[midPoint] End User Role -- Permission denied for reading resource account
Florin. Stingaciu
fstingaciu at mirantis.com
Wed May 25 22:03:21 CEST 2016
Here's the full stack trace for loading the "Profile" page for a user that
only contains an account on the problematic resource:
http://pastebin.com/cthMLBY2
Also what the GUI looks like: http://i.imgur.com/4qfzzcH.png
I believe these are the relevant lines from the trace:
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll
])
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase REQUEST
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase REQUEST
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials
])
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials
])
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
])
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
])
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase REQUEST
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ search
pre-process: principal=pwmproxy, operation=
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
default deny
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll
])
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase EXECUTION
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase EXECUTION
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials
])
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials
])
2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
])
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
])
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase EXECUTION
2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ search
pre-process: principal=pwmproxy, operation=
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
default deny
Also, if this is at all relevant, all of these accounts were created via
the RESTful API. I've done this on numerous other deployments but never
experienced this issue. Please let me know if there's anything further I
could provide.
Thanks,
-F
On Wed, May 25, 2016 at 11:29 AM, Florin. Stingaciu <fstingaciu at mirantis.com> wrote:
> Here's a pastebin with the End User role: http://pastebin.com/hufRebnK
>
> I just tried the same action within my dev environment (the account has
> groups as well), using this exact same role, and everything worked fine.
> This leads me to believe there might be a different issue here?
>
> Thanks,
> -F
>
> On Wed, May 25, 2016 at 11:15 AM, Florin. Stingaciu <fstingaciu at mirantis.com> wrote:
>
>> Hey Ivan,
>>
>> Yes, indeed. This other account does reference groups. I'm assuming this
>> means there's an authorization action for reading groups?
>>
>> The end user role is just the default one that comes with midpoint. I'm
>> using version 3.3.1.
>>
>> Thanks,
>> -F
>>
>> On Wed, May 25, 2016 at 11:10 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi Florin,
>>>
>>> Is the other account referencing any associations (groups), if you open
>>> the same user as administrator? Most of the time this was my problem, if I
>>> did not have a good End User role.
>>>
>>> Which midPoint version is this?
>>>
>>> Ivan
>>>
>>>
>>> On 05/25/2016 07:09 PM, Florin. Stingaciu wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to use the End User role to allow users to login and verify
>>> their accounts. The definition for the End User role is the default
>>> definition, however when I log in as an End User, one of two of my
>>> resources fails to load with the following error:
>>>
>>> 2016-05-25 17:05:17,699 [] [http-bio-8443-exec-2] ERROR
>>> (com.evolveum.midpoint.web.page.admin.PageAdminFocus): Couldn't load
>>> account, reason: Access denied (class
>>> com.evolveum.midpoint.util.exception.AuthorizationException)
>>>
>>> I've used the End User role before without ever having any issues, and
>>> the fact that it loads the other resource just fine is making me a little
>>> worried. Any guidance would be greatly appreciated.
>>>
>>> Thanks,
>>>
>>> -F
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>> Ing. Ivan Noris
>>> Senior Identity Management Engineer & IDM Architect
>>> evolveum.com evolveum.com/blog/
>>> ___________________________________________________
>>> "Semper ID(e)M Vix."
>>>
>>
>
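An added example for reading traces like the one quoted in this thread; it is not code from the thread or from midPoint. The archive wraps each SecurityEnforcerImpl TRACE record across several lines, which makes the evaluation sequence hard to follow by eye. The script below re-joins the wrapped records, pairs every "Evaluating authorization" line with the reason the enforcer gave for rejecting it (wrong operation, or wrong phase), and extracts the final "default deny" decision together with the principal and operation it applies to. The record shapes are taken from the trace above; the embedded sample is a constructed excerpt in the same shape, and the regular expressions are an assumption based only on those quoted lines, not on midPoint's logger source.

```python
import re

# Constructed sample: a short excerpt shaped like the SecurityEnforcerImpl TRACE
# records quoted in the thread, wrapped across lines as the list archive shows them.
SAMPLE_TRACE = """\
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll
])
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
not applicable for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
authorization [
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
])
2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Authorization
is not applicable for phase REQUEST
2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ search
pre-process: principal=pwmproxy, operation=
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
default deny
"""

# A new record begins with a log4j-style timestamp; any other line is a wrapped
# continuation of the previous record. (Assumed from the quoted lines.)
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
EVALUATING = re.compile(r"Evaluating authorization \[\s*(\S+)\s*\]\)")
NOT_OPERATION = re.compile(r"Authorization not applicable for operation\s+(\S+)")
NOT_PHASE = re.compile(r"Authorization is not applicable for phase (\w+)")
DECISION = re.compile(
    r"AUTZ search pre-process: principal=(\S+?), operation=\s*(\S+):\s*(.+)$"
)


def short_name(uri: str) -> str:
    """Reduce an authorization action URI to its fragment, e.g. '...#read' -> 'read'."""
    return uri.rsplit("#", 1)[-1]


def join_wrapped_records(text: str) -> list:
    """Glue archive-wrapped continuation lines back onto their record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records:  # continuation of the previous record
            records[-1] += " " + line.strip()
    return records


def summarize_authz(text: str) -> dict:
    """Pair each evaluated authorization with the enforcer's rejection reason
    and collect the final decisions (principal, operation, outcome)."""
    evaluated = []   # (action, reason it did not apply), in trace order
    decisions = []
    pending = None   # action currently being evaluated
    for record in join_wrapped_records(text):
        m = EVALUATING.search(record)
        if m:
            pending = short_name(m.group(1))
            continue
        m = NOT_OPERATION.search(record)
        if m and pending:
            evaluated.append((pending, f"does not cover operation {short_name(m.group(1))}"))
            pending = None
            continue
        m = NOT_PHASE.search(record)
        if m and pending:
            evaluated.append((pending, f"not applicable in phase {m.group(1)}"))
            pending = None
            continue
        m = DECISION.search(record)
        if m:
            decisions.append({
                "principal": m.group(1),
                "operation": short_name(m.group(2)),
                "decision": m.group(3).strip(),
            })
    return {"evaluated": evaluated, "decisions": decisions}


def explain(summary: dict) -> list:
    """Render the summary as one line per finding, suitable for a ticket or chat."""
    lines = [f"{action}: {reason}" for action, reason in summary["evaluated"]]
    for d in summary["decisions"]:
        lines.append(
            f"{d['decision'].upper()} for principal {d['principal']} on {d['operation']}: "
            "no evaluated authorization matched this operation"
        )
    return lines


if __name__ == "__main__":
    for line in explain(summarize_authz(SAMPLE_TRACE)):
        print(line)
```

Run against the full pastebin trace, the output makes the pattern in the quoted excerpt explicit: the `selfAll`, `changeCredentials` and `modify` authorizations are rejected because they do not cover the `read` operation, the `read` authorizations are rejected because they are bound to a different phase than the one being checked, and with nothing left to match the enforcer falls through to `default deny` for `pwmproxy`. That is the list to compare against the authorizations in the End User role pastebin when deciding which object the role fails to grant `read` on.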