Ticket #218 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Master/Slave assets / ACLs with groups are not functioning

Reported by: Michiel.Schok
Owned by:
Priority: blocker
Milestone: MediaMosa 1.7
Component: Core
Version: 1.7.2
Keywords:
Cc:
MoSCoW:
Estimated time after impact analysis:
Related to project: none
Tested:
Accepted: no
Estimated Hours:

Description

Short version: Now that we have Academia-assets in the VP-Core staging environment that are master/slaved to SURFmedia, we notice that the access control does not work as before. It looks like the Academia.group and @academia.group are not functioning as before.

Long version:
Academia asset 7SdHDBZPZSG6XrYb6tW8qCcv
Access rules for the original mediafile of this asset:

[GET] mediafile/X4GWXEj0Y9H1GIgG4PUzGQl5/acl?user_id=nibgadmin

<items>
    <item id="1">
      <aut_realm>@teleblik.nl</aut_realm>
    </item>
    <item id="2">
      <aut_domain>ACADEMIA.group</aut_domain>
    </item>
    <item id="3">
      <aut_realm>@ACADEMIA.group</aut_realm>
    </item>
    <item id="4">
      <aut_app>4</aut_app>
    </item>
    <item id="5">
      <aut_app>5</aut_app>
    </item>
    <item id="6">
      <aut_app>104</aut_app>
    </item>

The mediafile is correctly set up. Master/slave to SURFmedia (id 5) and others (Teleblik, Edit) and set up with 'ACADEMIA.group' and '@…'

Checking the groups in SURFmedia:

[GET] autorisation_group/ACADEMIA.group/hostname?limit=20

  <items>
    <item id="1">
      <hostname>surfnet.nl</hostname>
    </item>
  </items>

[GET] autorisation_group/@ACADEMIA.group/hostname?limit=20
  <items>
    <item id="1">
      <hostname>@ibuildings.nl</hostname>
    </item>
    <item id="2">
      <hostname>@surfnet.nl</hostname>
    </item>
  </items>

But then, when checking if a user has access to the asset:

query parameter            <granted>  expected  OK?
empty (anonymous user)     FALSE      FALSE
?aut_realm=@teleblik.nl    TRUE       TRUE
?aut_realm=@surfnet.nl     FALSE      TRUE      FAIL
?aut_domain=surfnet.nl     FALSE      TRUE      FAIL

So it looks like master/slave ACLs in combination with domain and realm groups are broken.

Because this functionality is crucial for SURFmedia, this issue is blocking for 1.7 deployment on production, and is therefore immediately placed under Milestone 1.7.
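
The "expected" column of the table above, written as an order-independent model and checked against every ordering of the ACL rows, since the fix note below attributes the bug to the order of the database rows. This is an added example, not MediaMosa code: the function names are hypothetical, and the rule that the slave app must be listed under aut_app and the user must match a realm or domain entry directly or through a group is an assumption taken from the ticket's expectations.

```python
from itertools import permutations

# ACL rows of the mediafile, constructed from the response quoted in the ticket
ACL_ROWS = [
    ("aut_realm", "@teleblik.nl"),
    ("aut_domain", "ACADEMIA.group"),
    ("aut_realm", "@ACADEMIA.group"),
    ("aut_app", 4),
    ("aut_app", 5),
    ("aut_app", 104),
]
# Group membership as returned for SURFmedia (app id 5) in the ticket
GROUPS = {
    "ACADEMIA.group": {"surfnet.nl"},
    "@ACADEMIA.group": {"@ibuildings.nl", "@surfnet.nl"},
}

def is_granted(rows, groups, app_id, aut_realm=None, aut_domain=None):
    """Model of the expected decision (assumption, not MediaMosa's code)."""
    # Collect rows into sets first so the result cannot depend on row order.
    allowed = {"aut_app": set(), "aut_realm": set(), "aut_domain": set()}
    for kind, value in rows:
        allowed[kind].add(value)
    if app_id not in allowed["aut_app"]:
        return False  # slave app is not listed on the master's mediafile
    for kind, claim in (("aut_realm", aut_realm), ("aut_domain", aut_domain)):
        if claim is None:
            continue
        for entry in allowed[kind]:
            # An entry is either a literal value or the name of a group.
            if claim == entry or claim in groups.get(entry, ()):
                return True
    return False  # anonymous, or no rule matched

# The ticket's test matrix: (query parameters, expected <granted>)
MATRIX = [
    ({}, False),
    ({"aut_realm": "@teleblik.nl"}, True),
    ({"aut_realm": "@surfnet.nl"}, True),
    ({"aut_domain": "surfnet.nl"}, True),
]

def failing_cases(app_id=5):
    """Return every (row order, query) whose decision differs from expected."""
    bad = []
    for order in permutations(ACL_ROWS):
        for query, expected in MATRIX:
            if is_granted(order, GROUPS, app_id, **query) != expected:
                bad.append((order, query))
    return bad
```

An empty result from failing_cases() means the decision is the same for all 720 row orderings with three apps and two groups on one mediafile.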

Change History

Changed 3 years ago by robert

Bug has been found and fixed. Bug was caused by a new situation because of a new app and the resulting order of the database rows. All older situations were tested on 1 shared master/slave record with 2 groups on 2 apps. The new buggy situation gave 3 apps and 3 or more groups, which caused an error in our code.

Bug fix will be in the next update later today.

Changed 3 years ago by MC-arjen

  • status changed from new to closed
  • version set to 1.7.2
  • resolution set to fixed

Approved and committed. This patch is released in 1.7.2.
