ddf.catalog.plugin.StopProcessingException: User is not authorized to create records

[samuel pouchin]

Hi,

I'm actually trying to ingest metacards using ddf 2.8.1 and I have a problem with the catalog-security-ingestplugin.

I have the following Exception :

ddf.catalog.plugin.StopProcessingException: User is not authorized to create records

at ddf.catalog.security.ingest.IngestPlugin.process(IngestPlugin.java:44)

at ddf.catalog.impl.CatalogFrameworkImpl.create(CatalogFrameworkImpl.java:815)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_66]

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_66]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_66]

at java.lang.reflect.Method.invoke(Method.java:497)[:1.8.0_66]

at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)

at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)

at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:132)

When I deactivate this plugin, the metacards ingestion into ddf works good.

I have tried to use this plugin but for now, I don't understand how I can use this plugin or  may be it's just a specific configuration to set ?

I use the "admin" user to login on DDF UIs.

Thanks in advance for your help

Samuel

[Chris Lockard]

Hi Samuel,

Are you trying to ingest via the search ui upload capability? 

By default the IngestPlugin is configured to allow anyone with the role of guest/anonymous (don't know if the anonymous->guest change happened in 2.8.1) to ingest. The admin user should have this role by default. Check the Ingest Securit Plugin configuration in DDF Catalog and make sure it looks something like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest (guest might be replaced anonymous). If it is configured correctly then check the Security STS Guest Claims Handler configuration in DDF Security and make sure it has an entry matching the one in the Ingest Plugin. 

Let me know if those properties lineup and you still can't ingest with the plugin on.

Chris

[samuel pouchin]

Hi,

I don't use the search ui to upload new product in ddf.

Actually I have developped a bundle which is in charge to do this job. 

My application flow is  :

1 - The bundle recovers the data from a database

2 - The bundle creates the metacards associated to thr recoverd data

3- The bundle ingests the created metacards into ddf (All works was good with ddf 2.6.1)

I have checked the Ingest Security Plugin configuration in DDF Catalog and the value configured is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=anonymous

For  STS Guest Claims Handler configuration in DDF Security I have :

- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=anonymous

- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=anonymous

So the config seems to be ok.

Thanks for your help

Samuel

[Chris Lockard]

With the info you provided I think I know what is happening. The IngestPlugin check the thread context for the subject to validate permissions but I am guessing your request from your bundle doesn't have any subject. You can execute your create request using the system subject. An example of how to do this can be found at https://github.com/codice/ddf/blob/master/catalog/content/core/content-core-catalogerplugin/src/main/java/ddf/content/plugin/cataloger/Cataloger.java#L104

Let me know if that works for you.

Chris

[samuel pouchin]

Works good.

Thanks Chris.

[samuel pouchin]

Hi 

I currently use DDF 2.9.0 and I have an issue because the package "ddf.security.common.util.Security" is now deprecated and some function are also unavailable.

Previously in DDF 2.8.2  I used  this code "catalogId = Security.runWithSystemSubjectFallback(callable)" to work with the IngestPlugin.

So my question is, which package I have to use instead of  "ddf.security.common.util.Security" and also which function is equivalent to  "Security.runWithSystemSubjectFallback(callable)"

Thanks

Samuel

[Eric Lessard]

Samuel,

You should be able to use org.codice.ddf.security.common.Security.getInstance().runWithSubjectOrElevate() instead.

Hope this helps.

Eric Lessard

--
You received this message because you are subscribed to the Google Groups "ddf-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ddf-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[samuel pouchin]

Hi,

I have tried "org.codice.ddf.security.common.Security.getInstance().runWithSubjectOrElevate(callable)" instead of "Security.runWithSystemSubjectFallback(callable)" but still  the error "ddf.security.service.SecurityServiceException: Current user doesn't have sufficient privileges to run this command"

Thanks for help

Le mardi 3 mai 2016 20:38:01 UTC-4, Eric Lessard a écrit :

Samuel,

You should be able to use org.codice.ddf.security.common.Security.getInstance().runWithSubjectOrElevate() instead Security.runWithSystemSubjectFallback(callable)

[Scott Tustison]

We restrict elevating to the system Subject has an administrator role, or the thread has a Java Subject with an administrator role. If neither are true, you are not able to elevate to the system subject. This is to protect against someone from easily elevating themselves to the system high set of attributes. It is somewhat dangerous to have your code always elevating to the system Subject. I would recommend using the Guest user account instead. Using the Guest account is much safer, when no other Subject is available, since that user does not have privileges to modify the configuration of the system. We have some examples of where we use that user in the baseline:

https://github.com/codice/ddf/blob/f4d0cde422b5f2b08a94df4565506bdf53edfa9f/platform/security/interceptor/security-interceptor-guest/src/main/java/org/codice/ddf/security/interceptor/GuestInterceptor.java#L214

Scott

[samuel pouchin]

Hi,

First, Eric, Scott thanks for yours answers.

I have created a new subject according to this link https://github.com/codice/ddf/blob/f4d0cde422b5f2b08a94df4565506bdf53edfa9f/platform/security/interceptor/security-interceptor-guest/src/main/java/org/codice/ddf/security/interceptor/GuestInterceptor.java#L214

But I'm still not able to update a metacard.

Below the DDF stacktrace

org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [Guest IP: 192.168.255.157; realm: karaf].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).

at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)[207:org.apache.shiro.core:1.2.4]

at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)[207:org.apache.shiro.core:1.2.4]

at ddf.security.service.impl.SecurityManagerImpl.getSubject(SecurityManagerImpl.java:101)[250:security-core-impl:2.9.0]

at ddf.security.service.impl.SecurityManagerImpl.getSubject(SecurityManagerImpl.java:78)[250:security-core-impl:2.9.0]

at csd.ddf.mapper.Mapper.getSubject(Mapper.java:590)[454:csd-to-ddf-client-osgi:0.0.2]

at csd.ddf.mapper.Mapper.handleStandingQueryEventRecieved(Mapper.java:464)[454:csd-to-ddf-client-osgi:0.0.2]

at csd.queries.standing.CSDstandingQueryListener.standingQueryEventRecieved(CSDstandingQueryListener.java:137)[454:csd-to-ddf-client-osgi:0.0.2]

at ca.dnd.lsec.isra.api.StandingQueryAbstractResult.generateEvent(StandingQueryAbstractResult.java:389)[454:csd-to-ddf-client-osgi:0.0.2]

at ca.dnd.lsec.isra.api.StandingQueryAbstractResult.access$300(StandingQueryAbstractResult.java:75)[454:csd-to-ddf-client-osgi:0.0.2]

at ca.dnd.lsec.isra.api.StandingQueryAbstractResult$StandingQueryCallback._notify(StandingQueryAbstractResult.java:158)[454:csd-to-ddf-client-osgi:0.0.2]

at ca.dnd.lsec.isra.idl.CB.CallbackPOA._invoke(CallbackPOA.java:40)[454:csd-to-ddf-client-osgi:0.0.2]

at com.sun.corba.se.impl.protocol.CorbaServerRequestDispatcherImpl.dispatchToServant(CorbaServerRequestDispatcherImpl.java:654)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:205)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1700)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1558)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:940)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:198)[:1.8.0_66]

at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:712)[:1.8.0_66]

at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.dispatch(SocketOrChannelConnectionImpl.java:471)[:1.8.0_66]

at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.doWork(SocketOrChannelConnectionImpl.java:1230)[:1.8.0_66]

at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.performWork(ThreadPoolImpl.java:490)[:1.8.0_66]

at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:519)[:1.8.0_66]

Caused by: java.lang.IllegalStateException: Configuration error:  No realms have been configured!  One or more realms must be present to execute an authentication attempt.

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.assertRealmsConfigured(ModularRealmAuthenticator.java:161)[207:org.apache.shiro.core:1.2.4]

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:264)[207:org.apache.shiro.core:1.2.4]

Thanks for your help

Samuel

[Scott Tustison]

Are you able to log into the Admin Console or the Search UI? That error indicates that you don't have any authentication realms configured, which means the system is not in a good state. Did you grab the SecurityManager service reference? Trying to just "new SecurityManagerImpl()" would also give you this error.

Scott

[samuel pouchin]

Scott,

Thanks for your help, previously I was using new SecurityManagerImpl()

Now I grab the SecurityManager service reference and its work fine, no more issue.

Thanks

Samuel