From: Adam R. <ad...@ex...> - 2012-06-13 21:37:28
This is not a bug. The answer is in the messages in the log, if not subtly ;-)

Basically the message you get is - "Permission denied to open collection: /db/organizations by te...@ea..."

The permissions on /db/organizations are 'rwxr-xr--' and the owner is 'admin:dba', however the user 'te...@ea...' does not have permission to open the collection.

That is to say that you need to grant execute 'x' access on the collection /db/organizations for that account.

On 13 June 2012 02:31, Casey Jordan <cas...@jo...> wrote:
> Hi all,
>
> Doing more stress testing on trunk and I started to get a lot of 401
> unauthorized errors. I did some investigation and found something strange.
>
> I have a collection /db/organizations owned by admin and group dba, but with
> world readable permissions (rwxr-x-r--).
>
> When I login as my test user (not guest) via oXygen I get a permission
> denied error. Looking at the logs I see:
>
> 2012-06-12 21:23:16,109 [eXistThread-37] DEBUG (SecurityManagerImpl.java [authenticate]:395) - Authentication try for 'te...@ea...'.
> 2012-06-12 21:23:16,109 [eXistThread-37] DEBUG (SecurityManagerImpl.java [authenticate]:436) - Authenticated by 'exist' as '[auth] <account name="te...@ea..." id="11"><group name="__test-org" id="12"></group><group name="__test-org__contributor-dita-langref" id="17"></group><group name="__test-org-dita-langref" id="16"></group></user>'.
> 2012-06-12 21:23:16,109 [eXistThread-37] ERROR (ExistCollection.java [initMetadata]:117) - org.exist.security.PermissionDeniedException: Permission denied to open collection: /db/organizations by te...@ea...
> 2012-06-12 21:23:16,110 [eXistThread-37] DEBUG (MiltonResource.java [authenticate]:343) - User 'te...@ea...' has been authenticated.
> 2012-06-12 21:23:16,111 [eXistThread-37] INFO (MiltonResource.java [authorise]:350) - PROPFIND /db/organizations (write=false)
> 2012-06-12 21:23:16,112 [eXistThread-37] DEBUG (MiltonResource.java [authorise]:402) - User te...@ea... is NOT authorized to read resource, abort.
>
> However the admin client is reporting to me that I should have read
> permissions (See first screenshot)
>
> I also tried logging in to admin client as that user, and experienced the
> same thing:
>
> Failed to invoke method describeCollection in class org.exist.xmlrpc.RpcConnection: Permission denied to open collection: /db/organizations by te...@ea...
>
> org.xmldb.api.base.XMLDBException: Failed to invoke method describeCollection in class org.exist.xmlrpc.RpcConnection: Permission denied to open collection: /db/organizations by te...@ea...
>     at org.exist.xmldb.RemoteCollection.readCollection(RemoteCollection.java:461)
>     at org.exist.xmldb.RemoteCollection.listChildCollections(RemoteCollection.java:278)
>     at org.exist.client.InteractiveClient.getResources(InteractiveClient.java:371)
>     at org.exist.client.InteractiveClient.process(InteractiveClient.java:556)
>     at org.exist.client.ClientFrame$ProcessThread.run(ClientFrame.java:1662)
> Caused by: org.apache.xmlrpc.XmlRpcException: Failed to invoke method describeCollection in class org.exist.xmlrpc.RpcConnection: Permission denied to open collection: /db/organizations by te...@ea...
>     at org.apache.xmlrpc.client.XmlRpcStreamTransport.readResponse(XmlRpcStreamTransport.java:197)
>     at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:156)
>     at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
>     at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
>     at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:158)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:147)
>     at org.exist.xmldb.RemoteCollection.readCollection(RemoteCollection.java:459)
>     ... 4 more
> Caused by: org.apache.xmlrpc.XmlRpcException: Failed to invoke method describeCollection in class org.exist.xmlrpc.RpcConnection: Permission denied to open collection: /db/organizations by te...@ea...
>     at org.apache.xmlrpc.client.XmlRpcStreamTransport.readResponse(XmlRpcStreamTransport.java:197)
>     at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:156)
>     at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
>     at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
>     at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:158)
>     at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:147)
>     at org.exist.xmldb.RemoteCollection.readCollection(RemoteCollection.java:459)
>     at org.exist.xmldb.RemoteCollection.listChildCollections(RemoteCollection.java:278)
>     at org.exist.client.InteractiveClient.getResources(InteractiveClient.java:371)
>     at org.exist.client.InteractiveClient.process(InteractiveClient.java:556)
>     at org.exist.client.ClientFrame$ProcessThread.run(ClientFrame.java:1662)
>
> and in the logs:
>
> 2012-06-12 21:28:42,981 [eXistThread-44] DEBUG (SecurityManagerImpl.java [authenticate]:395) - Authentication try for 'te...@ea...'.
> 2012-06-12 21:28:42,981 [eXistThread-44] DEBUG (SecurityManagerImpl.java [authenticate]:436) - Authenticated by 'exist' as '[auth] <account name="te...@ea..." id="11"><group name="__test-org" id="12"></group><group name="__test-org__contributor-dita-langref" id="17"></group><group name="__test-org-dita-langref" id="16"></group></user>'.
> 2012-06-12 21:28:42,981 [eXistThread-44] DEBUG (RpcConnection.java [handleException]:120) - Permission denied to open collection: /db/organizations by te...@ea...
> org.exist.security.PermissionDeniedException: Permission denied to open collection: /db/organizations by te...@ea...
>     at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:893)
>     at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:738)
>     at org.exist.xmlrpc.RpcConnection.describeCollection(RpcConnection.java:730)
>     at org.exist.xmlrpc.RpcConnection.describeCollection(RpcConnection.java:711)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:616)
>     at org.apache.xmlrpc.server.ReflectiveXmlRpcHandler.invoke(ReflectiveXmlRpcHandler.java:115)
>     at org.apache.xmlrpc.server.ReflectiveXmlRpcHandler.execute(ReflectiveXmlRpcHandler.java:106)
>     at org.apache.xmlrpc.server.XmlRpcServerWorker.execute(XmlRpcServerWorker.java:46)
>     at org.apache.xmlrpc.server.XmlRpcServer.execute(XmlRpcServer.java:86)
>     at org.apache.xmlrpc.server.XmlRpcStreamServer.execute(XmlRpcStreamServer.java:200)
>     at org.apache.xmlrpc.webserver.XmlRpcServletServer.execute(XmlRpcServletServer.java:112)
>     at org.apache.xmlrpc.webserver.XmlRpcServlet.doPost(XmlRpcServlet.java:196)
>     at org.exist.xmlrpc.RpcServlet.doPost(RpcServlet.java:68)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:598)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:486)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:542)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1065)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:413)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:999)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:224)
>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:98)
>     at org.exist.http.urlrewrite.Forward.doRewrite(Forward.java:47)
>     at org.exist.http.urlrewrite.XQueryURLRewrite.service(XQueryURLRewrite.java:211)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:598)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:486)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1065)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:413)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:999)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
>     at org.eclipse.jetty.server.Server.handle(Server.java:350)
>     at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
>     at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:900)
>     at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:954)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:851)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
>     at java.lang.Thread.run(Thread.java:636)
>
> Anyone know what's going on here?
>
> --
> Casey Jordan
> easyDITA a product of Jorsek LLC
> "CaseyDJordan" on LinkedIn, Twitter & Facebook
> (585) 348 7399
> easydita.com

--
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb
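
The permission check described in the reply above, as an added example that is not part of the original messages and is not eXist's own code. It assumes POSIX-style class selection (owner triad, else group triad, else other triad); the account names `test-user` and `dba-member` are placeholders, since the archive truncates the real account name.

```python
# Added illustration: a simplified model of Unix-style collection permissions.
# Assumption: the first matching class decides (owner, then group, then other).
from dataclasses import dataclass


@dataclass(frozen=True)
class Collection:
    path: str
    owner: str
    group: str
    mode: str  # nine characters, e.g. "rwxr-xr--"


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset


def class_bits(col, acct):
    """Return the three-character triad that applies to this account."""
    if len(col.mode) != 9:
        raise ValueError(f"mode must be 9 characters: {col.mode!r}")
    if acct.name == col.owner:
        return col.mode[0:3]
    if col.group in acct.groups:
        return col.mode[3:6]
    return col.mode[6:9]


def missing_bits(col, acct, want):
    """Bits from `want` (e.g. 'x' to open a collection) the account lacks."""
    bits = class_bits(col, acct)
    return "".join(b for b in want if b not in bits)


def allowed(col, acct, want):
    return missing_bits(col, acct, want) == ""


# Mode, owner, group and group memberships are taken from the thread.
ORGS = Collection("/db/organizations", "admin", "dba", "rwxr-xr--")
TEST_USER = Account("test-user", frozenset({
    "__test-org", "__test-org__contributor-dita-langref",
    "__test-org-dita-langref"}))
DBA_USER = Account("dba-member", frozenset({"dba"}))  # constructed contrast


def report():
    # One possible grant (assumption): add 'x' to the "other" triad.
    fixed = Collection(ORGS.path, ORGS.owner, ORGS.group, "rwxr-xr-x")
    return {
        "read_bit_present": allowed(ORGS, TEST_USER, "r"),
        "can_open": allowed(ORGS, TEST_USER, "x"),
        "missing": missing_bits(ORGS, TEST_USER, "x"),
        "dba_member_can_open": allowed(ORGS, DBA_USER, "x"),
        "can_open_after_grant": allowed(fixed, TEST_USER, "x"),
    }
```

Adding 'x' to the "other" triad lets every account open the collection; granting it through a group the account belongs to is the narrower option.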