Menu
▾
▴
unity-idm-discuss
|
From: Sander A. <sa....@fz...> - 2019-12-19 12:07:21
Attachments:
smime.p7s
|
Dear Krzysztof, we have some users who has Inspector privileges. Since we updated to unity 2.8.2 this users got the error "Not authorized to read members of the group" when they try to view the users in admin endpoint. Was this changed behaviour planed? Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-12-27 15:50:40
|
Hi Sander, W dniu 19.12.2019 o 13:07, Sander Apweiler pisze: > Dear Krzysztof, > > we have some users who has Inspector privileges. Since we updated to > unity 2.8.2 this users got the error "Not authorized to read members of > the group" when they try to view the users in admin endpoint. Was this > changed behaviour planed? Yes. We have added a lot of optimizations in recent versions, in order to have a fast operation on huge groups. A side effect of this is that in both adminUI and the new console browsing of groups contents requires a slightly higher privilege. Previously we had a very detailed filtering of data returned for role of inspector. Now it was simplified, and while authorization works in the same way (i.e. Inspector can access the same data it could before) it is not enough to use Console UI/Admin UI which are using simplier API for performance. We could also support the original Inspector role, but it would require a separate optimized implementation and at the same time we believe that AdminUI/Console should be rather used by privileged users. The solution is quite straightforward: the "Privileged inspector" role has enough capabilities to use console/adminUI in RO mode, so use it for RO users of Console/AdminUI. The "Inspector" role is still useful as a more limited user on REST API. The difference between the two roles is that Privileged inspector can read also some of the data "hidden" from outside world, like disabled entities, which are not shown to the plain "Inspector". HTH, Krzysztof |
|
From: Sander A. <sa....@fz...> - 2020-01-02 06:34:34
Attachments:
smime.p7s
|
Dear Krzysztof, first of all I wish you a happy new year and all the best for 2020. Upgrading to privileged inspector would be ok, but I don't have this role anymore. The drop down list does not contain it. It is still listed in the explanation of the roles, but not available. Cheers, Sander On Fri, 2019-12-27 at 16:50 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 19.12.2019 o 13:07, Sander Apweiler pisze: > > Dear Krzysztof, > > > > we have some users who has Inspector privileges. Since we updated > > to > > unity 2.8.2 this users got the error "Not authorized to read > > members of > > the group" when they try to view the users in admin endpoint. Was > > this > > changed behaviour planed? > > Yes. > > We have added a lot of optimizations in recent versions, in order to > have a fast operation on huge groups. A side effect of this is that > in > both adminUI and the new console browsing of groups contents requires > a > slightly higher privilege. Previously we had a very detailed > filtering > of data returned for role of inspector. Now it was simplified, and > while > authorization works in the same way (i.e. Inspector can access the > same > data it could before) it is not enough to use Console UI/Admin UI > which > are using simplier API for performance. We could also support the > original Inspector role, but it would require a separate optimized > implementation and at the same time we believe that AdminUI/Console > should be rather used by privileged users. > > The solution is quite straightforward: the "Privileged inspector" > role > has enough capabilities to use console/adminUI in RO mode, so use it > for > RO users of Console/AdminUI. The "Inspector" role is still useful as > a > more limited user on REST API. The difference between the two roles > is > that Privileged inspector can read also some of the data "hidden" > from > outside world, like disabled entities, which are not shown to the > plain > "Inspector". > > HTH, > Krzysztof > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2020-01-03 11:11:44
|
Dear Sander, Happy New Year! W dniu 02.01.2020 o 07:34, Sander Apweiler pisze: > Dear Krzysztof, > first of all I wish you a happy new year and all the best for 2020. > > Upgrading to privileged inspector would be ok, but I don't have this > role anymore. The drop down list does not contain it. It is still > listed in the explanation of the roles, but not available. > Uh! That's very strange. I have no guess around what happened. Couple of ideas to get us started: 1. What drop down has no priv inspector? AdminUI -> Contents Management -> setting an attribute? Or elsewhere? 2. Can you try to play with this a bit? E.g. can you set this attribute for new (even test) user? 3. Can you create a DB JSON dump and inspect what is in sys:Authorizationrole attribute type? Having this may help. 4. Can you set this attribute over REST API? Cheers, KB |
|
From: Sander A. <sa....@fz...> - 2020-01-06 07:08:44
Attachments:
smime.p7s
Screenshot from 2020-01-06 08-00-33.png
|
Dear Krzysztof,
On Fri, 2020-01-03 at 12:11 +0100, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> Happy New Year!
>
> W dniu 02.01.2020 o 07:34, Sander Apweiler pisze:
> > Dear Krzysztof,
> > first of all I wish you a happy new year and all the best for 2020.
> >
> > Upgrading to privileged inspector would be ok, but I don't have
> > this
> > role anymore. The drop down list does not contain it. It is still
> > listed in the explanation of the roles, but not available.
> >
> Uh! That's very strange. I have no guess around what happened. Couple
> of
> ideas to get us started:
>
> 1. What drop down has no priv inspector? AdminUI -> Contents
> Management
> -> setting an attribute? Or elsewhere?
Yes in AdminUI -> Contents Management -> setting an attribute. See
screenshot.
>
> 2. Can you try to play with this a bit? E.g. can you set this
> attribute
> for new (even test) user?
Same behaviour.
>
> 3. Can you create a DB JSON dump and inspect what is in
> sys:Authorizationrole attribute type? Having this may help.
It seems that it is lost in the database:
{
"flags" : 1,
"maxElements" : 10,
"minElements" : 1,
"selfModificable" : false,
"uniqueValues" : true,
"syntaxState" : {
"allowed" : [ "Anonymous User", "Inspector", "Regular User", "Contents Manager", "System Manager" ]
},
"displayedName" : {
"DefaultValue" : "sys:AuthorizationRole",
"Map" : {
"pl" : "Rola autoryzacyjna",
"en" : "Authorization role"
}
},
"i18nDescription" : {
"DefaultValue" : null,
"Map" : {
"pl" : "Definiuje jakie operacje są dozwolone dla posiadacza. Wpływa na dostęp do grupy w której atrybut jest przydzielony oraz wszystkich podgrupach, gdzie może być nadpisany. Dostępne role:\n<b>System Manager</b> - Syst em manager with all privileges.\n<b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.\n<b>Privileged Insp ector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible\n<b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications a re possible\n<b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing passwords and self managed attributes\n<b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves\n",
"en" : "Defines what operations are allowed for the bearer. The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles: \n <b>System Manager</b> - System manager with all privileges.\n<b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.\n<b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible\n<b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible\n<b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing passwords and self managed attributes\n<b> Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves\n"
}
},
"metadata" : { },
"name" : "sys:AuthorizationRole",
"syntaxId" : "enumeration"
},
>
> 4. Can you set this attribute over REST API?
I did not test it because it was not in the database.
Because on other instances we have this role, do you know a database
query to create it?
Cheers,
Sander
>
> Cheers,
> KB
>
--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
|
From: Krzysztof B. <kb...@un...> - 2020-01-06 08:45:00
|
Dear Sander,
W dniu 06.01.2020 o 08:08, Sander Apweiler pisze:
> Dear Krzysztof,
>
> It seems that it is lost in the database:
Yeah, certainly. Any ideas whether this role was dropped during some of
migrations, or maybe was missing from the very beginning?
I.e. have you ever used this missing role on the system in question? Or
you rather suspect that this is result of recent migration (if yes
knowing start version would help)?
> Because on other instances we have this role, do you know a database
> query to create it?
Yes, however this is pretty low level.
You need to do this either on DB (SQL UPDATE) or export the JSON dump,
fix it there, and import.
In any case the missing role needs to be added to the JSON describing
the attribute type.
So in case of DB:
1. take backup :-)
2. in table ATTRIBUTE_TYPES identify PKEY (ID column) of record with
NAME = 'sys:AuthorizationRole' and the current, malformed CONTENTS
column value of the record.
3. update record CONTENTS column with the ID from the above point so it
has the same contents as originally, but additionally the allowed part
in syntaxState is as follows:
"syntaxState":{"allowed":["Privileged Inspector","Anonymous
User","Inspector","System Manager","Contents Manager","Regular User"]}
(the rest should be intact - i.e. you will need to add this "Privileged
Inspector", string)
HTH
KB
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X