Task #1166

closed

Issue while creating superAdminRole

Added by Ondřej Kopr over 3 years ago. Updated over 3 years ago.

Status: Rejected
Priority: Normal
Assignee: Petr Michal
Category: Authentication / Authorization
Target version:
Start date: 07/04/2018
Due date:
% Done: 100%
Estimated time:

Description

On the project, strange behavior was observed when creating superAdminRole.

IDM_AUTHORIZATION_POLICY was created for this role, but base_permission (ADMIN) was not filled.

Please check this behavior on version 8.1.0 and higher.

Actions #1

Updated by Ondřej Kopr over 3 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Ondřej Kopr over 3 years ago

Some info from the project:

Active spring profile: production

application-production.properties is a copy of the classic dev properties.

I can simulate the same behavior as on the project only with these steps:
  • create a clean environment without/with demo data,
  • edit superAdminRole and remove the permission (Administration (all)),
  • after this edit, it isn't possible to make any other change, the same as yesterday on the project,
  • the only possible fix is to update idm_authorization_policy and add back the base permission.

The Envers listener was disabled on the project (audit not auditing :)), so I searched for the ID of the authorization policy (7fa4fa95-bc9e-48bb-b730-9d6c43f96335) in catalina.out and found these records:

1

2018-06-20 13:10:58.132  INFO 7876 --- [ost-startStop-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-save-processor] start for [AuthorizationPolicyEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= null], properties: {}]] with order [0].
2018-06-20 13:10:58.182  INFO 7876 --- [ost-startStop-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-save-processor] end for [AuthorizationPolicyEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [0].
2018-06-20 13:10:58.182  INFO 7876 --- [ost-startStop-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-delete-permissions-change-processor] start for [AuthorizationPolicyEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [2147483647].
2018-06-20 13:10:58.214  INFO 7876 --- [ost-startStop-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-delete-permissions-change-processor] end for [AuthorizationPolicyEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [2147483647].
2018-06-20 13:10:58.215  INFO 7876 --- [ost-startStop-1] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [AuthorizationPolicyEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] is completed
2018-06-20 13:10:58.216  INFO 7876 --- [ost-startStop-1] eu.bcvsolutions.idm.InitApplicationData  : Super admin Role created [id: null]
2018-06-20 13:10:58.232  INFO 7876 --- [ost-startStop-1] e.b.i.c.m.s.i.DefaultEntityEventManager  : Publishing event [CoreEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= admin], properties: {}]]

2

2018-07-03 15:39:46.432  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.m.s.i.DefaultEntityEventManager  : Publishing event [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]]
2018-07-03 15:39:46.439  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-save-processor] start for [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [0].
2018-07-03 15:39:46.462  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-save-processor] end for [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [0].
2018-07-03 15:39:46.463  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-delete-permissions-change-processor] start for [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [2147483647].
2018-07-03 15:39:46.470  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [authorization-policy-delete-permissions-change-processor] end for [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] with order [2147483647].
2018-07-03 15:39:46.471  INFO 23506 --- [nio-8080-exec-1] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [AuthorizationPolicyEvent [type: UPDATE, content: eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto [code= 7fa4fa95-bc9e-48bb-b730-9d6c43f96335], properties: {}]] is completed

The first log shows the creation of the role superAdminRole and then the setting of the authorization policy (2018-06-20 13:10). The second one is the start of the processor authorization-policy-delete-permissions-change-processor. This processor probably removes the permission ADMIN from this authorization policy. After this, the next log is a warning with forbidden:

2018-07-03 15:43:58.403  WARN 23506 --- [nio-8080-exec-5] e.b.i.c.e.ExceptionControllerAdvice      : [56263166-9340-453b-bd65-b1996df325df] 
eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException: Forbidden: entity [a6953116-04e6-4fb8-bfbd-694027ceb729], permission [AUTOCOMPLETE, READ].
        at eu.bcvsolutions.idm.core.rest.impl.IdmTreeTypeController.getDefaultTreeType(IdmTreeTypeController.java:327)

So probably the best explanation: someone mis-clicked in the multi-select box and removed this permission (time 2018-07-03 15:39). All behavior when creating a new superAdminRole works correctly (tested versions 8.1.0, 8.1.3 and current develop).
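
The log correlation described in the comment above, as an added example that is not part of the original ticket or the project's code: it rebuilds the change timeline for one authorization policy from catalina.out-style lines and lists the Forbidden errors that follow its last UPDATE. The sample log is constructed (abridged from the quoted records), `OTHER_ID` is a made-up policy ID, and the startup/HTTP classification assumes Tomcat's default thread names as they appear, truncated, in the quoted log.

```python
import re
from datetime import datetime

POLICY_ID = "7fa4fa95-bc9e-48bb-b730-9d6c43f96335"  # policy ID quoted in the comment
OTHER_ID = "11111111-2222-3333-4444-555555555555"   # constructed ID of an unrelated policy
DTO = "eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto"
MGR = "e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [AuthorizationPolicyEvent"
# Constructed sample, abridged from the catalina.out records quoted in the comment.
SAMPLE_LOG = f"""\
2018-06-20 13:10:58.215  INFO 7876 --- [ost-startStop-1] {MGR} [type: CREATE, content: {DTO} [code= {POLICY_ID}], properties: {{}}]] is completed
2018-07-03 15:12:01.100  INFO 23506 --- [nio-8080-exec-3] {MGR} [type: UPDATE, content: {DTO} [code= {OTHER_ID}], properties: {{}}]] is completed
2018-07-03 15:39:46.471  INFO 23506 --- [nio-8080-exec-1] {MGR} [type: UPDATE, content: {DTO} [code= {POLICY_ID}], properties: {{}}]] is completed
2018-07-03 15:43:58.403  WARN 23506 --- [nio-8080-exec-5] e.b.i.c.e.ExceptionControllerAdvice      : [56263166-9340-453b-bd65-b1996df325df]
eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException: Forbidden: entity [a6953116-04e6-4fb8-bfbd-694027ceb729], permission [AUTOCOMPLETE, READ].
"""

HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\w+\s+\d+ --- \[([^\]]+)\]")
EVENT = re.compile(r"AuthorizationPolicyEvent \[type: (\w+),.*?\[code= ([0-9a-f-]{36})\]")
FORBIDDEN = re.compile(r"ForbiddenEntityException: Forbidden: entity \[([0-9a-f-]{36})\], permission \[([^\]]*)\]")

def origin(thread):
    """Classify a (truncated) Tomcat thread name: application startup vs. HTTP request worker."""
    if "startStop" in thread:
        return "startup"
    return "http-request" if "-exec-" in thread else "other"

def policy_timeline(log_text, policy_id):
    """Return (changes, denials): completed events on policy_id, and Forbidden errors after its last UPDATE."""
    changes, denials, ts, thread = [], [], None, ""
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if head:  # continuation lines (exception text, stack frames) inherit the previous timestamp
            ts = datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S.%f")
            thread = head.group(2)
        ev = EVENT.search(line)
        if ev and ts and ev.group(2) == policy_id and line.rstrip().endswith("is completed"):
            changes.append((ts, ev.group(1), origin(thread)))
        fb = FORBIDDEN.search(line)
        if fb and ts:
            denials.append((ts, fb.group(1), fb.group(2)))
    updates = [t for t, kind, _ in changes if kind == "UPDATE"]
    return changes, [d for d in denials if updates and d[0] >= max(updates)]

if __name__ == "__main__":
    changes, denials = policy_timeline(SAMPLE_LOG, POLICY_ID)
    for ts, kind, src in changes:
        print(ts, kind, src)
    for ts, entity, perms in denials:
        print(ts, "Forbidden", entity, perms)
```

An UPDATE that arrives on an HTTP worker thread, rather than the startup thread that created the policy, points to a change made through the REST API or UI, which is the distinction the comment relies on.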

Actions #3

Updated by Ondřej Kopr over 3 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Petr Michal
  • Target version set to Lapis (8.2.0)
  • % Done changed from 0 to 90
Actions #4

Updated by Radek Tomiška over 3 years ago

  • Status changed from Needs feedback to Rejected
  • % Done changed from 90 to 100