Thanks, I got it to work by giving my "Admin" role a subset of the complete list of entitlements.
It seems that granting the entire list of entitlements to a role or a user makes it unauthorized to access the UI, which is counter-intuitive, IMO. Its also not clear what entitlements are in effect for administering roles. I granted all of the ROLE_* entitlements to a user but when I try to use that user to manage roles, it logs me out and says "Access is Denied" and the core.log shows messages like this: 12:59:23.078 ERROR org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver - An unexpected error occurred during error handling. No further error processing will occur. org.apache.cxf.interceptor.Fault: Access is denied On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò <[email protected]> wrote: > On 23/07/2018 22:59, Wyllys Ingersoll wrote: >> >> Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd >> domain as the default "admin" account, but I cannot login using any >> other accounts even if those accounts are assigned a role with all of >> the privileges. >> >> You can see the same error on the demo vm using login >> "testadm/password2" in domain "Two". > > > Hi, > since the demo is redeployed every few hours, and persistence gets cleared, > such user is not there any more. > > However, I went to syncope-vm.apache.org, logged in as admin in the Two > domain, created an user 'ilgrosso' with password 'Password123' and no roles. > After logging out as admin, I was able to log in again as ilgrosso, in the > Two domain of course, as expected - see > > https://snag.gy/mrUpi4.jpg > > When using roles, I'd suggest to take a look at > > http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console > > to see how to define the 'minimal set' of entitlements to grant (you'll need > to temporary add GROUP_SEARCH to such set, at least until my latest commit > gets deployed). > > Regards. > > >> On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll >> <[email protected]> wrote: >>> >>> Done - https://issues.apache.org/jira/browse/SYNCOPE-1342 >>> >>> thanks for confirming this, I thought I was just doing something >>> stupid or the documentation was missing a step or 2. >>> >>> On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò >>> <[email protected]> wrote: >>>> >>>> Hi, >>>> I have replicated your Docker-based setup, with two domains and >>>> 2.1.1-SNAPSHOT, found the same issue. >>>> >>>> ...that could be easily replicated by attempting to log in on the public >>>> demo: >>>> >>>> http://syncope-vm.apache.org:9080/syncope-console >>>> >>>> on the Two domain, with credentials admin / password2 - working via >>>> REST. >>>> >>>> Please raise an issue on JIRA: it seems that the Admin Console's login >>>> form >>>> does not take into account the value selected in the 'Domain' combo. >>>> I have verified that the problem only affects 2.1.0, as 2.0.9 works as >>>> expected - this means that there was something missing in the migration >>>> to >>>> Wicket 8. >>>> >>>> Regards. >>>> >>>> >>>> On 22/07/2018 17:35, Wyllys Ingersoll wrote: >>>>> >>>>> I created a role in the 2nd domain and granted it all of the >>>>> entitlements using the REST api, then assigned that role to a user >>>>> ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd >>>>> domain on the console UI, I get the following errors in the core.log >>>>> file: >>>>> >>>>> Its basically complaining about the connector not having privileges to >>>>> authenticate anyone. Not sure how to fix this since I cant manage the >>>>> domain with the UI yet (chicken and egg problem?). >>>>> 11:21:39.265 INFO >>>>> org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - >>>>> Authenticate was attempted, although the connector only has these >>>>> capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action. >>>>> >>>>> >>>>> I can get a token for this user with the REST api and validate the >>>>> token and see that it does indeed have all of the required >>>>> entitlements, the problem seems to be with the console UI and how it >>>>> authenticates/authorizes users since going directly to the core for >>>>> authentication via REST works as expected. >>>>> >>>>> >>>>> >>>>> Full stack trace: >>>>> >>>>> java.util.concurrent.ExecutionException: >>>>> >>>>> >>>>> org.identityconnectors.framework.common.exceptions.InvalidCredentialException: >>>>> Authentication failed for "admin2" >>>>> at java.util.concurrent.FutureTask.report(FutureTask.java:122) >>>>> ~[?:1.8.0_171] >>>>> at java.util.concurrent.FutureTask.get(FutureTask.java:206) >>>>> ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) >>>>> ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke(<generated>) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) >>>>> ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) >>>>> ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) >>>>> ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) >>>>> ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate(<generated>) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) >>>>> ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) >>>>> ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.apache.syncope.core.spring.security.JWTAuthenticationFilter.doFilterInternal(JWTAuthenticationFilter.java:90) >>>>> ~[syncope-core-spring-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) >>>>> ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE] >>>>> at >>>>> >>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) >>>>> ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) >>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) >>>>> ~[tomcat8-coyote-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) >>>>> ~[tomcat8-coyote-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) >>>>> ~[tomcat8-coyote-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) >>>>> ~[tomcat8-coyote-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) >>>>> ~[tomcat8-coyote-8.5.14.jar:8.5.14] >>>>> at >>>>> >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> ~[?:1.8.0_171] >>>>> at >>>>> >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>>>> ~[tomcat8-util-8.5.14.jar:8.5.14] >>>>> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171] >>>>> Caused by: >>>>> >>>>> org.identityconnectors.framework.common.exceptions.InvalidCredentialException: >>>>> Authentication failed for "admin2" >>>>> at >>>>> >>>>> net.tirasa.connid.bundles.ad.authentication.ADAuthenticate.authenticate(ADAuthenticate.java:74) >>>>> ~[?:?] >>>>> at >>>>> >>>>> net.tirasa.connid.bundles.ad.ADConnector.authenticate(ADConnector.java:243) >>>>> ~[?:?] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.local.operations.AuthenticationImpl.authenticate(AuthenticationImpl.java:85) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?] >>>>> at >>>>> >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>> ~[?:1.8.0_171] >>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?] >>>>> at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?] >>>>> at >>>>> >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>> ~[?:1.8.0_171] >>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?] >>>>> at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?] >>>>> at >>>>> >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>> ~[?:1.8.0_171] >>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?] >>>>> at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?] >>>>> at >>>>> >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>> ~[?:1.8.0_171] >>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?] >>>>> at >>>>> >>>>> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.authenticate(AbstractConnectorFacade.java:235) >>>>> ~[connector-framework-internal-1.4.4.0.jar:?] >>>>> at >>>>> >>>>> org.apache.syncope.core.provisioning.java.AsyncConnectorFacade.authenticate(AsyncConnectorFacade.java:56) >>>>> ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.apache.syncope.core.provisioning.java.AsyncConnectorFacade$$FastClassBySpringCGLIB$$886ae36a.invoke(<generated>) >>>>> ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0] >>>>> at >>>>> >>>>> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) >>>>> ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at >>>>> >>>>> org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115) >>>>> ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE] >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>> ~[?:1.8.0_171] >>>>> at >>>>> >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> ~[?:1.8.0_171] >>>>> at >>>>> >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> ~[?:1.8.0_171] >>>>> ... 1 more >>>>> 11:21:39.265 INFO >>>>> org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - >>>>> Authenticate was attempted, although the connector only has these >>>>> capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action. > > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/ >
