Project

General

Profile

Bug #3998

Log Aggregation is not handling equivalent identities correctly

Added by Robert Waltz over 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
d1_log_aggregation
Target version:
Start date:
2014-09-25
Due date:
2014-10-17
% Done:

100%

Milestone:
CCI-1.4
Product Version:
*
Story Points:
Sprint:

Description

Ci Logon certs will have equivalent identities embedded in them. The solr extensions project should review the equivalent identities in the cert to query against the aggregation index.

The aggregation aggregation LogAccessRestriction.subjectsAllowedRead will need to be updated to include non DN or non-valid D1 constants subject name. (already changed on line 50, review rest of code -rpw)

Class is called SessionAuthUtil in solr extension project. use addAuthSubjectstorequest method. It supposed to do identity extensions.


Subtasks

Task #6479: update SessionAuthorizationUtils to handle nonStandardizable Subject valuesClosedRob Nahf

Task #6481: update aggregation index to include non X500 compatible subjectsRejectedRob Nahf

Task #6501: review and update ability to store non-RFC2253 compliant subjects in the index.ClosedRob Nahf


Related issues

Related to Infrastructure - Story #6500: CCI 1.4.1 Release Closed 2014-10-08 2014-10-17

History

#1 Updated by Robert Waltz over 10 years ago

  • Description updated (diff)

#2 Updated by Robert Waltz over 10 years ago

  • Target version changed from 2013.44-Block.6.1 to 2014.8-Block.1.4
  • Due date changed from 2013-11-09 to 2014-03-01

#3 Updated by Robert Waltz about 10 years ago

  • Due date changed from 2014-03-01 to 2014-04-26
  • Target version changed from 2014.8-Block.1.4 to 2014.16-Block.2.4

#4 Updated by Robert Waltz about 10 years ago

  • Milestone changed from CCI-1.2 to CCI-1.3
  • Description updated (diff)

#5 Updated by Robert Waltz over 9 years ago

  • Start date deleted (2013-09-24)
  • Milestone changed from CCI-1.3 to CCI-1.4
  • Due date deleted (2014-04-26)
  • Target version deleted (2014.16-Block.2.4)

#6 Updated by Robert Waltz over 9 years ago

  • Product Version changed from * to 1.4.0

#7 Updated by Robert Waltz over 9 years ago

  • Target version set to Release Backlog
  • Product Version changed from 1.4.0 to *
  • Due date set to 2014-09-04
  • Start date set to 2014-09-04

#8 Updated by Robert Waltz over 9 years ago

  • Due date changed from 2014-09-04 to 2014-09-24
  • Target version changed from Release Backlog to CCI-1.4.1

#9 Updated by Robert Waltz over 9 years ago

  • Assignee changed from Robert Waltz to Rob Nahf

#10 Updated by Robert Waltz over 9 years ago

  • Target version changed from CCI-1.4.1 to CCI-1.4.2

#11 Updated by Rob Nahf over 9 years ago

updated the SessionAuthorizationUtils in d1_cn_index_extensions to handle the RTE from CertificateManager (see #6479). I don't have a way to test it, so will rely on Jenkins…

By accepting these non-X500 compatible subject strings, the index should add them automagically along with the others. (There isn't an expanded character set or anything…) So, maybe the only thing left is updating the existing aggregatedLogs in Solr to include those types of subjects. However, those log records may never have been recorded if Runtime Ecxeptions were being thrown.

#12 Updated by Rob Nahf over 9 years ago

  • Status changed from New to In Progress

#13 Updated by Rob Nahf over 9 years ago

  • Description updated (diff)
  • Due date changed from 2014-09-25 to 2014-09-26

#14 Updated by Robert Waltz over 9 years ago

  • Target version changed from CCI-1.4.2 to CCI-1.4.1

#15 Updated by Rob Nahf over 9 years ago

  • Due date changed from 2014-10-02 to 2014-10-17

#16 Updated by Rob Nahf over 9 years ago

  • Status changed from In Progress to Testing

just need to tag and release.

#17 Updated by Rob Nahf over 9 years ago

  • Status changed from Testing to Closed

new log events in staging environment against an object with null appear in the logsolr index, so confirm the new desired behavior (allowing subjects that aren't x509 DN formatted).

root@cn-stage-ucsb-1:/etc/dataone/client/private# curl --trace curl.out --cert /etc/dataone/client/private/urn_node_cnStageUCSB1.pem --cacert /etc/ssl/certs/DataONERootCA.crt "https://cn-stage-ucsb-1.test.dataone.org/cn/v1/query/logsolr/select?q=id:\"urn\:node\:cnStageUCSB1\.480691\""

<?xml version="1.0" encoding="UTF-8"?>

01id:"urn:node:cnStageUCSB1.480691"71463285512149327881225AlbuquerqueUnited States2014-11-05T19:09:06.535Z2014-11-04T20:12:58.339Z1900-01-01T00:00:00Z480691reademl://ecoinformatics.org/eml-2.0.1METADATA99w9wh9whp9whpm9whpmw9whpmwp9whpmwpn9whpmwpndurn:node:cnStageUCSB1.480691174.56.61.185false35.0585, -106.6236urn:node:cnStageUCSB1doi:10.6085/AA/SRKX00_XXXIBTNXMBR12_20110616.50.1nullCN=data-managers,O=PISCOGROUPS,DC=ecoinformatics,DC=orgCN=pisco-intertidal-write,O=PISCOGROUPS,DC=ecoinformatics,DC=orgNew Mexiconull16096CN=Robert Nahf A579,O=Google,C=US,DC=cilogon,DC=orgN/A

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)