This is an automated email from the ASF dual-hosted git repository. asf-gitbox-commits pushed a commit to branch fix/v2-compat-karaf-admin-permissions in repository https://gitbox.apache.org/repos/asf/unomi.git
commit 64941febc3a1b5a2d9d9c18e48517f1307c9f03c Author: Serge Huber <[email protected]> AuthorDate: Mon Jul 13 09:19:57 2026 +0200 Fix V2 compatibility Karaf admin missing tenant permissions on private endpoints. Grant tenant admin roles when merging JAAS auth in V2 compat mode so endpoints like GET /cxs/privacy/info can run AGGREGATE queries, and add an IT assertion. --- .../java/org/apache/unomi/itests/V2CompatibilityModeIT.java | 10 +++++++--- .../unomi/rest/authentication/AuthenticationFilter.java | 11 +++++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java b/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java index e8318fb5b..cce6c5484 100644 --- a/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java +++ b/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java @@ -293,9 +293,13 @@ public class V2CompatibilityModeIT extends BaseIT { try (CloseableHttpClient adminClient = HttpClients.custom() .setDefaultCredentialsProvider(credsProvider) .setDefaultRequestConfig(requestConfig) - .build(); - CloseableHttpResponse jaasResponse = adminClient.execute(getRequest)) { - assertEquals("Private endpoint with JAAS auth should work in V2 compatibility mode", 200, jaasResponse.getStatusLine().getStatusCode()); + .build()) { + try (CloseableHttpResponse jaasResponse = adminClient.execute(getRequest)) { + assertEquals("Private endpoint with JAAS auth should work in V2 compatibility mode", 200, jaasResponse.getStatusLine().getStatusCode()); + } + try (CloseableHttpResponse privacyResponse = adminClient.execute(new HttpGet(getFullUrl("/cxs/privacy/info")))) { + assertEquals("GET /cxs/privacy/info with Karaf auth should work in V2 compatibility mode", 200, privacyResponse.getStatusLine().getStatusCode()); + } } } diff --git a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java index b4db2754e..91e550fc4 100644 --- a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java +++ b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java @@ -47,7 +47,9 @@ import org.apache.commons.lang3.StringUtils; import java.io.IOException; import java.util.Base64; import java.util.Collections; +import java.util.HashSet; import java.util.List; +import java.util.Set; /** * A filter that combines JAAS authentication with tenant API key authentication: @@ -316,8 +318,13 @@ public class AuthenticationFilter implements ContainerRequestFilter { Subject mergedSubject = new Subject(); mergedSubject.getPrincipals().addAll(jaasSubject.getPrincipals()); if (StringUtils.isNotBlank(defaultTenantId)) { - mergedSubject.getPrincipals().add(new TenantPrincipal(defaultTenantId)); - executionContextManager.setCurrentContext(executionContextManager.createContext(defaultTenantId)); + mergedSubject.getPrincipals().addAll(securityService.createSubject(defaultTenantId, true).getPrincipals()); + Set<String> roles = securityService.extractRolesFromSubject(mergedSubject); + Set<String> permissions = new HashSet<>(); + for (String role : roles) { + permissions.addAll(securityService.getPermissionsForRole(role)); + } + executionContextManager.setCurrentContext(new ExecutionContext(defaultTenantId, roles, permissions)); } else { executionContextManager.setCurrentContext(ExecutionContext.systemContext()); }
