[ 
https://issues.apache.org/jira/browse/UNOMI-962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Serge Huber updated UNOMI-962:
------------------------------
    Summary: 3.1 REST API validation failures: V2 compat admin auth, missing 
resources, and export errors  (was: V2 compatibility mode: karaf admin on 
private endpoints fails AGGREGATE checks (GET /cxs/privacy/info))

> 3.1 REST API validation failures: V2 compat admin auth, missing resources, 
> and export errors
> --------------------------------------------------------------------------------------------
>
>                 Key: UNOMI-962
>                 URL: https://issues.apache.org/jira/browse/UNOMI-962
>             Project: Apache Unomi
>          Issue Type: Sub-task
>          Components: unomi(-core)
>    Affects Versions: unomi-3.1.0
>            Reporter: Serge Huber
>            Assignee: Serge Huber
>            Priority: Major
>             Fix For: unomi-3.1.0
>
>
> h3. Problem
> When {{v2.compatibilitymode.enabled=true}}, private REST endpoints 
> authenticated with Karaf basic auth ({{karaf:karaf}}) fail with HTTP 500 and:
> {code}
> SecurityException - Access denied: Missing permission for operation AGGREGATE 
> for tenant <defaultTenantId> and roles []
> {code}
> Observed on {{GET /cxs/privacy/info}} while running the {{3.1-es-v2compat}} 
> Docker test stack 
> ({{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYMODEENABLED=true}}, 
> {{UNOMI_REST_AUTHENTICATION_V2COMPATIBILITYDEFAULTTENANTID=test_tenant}}).
> This blocks V2-style admin clients and health checks that call 
> {{/cxs/privacy/info}} during migration to 3.1.0.
> h3. Root cause
> # {{PrivacyServiceImpl.getServerInfo()}} calls 
> {{persistenceService.aggregateWithOptimizedQuery(...)}}, which requires the 
> *AGGREGATE* permission on the active tenant execution context.
> # In normal V3 mode, Karaf-only admin requests (no {{X-Unomi-Tenant-Id}}) use 
> {{ExecutionContext.systemContext()}}, which bypasses tenant permission checks 
> ({{AuthenticationFilter}} ~line 240).
> # In V2 compatibility mode, {{handleV2CompatibilityMode()}} merges the JAAS 
> subject with a {{TenantPrincipal}} for {{v2CompatibilityDefaultTenantId}} and 
> calls {{executionContextManager.createContext(defaultTenantId)}} (~lines 
> 315–320 in {{AuthenticationFilter.java}}).
> # That tenant-scoped context is built with *no Unomi roles* ({{roles []}} in 
> the error). Karaf JAAS principals are not mapped to 
> {{ROLE_UNOMI_TENANT_USER}} / {{ROLE_UNOMI_TENANT_ADMIN}} the way tenant 
> API-key auth is via {{KarafSecurityService.createSubject()}}.
> # Result: authenticated Karaf admin cannot perform persistence operations 
> that require AGGREGATE (and likely other permissions on aggregate-heavy code 
> paths).
> h3. Expected behaviour (V2 compat contract)
> Per v2-compatibility-mode.adoc and UNOMI-904 acceptance criteria:
> * *Private endpoints* should work with *system administrator* Karaf 
> credentials, same as Unomi 2.x.
> * {{GET /cxs/privacy/info}} must return 200 with {{serverVersion}} (used by 
> Docker health checks, version detection, and operators).
> h3. Suggested fix
> In {{AuthenticationFilter.handleV2CompatibilityMode()}}, after successful 
> JAAS auth on private endpoints, either:
> * Option A (preferred for parity with V3 Karaf admin): use 
> {{ExecutionContext.systemContext()}} for data operations (like non-compat V3 
> path when no tenant header), *or*
> * Option B: augment the merged subject with Unomi admin roles 
> ({{ROLE_UNOMI_ADMIN}} / {{ROLE_UNOMI_TENANT_ADMIN}} + 
> {{ROLE_UNOMI_TENANT_USER}}) before {{createContext()}}, so 
> {{getPermissionsForRoles()}} grants AGGREGATE.
> h3. Reproduction
> {code:bash}
> cd server/unomi-rest-api-tests/docker
> ./build-unomi.sh
> ./run-tests.sh 3.1-es-v2compat
> # Or manually:
> curl -fsS -u karaf:karaf http://localhost:8181/cxs/privacy/info
> {code}
> Server log:
> {code}
> Internal server error on GET /cxs/privacy/info - Root cause: 
> SecurityException -
> Access denied: Missing permission for operation AGGREGATE for tenant 
> test_tenant and roles []
> {code}
> h3. Test gaps
> * {{V2CompatibilityModeIT}} tests {{GET /cxs/profiles/{id}}} with Karaf in V2 
> mode but does *not* cover {{GET /cxs/privacy/info}}.
> * {{unomi-rest-api-tests}} {{3.1-es-v2compat}} stack relies on 
> {{/cxs/privacy/info}} for health check and version detection.
> h3. Acceptance criteria
> * With V2 compat enabled, {{GET /cxs/privacy/info}} with {{karaf:karaf}} 
> returns HTTP 200 and includes {{serverVersion}}.
> * Karaf-authenticated private endpoints retain full admin capability for 
> persistence operations requiring AGGREGATE/QUERY (not only simple GET-by-id).
> * Add integration test in {{V2CompatibilityModeIT}} (or REST API test) for 
> {{GET /cxs/privacy/info}} under V2 compatibility mode.
> * {{3.1-es-v2compat}} Docker stack health check passes without AGGREGATE 
> errors in logs.
> h3. References
> * Parent epic: UNOMI-875
> * Original feature: UNOMI-904 (V2 API Compatibility mode)
> * Code: 
> rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
>  (handleV2CompatibilityMode)
> * Code: extensions/privacy-extension/services/.../PrivacyServiceImpl.java 
> (getServerInfo → aggregate)
> * Test stack: 
> server/unomi-rest-api-tests/docker/docker-compose.unomi-3.1-es-v2compat.yml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to