[Fiware-tech-help] Fwd: FIWARE Authorization PDP Issue - PolicySet.xml revert to old version after update

DANGERVILLE Cyril cyril.dangerville at thalesgroup.com
Tue Mar 24 12:50:59 CET 2015


Hello Dino,
This issue should be fixed in the next release. I can send you a new version by the end of the week. We are now switching to .deb packaging to automate the install as much as possible (for Ubuntu/Debian). However, this new .deb package will address Tomcat 7 only (instead of Glassfish). There has been strong demand for Tomcat as the target server and for simplifying the installation.
Would you have any issue switching to Tomcat 7?
We will continue to provide instructions for Glassfish if there is still a demand for it (especially for production environments), but it will still require manual steps as it does now, and will not be automated like for Tomcat with the .deb package.

Regards,
Cyril




On 19/03/2015 at 15:22, Dino Osmanovic wrote:
Hi FIWARE Tech Crew,

We have an issue with one of the enablers and we are trying to get support. It's related to the Access Control generic enabler.

Below is the issue:

We have a problem with the PAP PolicySet update: when I make a request to update the PolicySet I get response OK and the new PolicySet works fine, but when I try to get the PolicySet I get the old PolicySet data.

To check what the problem is I tried to tail the PolicySet XML file and saw the file reverted to the old version after the regular file update.

This is the dump from tail:
tail -f policySet.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
<Target />
<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides" PolicyId="permit-all" Version="1.0">
<Target />
<Rule Effect="Permit" RuleId="permit-all" />
</Policy>
</PolicySet>
tail: policySet.xml: file truncated
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root:policy" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
RBAC Policy
</Description><Target/><PolicySet PolicySetId="RPS:Employee_Role" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
Employee Role PolicySet
</Description><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue><AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Employee_Role</PolicySetIdReference></PolicySet><PolicySet PolicySetId="RPS:Manager_Role" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
Manager Role PolicySet
</Description><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue><AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Manager_Role</PolicySetIdReference></PolicySet><Policy PolicyId="default_deny" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Description>
Default Deny policy
</Description><Target/><Rule RuleId="deny_all" Effect="Deny"/></Policy></PolicySet>
tail: policySet.xml: file truncated
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
<Target />
<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides" PolicyId="permit-all" Version="1.0">
<Target />
<Rule Effect="Permit" RuleId="permit-all" />
</Policy>
</PolicySet>

The red coloured part is the value before I make the update, the blue coloured part is after the update is executed, and the green coloured part is the problem part.

Do you have any idea why the policy file is reverted to the original value automatically?


We believe that in SecurityDomain.java, the setPolicySet method has a problem with its finally block:

public void setPolicySet(PolicySet policySet) throws IOException, JAXBException
{
    // before changing policy, backup current policy
    FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);
    final Marshaller marshaller;
    try
    {
        marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller();
        marshaller.setSchema(authzApiSchema);
        marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING);
        marshaller.marshal(policySet, policySetFile);
    } catch (JAXBException e)
    {
        // Replace back with backup in case the file is corrupted due to this exception
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
        throw new JAXBException("Error marshalling new domain policy to file: " + this.policySetFile.getAbsolutePath(), e);
    }

    // try updating PDP with new policy
    try
    {
        // TODO: optimization: load policy directly from PolicySet arg (requires changing
        // Sunxacml StaticPolicyFinderModule code)
        updatePDP(true, null);
    } finally
    {
        // runs whether or not updatePDP() succeeded, so the backup
        // always overwrites the freshly written policy file
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
    }
}

The issue is that they put the backup file back although everything was OK. My assumption is that there should be a catch instead of finally?



We reported the issue 10 days ago and recently got a response from Mr Cyril that we need to write to this email?! Also Mr Cyril asked for an XML file dump (not sure why); we put it below.




<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://thalesgroup.com/authzforce/pdp/model/2014/12" PolicySetId="default" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Target/><Policy PolicyId="permit-all" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Target/><Rule RuleId="deny-all" Effect="Deny"/></Policy></PolicySet>



Hopefully we will get support ASAP,

Best Regards,
Dino
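
Dino's proposal above, restoring the backup in a catch rather than a finally, written out as an added example; this is neither the thread's code nor AuthzForce's actual fix, and it assumes updatePDP declares only the IOException and JAXBException that setPolicySet already declares (needed for the rethrow).

```java
// Added example (not from the thread, not AuthzForce's fix): setPolicySet with the
// rollback moved from finally into catch blocks, so the backup is restored only
// when a step fails. Needs javax.xml.bind.{Marshaller,JAXBException},
// java.io.IOException and org.apache.commons.io.FileUtils, as the original does.
public void setPolicySet(PolicySet policySet) throws IOException, JAXBException
{
    // before changing policy, backup current policy
    FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);

    try
    {
        final Marshaller marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller();
        marshaller.setSchema(authzApiSchema);
        marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING);
        marshaller.marshal(policySet, policySetFile);
    } catch (final JAXBException e)
    {
        // marshalling failed part-way: the file may be corrupt, so roll it back
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
        throw new JAXBException("Error marshalling new domain policy to file: " + this.policySetFile.getAbsolutePath(), e);
    }

    // try updating PDP with new policy
    try
    {
        updatePDP(true, null);
    } catch (final Exception e)
    {
        // PDP rejected the new policy: roll back so the file on disk matches the
        // policy the PDP is still enforcing, then rethrow (Java 7 precise rethrow;
        // assumes updatePDP declares only IOException/JAXBException, as this method does)
        FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
        throw e;
    }
    // success: no rollback, the new policy stays on disk and is what GET returns
}
```

With this version the tail -f run quoted above should show a single "file truncated" line per update, with the new PolicySet remaining in the file afterwards.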



---------- Forwarded message ----------
From: DANGERVILLE Cyril <cyril.dangerville at thalesgroup.com>
Date: Wed, Mar 18, 2015 at 3:24 PM
Subject: RE: FIWARE Authorization PDP Issue - PolicySet.xml revert to old version after update
To: "dino at eloptico.com" <dino at eloptico.com>

Hello Dino,
Sorry for the delay. For such Authzforce technical issues, could you please re-submit your request to the following tech support mailing list?
fiware-tech-help at lists.fi-ware.org

Please also attach the full policyset.xml you used to produce the bug, so that I can easily reproduce it. Thank you.

Regards,
Cyril

--
Cyril DANGERVILLE, Thales Services
FIWARE Phase II
WP1.7 Security (WPA)
Authorization PDP (ex-Access Control) GE Owner



From: notifications at typeform.com
Sent: Monday, 9 March 2015 11:57
To: cyril.dangerville at thalesgroup.com
Subject: Typeform: New request to FIWARE.AzPDP.Contact

Your typeform FIWARE.AzPDP.Contact has a new entry. Here are the results:

 *   Please describe the use case for which you intend to use the FIWARE Authorization PDP.
We use the Authorization PDP to manage policies (which we later use in Access Control)


 *   What type of service do you want to control access to? (Protocol, API... e.g. HTTP/REST)
HTTP REST


 *   You can now formulate your request, at last :)
We have a problem with the PAP PolicySet update: when I make a request to update the PolicySet I get response OK and the new PolicySet works fine, but when I try to get the PolicySet I get the old PolicySet back.

To check what the problem is I tried to tail the PolicySet XML file directly in the file system and saw the file reverted to the old version after the regular file update.
This is the dump from tail:

tail -f policySet.xml
[XML of the original "default" PolicySet (PolicySetId="default" Version="1.0", ordered-permit-overrides); the markup was stripped by the mail archive, the full dump is quoted earlier in this message]

## after update happens (we call the REST service):

tail: policySet.xml: file truncated
[XML of the new PolicySet: RBAC Policy, Employee Role PolicySet, Manager Role PolicySet, Default Deny policy; markup stripped]

## after update is done we see that somehow the file is back to the original version:

tail: policySet.xml: file truncated
[XML of the original "default" PolicySet again; markup stripped]

To complete, please give me some contact information so that we can get back to you.

 *   Your full name (last name last):
Dino Osmanovic


 *   Your email address:
dino at eloptico.com


 *   Name of your organization (company, institution, etc.):
eLoptico ApS


 *   Your job function  (especially in relation to FIWARE):
CTO



Have a nice day :)
Team Typeform



--
Kind regards,

Dino Osmanovic
eLoptico.com | tech co-founder

Mobile: +387 61 216 927
Web: www.eloptico.com
E-mail: dino at eloptico.com




_______________________________________________
Fiware-tech-help mailing list
Fiware-tech-help at lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-tech-help



--


Miguel Carrillo Pacheco
Telefónica Investigación y Desarrollo
Distrito Telefónica, Edificio Oeste 1, Planta 6
Ronda de la Comunicación S/N, 28050 Madrid (Spain)
Tel: (+34) 91 483 26 77
e-mail: miguel.carrillopacheco at telefonica.com

Follow FIWARE on the net
  Website:  http://www.fiware.org
  Facebook: https://www.facebook.com/eu.fiware
  Twitter:  http://twitter.com/Fiware
  LinkedIn: https://www.linkedin.com/groups/FIWARE-4239932
