Uploaded image for project: 'Help-Desk'
  1. Help-Desk
  2. HELP-2402

FIWARE.Request.Tech.Security.AuthorizationPDP.UnexpectedRevertAfterPolicySetUpdate

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Hi Cyril,

      Looking forward to get fixed version - We dont have problems with tomcat, i
      believe that it is even better option - just hope that installation / new
      version will work fine with tomcat and that there will be no more major
      bugs.

      Thanks for contacting us,

      Best,
      Dink
      On Mar 24, 2015 12:50 PM, "DANGERVILLE Cyril" <
      cyril.dangerville@thalesgroup.com> wrote:

      > Hello Dino,
      >
      > This issue should be fixed in the next release. I can send you a new
      > version by the end of the week. We are now switching to .deb packaging to
      > automate the install as much as possible (for Ubuntu/Debian). However, this
      > new .deb package will address Tomcat 7 only (instead of Glassfish). There
      > have been strong demand for Tomcat as target server, and simplifying the
      > installation.
      >
      > *Would you have any issue switching to Tomcat 7? *
      >
      > We will continue to provide instructions for Glassfish if there is still a
      > demand for it (especially for production environments), but it will still
      > require manual steps as it is now; and not be automated like for Tomcat
      > with .deb package.
      >
      >
      >
      > Regards,
      >
      > Cyril
      >
      >
      >
      >
      >
      >
      >
      > El 19/03/2015 a las 15:22, Dino Osmanovic escribió:
      >
      > Hi FIWARE Tech Crew,
      >
      >
      >
      > We have issue with one of the enablers and we are trying to get support.
      > Its related to the access control generic enabler.
      >
      >
      >
      > Below is the issue:
      >
      >
      >
      > We have problem with PAP PolicySet update, when i make request for update
      > PolicySet i got response OK and new PolicySet works fine, but when i try
      > to get PolicySet i got old PolicySet data.
      >
      >
      >
      > To check what is problem i tried to tail on PolicySet xml file and got
      > file reverted to old version, after regular file update.
      >
      >
      >
      > This is dump from tail:
      >
      > tail -f policySet.xml
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      >
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      >
      > PolicySetId="default" Version="1.0"
      >
      >
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      > <Target />
      >
      > <Policy
      > RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
      > PolicyId="permit-all" Version="1.0">
      >
      > <Target />
      >
      > <Rule Effect="Permit" RuleId="permit-all" />
      >
      > </Policy>
      >
      > </PolicySet>
      >
      > tail: policySet.xml: file truncated
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
      > xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      > PolicySetId="root:policy" Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
      >
      > RBAC Policy
      >
      > </Description><Target/><PolicySet PolicySetId="RPS:Employee_Role"
      > Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
      >
      > Employee Role PolicySet
      >
      > </Description><Target><AnyOf><AllOf><Match
      > MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
      > DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue><AttributeDesignator
      > Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      > AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
      > http://www.w3.org/2001/XMLSchema#string"
      > MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Employee_Role</PolicySetIdReference></PolicySet><PolicySet
      > PolicySetId="RPS:Manager_Role" Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
      >
      > Manager Role PolicySet
      >
      > </Description><Target><AnyOf><AllOf><Match
      > MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
      > DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue><AttributeDesignator
      > Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      > AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
      > http://www.w3.org/2001/XMLSchema#string"
      > MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Manager_Role</PolicySetIdReference></PolicySet><Policy
      > PolicyId="default_deny" Version="1.0"
      > RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Description>
      >
      > Default Deny policy
      >
      > </Description><Target/><Rule RuleId="deny_all"
      > Effect="Deny"/></Policy></PolicySet>t
      >
      > ail: policySet.xml: file truncated
      >
      > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      >
      > <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      >
      > PolicySetId="default" Version="1.0"
      >
      >
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      > <Target />
      >
      > <Policy
      > RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
      > PolicyId="permit-all" Version="1.0">
      >
      > <Target />
      >
      > <Rule Effect="Permit" RuleId="permit-all" />
      >
      > </Policy>
      >
      > </PolicySet>
      >
      >
      >
      > Red coloured part is value before i make update, blue coloured part is
      > after update is executed, and this green coloured part is problem part.
      >
      >
      >
      > Do you have any idea why policy file is reverted to the original value
      > automatically?
      >
      >
      >
      >
      >
      > We believe that in SecurityDomain.Java, method setPolicySet has
      > problem with finally block:
      >
      >
      >
      > public void setPolicySet(PolicySet policySet) throws IOException,
      > JAXBException
      >
      > {
      >
      > // before changing policy, backup current policy
      >
      > FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);
      >
      > final Marshaller marshaller;
      >
      > try
      >
      >

      { > > marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller(); > > marshaller.setSchema(authzApiSchema); > > marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING); > > marshaller.marshal(policySet, policySetFile); > > }

      catch (JAXBException e)
      >
      >

      { > > // Replace back with backup in case the file is corrupted due to this > exception > > FileUtils.copyFile(this.policySetBackupFile, this.policySetFile); > > throw new JAXBException("Error marshalling new domain policy to file: " + > this.policySetFile.getAbsolutePath(), e); > > }

      >
      >
      >
      > // try updating PDP with new policy
      >
      > try
      >
      >

      { > > // TODO: optimization: load policy directly from PolicySet arg (requires > changing > > // Sunxacml StaticPolicyFinderModule code) > > updatePDP(true, null); > > }

      finally
      >
      > {
      >
      > FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
      >
      > }
      >
      > }
      >
      >
      >
      > Issue is because they put backup file back although everything was ok - My
      > assumption is that there should be catch instead of finally??
      >
      >
      >
      >
      >
      >
      >
      > We reported issue 10 days ago and recently we got response from Mr Cyril
      > that we need to write to this email?! Also mr. Cyril asked for XML file
      > dump (not sure why), we put it below.
      >
      >
      >
      >
      >
      >
      >
      >
      >
      > *<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
      > xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="**http://thalesgroup.com/authzforce/pdp/model/2014/12
      > <http://thalesgroup.com/authzforce/pdp/model/2014/12>**"
      > PolicySetId="default" Version="1.0"
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Target/><Policy
      > PolicyId="permit-all" Version="1.0"
      > RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Target/><Rule
      > RuleId="deny-all" Effect="Deny"/></Policy></PolicySet>*
      >
      >
      >
      >
      >
      >
      >
      > Hopefully we will get support asap,
      >
      >
      >
      > Best Regards,
      >
      > Dino
      >
      >
      >
      >
      >
      >
      >
      > ---------- Forwarded message ----------
      > From: DANGERVILLE Cyril <cyril.dangerville@thalesgroup.com>
      > Date: Wed, Mar 18, 2015 at 3:24 PM
      > Subject: RE: FIWARE Authorization PDP Issue - PolicySet.xml revert to old
      > version after update
      > To: "dino@eloptico.com" <dino@eloptico.com>
      >
      > Hello Dino,
      >
      > Sorry for the delay. For such Authzforce technical issues, *could you
      > please re-submit your request to the following tech support mailing list?*
      >
      > fiware-tech-help@lists.fi-ware.org <fiware-tech-help@lists.fi-ware.org>
      >
      >
      >
      > Please also attach the full policyset.xml you used to produce the bug,
      > so that I can easily reproduce it. Thank you.
      >
      >
      >
      > Regards,
      >
      > Cyril
      >
      >
      >
      > –
      >
      > Cyril DANGERVILLE, Thales Services
      >
      > FIWARE Phase II
      >
      > WP1.7 Security (WPA)
      >
      > Authorization PDP (ex-Access Control) GE Owner
      >
      >
      >
      >
      >
      >
      >
      > De : notifications@typeform.com notifications@typeform.com
      > Envoyé : lundi 9 mars 2015 11:57
      > À : cyril.dangerville@thalesgroup.com
      > Objet : Typeform: New request to FIWARE.AzPDP.Contact
      >
      >
      >
      > Your typeform FIWARE.AzPDP.Contact has a new entry. Here are the
      > results:
      >
      > - *Please describe the use case for which you intend to use the FIWARE
      > Authorization PDP.*
      > We use Authorization PDP to manage policies (which we later use in
      > Access COntrol)
      >
      >
      >
      > - *What type of service do you want to control access to? (Protocol,
      > API... e.g. HTTP/REST)*
      > HTTP REST
      >
      >
      >
      > - You can now formulate your request, at last
      > We have problem with PAP PolicySet update, when i make request for
      > update PolicySet i got response OK and new PolicySet works fine, but when i
      > try to get PolicySet i got old PolicySet back.
      >
      > To check what is problem i tried to tail on PolicySet xml file
      > directly in the file system and got file reverted to old version, after
      > regular file update.
      > This is dump from tail:
      >
      > tail -f policySet.xml
      >
      >
      > PolicySetId="default" Version="1.0"
      >
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      >
      >
      >
      >
      >
      >
      > ## after update happnes (we call rest service):
      >
      > tail: policySet.xml: file truncated
      >
      > RBAC Policy
      >
      > Employee Role PolicySet
      > EmployeePPS:Employee_Role
      > Manager Role PolicySet
      > ManagerPPS:Manager_Role
      > Default Deny policy
      >
      >
      > ##after update is done we see that somehow file is back to the
      > original version:
      >
      >
      > tail: policySet.xml: file truncated
      >
      >
      > PolicySetId="default" Version="1.0"
      >
      > PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
      >
      >
      >
      >
      >
      >
      >
      > .
      >
      >
      >
      > *To complete, please give me some contact information so that we can get
      > back to you.*
      >
      > - Your full name (last name last):
      > DIno Osmanovic
      >
      >
      >
      > - Your email address:
      > dino@eloptico.com
      >
      >
      >
      > - Name of your organization (company, institution, etc.):
      > eLoptico ApS
      >
      >
      >
      > - Your job function (especially in relation to FIWARE):
      > CTO
      >
      >
      >
      >
      >
      > Have a nice day
      > Team Typeform
      >
      >
      >
      >
      >
      > –
      >
      >
      > –
      > Kind regards,
      >
      > Dino Osmanovic
      > eLoptico.com | tech co-founder
      >
      > Mobile: +387 61 216 927
      >
      > Web: www.eloptico.com
      > E-mail: dino@eloptico.com
      >
      >
      >
      >
      > _______________________________________________
      >
      > Fiware-tech-help mailing list
      >
      > Fiware-tech-help@lists.fi-ware.org
      >
      > https://lists.fi-ware.org/listinfo/fiware-tech-help
      >
      >
      >
      > –
      >
      >
      >
      > Please update your address book with my new e-mail address: miguel.carrillopacheco@telefonica.com
      >
      >
      >
      > ----------------------------------------------------------------------
      >
      > / _// Miguel Carrillo Pacheco
      >
      > _/ _/ _/ _/ Telefónica Distrito Telefónica
      >
      > / _//_/ _/ _/ Investigación y Edifico Oeste 1, Planta 6
      >
      > _/ _/ _/ _/ Desarrollo Ronda de la Comunicación S/N
      >
      > / _// 28050 Madrid (Spain)
      >
      > Tel: (+34) 91 483 26 77
      >
      >
      >
      > e-mail: miguel.carrillopacheco@telefonica.com
      >
      >
      >
      > Follow FIWARE on the net
      >
      >
      >
      > Website: http://www.fiware.org
      >
      > Facebook: https://www.facebook.com/eu.fiware
      >
      > Twitter: http://twitter.com/Fiware
      >
      > LinkedIn: https://www.linkedin.com/groups/FIWARE-4239932
      >
      > ----------------------------------------------------------------------
      >
      >
      > ------------------------------
      >
      >
      > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
      > puede contener información privilegiada o confidencial y es para uso
      > exclusivo de la persona o entidad de destino. Si no es usted. el
      > destinatario indicado, queda notificado de que la lectura, utilización,
      > divulgación y/o copia sin autorización puede estar prohibida en virtud de
      > la legislación vigente. Si ha recibido este mensaje por error, le rogamos
      > que nos lo comunique inmediatamente por esta misma vía y proceda a su
      > destrucción.
      >
      > The information contained in this transmission is privileged and
      > confidential information intended only for the use of the individual or
      > entity named above. If the reader of this message is not the intended
      > recipient, you are hereby notified that any dissemination, distribution or
      > copying of this communication is strictly prohibited. If you have received
      > this transmission in error, do not read it. Please immediately reply to the
      > sender that you have received this communication in error and then delete
      > it.
      >
      > Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário,
      > pode conter informação privilegiada ou confidencial e é para uso exclusivo
      > da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário
      > indicado, fica notificado de que a leitura, utilização, divulgação e/ou
      > cópia sem autorização pode estar proibida em virtude da legislação vigente.
      > Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique
      > imediatamente por esta mesma via e proceda a sua destruição
      >

      _______________________________________________
      Fiware-tech-help mailing list
      Fiware-tech-help@lists.fi-ware.org
      https://lists.fi-ware.org/listinfo/fiware-tech-help

      [Created via e-mail received from: Dino Osmanovic <dino@eloptico.com>]

        Issue Links

          Activity

            People

            • Assignee:
              cdangerville Cyril Dangerville
              Reporter:
              fw.ext.user FW External User
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: