Bug #3998
Log Aggregation is not handling equivalent identities correctly
100%
Description
CILogon certs will have equivalent identities embedded in them. The solr extensions project should review the equivalent identities in the cert to query against the aggregation index.
The aggregation LogAccessRestriction.subjectsAllowedRead will need to be updated to include non-DN or non-valid D1 constants subject names. (already changed on line 50, review rest of code -rpw)
The class is called SessionAuthUtil in the solr extension project. Use the addAuthSubjectstorequest method. It is supposed to do identity extensions.
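An added sketch of the behaviour the description asks for, not code from the solr extensions project: the session subject and its equivalent identities are combined into one Solr filter, and subjects that are not X.500 DNs are kept verbatim rather than raising an exception. The class name, the use of `subjectsAllowedRead` as the Solr field name, and the non-DN sample subject are assumptions.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class SubjectFilterExample {
    // Assumed field name, borrowed from the ticket; the real schema may differ.
    static final String READ_FIELD = "subjectsAllowedRead";

    /** DN subjects get a canonical RFC 2253 form; anything else is kept as-is. */
    static String normalize(String subject) {
        try {
            return new X500Principal(subject).getName(X500Principal.RFC2253);
        } catch (IllegalArgumentException notADn) {
            return subject.trim(); // non-DN subject: do not fail, do not drop it
        }
    }

    /** Quote as a Solr phrase so ':', '=', ',' and spaces are matched literally. */
    static String quote(String value) {
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /** Filter matching records readable by the subject or any equivalent identity. */
    static String buildFilter(String primary, List<String> equivalents) {
        Set<String> subjects = new LinkedHashSet<>(); // de-duplicates, keeps order
        subjects.add(normalize(primary));
        for (String s : equivalents) {
            if (s != null && !s.trim().isEmpty()) {
                subjects.add(normalize(s));
            }
        }
        StringBuilder fq = new StringBuilder(READ_FIELD).append(":(");
        String sep = "";
        for (String s : subjects) {
            fq.append(sep).append(quote(s));
            sep = " OR ";
        }
        return fq.append(")").toString();
    }

    public static void main(String[] args) {
        // Constructed input: one DN subject plus a constructed non-DN identity.
        String primary = "CN=Example User A000,O=Example,C=US,DC=cilogon,DC=org";
        List<String> equivalents = List.of(
            "CN=data-managers,O=PISCOGROUPS,DC=ecoinformatics,DC=org",
            "example-group:readers");
        System.out.println(buildFilter(primary, equivalents));
    }
}
```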
History
#1 Updated by Robert Waltz about 11 years ago
- Description updated (diff)
#2 Updated by Robert Waltz almost 11 years ago
- Target version changed from 2013.44-Block.6.1 to 2014.8-Block.1.4
- Due date changed from 2013-11-09 to 2014-03-01
#3 Updated by Robert Waltz over 10 years ago
- Due date changed from 2014-03-01 to 2014-04-26
- Target version changed from 2014.8-Block.1.4 to 2014.16-Block.2.4
#4 Updated by Robert Waltz over 10 years ago
- Milestone changed from CCI-1.2 to CCI-1.3
- Description updated (diff)
#5 Updated by Robert Waltz over 10 years ago
- Start date deleted (2013-09-24)
- Milestone changed from CCI-1.3 to CCI-1.4
- Due date deleted (2014-04-26)
- Target version deleted (2014.16-Block.2.4)
#6 Updated by Robert Waltz over 10 years ago
- Product Version changed from * to 1.4.0
#7 Updated by Robert Waltz about 10 years ago
- Target version set to Release Backlog
- Product Version changed from 1.4.0 to *
- Due date set to 2014-09-04
- Start date set to 2014-09-04
#8 Updated by Robert Waltz about 10 years ago
- Due date changed from 2014-09-04 to 2014-09-24
- Target version changed from Release Backlog to CCI-1.4.1
#9 Updated by Robert Waltz about 10 years ago
- Assignee changed from Robert Waltz to Rob Nahf
#10 Updated by Robert Waltz about 10 years ago
- Target version changed from CCI-1.4.1 to CCI-1.4.2
#11 Updated by Rob Nahf about 10 years ago
Updated the SessionAuthorizationUtils in d1_cn_index_extensions to handle the RTE from CertificateManager (see #6479). I don't have a way to test it, so will rely on Jenkins…
By accepting these non-X500 compatible subject strings, the index should add them automagically along with the others. (There isn't an expanded character set or anything…) So, maybe the only thing left is updating the existing aggregatedLogs in Solr to include those types of subjects. However, those log records may never have been recorded if Runtime Exceptions were being thrown.
#12 Updated by Rob Nahf about 10 years ago
- Status changed from New to In Progress
#13 Updated by Rob Nahf about 10 years ago
- Description updated (diff)
- Due date changed from 2014-09-25 to 2014-09-26
#14 Updated by Robert Waltz about 10 years ago
- Target version changed from CCI-1.4.2 to CCI-1.4.1
#15 Updated by Rob Nahf about 10 years ago
- Due date changed from 2014-10-02 to 2014-10-17
#16 Updated by Rob Nahf about 10 years ago
- Status changed from In Progress to Testing
Just need to tag and release.
#17 Updated by Rob Nahf almost 10 years ago
- Status changed from Testing to Closed
New log events in the staging environment against an object with null appear in the logsolr index, so confirm the new desired behavior (allowing subjects that aren't x509 DN formatted).
root@cn-stage-ucsb-1:/etc/dataone/client/private# curl --trace curl.out --cert /etc/dataone/client/private/urn_node_cnStageUCSB1.pem --cacert /etc/ssl/certs/DataONERootCA.crt "https://cn-stage-ucsb-1.test.dataone.org/cn/v1/query/logsolr/select?q=id:\"urn\:node\:cnStageUCSB1\.480691\""
<?xml version="1.0" encoding="UTF-8"?>
01id:"urn:node:cnStageUCSB1.480691"71463285512149327881225AlbuquerqueUnited States2014-11-05T19:09:06.535Z2014-11-04T20:12:58.339Z1900-01-01T00:00:00Z480691reademl://ecoinformatics.org/eml-2.0.1METADATA99w9wh9whp9whpm9whpmw9whpmwp9whpmwpn9whpmwpndurn:node:cnStageUCSB1.480691174.56.61.185false35.0585, -106.6236urn:node:cnStageUCSB1doi:10.6085/AA/SRKX00_XXXIBTNXMBR12_20110616.50.1nullCN=data-managers,O=PISCOGROUPS,DC=ecoinformatics,DC=orgCN=pisco-intertidal-write,O=PISCOGROUPS,DC=ecoinformatics,DC=orgNew Mexiconull16096CN=Robert Nahf A579,O=Google,C=US,DC=cilogon,DC=orgN/A