Details
Bug
Resolution: Fixed
Minor
Grouper 2.5.33 Docker container
Description
When creating a GDG application template structure, the inherited privileges break if the ruleActAsSubjectId value is set to a user who is no longer in the wheel group. We are using external accounts with Shib auth; rules.act.as.group = etc:sysadmingroup is NOT set at the system level.
Steps to reproduce:
- Create a new application template structure as a user in the groups.wheel.group
- Remove user from wheel group
- Attempt to create a new group or folder in the newly created template structure as an account with admin rights (wheel group or via security policy group).
Setting the ruleActAsSubjectId to a valid user in the wheel group fixes the permissions.
Stack trace:
2020-08-07 18:19:50,881: [ajp-nio-127.0.0.1-8009-exec-5] WARN UiV2Group.newGroupSubmit(1956) - - Error creating group: 'lvicker2'/'person'/'unccperson', null
edu.internet2.middleware.grouper.exception.GrantPrivilegeException: null, group name: app:testing_template:service:policy:testing-nonadmin, subject: Subject groupName: app:testing_template:security:testing_templateUpdaters, sourceId: g:gsa, privilege: update,
Problem in HibernateSession: HibernateSession (68c5f4d2): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7020baa4),
Problem in HibernateSession: HibernateSession (69bd7be9): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7020baa4),
Problem in HibernateSession: HibernateSession (52844ce4): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (7020baa4),
Problem saving group: app:testing_template:service:policy:testing-nonadmin, thread: 3c72b7d3
    at edu.internet2.middleware.grouper.Group$12.callback(Group.java:4396)
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
    at edu.internet2.middleware.grouper.Group.internal_grantPriv(Group.java:4356)
    at edu.internet2.middleware.grouper.Group.grantPriv(Group.java:4320)
    at edu.internet2.middleware.grouper.rules.RuleThenEnum$10.fireRule(RuleThenEnum.java:785)
    at edu.internet2.middleware.grouper.rules.RuleThen.fireRule(RuleThen.java:241)
    at edu.internet2.middleware.grouper.rules.RuleEngine$2.callback(RuleEngine.java:463)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
    at edu.internet2.middleware.grouper.rules.RuleEngine.fireRule(RuleEngine.java:455)
    at edu.internet2.middleware.grouper.Stem$5.callback(Stem.java:2454)
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
    at edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2347)
    at edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2319)
    at edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2301)
    at edu.internet2.middleware.grouper.GroupSave$1$1.callback(GroupSave.java:607)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
    at edu.internet2.middleware.grouper.GroupSave$1.callback(GroupSave.java:498)
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO$1.callback(Hib3TransactionDAO.java:66)
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO.transactionCallback(Hib3TransactionDAO.java:56)
    at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:87)
    at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:106)
    at edu.internet2.middleware.grouper.GroupSave.save(GroupSave.java:489)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.newGroupSubmit(UiV2Group.java:1937)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4268)
    at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4219)
    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337)
    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1163)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: edu.internet2.middleware.grouper.exception.UnableToPerformException
    at edu.internet2.middleware.grouper.privs.AccessWrapper.grantPrivilege(AccessWrapper.java:177)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.CachingAccessResolver.grantPrivilege(CachingAccessResolver.java:138)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.ValidatingAccessResolver.grantPrivilege(ValidatingAccessResolver.java:137)
    at edu.internet2.middleware.grouper.Group$12.callback(Group.java:4368)
    ... 62 more
Caused by: edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException
    at edu.internet2.middleware.grouper.privs.GrouperNonDbAccessAdapter$1.callback(GrouperNonDbAccessAdapter.java:305)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
    at edu.internet2.middleware.grouper.privs.GrouperNonDbAccessAdapter.grantPriv(GrouperNonDbAccessAdapter.java:294)
    at edu.internet2.middleware.grouper.privs.AccessWrapper.grantPrivilege(AccessWrapper.java:168)
    ... 68 more