On 23/07/2018 22:59, Wyllys Ingersoll wrote:
Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd
domain as the default "admin" account, but I cannot login using any
other accounts even if those accounts are assigned a role with all of
the privileges.
You can see the same error on the demo vm using login
"testadm/password2" in domain "Two".
Hi,
since the demo is redeployed every few hours, and persistence gets
cleared, such user is not there any more.
However, I went to syncope-vm.apache.org, logged in as admin in the Two
domain, created a user 'ilgrosso' with password 'Password123' and no roles.
After logging out as admin, I was able to log in again as ilgrosso, in
the Two domain of course, as expected - see
https://snag.gy/mrUpi4.jpg
When using roles, I'd suggest taking a look at
http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console
to see how to define the 'minimal set' of entitlements to grant (you'll
need to temporarily add GROUP_SEARCH to such set, at least until my latest
commit gets deployed).
Regards.
On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll
<[email protected]> wrote:
Done - https://issues.apache.org/jira/browse/SYNCOPE-1342
thanks for confirming this, I thought I was just doing something
stupid or the documentation was missing a step or 2.
On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò
<[email protected]> wrote:
Hi,
I have replicated your Docker-based setup, with two domains and
2.1.1-SNAPSHOT, and found the same issue.
...that could be easily replicated by attempting to log in on the public
demo:
http://syncope-vm.apache.org:9080/syncope-console
on the Two domain, with credentials admin / password2 - working via REST.
Please raise an issue on JIRA: it seems that the Admin Console's login form
does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as
expected - this means that there was something missing in the migration to
Wicket 8.
Regards.
On 22/07/2018 17:35, Wyllys Ingersoll wrote:
I created a role in the 2nd domain and granted it all of the
entitlements using the REST API, then assigned that role to a user
("admin2") in the 2nd domain. Now when I attempt to login to the 2nd
domain on the console UI, I get the following errors in the core.log
file:
It's basically complaining about the connector not having privileges to
authenticate anyone. Not sure how to fix this since I can't manage the
domain with the UI yet (chicken and egg problem?).
11:21:39.265 INFO
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy -
Authenticate was attempted, although the connector only has these
capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
I can get a token for this user with the REST API and validate the
token and see that it does indeed have all of the required
entitlements, the problem seems to be with the console UI and how it
authenticates/authorizes users since going directly to the core for
authentication via REST works as expected.
Full stack trace:
java.util.concurrent.ExecutionException:
org.identityconnectors.framework.common.exceptions.InvalidCredentialException:
Authentication failed for "admin2"
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
~[?:1.8.0_171]
at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
at
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke(<generated>)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60)
~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate(<generated>)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.apache.syncope.core.spring.security.JWTAuthenticationFilter.doFilterInternal(JWTAuthenticationFilter.java:90)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
~[?:1.8.0_171]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
~[tomcat8-util-8.5.14.jar:8.5.14]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by:
org.identityconnectors.framework.common.exceptions.InvalidCredentialException:
Authentication failed for "admin2"
at
net.tirasa.connid.bundles.ad.authentication.ADAuthenticate.authenticate(ADAuthenticate.java:74)
~[?:?]
at
net.tirasa.connid.bundles.ad.ADConnector.authenticate(ADConnector.java:243)
~[?:?]
at
org.identityconnectors.framework.impl.api.local.operations.AuthenticationImpl.authenticate(AuthenticationImpl.java:85)
~[connector-framework-internal-1.4.4.0.jar:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at
org.identityconnectors.framework.impl.api.AbstractConnectorFacade.authenticate(AbstractConnectorFacade.java:235)
~[connector-framework-internal-1.4.4.0.jar:?]
at
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade.authenticate(AsyncConnectorFacade.java:56)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade$$FastClassBySpringCGLIB$$886ae36a.invoke(<generated>)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
~[?:1.8.0_171]
... 1 more
11:21:39.265 INFO
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy -
Authenticate was attempted, although the connector only has these
capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/