directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: rolePerms REST request
Date Mon, 27 Apr 2015 14:07:34 GMT
> 
> 
> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <oleksandr.bodriagov@polystar.com>
wrote:
> 
> 1. I would like to clarify for myself if a Fortress request to http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacPerms has the following form:
> 
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FortRequest>
>     <entity … />
>     <contextId>HOME</contextId>
>     <session>…</session>
> </FortRequest>
> 
> Where the <entity> and <session> elements come from the Fortress response from http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacCreate.
> 

Fortress Rest uses this entity to pass data into the server:

https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/rest/FortRequest.html

The elements that are used vary by service but contextId must be passed on every request. Only APIs in access manager must pass a session, with the exception of create session, which of course doesn't have one yet.

There is a fairly easy way to generate examples for how the requests must be formatted. The fortress core can communicate with fortress rest. You would add these props to build.properties:

# Using REST/HTTP allows Fortress communications to pass through firewalls and other non-LDAP network intermediaries.
enable.mgr.impl.rest=true

# This user account is added automatically during init-slapd or init-apacheds target via 'FortressDemoUsers.xml' policy file:
http.user=demouser4
http.pw=password
http.host=localhost
http.port=8080
http.protocol=http

Run mvn install from the command line to get these changes inserted into fortress.properties.

Next you will run:

mvn test -Pconsole

The request/responses generated by the test console app will communicate over rest. You can place a sniffer on the wire, or route the requests through a monitor to see what gets sent.

One catch, you have to do another pull on core. I had to add the client side rest dependencies to the profiles.

https://issues.apache.org/jira/browse/FC-95


> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <oleksandr.bodriagov@polystar.com> wrote:
> 
> 2. What does a request for getting permissions for a specific role look like?


rolePerms is the name of the service that returns permissions for a given role. I ran a trace of that service and pasted it here:

https://paste.apache.org/0KUs

> 
> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <oleksandr.bodriagov@polystar.com> wrote:
> 
> 3. I get <warnings><id>2051</id><msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg><type>ROLE</type><name>GalileoDataReader</name></warnings> when sending a request to http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacCreate.
> What could be the reason? I have attached a description of temporal constraints for the GalileoDataReader role. User Bob has the following temporal constraints:
> 
> <FortResponse> … <session> …
>     <userId>Bob</userId>
>     <description>my user 1</description>
>     <name>Bob</name>
>     <internalId>19305e67-b556-47b6-8461-f58aeac4a230</internalId>
>     <ou>Bla-Mobile</ou>
>     <sn>Bob</sn>
>     <cn>Bob</cn>
>     <dn>uid=Bob,ou=People,dc=example,dc=com</dn>
>     <address/>
>     <props>
>       <modId>72791a08-9cf0-4638-b519-c7a78b8a26d9</modId>
>       <entry><key>init</key><value></value></entry>
>     </props>
>     <locked>false</locked>
>     <reset>false</reset>
>     <system>false</system>
>     <beginDate>20150201</beginDate>
>     <endDate>20400301</endDate>
>     <beginLockDate>20300301</beginLockDate>
>     <endLockDate>20300401</endLockDate>
>     <dayMask>1234567</dayMask>
>     <timeout>5</timeout>
>   </user>
>   <isAuthenticated>true</isAuthenticated>
>   <sessionId>2343e7f1-766e-4a47-b5d0-4178e82fa184</sessionId>
>   <lastAccess>1430137954924</lastAccess>
>   <timeout>0</timeout>
>   <errorId>0</errorId>
>   <expirationSeconds>0</expirationSeconds>
>   <graceLogins>0</graceLogins>
>   <warnings>
>     <id>2051</id>
>     <msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg>
>     <type>ROLE</type>
>     <name>GalileoDataReader</name>
>   </warnings>
> </session></FortResponse>
> 

2051 is:

public static final int ACTV_FAILED_DATE
Entity activation failed due to date validation failure.

The list of fortress error codes is in the javadoc here:

https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/SecurityException.html

That error will occur if the current date falls outside the range stated in beginDate and endDate. In this case the role GalileoDataReader failed that date check.


Shawn
smckinney@apache.org
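Added example, not code from the Fortress project or from this thread: a small Python client-side helper that builds the FortRequest envelope described above (entity, contextId, and the session lifted from an rbacCreate response), reads back any <warnings> in a FortResponse, and reproduces the date check behind reason code 2051 (ACTV_FAILED_DATE). The sample response is constructed and trimmed from the one pasted in the thread. Two assumptions are made and marked in the code: that the rolePerms entity is a Role carrying just its <name>, and that an empty beginDate/endDate means the bound is not enforced.

```python
"""Client-side helpers for Fortress REST FortRequest/FortResponse XML.

Added example; not Apache Fortress code. Assumptions are marked below.
"""
from datetime import date
from typing import List, Optional
import copy
import xml.etree.ElementTree as ET

# Error code quoted in the thread: SecurityException.ACTV_FAILED_DATE.
ACTV_FAILED_DATE = 2051

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'

# Constructed sample, trimmed from the FortResponse pasted on the list; not a live capture.
SAMPLE_RESPONSE = XML_DECL + """
<FortResponse>
  <session>
    <user>
      <userId>Bob</userId>
      <beginDate>20150201</beginDate>
      <endDate>20400301</endDate>
      <dayMask>1234567</dayMask>
    </user>
    <isAuthenticated>true</isAuthenticated>
    <sessionId>2343e7f1-766e-4a47-b5d0-4178e82fa184</sessionId>
    <errorId>0</errorId>
    <warnings>
      <id>2051</id>
      <msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg>
      <type>ROLE</type>
      <name>GalileoDataReader</name>
    </warnings>
  </session>
</FortResponse>
"""


def extract_session(fort_response_xml: str) -> ET.Element:
    """Copy the <session> element out of a FortResponse (e.g. from rbacCreate)."""
    root = ET.fromstring(fort_response_xml.encode("utf-8"))
    session = root.find("session")
    if session is None:
        raise ValueError("FortResponse carries no <session>; create the session first")
    return copy.deepcopy(session)


def role_entity(role_name: str) -> ET.Element:
    """Assumption: the rolePerms entity is a Role identified only by its <name>."""
    entity = ET.Element("entity")
    ET.SubElement(entity, "name").text = role_name
    return entity


def build_fort_request(entity: ET.Element, context_id: str,
                       session: Optional[ET.Element] = None) -> str:
    """Serialise a FortRequest: contextId on every call, session only where one exists."""
    req = ET.Element("FortRequest")
    req.append(entity)
    ET.SubElement(req, "contextId").text = context_id
    if session is not None:
        req.append(session)
    return XML_DECL + ET.tostring(req, encoding="unicode")


def request_summary(fort_request_xml: str) -> dict:
    """Parse a FortRequest back into the fields a reviewer would check."""
    root = ET.fromstring(fort_request_xml.encode("utf-8"))
    return {
        "root": root.tag,
        "entity_name": root.findtext("entity/name"),
        "contextId": root.findtext("contextId"),
        "sessionId": root.findtext("session/sessionId"),
    }


def parse_warnings(fort_response_xml: str) -> List[dict]:
    """Collect every <warnings> block (id, msg, type, name) from a FortResponse."""
    root = ET.fromstring(fort_response_xml.encode("utf-8"))
    return [{
        "id": int(w.findtext("id", "0")),
        "msg": w.findtext("msg", ""),
        "type": w.findtext("type", ""),
        "name": w.findtext("name", ""),
    } for w in root.iter("warnings")]


def deactivated_roles(fort_response_xml: str) -> List[str]:
    """Names of roles the server dropped from the session for a date failure."""
    return [w["name"] for w in parse_warnings(fort_response_xml)
            if w["type"] == "ROLE" and w["id"] == ACTV_FAILED_DATE]


def _yyyymmdd(value: str) -> date:
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"expected yyyyMMdd, got {value!r}")
    return date(int(value[:4]), int(value[4:6]), int(value[6:]))


def date_constraint_ok(begin_date: str, end_date: str, today: str) -> bool:
    """The check behind ACTV_FAILED_DATE: today must lie within [beginDate, endDate].
    Assumption: an empty bound is treated as not enforced."""
    now = _yyyymmdd(today)
    if begin_date and now < _yyyymmdd(begin_date):
        return False
    if end_date and now > _yyyymmdd(end_date):
        return False
    return True


if __name__ == "__main__":
    session = extract_session(SAMPLE_RESPONSE)
    print(build_fort_request(role_entity("GalileoDataReader"), "HOME", session))
    print("deactivated:", deactivated_roles(SAMPLE_RESPONSE))
    # Bob's own window (from the thread) is fine on the day of the mail; a role whose
    # constructed beginDate is 20150601 would fail the same check and raise 2051.
    print(date_constraint_ok("20150201", "20400301", "20150427"))
    print(date_constraint_ok("20150601", "20400301", "20150427"))
```

When debugging a 2051 warning, run the role's own beginDate/endDate (not the user's, which passed here) through date_constraint_ok with today's date; the warning names the role that was dropped from the session, so that is the entity whose window to inspect.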
