Hi All,

I debugged our code and found an issue. It seems the implementation of some API
changed in user-core. Let me explain the flow.

Our queue/topic creation has two calls.

1. We create an internal role when adding a queue and assign the "changePermission",
"publish" and "consume" permissions to it. This means that the user who created
a particular queue can update permissions, publish or consume.

- The code line below is used to get the internal role name:

UserCoreUtil.addInternalDomainName(QUEUE_ROLE_PREFIX +
        queueName.replace(".", "-").replace("/", "-"))

result = {java.lang.String@10289}"*Internal/Q_userQueue*"
value = {char[21]@10290}
hash = 0
hash32 = 0

- Assign permissions as below:

userStoreManager.addRole(roleName, user, null);
userRealm.getAuthorizationManager().authorizeRole(roleName, queueId,
        PERMISSION_CHANGE_PERMISSION);
userRealm.getAuthorizationManager().authorizeRole(roleName, queueId,
        TreeNode.Permission.CONSUME.toString().toLowerCase());
userRealm.getAuthorizationManager().authorizeRole(roleName, queueId,
        TreeNode.Permission.PUBLISH.toString().toLowerCase());

2. The user can select some other roles listed in the queue add page. He can
select these roles when adding the queue or later by updating the queue. So in
update permission we check whether any of the user's roles has the change
permission assigned above.

- Get the role list of the user:

userRealm.getUserStoreManager().getRoleListOfUser(loggedInUser)

result = {java.lang.String[3]@9689}
[0] = {java.lang.String@9690}"*Internal/Q_userQueue*"
[1] = {java.lang.String@9691}"Internal/everyone"
[2] = {java.lang.String@9692}"role1"

- Check whether any of the roles has the change permission:

for (String userRole : userRoles) {
    if (userRealm.getAuthorizationManager().isRoleAuthorized(
            userRole, queueID, PERMISSION_CHANGE_PERMISSION)) {
        isUserHasChangePermission = true;
    }
}

The issue is that the above check is false for all roles. But we assigned the change
permission to the *Internal/Q_userQueue* role when creating the queue.

3. Next I evaluated the code line below to check which role has the change
permission for queueID. The result is as below:

userRealm.getAuthorizationManager().getAllowedRolesForResource(queueID,
PERMISSION_CHANGE_PERMISSION)

result = {java.lang.String[1]@9694}
[0] = {java.lang.String@9686}"*INTERNAL/Q_userQueue*"

The result has a different role name. We created a role called
*Internal/Q_userQueue* and assigned permissions to it, but it has been created
with a different name, *INTERNAL/Q_userQueue*, and the permissions were assigned to that.

Please have a look into this because it is a blocking issue for our
implementation.

Cheers!


On Tue, Oct 13, 2015 at 5:22 PM, Kishanthan Thangarajah <[email protected]
> wrote:

> Was this issue found in 4.4.2 RC1 too?
>
> On Tue, Oct 13, 2015 at 4:58 PM, Sasikala Kottegoda <[email protected]>
> wrote:
>
>> Hi Manuri,
>>
>> We tested MB 3.0.0 with this release and our scenario of queue creation
>> fails after giving a permission denied error. The scenario is as follows:
>>
>> 1. Create a user "user1" with a role assigned with permission to create
>> queues.
>> 2. Login from "user1" and try to create a queue, we get a permission
>> denied error.
>>
>> When creating a queue the following happens from our code.
>>
>> 1. We create an internal role for the queue and assign it to the current
>> user with permissions assigned.
>>
>> userRealm.getAuthorizationManager().authorizeRole(roleName, queueId,
>>         PERMISSION_CHANGE_PERMISSION);
>>
>> 2. Next, we create the queue and update permissions for the queue. In this 
>> step, we check if the current user has permissions to change the queue.
>>
>> String[] userRoles =
>>         userRealm.getUserStoreManager().getRoleListOfUser(loggedInUser);
>> for (String userRole : userRoles) {
>>     if (userRealm.getAuthorizationManager().isRoleAuthorized(
>>             userRole, queueID, PERMISSION_CHANGE_PERMISSION)) {
>>         isUserHasChangePermission = true;
>>     }
>> }
>>
>> At this stage, 'userRealm.getAuthorizationManager().isRoleAuthorized(
>>             userRole, queueID, PERMISSION_CHANGE_PERMISSION)' is false,
>> implying that none of the roles assigned to the user have permissions to
>> change the queue, thus not allowing the user to create the queue.
>>
>>
>> Thank you
>>
>>
>> On Mon, Oct 12, 2015 at 9:24 PM, Manuri Amaya Perera <[email protected]>
>> wrote:
>>
>>> Hi Devs,
>>>
>>> WSO2 Carbon Kernel 4.4.2 RC2 Release Vote.
>>>
>>> This release fixes the following issues:
>>> https://wso2.org/jira/issues/?filter=12396
>>>
>>> Please download and test your products with kernel 4.4.2 RC2 and vote.
>>> Vote will be open for 72 hours or longer as needed.
>>>
>>> *Source and binary distribution files:*
>>> https://svn.wso2.org/repos/wso2/people/aruna/v4.4.2-rc2
>>>
>>> *Maven staging repository:*
>>> http://maven.wso2.org/nexus/content/repositories/orgwso2carbon-019/
>>>
>>> *The tag to be voted upon:*
>>> https://github.com/wso2/carbon-kernel/tree/v4.4.2-rc2
>>>
>>>
>>> [ ] Broken - do not release (explain why)
>>> [ ] Stable - go ahead and release
>>>
>>>
>>> Thank you
>>> Carbon Team
>>>
>>> --
>>>
>>> *Manuri Amaya Perera*
>>>
>>> *Software Engineer*
>>>
>>> *WSO2 Inc.*
>>>
>>> *Blog: http://manuriamayaperera.blogspot.com
>>> <http://manuriamayaperera.blogspot.com>*
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Sasikala Kottegoda
>> *Software Engineer*
>> WSO2 Inc., http://wso2.com/
>> lean. enterprise. middleware
>> Mobile: +94 774835928/712792401
>>
>>
>>
>
>
> --
> *Kishanthan Thangarajah*
> Associate Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - *http://kishanthan.wordpress.com <http://kishanthan.wordpress.com>*
> Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>*
>
>
>


-- 
Indika Sampath
Senior Software Engineer
WSO2 Inc.
http://wso2.com

Phone: +94 716 424 744
Blog: http://indikasampath.blogspot.com/
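
The mismatch reported in this message, reproduced as an added example that is not part of the original e-mail and is not WSO2 user-core code: a stand-alone in-memory model (class, method bodies and the queue id are hypothetical) in which the store is assumed to upper-case the domain prefix on write, followed by a diagnostic that compares the user's role list with the stored role list and reports names that differ only in case.

```java
import java.util.*;

// Added example: models the symptom only; the real cause inside user-core is not shown here.
public class RoleCaseMismatchCheck {

    // Hypothetical permission store: "resource|action" -> role names exactly as stored.
    private final Map<String, Set<String>> allowed = new HashMap<>();

    // Assumption of this model: the domain part is upper-cased before saving,
    // which yields the INTERNAL/... name seen in the debugger output above.
    void authorizeRole(String role, String resource, String action) {
        int sep = role.indexOf('/');
        String stored = sep < 0 ? role
                : role.substring(0, sep).toUpperCase(Locale.ROOT) + role.substring(sep);
        allowed.computeIfAbsent(resource + "|" + action, k -> new TreeSet<>()).add(stored);
    }

    // Exact, case-sensitive lookup, so a differently cased stored name never matches.
    boolean isRoleAuthorized(String role, String resource, String action) {
        return allowed.getOrDefault(resource + "|" + action, Set.of()).contains(role);
    }

    String[] getAllowedRolesForResource(String resource, String action) {
        return allowed.getOrDefault(resource + "|" + action, Set.of()).toArray(new String[0]);
    }

    // Diagnostic: role names equal when case is ignored but not equal exactly.
    static List<String> caseOnlyMismatches(String[] userRoles, String[] storedRoles) {
        List<String> hits = new ArrayList<>();
        for (String u : userRoles)
            for (String s : storedRoles)
                if (!u.equals(s) && u.equalsIgnoreCase(s))
                    hits.add(u + " <-> " + s);
        return hits;
    }

    public static void main(String[] args) {
        RoleCaseMismatchCheck store = new RoleCaseMismatchCheck();
        String queueId = "queue/userQueue";   // constructed sample resource id
        String action = "changePermission";
        store.authorizeRole("Internal/Q_userQueue", queueId, action);

        String[] userRoles = {"Internal/Q_userQueue", "Internal/everyone", "role1"};
        boolean any = false;
        for (String r : userRoles) any |= store.isRoleAuthorized(r, queueId, action);
        System.out.println("exact-match check: " + any);
        System.out.println("case-only mismatches: "
                + caseOnlyMismatches(userRoles, store.getAllowedRolesForResource(queueId, action)));
    }
}
```

The diagnostic is meant for a regression test or a debugging session; it flags the inconsistency between write and read paths and is not a substitute for the authorization check itself.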