[midPoint-git] [Evolveum/midpoint] 8ddadd: Add PoC of "run as task template owner" feature

mederly noreply at github.com
Sat Mar 27 13:11:47 CET 2021


  Branch: refs/heads/experiment/mid-6913
  Home:   https://github.com/Evolveum/midpoint
  Commit: 8ddadd1ffea272cc68b11b2ecae44fed2d4ac637
      https://github.com/Evolveum/midpoint/commit/8ddadd1ffea272cc68b11b2ecae44fed2d4ac637
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2021-03-27 (Sat, 27 Mar 2021)

  Changed paths:
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
    M infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
    M infra/schema/src/main/resources/xml/ns/public/model/extension-3.xsd
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/BaseActionExecutor.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ExecuteScriptExecutor.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/NotifyExecutor.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/scripting/AbstractBasicScriptingTest.java
    A model/model-intest/src/test/resources/scripting/role-operator.xml
    M model/model-intest/src/test/resources/scripting/scripting-users-in-background-task.xml
    A model/model-intest/src/test/resources/scripting/user-operator.xml

  Log Message:
  -----------
  Add PoC of "run as task template owner" feature

When a task template is instantiated, the identity of the currently
logged-in user is used as the task owner for the newly created task. This is
clearly the safest approach.

However, there can be situations where this restriction is too strong.
One of those is described in MID-6913. Unfortunately, lifting this
restriction in a secure way is not a simple thing, as it requires
deep consideration of the effects on midPoint security model.

This commit provides a proof of concept for the idea of running
tasks created from templates under the identity of the task template
owner.

To enable this feature the following must be done:

1) The feature must be enabled in system configuration by setting
internals/enableRunAsTaskTemplateOwnerAuthorization to true.

2) Any user that needs to run tasks under template owners must have
the #runAsTaskTemplateOwner authorization granted.

3) Any task template that allows running under its owner must have
mext:useTaskTemplateOwner extension property set to true.

After these conditions are met, the newly instantiated task is created
with the ownerRef pointing to the template owner. The original user
identity is preserved in mext:taskTemplateExecutionInitiatorRef
extension item. It is the responsibility of the deployer to set up
e.g. custom auditing properties to properly audit this information.

Final note: All of the code is EXPERIMENTAL and, at the same time,
deprecated since its inception. Do not consider any of the code
as something more than a PoC that will disappear sooner or later
from midPoint. I assume it will be replaced by a serious approach
in the future.

Unrelated change:
- The custom code execution in the execute-script action as well as in
the notify action with a custom notifier required the #all authorization. This
was changed to #executeCustomCode. Actually this is not needed for
the new feature; it is used for testing it. But it looks like a good
idea.
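The three pieces the commit message requires, written out as midPoint objects. This is an added example, not code from the commit or from the midPoint repository: the element and authorization names are the ones the message states, while the namespace URIs, the object shapes and the OIDs (placeholders) are assumptions that follow usual midPoint conventions.

```xml
<!-- Added example, not part of the commit. Namespace URIs, object shapes and
     OIDs are assumptions; only the setting, authorization and extension item
     names come from the commit message. -->

<!-- 1) System configuration: turn the experimental feature on. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     oid="00000000-0000-0000-0000-000000000001">
    <name>SystemConfiguration</name>
    <internals>
        <!-- internals/enableRunAsTaskTemplateOwnerAuthorization, off unless set -->
        <enableRunAsTaskTemplateOwnerAuthorization>true</enableRunAsTaskTemplateOwnerAuthorization>
    </internals>
</systemConfiguration>

<!-- 2) Role for operators who instantiate templates but must not become the
        task owner themselves. Keep this role narrow: it lets its holders run
        work under another identity. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-OID-ROLE-OPERATOR">
    <name>Operator</name>
    <authorization>
        <!-- Action URI namespace is assumed to be the usual authorization-model-3 one. -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runAsTaskTemplateOwner</action>
    </authorization>
</role>

<!-- 3) Task template that opts in. Its ownerRef (a more privileged account)
        becomes the owner of every task instantiated from it, so review who
        may modify this template as carefully as the role above. -->
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
      oid="PLACEHOLDER-OID-TASK-TEMPLATE">
    <name>Template run as owner</name>
    <extension>
        <mext:useTaskTemplateOwner>true</mext:useTaskTemplateOwner>
    </extension>
    <ownerRef oid="PLACEHOLDER-OID-PRIVILEGED-USER" type="c:UserType"/>
    <!-- Handler and work definition omitted; they are unchanged by this feature. -->
</task>
```

Once all three are in place, a task instantiated from the template carries `ownerRef` pointing at the template owner and `mext:taskTemplateExecutionInitiatorRef` pointing at the operator who actually triggered it. Because the standard audit records show the owner, the initiator reference is the value to surface in custom audit properties or reports; without that, the audit trail attributes the operator's action to the template owner.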
