HELP-2402

FIWARE.Request.Tech.Security.AuthorizationPDP.UnexpectedRevertAfterPolicySetUpdate

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Hi Cyril,

      Looking forward to getting the fixed version. We don't have problems with Tomcat; I
      believe that it is even the better option. Just hope that the installation / new
      version will work fine with Tomcat and that there will be no more major
      bugs.

      Thanks for contacting us,

      Best,
      Dink

      On Mar 24, 2015 12:50 PM, "DANGERVILLE Cyril" <cyril.dangerville@thalesgroup.com> wrote:

      > Hello Dino,
      >
      > This issue should be fixed in the next release. I can send you a new
      > version by the end of the week. We are now switching to .deb packaging to
      > automate the install as much as possible (for Ubuntu/Debian). However, this
      > new .deb package will address Tomcat 7 only (instead of Glassfish). There
      > has been strong demand for Tomcat as the target server, and for simplifying the
      > installation.
      >
      > Would you have any issue switching to Tomcat 7?
      >
      > We will continue to provide instructions for Glassfish if there is still
      > demand for it (especially for production environments), but it will still
      > require manual steps as it is now, and not be automated like for Tomcat
      > with the .deb package.
      >
      > Regards,
      >
      > Cyril
      >
      > On 19/03/2015 at 15:22, Dino Osmanovic wrote:
      >
      > Hi FIWARE Tech Crew,
      >
      > We have an issue with one of the enablers and we are trying to get support.
      > It's related to the Access Control generic enabler.
      >
      > Below is the issue:
      >
      > We have a problem with the PAP PolicySet update: when I make a request to update
      > the PolicySet I get response OK and the new PolicySet works fine, but when I try
      > to get the PolicySet I get the old PolicySet data.
      >
      > To check what the problem is, I tried to tail the PolicySet XML file and saw the
      > file reverted to the old version after the regular file update.
      >
      > This is the dump from tail:
      >
      > tail -f policySet.xml
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      >     PolicySetId="default" Version="1.0"
      >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >   <Target />
      >   <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
      >       PolicyId="permit-all" Version="1.0">
      >     <Target />
      >     <Rule Effect="Permit" RuleId="permit-all" />
      >   </Policy>
      > </PolicySet>
      >
      > tail: policySet.xml: file truncated
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      >     PolicySetId="root:policy" Version="1.0"
      >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >   <Description>RBAC Policy</Description>
      >   <Target/>
      >   <PolicySet PolicySetId="RPS:Employee_Role" Version="1.0"
      >       PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >     <Description>Employee Role PolicySet</Description>
      >     <Target>
      >       <AnyOf>
      >         <AllOf>
      >           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
      >             <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      >                 AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
      >                 DataType="http://www.w3.org/2001/XMLSchema#string"
      >                 MustBePresent="true"/>
      >           </Match>
      >         </AllOf>
      >       </AnyOf>
      >     </Target>
      >     <PolicySetIdReference>PPS:Employee_Role</PolicySetIdReference>
      >   </PolicySet>
      >   <PolicySet PolicySetId="RPS:Manager_Role" Version="1.0"
      >       PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >     <Description>Manager Role PolicySet</Description>
      >     <Target>
      >       <AnyOf>
      >         <AllOf>
      >           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
      >             <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      >                 AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
      >                 DataType="http://www.w3.org/2001/XMLSchema#string"
      >                 MustBePresent="true"/>
      >           </Match>
      >         </AllOf>
      >       </AnyOf>
      >     </Target>
      >     <PolicySetIdReference>PPS:Manager_Role</PolicySetIdReference>
      >   </PolicySet>
      >   <Policy PolicyId="default_deny" Version="1.0"
      >       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides">
      >     <Description>Default Deny policy</Description>
      >     <Target/>
      >     <Rule RuleId="deny_all" Effect="Deny"/>
      >   </Policy>
      > </PolicySet>
      >
      > tail: policySet.xml: file truncated
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      >     PolicySetId="default" Version="1.0"
      >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >   <Target />
      >   <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
      >       PolicyId="permit-all" Version="1.0">
      >     <Target />
      >     <Rule Effect="Permit" RuleId="permit-all" />
      >   </Policy>
      > </PolicySet>
      >
      >
      > The red coloured part (the first dump) is the value before I make the update, the blue
      > coloured part (the second dump) is after the update is executed, and the green coloured
      > part (the third dump) is the problem part.
      >
      > Do you have any idea why the policy file is reverted to the original value
      > automatically?
      >
      > We believe that in SecurityDomain.java, the method setPolicySet has a
      > problem with the finally block:
      >
      > public void setPolicySet(PolicySet policySet) throws IOException, JAXBException
      > {
      >     // before changing policy, backup current policy
      >     FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);
      >
      >     final Marshaller marshaller;
      >     try
      >     {
      >         marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller();
      >         marshaller.setSchema(authzApiSchema);
      >         marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING);
      >         marshaller.marshal(policySet, policySetFile);
      >     }
      >     catch (JAXBException e)
      >     {
      >         // Replace back with backup in case the file is corrupted due to this exception
      >         FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
      >         throw new JAXBException("Error marshalling new domain policy to file: "
      >                 + this.policySetFile.getAbsolutePath(), e);
      >     }
      >
      >     // try updating PDP with new policy
      >     try
      >     {
      >         // TODO: optimization: load policy directly from PolicySet arg (requires changing
      >         // Sunxacml StaticPolicyFinderModule code)
      >         updatePDP(true, null);
      >     }
      >     finally
      >     {
      >         // finally runs whether or not updatePDP succeeded, so the backup overwrites the new file every time
      >         FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
      >     }
      > }
      >
      >
      > The issue is that they put the backup file back although everything was OK. My
      > assumption is that there should be a catch instead of a finally?
      >
      > We reported the issue 10 days ago and recently we got a response from Mr Cyril
      > that we need to write to this email?! Also Mr Cyril asked for the XML file
      > dump (not sure why); we put it below.
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      >     xmlns:ns2="http://thalesgroup.com/authzforce/pdp/model/2014/12"
      >     PolicySetId="default" Version="1.0"
      >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >   <Target/>
      >   <Policy PolicyId="permit-all" Version="1.0"
      >       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides">
      >     <Target/>
      >     <Rule RuleId="deny-all" Effect="Deny"/>
      >   </Policy>
      > </PolicySet>
      >
      > Hopefully we will get support ASAP.
      >
      > Best Regards,
      >
      > Dino
      >
      > ---------- Forwarded message ----------
      > From: DANGERVILLE Cyril <cyril.dangerville@thalesgroup.com>
      > Date: Wed, Mar 18, 2015 at 3:24 PM
      > Subject: RE: FIWARE Authorization PDP Issue - PolicySet.xml revert to old
      > version after update
      > To: "dino@eloptico.com" <dino@eloptico.com>
      >
      > Hello Dino,
      >
      > Sorry for the delay. For such Authzforce technical issues, could you
      > please re-submit your request to the following tech support mailing list?
      >
      > fiware-tech-help@lists.fi-ware.org
      >
      > Please also attach the full policyset.xml you used to produce the bug,
      > so that I can easily reproduce it. Thank you.
      >
      > Regards,
      >
      > Cyril
      >
      > --
      > Cyril DANGERVILLE, Thales Services
      > FIWARE Phase II
      > WP1.7 Security (WPA)
      > Authorization PDP (ex-Access Control) GE Owner
      >
      > From: notifications@typeform.com
      > Sent: Monday, 9 March 2015 11:57
      > To: cyril.dangerville@thalesgroup.com
      > Subject: Typeform: New request to FIWARE.AzPDP.Contact
      >
      > Your typeform FIWARE.AzPDP.Contact has a new entry. Here are the
      > results:
      >
      > - Please describe the use case for which you intend to use the FIWARE
      > Authorization PDP.
      > We use the Authorization PDP to manage policies (which we later use in
      > Access Control)
      >
      > - What type of service do you want to control access to? (Protocol,
      > API... e.g. HTTP/REST)
      > HTTP REST
      >
      > - You can now formulate your request, at last
      > We have a problem with the PAP PolicySet update: when I make a request to
      > update the PolicySet I get response OK and the new PolicySet works fine, but when I
      > try to get the PolicySet I get the old PolicySet back.
      >
      > To check what the problem is, I tried to tail the PolicySet XML file
      > directly in the file system and saw the file reverted to the old version after
      > the regular file update.
      > This is the dump from tail:
      >
      > tail -f policySet.xml
      >
      > PolicySetId="default" Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      > ## after update happens (we call rest service):
      >
      > tail: policySet.xml: file truncated
      >
      > RBAC Policy
      > Employee Role PolicySet
      > EmployeePPS:Employee_Role
      > Manager Role PolicySet
      > ManagerPPS:Manager_Role
      > Default Deny policy
      >
      > ## after update is done we see that somehow file is back to the
      > original version:
      >
      > tail: policySet.xml: file truncated
      >
      > PolicySetId="default" Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      > To complete, please give me some contact information so that we can get
      > back to you.
      >
      > - Your full name (last name last):
      > Dino Osmanovic
      >
      > - Your email address:
      > dino@eloptico.com
      >
      > - Name of your organization (company, institution, etc.):
      > eLoptico ApS
      >
      > - Your job function (especially in relation to FIWARE):
      > CTO
      >
      > Have a nice day
      > Team Typeform
      >
      > --
      > Kind regards,
      >
      > Dino Osmanovic
      > eLoptico.com | tech co-founder
      >
      > Mobile: +387 61 216 927
      >
      > Web: www.eloptico.com
      > E-mail: dino@eloptico.com
      >
      > _______________________________________________
      >
      > Fiware-tech-help mailing list
      >
      > Fiware-tech-help@lists.fi-ware.org
      >
      > https://lists.fi-ware.org/listinfo/fiware-tech-help
      >
      >
      >
      > --
      >
      > Please update your address book with my new e-mail address: miguel.carrillopacheco@telefonica.com
      >
      > ----------------------------------------------------------------------
      > Miguel Carrillo Pacheco
      > Telefónica Investigación y Desarrollo
      > Distrito Telefónica, Edificio Oeste 1, Planta 6
      > Ronda de la Comunicación S/N
      > 28050 Madrid (Spain)
      > Tel: (+34) 91 483 26 77
      > e-mail: miguel.carrillopacheco@telefonica.com
      >
      > Follow FIWARE on the net
      > Website: http://www.fiware.org
      > Facebook: https://www.facebook.com/eu.fiware
      > Twitter: http://twitter.com/Fiware
      > LinkedIn: https://www.linkedin.com/groups/FIWARE-4239932
      > ----------------------------------------------------------------------
      >
      > ------------------------------
      >
      >
      > The information contained in this transmission is privileged and
      > confidential information intended only for the use of the individual or
      > entity named above. If the reader of this message is not the intended
      > recipient, you are hereby notified that any dissemination, distribution or
      > copying of this communication is strictly prohibited. If you have received
      > this transmission in error, do not read it. Please immediately reply to the
      > sender that you have received this communication in error and then delete
      > it.
      >


      [Created via e-mail received from: Dino Osmanovic <dino@eloptico.com>]
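The finally-block revert that Dino describes in the message above, as an added example that is not AuthzForce's code: a minimal Python re-creation of the two update strategies, with a stand-in `load_pdp` callback in place of the real PDP reload. The buggy variant copies the backup back unconditionally, so the file on disk ends up with the old content (in the tail dumps above, the permit-all PolicySet) even though the PDP was just loaded with the new one; that is the divergence the tail output shows. The fixed variant restores the backup only when the write or the reload fails, and writes through a temporary file renamed over the target so a reader never sees a half-written policy. File names, the callback and the two trimmed policies are constructed for the example.

```python
"""Added example, not AuthzForce code: restore a policy-file backup only on failure.

The file names, the load_pdp callback and the two trimmed policies are constructed here.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable

# Constructed stand-ins for the two documents seen in the tail output (trimmed).
OLD_POLICY = '<PolicySet PolicySetId="default" Version="1.0"><Rule RuleId="permit-all" Effect="Permit"/></PolicySet>'
NEW_POLICY = '<PolicySet PolicySetId="root:policy" Version="1.0"><Rule RuleId="deny_all" Effect="Deny"/></PolicySet>'

Loader = Callable[[Path], None]   # raises if the PDP rejects the file


def set_policy_set_buggy(policy_file: Path, backup_file: Path, new_xml: str, load_pdp: Loader) -> None:
    """Same control flow as the setPolicySet method quoted in the ticket: the backup is
    copied back in a finally block, so the new file is overwritten even on success."""
    shutil.copyfile(policy_file, backup_file)          # backup current policy
    policy_file.write_text(new_xml, encoding="utf-8")  # marshal new policy to file
    try:
        load_pdp(policy_file)                          # updatePDP(...)
    finally:
        shutil.copyfile(backup_file, policy_file)      # runs on success too: the revert


def set_policy_set_fixed(policy_file: Path, backup_file: Path, new_xml: str, load_pdp: Loader) -> None:
    """Restore the backup only if writing or reloading fails; keep the new file otherwise."""
    shutil.copyfile(policy_file, backup_file)
    try:
        # Write to a temp file in the same directory and rename over the target, so a
        # concurrent reader never sees a half-written policy.
        fd, tmp = tempfile.mkstemp(dir=str(policy_file.parent), suffix=".tmp")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
        os.replace(tmp, policy_file)
        load_pdp(policy_file)
    except Exception:
        shutil.copyfile(backup_file, policy_file)      # roll back, then surface the error
        raise


def run_scenario(impl, reload_ok: bool) -> str:
    """Run one implementation in a scratch directory; return what is on disk afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        policy_file = Path(workdir) / "policySet.xml"
        backup_file = Path(workdir) / "policySet.xml.bak"
        policy_file.write_text(OLD_POLICY, encoding="utf-8")

        def load_pdp(path: Path) -> None:
            # Stand-in for the PDP reload: accept the file or reject it.
            if not reload_ok:
                raise ValueError(f"PDP rejected {path}")

        try:
            impl(policy_file, backup_file, NEW_POLICY, load_pdp)
        except ValueError:
            pass
        return policy_file.read_text(encoding="utf-8")


if __name__ == "__main__":
    for impl in (set_policy_set_buggy, set_policy_set_fixed):
        for ok in (True, False):
            on_disk = run_scenario(impl, ok)
            print(f"{impl.__name__:22s} reload_ok={ok!s:5s} -> on disk: "
                  f"{'NEW' if on_disk == NEW_POLICY else 'OLD'} policy")
```

Running it shows the four outcomes side by side: the buggy version leaves the old policy on disk in both cases, the fixed version keeps the new policy after a successful reload and restores the old one only after a failed reload.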

        Issue Links

          Activity

          cdangerville Cyril Dangerville added a comment -

          Response provided directly to the requester, for the record:
          Hello Dino,
          I have released the new version 4.2.0:
          http://catalogue.fiware.org/enablers/authorization-pdp-authzforce/downloads

          Please follow the new installation guide for 4.2.0 linked in the Documentation part:
          http://catalogue.fiware.org/enablers/authorization-pdp-authzforce/documentation

          The API and User guide remains mostly the same.

          I also noticed, when trying your PolicySet from your mail down below, that the “PPS:Employee_Role” (used in <PolicySetIdReference>) was not defined anywhere, which should get your PolicySet refused. So please make sure that BEFORE you put the root PolicySet to URL …/domains/{domainId}/pap/policySet with such a PolicySetIdReference, you first put the “PPS:Employee_Role” PolicySet to URL …/domains/{domainId}/pap/refPolicySets:

          For example:

          <?xml version="1.0" encoding="UTF-8"?>
          <az:policySets xmlns:az="http://thalesgroup.com/authz/model/3.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
          <PolicySet PolicySetId="PPS:Employee_Role" Version="1.0"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
          …………
          </PolicySet>
          </az:policySets>

          More info:
          https://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/Authorization_PDP_-_AuthZForce_-_User_and_Programmers_Guide_%28R4.2.0%29#Re-usable_Policies_.28e.g._for_Hierarchical_RBAC.29
          NB: in the example of the doc, the policyset is called “PPS:Employee” instead of “PPS:Employee_Role”, but you can use any name as long as it is the same in the PolicySetIdReference.

          Regards,
          Cyril

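A pre-flight check for the undefined PolicySetIdReference that Cyril's comment points out, as an added example that is not part of the ticket or of AuthzForce: it parses the root PolicySet and the refPolicySets document with Python's standard XML parser, collects every PolicySetIdReference, and lists the ones that no PolicySet under az:policySets defines, so the two uploads can be done in the right order. The sample documents are constructed to mirror the thread (RPS:* role policy sets referencing PPS:* permission policy sets, with the Manager permissions also referencing the Employee ones, as in the hierarchical RBAC pattern the linked guide covers); the function names are the example's own, and the namespaces are the two used in the comment above.

```python
"""Added example, not AuthzForce code: find PolicySetIdReference targets that the
refPolicySets document does not define. Function names and sample documents are
constructed for this example; the namespaces are the ones used in the ticket."""
from typing import List, Set
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
AZ = "http://thalesgroup.com/authz/model/3.0"


def defined_policy_set_ids(xml_text: str) -> Set[str]:
    """PolicySetId of every PolicySet element in the document, nested ones included."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId") for ps in root.iter(f"{{{XACML}}}PolicySet") if ps.get("PolicySetId")}


def referenced_policy_set_ids(xml_text: str) -> Set[str]:
    """Target of every PolicySetIdReference in the document."""
    root = ET.fromstring(xml_text)
    return {(ref.text or "").strip() for ref in root.iter(f"{{{XACML}}}PolicySetIdReference")}


def unresolved_references(root_policy_set_xml: str, ref_policy_sets_xml: str) -> List[str]:
    """References, whether in the root PolicySet or inside refPolicySets itself, whose
    target is not defined in refPolicySets. An empty result means the root can be PUT."""
    defined = defined_policy_set_ids(ref_policy_sets_xml)
    referenced = referenced_policy_set_ids(root_policy_set_xml) | referenced_policy_set_ids(ref_policy_sets_xml)
    return sorted(referenced - defined)


# --- constructed sample documents, shaped like the ones in the thread ---------------

def role_policy_set(role: str, pps_id: str) -> str:
    """RPS:<role>_Role: matches subject role == <role>, then delegates to a PPS by reference."""
    return (
        f'<PolicySet PolicySetId="RPS:{role}_Role" Version="1.0" '
        'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">'
        '<Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
        f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{role}</AttributeValue>'
        '<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" '
        'AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" '
        'DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>'
        '</Match></AllOf></AnyOf></Target>'
        f'<PolicySetIdReference>{pps_id}</PolicySetIdReference></PolicySet>'
    )


def permission_policy_set(pps_id: str, inherits: str = "") -> str:
    """PPS:*: the permissions of a role; `inherits` references another PPS (hierarchical RBAC)."""
    ref = f"<PolicySetIdReference>{inherits}</PolicySetIdReference>" if inherits else ""
    return (
        f'<PolicySet PolicySetId="{pps_id}" Version="1.0" '
        'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">'
        f'<Target/><Policy PolicyId="{pps_id}:permissions" Version="1.0" '
        'RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">'
        '<Target/><Rule RuleId="permit" Effect="Permit"/></Policy>'
        f'{ref}</PolicySet>'
    )


ROOT_POLICY_SET = (
    f'<PolicySet xmlns="{XACML}" PolicySetId="root:policy" Version="1.0" '
    'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">'
    '<Description>RBAC Policy</Description><Target/>'
    + role_policy_set("Employee", "PPS:Employee_Role")
    + role_policy_set("Manager", "PPS:Manager_Role")
    + '<Policy PolicyId="default_deny" Version="1.0" '
    'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides">'
    '<Target/><Rule RuleId="deny_all" Effect="Deny"/></Policy></PolicySet>'
)

# Only the Manager permissions were uploaded, and they inherit the (missing) Employee ones.
REF_POLICY_SETS_INCOMPLETE = (
    f'<az:policySets xmlns:az="{AZ}" xmlns="{XACML}">'
    + permission_policy_set("PPS:Manager_Role", inherits="PPS:Employee_Role")
    + "</az:policySets>"
)

# Both permission policy sets uploaded: every reference resolves.
REF_POLICY_SETS_COMPLETE = (
    f'<az:policySets xmlns:az="{AZ}" xmlns="{XACML}">'
    + permission_policy_set("PPS:Employee_Role")
    + permission_policy_set("PPS:Manager_Role", inherits="PPS:Employee_Role")
    + "</az:policySets>"
)

if __name__ == "__main__":
    for label, refs in (("incomplete", REF_POLICY_SETS_INCOMPLETE), ("complete", REF_POLICY_SETS_COMPLETE)):
        print(f"refPolicySets {label}: unresolved = {unresolved_references(ROOT_POLICY_SET, refs)}")
```

Run the check against the document you are about to PUT to …/pap/policySet together with the current contents of …/pap/refPolicySets; any name it lists has to be uploaded to refPolicySets first, otherwise the root PolicySet is refused as described in the comment.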

            People

            • Assignee:
              cdangerville Cyril Dangerville
              Reporter:
              fw.ext.user FW External User
            • Votes:
              0
              Watchers:
              2

              Dates

              • Created:
                Updated:
                Resolved: