSTALL ENTIRE SOFTWARE?
    If I do a reinstall of all the software from the install disc, will it wipe out all my data, such as Mail, documents, bookmarks and other apps?
    I would back-up, but if I try and back up files on my external drive it will automatically do a Time Machine back-up and I don't want to do that in case it backs-up all the corrupted files. Otherwise, I wouldn't mind starting again just to be sure all is well.
    Expert advice would be very much appreciated.
    Thank you
    Sarah

    Oh, silly really. I was in a hurry and working on docs that I needed to take to the office and open on another computer there.
    But when I checked the permissions on the doc it said I could read & write but everyone else was read only.
    I thought if I opened it on another machine I'd be stuck with read only access and not be able to work on there. I think I couldn't change it, so I thought to avoid any future problems like that I would change everything on machine!
    Yikes. Won't do that again
    Sarah

  • Hello there - I am sharing an iPhoto library across two accounts on the same computer - it works fine EXCEPT for Quicktime movies - they play on one account and claim I don't have the rights on the other - all permissions are on and ok?

    Hello there - I am sharing an iPhoto library across two accounts on the same computer - it works fine EXCEPT for Quicktime movies - they play on one account and claim I don't have the rights on the other - all permissions are on and ok?

    It should be in the Users/ Shared folder.
    Back Up and try rebuild the library: hold down the command and option (or alt) keys while launching iPhoto. Use the resulting dialogue to rebuild. Note the option to check and repair Library Permissions
    Regards
    TD

  • Project Server 2010 / Sharepoint 2010 Permissions not syncing to Project Site

    Project Permissions not syncing to Project Site
    Project Manager Group
    New project is created and published project server sends permissions to Sharepoint which puts users into the following groups:
    Web Administrator (Microsoft Project Server)
    Project Managers (Microsoft Project Server)
    Team members (Microsoft Project Server)
    Readers (Microsoft Project Server)
    At this time the creator/owner, owner’s management, portfolio managers, and executives should all have Project Manager rights on the sharepoint site, and Admins will have Web Admin permissions.
    Issue #1: Only the Web Admin permissions and creator/owner permissions are being added to the Sharepoint permission groups
    Workaround #1: Going into the project site permissions and adding the Project Managers (Microsoft Project Server) group manually and the sync will keep the permissions
    Workaround #2: Going into the Server Settings, Manager Groups then removing or add all users to the No Permission Group, which forces a sync to all workspaces. Con: This workaround can only be done at night when users are not active since it will block the queue for at least an hour.
    Project Owner Transfer
    Previously created project has owner change, once saved and published project server sends permissions to update user’s permission to Project Managers (Microsoft Project Server) on Sharepoint project site.
    Issue #2: When Project owner is changed and project is published the owner is not getting permissions to the Sharepoint project site. However, if owner is also added to the team using the Build Team Feature the sync will give the owner Project Manager permissions on the Project Site.
    Workaround #1: Going into Server Settings, Project Sites, select project and Synchronize. Once this is done, the owner will have Project Manager Permissions without being added to the team.
    Users who have been added to this project in Project Server 2010, but not assigned to tasks.
    Users who have assignments in this project in Project Server 2010 and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.
    Users who have published this project or who have Save Project permission in Project Web App and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.
    Users who have Manage SharePoint Foundation permission in Project Web App and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.

    By default when you create project build team add users in the task and publish the project plan then All the User which are available in the project plan including Project owner will go to below mentioned group in project site:
    1. creator/owner, owner’s management, portfolio managers, and executives should all have Project Manager will get access to Project Managers (Microsoft Project Server)
    2. User who are having team member access to PWA will get Team members (Microsoft Project Server) access if they are assigned to the project task.
    3. User who are having team member access to PWA will get Readers (Microsoft Project Server) access if they are not assigned to the project task.
    4. Only PWA Administrator will get the access to Web Administrator (Microsoft Project Server)
    Sharepoint permission you have to use when you want to give permission manually to users on project site  
    In the Project Site provisioning setting under Server setting if you have Check to automatically synchronize Project Web App users with Project Sites when they are created, when project managers publish projects, and when user permissions change in Project Server.
    Then all the user get access as per describe above and if you will give access manually to any of the user either in project server group or in Sharepoint group once you will publish the project next time all the manually given permission will go away.
    IF you want to give permission to user manually to sharepoint group or project server group then uncheck automatically synchronize Project Web App users with Project Sites when they are created, when project managers publish projects, and when user permissions change in Project Server.
    You check PWA site setting --> Site permission then member of Sharepoint group user who will have access to sharepoint group in PWA site setting site permission will have access to all the project site sharepoint group as Project site inherit permission from PWA root site.
    Both the issue which you have described is behavior of project site.
    For issue 2 when first time project owner create and publish the project and project site is getting created then project owner name gets access in the project manager (project server group) next time if you will change the owner and publish the project until he will not present in the project plan will not get the permission.
    If you want to give sharepoint permission to users then uncheck automatically synchronize Project Web App users with Project Sites when they are created, when project managers publish projects, and when user permissions change in Project Server and give the permission manually.
    Project site in 2010 has some issue and not fulfilling customer need some time, MS has came up with 2013 which is having tight integration with project sites.
    Project workspace security groups are equal to the SharePoint Server 2010 security groups.
    Web Administrator equals Full Control
    Project Managers equals Design
    Team members equals Contribute
    Readers equals Read
    Users who have Manage SharePoint Foundation permission in Project Web App and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks will get access to Web Administrator (Microsoft Project Server)
    http://technet.microsoft.com/en-us/library/cc197668(v=office.14).aspx
    kirtesh
