Description
Too much security, too much. Running the execute-script action from a task requires #all autz. This makes kinda sense, since a groovy script can be misused to call arbitrary java code and undermine mp's security model. On the other hand, such a limitation prohibits launching a custom action task for non-superusers. E.g. a popular action task for helpdesk operators would be Reset AD password. We need a little groovy script for that.
So how to fix this?
- Preferably introduce a runAsRef option, and the script has to have access to the original actor name. The audit log should mention the original actor too.
- Or maybe better, introduce an authorized=true option, telling mp that no autz has to be checked and that the script handles authorization on its own.
- Interestingly, running a task template does not honor ownerRef and always runs under the real actor. Maybe this should be fixed, so ownerRef is honored, but again, the real actor should be visible to the script and mentioned in the audit log.
The relevant part of the task definition (truncated as in the original report):

    ...
    <extension>
      <scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3">
        <s:action>
          <s:type>execute-script</s:type>
          <s:parameter>
            <s:name>script</s:name>
            <c:value xsi:type="c:ScriptExpressionEvaluatorType">
              <c:code>
                // this requires #all autz
Issue Links
- relates to MID-7831 Authorization error in execution of custom action (Resolved)