Serge Huber created UNOMI-962:
---------------------------------
Summary: V2 compatibility mode: karaf admin on private endpoints
fails AGGREGATE checks (GET /cxs/privacy/info)
Key: UNOMI-962
URL: https://issues.apache.org/jira/browse/UNOMI-962
Project: Apache Unomi
Issue Type: Sub-task
Components: unomi(-core)
Affects Versions: unomi-3.1.0
Reporter: Serge Huber
Assignee: Serge Huber
Fix For: unomi-3.1.0
h3. Problem
When {{v2.compatibilitymode.enabled=true}}, private REST endpoints
authenticated with Karaf basic auth ({{karaf:karaf}}) fail with HTTP 500 and:
{code}
SecurityException - Access denied: Missing permission for operation AGGREGATE
for tenant <defaultTenantId> and roles []
{code}
Observed on {{GET /cxs/privacy/info}} while running the {{3.1-es-v2compat}}
Docker test stack
({{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYMODEENABLED=true}},
{{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYDEFAULTTENANTID=test_tenant}}).
This blocks V2-style admin clients and health checks that call
{{/cxs/privacy/info}} during migration to 3.1.0.
h3. Root cause
# {{PrivacyServiceImpl.getServerInfo()}} calls
{{persistenceService.aggregateWithOptimizedQuery(...)}}, which requires the
*AGGREGATE* permission on the active tenant execution context.
# In normal V3 mode, Karaf-only admin requests (no {{X-Unomi-Tenant-Id}}) use
{{ExecutionContext.systemContext()}}, which bypasses tenant permission checks
({{AuthenticationFilter}} ~line 240).
# In V2 compatibility mode, {{handleV2CompatibilityMode()}} merges the JAAS
subject with a {{TenantPrincipal}} for {{v2CompatibilityDefaultTenantId}} and
calls {{executionContextManager.createContext(defaultTenantId)}} (~lines
315–320 in {{AuthenticationFilter.java}}).
# That tenant-scoped context is built with *no Unomi roles* ({{roles []}} in
the error). Karaf JAAS principals are not mapped to {{ROLE_UNOMI_TENANT_USER}}
/ {{ROLE_UNOMI_TENANT_ADMIN}} the way tenant API-key auth is via
{{KarafSecurityService.createSubject()}}.
# Result: authenticated Karaf admin cannot perform persistence operations that
require AGGREGATE (and likely other permissions on aggregate-heavy code paths).
h3. Expected behaviour (V2 compat contract)
Per v2-compatibility-mode.adoc and UNOMI-904 acceptance criteria:
* *Private endpoints* should work with *system administrator* Karaf
credentials, same as Unomi 2.x.
* {{GET /cxs/privacy/info}} must return 200 with {{serverVersion}} (used by
Docker health checks, version detection, and operators).
h3. Suggested fix
In {{AuthenticationFilter.handleV2CompatibilityMode()}}, after successful JAAS
auth on private endpoints, either:
* Option A (preferred for parity with V3 Karaf admin): use
{{ExecutionContext.systemContext()}} for data operations (like non-compat V3
path when no tenant header), *or*
* Option B: augment the merged subject with Unomi admin roles
({{ROLE_UNOMI_ADMIN}} / {{ROLE_UNOMI_TENANT_ADMIN}} +
{{ROLE_UNOMI_TENANT_USER}}) before {{createContext()}}, so
{{getPermissionsForRoles()}} grants AGGREGATE.
h3. Reproduction
{code:bash}
cd server/unomi-rest-api-tests/docker
./build-unomi.sh
./run-tests.sh 3.1-es-v2compat
# Or manually:
curl -fsS -u karaf:karaf http://localhost:8181/cxs/privacy/info
{code}
Server log:
{code}
Internal server error on GET /cxs/privacy/info - Root cause: SecurityException -
Access denied: Missing permission for operation AGGREGATE for tenant
test_tenant and roles []
{code}
h3. Test gaps
* {{V2CompatibilityModeIT}} tests {{GET /cxs/profiles/{id}}} with Karaf in V2
mode but does *not* cover {{GET /cxs/privacy/info}}.
* {{unomi-rest-api-tests}} {{3.1-es-v2compat}} stack relies on
{{/cxs/privacy/info}} for health check and version detection.
h3. Acceptance criteria
* With V2 compat enabled, {{GET /cxs/privacy/info}} with {{karaf:karaf}}
returns HTTP 200 and includes {{serverVersion}}.
* Karaf-authenticated private endpoints retain full admin capability for
persistence operations requiring AGGREGATE/QUERY (not only simple GET-by-id).
* Add integration test in {{V2CompatibilityModeIT}} (or REST API test) for
{{GET /cxs/privacy/info}} under V2 compatibility mode.
* {{3.1-es-v2compat}} Docker stack health check passes without AGGREGATE errors
in logs.
h3. References
* Parent epic: UNOMI-875
* Original feature: UNOMI-904 (V2 API Compatibility mode)
* Code:
rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
(handleV2CompatibilityMode)
* Code: extensions/privacy-extension/services/.../PrivacyServiceImpl.java
(getServerInfo → aggregate)
* Test stack:
server/unomi-rest-api-tests/docker/docker-compose.unomi-3.1-es-v2compat.yml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)