This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch 
fix/v2-compat-karaf-admin-permissions
in repository https://gitbox.apache.org/repos/asf/unomi.git

commit 64941febc3a1b5a2d9d9c18e48517f1307c9f03c
Author: Serge Huber <[email protected]>
AuthorDate: Mon Jul 13 09:19:57 2026 +0200

    Fix V2 compatibility Karaf admin missing tenant permissions on private 
endpoints.
    
    Grant tenant admin roles when merging JAAS auth in V2 compat mode so 
endpoints
    like GET /cxs/privacy/info can run AGGREGATE queries, and add an IT 
assertion.
---
 .../java/org/apache/unomi/itests/V2CompatibilityModeIT.java   | 10 +++++++---
 .../unomi/rest/authentication/AuthenticationFilter.java       | 11 +++++++++--
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git 
a/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java 
b/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java
index e8318fb5b..cce6c5484 100644
--- a/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java
+++ b/itests/src/test/java/org/apache/unomi/itests/V2CompatibilityModeIT.java
@@ -293,9 +293,13 @@ public class V2CompatibilityModeIT extends BaseIT {
         try (CloseableHttpClient adminClient = HttpClients.custom()
                 .setDefaultCredentialsProvider(credsProvider)
                 .setDefaultRequestConfig(requestConfig)
-                .build();
-             CloseableHttpResponse jaasResponse = 
adminClient.execute(getRequest)) {
-            assertEquals("Private endpoint with JAAS auth should work in V2 
compatibility mode", 200, jaasResponse.getStatusLine().getStatusCode());
+                .build()) {
+            try (CloseableHttpResponse jaasResponse = 
adminClient.execute(getRequest)) {
+                assertEquals("Private endpoint with JAAS auth should work in 
V2 compatibility mode", 200, jaasResponse.getStatusLine().getStatusCode());
+            }
+            try (CloseableHttpResponse privacyResponse = 
adminClient.execute(new HttpGet(getFullUrl("/cxs/privacy/info")))) {
+                assertEquals("GET /cxs/privacy/info with Karaf auth should 
work in V2 compatibility mode", 200, 
privacyResponse.getStatusLine().getStatusCode());
+            }
         }
     }
 
diff --git 
a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
 
b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
index b4db2754e..91e550fc4 100644
--- 
a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
+++ 
b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
@@ -47,7 +47,9 @@ import org.apache.commons.lang3.StringUtils;
 import java.io.IOException;
 import java.util.Base64;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 /**
  * A filter that combines JAAS authentication with tenant API key 
authentication:
@@ -316,8 +318,13 @@ public class AuthenticationFilter implements 
ContainerRequestFilter {
                 Subject mergedSubject = new Subject();
                 
mergedSubject.getPrincipals().addAll(jaasSubject.getPrincipals());
                 if (StringUtils.isNotBlank(defaultTenantId)) {
-                    mergedSubject.getPrincipals().add(new 
TenantPrincipal(defaultTenantId));
-                    
executionContextManager.setCurrentContext(executionContextManager.createContext(defaultTenantId));
+                    
mergedSubject.getPrincipals().addAll(securityService.createSubject(defaultTenantId,
 true).getPrincipals());
+                    Set<String> roles = 
securityService.extractRolesFromSubject(mergedSubject);
+                    Set<String> permissions = new HashSet<>();
+                    for (String role : roles) {
+                        
permissions.addAll(securityService.getPermissionsForRole(role));
+                    }
+                    executionContextManager.setCurrentContext(new 
ExecutionContext(defaultTenantId, roles, permissions));
                 } else {
                     
executionContextManager.setCurrentContext(ExecutionContext.systemContext());
                 }

Reply via email to