Serge Huber created UNOMI-962:
---------------------------------

             Summary: V2 compatibility mode: karaf admin on private endpoints 
fails AGGREGATE checks (GET /cxs/privacy/info)
                 Key: UNOMI-962
                 URL: https://issues.apache.org/jira/browse/UNOMI-962
             Project: Apache Unomi
          Issue Type: Sub-task
          Components: unomi(-core)
    Affects Versions: unomi-3.1.0
            Reporter: Serge Huber
            Assignee: Serge Huber
             Fix For: unomi-3.1.0


h3. Problem

When {{v2.compatibilitymode.enabled=true}}, private REST endpoints 
authenticated with Karaf basic auth ({{karaf:karaf}}) fail with HTTP 500 and:

{code}
SecurityException - Access denied: Missing permission for operation AGGREGATE 
for tenant <defaultTenantId> and roles []
{code}

Observed on {{GET /cxs/privacy/info}} while running the {{3.1-es-v2compat}} 
Docker test stack 
({{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYMODEENABLED=true}}, 
{{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYDEFAULTTENANTID=test_tenant}}).

This blocks V2-style admin clients and health checks that call 
{{/cxs/privacy/info}} during migration to 3.1.0.

h3. Root cause

# {{PrivacyServiceImpl.getServerInfo()}} calls 
{{persistenceService.aggregateWithOptimizedQuery(...)}}, which requires the 
*AGGREGATE* permission on the active tenant execution context.
# In normal V3 mode, Karaf-only admin requests (no {{X-Unomi-Tenant-Id}}) use 
{{ExecutionContext.systemContext()}}, which bypasses tenant permission checks 
({{AuthenticationFilter}} ~line 240).
# In V2 compatibility mode, {{handleV2CompatibilityMode()}} merges the JAAS 
subject with a {{TenantPrincipal}} for {{v2CompatibilityDefaultTenantId}} and 
calls {{executionContextManager.createContext(defaultTenantId)}} (~lines 
315–320 in {{AuthenticationFilter.java}}).
# That tenant-scoped context is built with *no Unomi roles* ({{roles []}} in 
the error). Karaf JAAS principals are not mapped to {{ROLE_UNOMI_TENANT_USER}} 
/ {{ROLE_UNOMI_TENANT_ADMIN}} the way tenant API-key auth is via 
{{KarafSecurityService.createSubject()}}.
# Result: authenticated Karaf admin cannot perform persistence operations that 
require AGGREGATE (and likely other permissions on aggregate-heavy code paths).

h3. Expected behaviour (V2 compat contract)

Per v2-compatibility-mode.adoc and UNOMI-904 acceptance criteria:

* *Private endpoints* should work with *system administrator* Karaf 
credentials, same as Unomi 2.x.
* {{GET /cxs/privacy/info}} must return 200 with {{serverVersion}} (used by 
Docker health checks, version detection, and operators).

h3. Suggested fix

In {{AuthenticationFilter.handleV2CompatibilityMode()}}, after successful JAAS 
auth on private endpoints, either:

* Option A (preferred for parity with V3 Karaf admin): use 
{{ExecutionContext.systemContext()}} for data operations (like non-compat V3 
path when no tenant header), *or*
* Option B: augment the merged subject with Unomi admin roles 
({{ROLE_UNOMI_ADMIN}} / {{ROLE_UNOMI_TENANT_ADMIN}} + 
{{ROLE_UNOMI_TENANT_USER}}) before {{createContext()}}, so 
{{getPermissionsForRoles()}} grants AGGREGATE.

h3. Reproduction

{code:bash}
cd server/unomi-rest-api-tests/docker
./build-unomi.sh
./run-tests.sh 3.1-es-v2compat
# Or manually:
curl -fsS -u karaf:karaf http://localhost:8181/cxs/privacy/info
{code}

Server log:

{code}
Internal server error on GET /cxs/privacy/info - Root cause: SecurityException -
Access denied: Missing permission for operation AGGREGATE for tenant 
test_tenant and roles []
{code}

h3. Test gaps

* {{V2CompatibilityModeIT}} tests {{GET /cxs/profiles/{id}}} with Karaf in V2 
mode but does *not* cover {{GET /cxs/privacy/info}}.
* {{unomi-rest-api-tests}} {{3.1-es-v2compat}} stack relies on 
{{/cxs/privacy/info}} for health check and version detection.

h3. Acceptance criteria

* With V2 compat enabled, {{GET /cxs/privacy/info}} with {{karaf:karaf}} 
returns HTTP 200 and includes {{serverVersion}}.
* Karaf-authenticated private endpoints retain full admin capability for 
persistence operations requiring AGGREGATE/QUERY (not only simple GET-by-id).
* Add integration test in {{V2CompatibilityModeIT}} (or REST API test) for 
{{GET /cxs/privacy/info}} under V2 compatibility mode.
* {{3.1-es-v2compat}} Docker stack health check passes without AGGREGATE errors 
in logs.

h3. References

* Parent epic: UNOMI-875
* Original feature: UNOMI-904 (V2 API Compatibility mode)
* Code: 
rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
 (handleV2CompatibilityMode)
* Code: extensions/privacy-extension/services/.../PrivacyServiceImpl.java 
(getServerInfo → aggregate)
* Test stack: 
server/unomi-rest-api-tests/docker/docker-compose.unomi-3.1-es-v2compat.yml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to