Details
- Type: extRequest
- Status: Closed
- Resolution: Done
- Fix Version/s: 2021
- Component/s: FIWARE-TECH-HELP
- Labels: None
- Sender Email:
- HD-Chapter: Security
- HD-Enabler: AuthZForce
Description
Hi FIWARE Tech Crew,
We have an issue with one of the enablers and we are trying to get support.
It's related to the access control generic enabler.
Below is the issue:
We have a problem with PAP PolicySet update: when I make a request to update
the PolicySet I got response OK and the new PolicySet works fine, but when I try
to get the PolicySet I got the old PolicySet data.
To check what the problem is, I tried to tail the PolicySet XML file and got the file
reverted to the old version, after a regular file update.
This is the dump from tail:
tail -f policySet.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
<Target />
<Policy
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
PolicyId="permit-all" Version="1.0">
<Target />
<Rule Effect="Permit" RuleId="permit-all" />
</Policy>
</PolicySet>
tail: policySet.xml: file truncated
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="root:policy" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
RBAC Policy
</Description><Target/><PolicySet PolicySetId="RPS:Employee_Role"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
Employee Role PolicySet
</Description><Target><AnyOf><AllOf><Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue><AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Employee_Role</PolicySetIdReference></PolicySet><PolicySet
PolicySetId="RPS:Manager_Role" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
Manager Role PolicySet
</Description><Target><AnyOf><AllOf><Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue><AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Manager_Role</PolicySetIdReference></PolicySet><Policy
PolicyId="default_deny" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Description>
Default Deny policy
</Description><Target/><Rule RuleId="deny_all"
Effect="Deny"/></Policy></PolicySet>
tail: policySet.xml: file truncated
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
<Target />
<Policy
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
PolicyId="permit-all" Version="1.0">
<Target />
<Rule Effect="Permit" RuleId="permit-all" />
</Policy>
</PolicySet>
The red coloured part is the value before I make the update, the blue coloured part is
after the update is executed, and the green coloured part is the problem part.
Do you have any idea why the policy file is reverted to the original value
automatically?
We believe that in SecurityDomain.Java, the method setPolicySet has a problem
with its finally block:
public void setPolicySet(PolicySet policySet) throws IOException, JAXBException
{
    // before changing policy, backup current policy
    FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);
    final Marshaller marshaller;
    try
    {
        marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller();
        marshaller.setSchema(authzApiSchema);
        marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING);
        marshaller.marshal(policySet, policySetFile);
    } catch (JAXBException e)
    {
        // Replace back with backup in case the file is corrupted due to this exception
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
        throw new JAXBException("Error marshalling new domain policy to file: "
            + this.policySetFile.getAbsolutePath(), e);
    }
    // try updating PDP with new policy
    try
    {
        // TODO: optimization: load policy directly from PolicySet arg (requires changing
        // Sunxacml StaticPolicyFinderModule code)
        updatePDP(true, null);
    } finally
    {
        // Block emphasised in the original e-mail. A finally block runs whether or not
        // updatePDP throws, so this copy also executes after a successful update.
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
    }
}
The issue is that they put the backup file back although everything was OK. My
assumption is that there should be a catch instead of finally??
We reported the issue 10 days ago and recently we got a response from Mr. Cyril
that we need to write to this email?! Also, Mr. Cyril asked for an XML file
dump (not sure why); we put it below.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:ns2="http://thalesgroup.com/authzforce/pdp/model/2014/12"
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Target/><Policy
PolicyId="permit-all" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Target/><Rule
RuleId="deny-all" Effect="Deny"/></Policy></PolicySet>
Hopefully we will get support asap,
Best Regards,
Dino
---------- Forwarded message ----------
From: DANGERVILLE Cyril <cyril.dangerville@thalesgroup.com>
Date: Wed, Mar 18, 2015 at 3:24 PM
Subject: RE: FIWARE Authorization PDP Issue - PolicySet.xml revert to old
version after update
To: "dino@eloptico.com" <dino@eloptico.com>
Hello Dino,
Sorry for the delay. For such Authzforce technical issues, *could you
please re-submit your request to the following tech support mailing list?*
fiware-tech-help@lists.fi-ware.org
Please also attach the full policyset.xml you used to produce the bug, so
that I can easily reproduce it. Thank you.
Regards,
Cyril
–
Cyril DANGERVILLE, Thales Services
FIWARE Phase II
WP1.7 Security (WPA)
Authorization PDP (ex-Access Control) GE Owner
From: notifications@typeform.com
Sent: Monday, March 9, 2015 11:57
To: cyril.dangerville@thalesgroup.com
Subject: Typeform: New request to FIWARE.AzPDP.Contact
Your typeform FIWARE.AzPDP.Contact has a new entry. Here are the results:
- *Please describe the use case for which you intend to use the FIWARE
Authorization PDP.*
We use Authorization PDP to manage policies (which we later use in
Access Control)
- *What type of service do you want to control access to? (Protocol,
API... e.g. HTTP/REST)*
HTTP REST
- You can now formulate your request, at last
We have a problem with PAP PolicySet update: when I make a request to
update the PolicySet I got response OK and the new PolicySet works fine, but when I
try to get the PolicySet I got the old PolicySet back.
To check what the problem is, I tried to tail the PolicySet XML file directly
in the file system and got the file reverted to the old version, after a regular file
update.
This is the dump from tail:
tail -f policySet.xml
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
- after update happens (we call REST service):
tail: policySet.xml: file truncated
RBAC Policy
Employee Role PolicySet
EmployeePPS:Employee_Role
Manager Role PolicySet
ManagerPPS:Manager_Role
Default Deny policy
##after update is done we see that somehow file is back to the original
version:
tail: policySet.xml: file truncated
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
.
*To complete, please give me some contact information so that we can get
back to you.*
- Your full name (last name last):
Dino Osmanovic
- Your email address:
dino@eloptico.com
- Name of your organization (company, institution, etc.):
eLoptico ApS
- Your job function (especially in relation to FIWARE):
CTO
Have a nice day
Team Typeform
–
–
Kind regards,
Dino Osmanovic
eLoptico.com | tech co-founder
Mobile: +387 61 216 927
Web: www.eloptico.com
E-mail: dino@eloptico.com
_______________________________________________
Fiware-tech-help mailing list
Fiware-tech-help@lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-tech-help
[Created via e-mail received from: Dino Osmanovic <dino@eloptico.com>]
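The restore-on-every-path behaviour described in the report, next to a restore-on-failure variant, as an added example that is not AuthZForce code or part of the original e-mail. PolicyStore, reloadPdp, the file names and the sample XML strings are hypothetical and constructed for illustration; Java 11 or later is assumed.

```java
import java.io.IOException;
import java.nio.file.*;

// Added illustration: all names here are hypothetical, not taken from AuthZForce.
public class PolicyStore {
    private final Path policy, backup;

    PolicyStore(Path dir) {
        policy = dir.resolve("policySet.xml");
        backup = dir.resolve("policySet.xml.bak");
    }

    // Stand-in for updatePDP(): fails when the file on disk is not a PolicySet.
    private void reloadPdp() throws IOException {
        if (!Files.readString(policy).contains("<PolicySet"))
            throw new IOException("PDP rejected policy");
    }

    // Pattern from the report: finally restores the backup on every path, success included.
    void setPolicyFinally(String xml) throws IOException {
        Files.copy(policy, backup, StandardCopyOption.REPLACE_EXISTING);
        Files.writeString(policy, xml);
        try {
            reloadPdp();
        } finally {
            Files.copy(backup, policy, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    // Restore only when the reload fails, then rethrow so the caller sees the error.
    void setPolicyCatch(String xml) throws IOException {
        Files.copy(policy, backup, StandardCopyOption.REPLACE_EXISTING);
        Files.writeString(policy, xml);
        try {
            reloadPdp();
        } catch (IOException | RuntimeException e) {
            Files.copy(backup, policy, StandardCopyOption.REPLACE_EXISTING);
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        PolicyStore store = new PolicyStore(Files.createTempDirectory("pap-demo"));
        String newXml = "<PolicySet PolicySetId=\"root:policy\"/>";            // constructed sample
        Files.writeString(store.policy, "<PolicySet PolicySetId=\"default\"/>"); // constructed sample
        store.setPolicyFinally(newXml);
        System.out.println("finally, success: " + Files.readString(store.policy));
        store.setPolicyCatch(newXml);
        System.out.println("catch, success:   " + Files.readString(store.policy));
        try { store.setPolicyCatch("not xml"); } catch (IOException expected) { }
        System.out.println("catch, failure:   " + Files.readString(store.policy));
    }
}
```

For an access-control store, the practical check is that the policy returned by the PAP and the file on disk match the policy the PDP is enforcing after every successful update.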
Issue Links
- duplicates HELP-2402 FIWARE.Request.Tech.Security.AuthorizationPDP.UnexpectedRevertAfterPolicySetUpdate (Closed)
Activity
Duplicates already closed issue.