[midPoint] End User Role -- Permission denied for reading resource account
Ivan Noris
ivan.noris at evolveum.com
Thu May 26 09:42:30 CEST 2016
Hi Florin,
I can't see anything about the actual access denial yet.
Could you share the whole log?
Also, what exception do you see after clicking "Show more" on the
account that is not displayed? Can you also copy/paste it with the stack trace?
I also have another question: are there any tasks related to this user?
Are you using workflow?
Thanks,
regards,
Ivan
On 05/25/2016 10:03 PM, Florin. Stingaciu wrote:
> Here's the full stack trace for loading the "Profile" page for a user
> that only contains an account on the problematic
> resource: http://pastebin.com/cthMLBY2
>
> Also what the GUI looks like: http://i.imgur.com/4qfzzcH.png
>
> I believe these are the relevant lines from the trace:
>
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll])
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase REQUEST
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase REQUEST
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials])
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials])
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify])
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify])
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase REQUEST
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ
> search pre-process: principal=pwmproxy,
> operation=http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
> default deny
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll])
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase EXECUTION
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase EXECUTION
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials])
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials])
> 2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify])
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify])
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase EXECUTION
> 2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ
> search pre-process: principal=pwmproxy,
> operation=http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
> default deny
>
> Also, if this is at all relevant, all of these accounts were created
> via the RESTful API. I've done this on numerous other deployments but
> never experienced this issue. Please let me know if there's anything
> further I could provide.
>
> Thanks,
> -F
>
> On Wed, May 25, 2016 at 11:29 AM, Florin. Stingaciu
> <fstingaciu at mirantis.com <mailto:fstingaciu at mirantis.com>> wrote:
>
> Here's a pastebin with the End User
> role: http://pastebin.com/hufRebnK
>
> I just tried the same action within my dev environment (the
> account has groups as well), using this exact same role, and
> everything worked fine. This leads me to believe there might be a
> different issue here?
>
> Thanks,
> -F
>
> On Wed, May 25, 2016 at 11:15 AM, Florin. Stingaciu
> <fstingaciu at mirantis.com <mailto:fstingaciu at mirantis.com>> wrote:
>
> Hey Ivan,
>
> Yes, indeed. This other account does reference groups. I'm
> assuming this means there's an authorization action for
> reading groups?
>
> The end user role is just the default one that comes with
> midpoint. I'm using version 3.3.1.
>
> Thanks,
> -F
>
> On Wed, May 25, 2016 at 11:10 AM, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
> Hi Florin,
>
> Is the other account referencing any associations
> (groups) if you open the same user as administrator? Most
> of the time this was my problem, when I did not have a good End
> User role.
>
> Which midPoint version is this?
>
> Ivan
>
>
> On 05/25/2016 07:09 PM, Florin. Stingaciu wrote:
>> Hello,
>>
>> I'm trying to use the End User role to allow users to
>> log in and verify their accounts. The definition for the
>> End User role is the default definition; however, when I
>> log in as an End User, one of my two resources fails
>> to load with the following error:
>>
>> 2016-05-25 17:05:17,699 [] [http-bio-8443-exec-2] ERROR
>> (com.evolveum.midpoint.web.page.admin.PageAdminFocus):
>> Couldn't load account, reason: Access denied (class
>> com.evolveum.midpoint.util.exception.AuthorizationException)
>>
>> I've used the End User role before without ever having
>> any issues, and the fact that it loads the other resource
>> just fine is making me a little worried. Any guidance
>> would be greatly appreciated.
>>
>> Thanks,
>>
>> -F
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
> ___________________________________________________
> "Semper ID(e)M Vix."
>
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
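An added diagnostic aid for reading traces like the one Florin pasted; this is not code from the thread, from midPoint or from Evolveum. The script parses SecurityEnforcerImpl TRACE output as it appears in a quoted mail (the `> ` prefixes and wrapped lines included), re-joins each log entry, and reports for every authorization the enforcer evaluated why it was discarded (action mismatch or phase mismatch) and the final default-deny decision with its principal and operation. The regular expressions are derived only from the message shapes visible in this thread; the sample input is a constructed subset of the quoted trace, and the `AUTZ search pre-process ... default deny` line is read as the point where no authorization matched.

```python
"""Summarise midPoint SecurityEnforcerImpl TRACE output (added example, not midPoint code)."""
import re
from collections import Counter, defaultdict

# Message shapes below are taken from the trace quoted in this thread.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
EVALUATING = re.compile(r"Evaluating authorization \[(?P<action>\S+?)\]\)")
NOT_FOR_OP = re.compile(r"Authorization not applicable for operation (?P<op>\S+)")
NOT_FOR_PHASE = re.compile(r"Authorization is not applicable for phase (?P<phase>\w+)")
DEFAULT_DENY = re.compile(
    r"AUTZ search pre-process: principal=(?P<principal>\S+?), "
    r"operation=(?P<op>\S+): default deny"
)

# Constructed sample: a subset of the quoted trace, kept in its mail-wrapped form.
SAMPLE = """\
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll])
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization not applicable for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating
> authorization
> [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
> 2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
> Authorization is not applicable for phase REQUEST
> 2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE
> (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ
> search pre-process: principal=pwmproxy,
> operation=http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read:
> default deny
"""


def split_entries(text):
    """Strip mail quoting and re-join wrapped continuation lines into one entry per log record."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def analyze(text):
    """Pair each 'Evaluating authorization' entry with the reason it was discarded."""
    result = {"evaluations": [], "decision": "unknown", "principal": None, "operation": None}
    pending = None  # action of the authorization currently being evaluated
    for entry in split_entries(text):
        m = EVALUATING.search(entry)
        if m:
            pending = m.group("action")
            continue
        m = NOT_FOR_OP.search(entry)
        if m and pending:
            result["evaluations"].append((pending, "operation", m.group("op")))
            pending = None
            continue
        m = NOT_FOR_PHASE.search(entry)
        if m and pending:
            result["evaluations"].append((pending, "phase", m.group("phase")))
            pending = None
            continue
        m = DEFAULT_DENY.search(entry)
        if m:
            result["decision"] = "default deny"
            result["principal"] = m.group("principal")
            result["operation"] = m.group("op")
    return result


def summarize(result):
    """Render the analysis as a short, human-readable report."""
    by_action = defaultdict(Counter)
    for action, kind, detail in result["evaluations"]:
        by_action[action][f"{kind} mismatch ({detail.rsplit('/', 1)[-1]})"] += 1
    lines = []
    for action, reasons in by_action.items():
        lines.append(f"{action.rsplit('/', 1)[-1]}:")
        for reason, n in reasons.items():
            lines.append(f"    discarded {n}x: {reason}")
    if result["decision"] == "default deny":
        lines.append(
            f"No authorization matched -> default deny for principal "
            f"{result['principal']} on {result['operation'].rsplit('/', 1)[-1]}"
        )
    else:
        lines.append("No default-deny line found in this excerpt")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(analyze(SAMPLE)))
```

Run it against the full pasted trace (the pastebin content or the quoted mail text) and the report shows which authorizations of the End User role were considered, whether each fell out on the action or on the phase, and for which principal and operation the enforcer finally fell through to default deny; that is the information needed to decide whether the role is missing a read authorization for the shadow or only has one restricted to the wrong phase.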