MidPoint issue MID-7831

Authorization error in execution of custom action


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.4.1
    • Fix Version/s: 4.8
    • Component/s: Security
    • Labels: None
    • Active subscription

    Description

      If a custom action using the Task Template described below is executed by a non-Super User, an authorization error occurs. I have granted http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript, but the error still occurs.

      https://docs.evolveum.com/midpoint/reference/admin-gui/admin-gui-config/#custom-actions-for-object-lists

      The Task Template is the following file, which is provided as a sample.

      https://github.com/Evolveum/midpoint-samples/blob/master/samples/tasks/templates/task-template-change-description.xml

      Error Log

      local-midpoint-1  | 2022-04-06 12:21:55,074 [] [midPointScheduler_Worker-3] ERROR (com.evolveum.midpoint.security.enforcer.impl.SecurityEnforcerImpl): User ''test001'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all
      local-midpoint-1  | 2022-04-06 12:21:55,088 [REPOSITORY] [midPointScheduler_Worker-3] ERROR (com.evolveum.midpoint.repo.common.activity.run.processing.ItemProcessingGatekeeper): Iterative scripting of object UserType:test002 (test002, b112c9a4-8632-4fbb-8938-9f8bf674189c) failed: You are not authorized to execute 'execute-script' action.
      local-midpoint-1  | com.evolveum.midpoint.util.exception.ScriptExecutionException: You are not authorized to execute 'execute-script' action.
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.actions.BaseActionExecutor.checkRootAuthorization(BaseActionExecutor.java:107)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.actions.ExecuteScriptExecutor.execute(ExecuteScriptExecutor.java:82)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.executeAction(ScriptingExpressionEvaluator.java:205)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.evaluateExpression(ScriptingExpressionEvaluator.java:180)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.evaluateExpression(ScriptingExpressionEvaluator.java:138)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.evaluateExpression(ScriptingExpressionEvaluator.java:111)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.controller.ModelController.evaluateExpression(ModelController.java:2397)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.IterativeScriptingActivityHandler$MyRunSpecifics.executeScriptOnObject(IterativeScriptingActivityHandler.java:121)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.IterativeScriptingActivityHandler$MyRunSpecifics.processItem(IterativeScriptingActivityHandler.java:113)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.scripting.IterativeScriptingActivityHandler$MyRunSpecifics.processItem(IterativeScriptingActivityHandler.java:94)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.SearchBasedActivityRun.processItem(SearchBasedActivityRun.java:456)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.processing.ItemProcessingGatekeeper.doProcessItem(ItemProcessingGatekeeper.java:297)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.processing.ItemProcessingGatekeeper.process(ItemProcessingGatekeeper.java:158)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.processing.ItemProcessingRequest.process(ItemProcessingRequest.java:96)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.processing.ProcessingCoordinator.submit(ProcessingCoordinator.java:113)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.SearchBasedActivityRun.lambda$searchIterative$0(SearchBasedActivityRun.java:501)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.tasks.sources.ModelObjectSource.lambda$searchIterative$0(ModelObjectSource.java:53)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.handlers.ReportingResultHandler.handle(ReportingResultHandler.java:34)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.handlers.CachingResultHandler.handle(CachingResultHandler.java:72)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.sqale.SqaleRepositoryService.executeSearchObjectsIterative(SqaleRepositoryService.java:1014)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.sqale.SqaleRepositoryService.searchObjectsIterative(SqaleRepositoryService.java:945)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.handlers.SearchOpHandler.searchObjectsIterativeInternal(SearchOpHandler.java:269)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.handlers.SearchOpHandler.executeAndCacheSearchIterative(SearchOpHandler.java:230)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.handlers.SearchOpHandler.searchObjectsIterative(SearchOpHandler.java:155)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.cache.RepositoryCache.searchObjectsIterative(RepositoryCache.java:120)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.ModelObjectResolver.searchIterative(ModelObjectResolver.java:192)
      local-midpoint-1  |     at com.evolveum.midpoint.model.impl.tasks.sources.ModelObjectSource.searchIterative(ModelObjectSource.java:48)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.SearchBasedActivityRun.searchIterative(SearchBasedActivityRun.java:503)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.SearchBasedActivityRun.iterateOverItemsInBucket(SearchBasedActivityRun.java:408)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processSingleBucket(IterativeActivityRun.java:410)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processOrAnalyzeOrSkipSingleBucket(IterativeActivityRun.java:370)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.doRun(IterativeActivityRun.java:230)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.runLocally(IterativeActivityRun.java:186)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.LocalActivityRun.runInternal(LocalActivityRun.java:81)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.runTreatingExceptions(AbstractActivityRun.java:253)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.run(AbstractActivityRun.java:215)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskRun.run(ActivityBasedTaskRun.java:82)
      local-midpoint-1  |     at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskHandler.run(ActivityBasedTaskHandler.java:91)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.HandlerExecutor.executeHandler(HandlerExecutor.java:37)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeHandler(TaskCycleExecutor.java:134)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeTaskCycleRun(TaskCycleExecutor.java:127)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeSingleTask(TaskCycleExecutor.java:81)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.execute(TaskCycleExecutor.java:68)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeHandler(JobExecutor.java:156)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeInternal(JobExecutor.java:125)
      local-midpoint-1  |     at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.execute(JobExecutor.java:68)
      local-midpoint-1  |     at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
      local-midpoint-1  |     at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
      

      Cause Analysis

      The owner of the task created from the task template is overridden with the user who executes the custom action.

      https://github.com/Evolveum/midpoint/blob/3f9aa6598e1188581c8d0b0a692fa7c5cea0446c/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java#L3347

      On the other hand, Super User privilege is required to execute the script in the task template.

      https://github.com/Evolveum/midpoint/blob/836a33bc2e84fe9dc5e8e0d37082867d927cdedc/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ExecuteScriptExecutor.java#L82

      Since the custom action executor, which is the owner, is not Super User, it causes the authorization error.

      If the owner of a task created from a task template could be set to Super User, the error would be resolved; on the other hand, losing the information about which user executed the task could be problematic for auditing purposes.

      Alternatively, what about removing the Super User privilege check in ExecuteScriptExecutor? The #executeScript permission check is also currently in place, so is it intentional that an additional Super User permission check is performed?

      People

        h2-wada Hiroyuki Wada