Bug #7117

Getting a NotAuthorized on read with an object's rights-holder certificate.

Added by Andrei Buium almost 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 2015-05-15
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:

Description

While running CNAuthorizationV1IT from d1_integration, many of the tests fail with a NotAuthorized exception (testSetAccessPolicy() for example).

The call in this case is against:
https://cn-dev-ucsb-1.test.dataone.org/cn/v1/meta/TierTesting:cn-dev-ucsb-1:setAccess.14

The error was:
NotAuthorized: 1400: READ not allowed on TierTesting:cn-dev-ucsb-1:setAccess.14

This seems to happen after metacat's D1NodeService.isAuthorized() returns false, failing to match up the certificate's subject with those allowed access to the object.

Using the testRightsHolder certificate with subject:
DC=org,DC=dataone,CN=testRightsHolder

Note: the object's rights holder subject is saved slightly differently:
CN=testRightsHolder,DC=dataone,DC=org

Also note: The certificate's issuer is:
DC=org,DC=dataone,CN=DataONE Test Intermediate CA
Older certificates had:
DC=org,DC=dataone,CN=DataONE Test CA

History

#1 Updated by Jing Tao almost 9 years ago

  • Target version set to CCI-2.0.0

#2 Updated by Jing Tao almost 9 years ago

For the old certificate which was working, the subject info is:
<?xml version="1.0" encoding="UTF-8"?> CN=testRightsHolder,DC=dataone,DC=org testRightsHolder_givenName testRightsHolder_familyName /d1:subjectInfo

For the new certificate which doesn't work, the subject info is:
<?xml version=1.0 encoding=UTF-8?>CN=testRightsHolder,DC=dataone,DC=orgtestRightsHolder_givenNametestRightsHolder_familyName/d1:subjectInfo

You see, the version and encoding attributes are missing ' or ''.

#3 Updated by Jing Tao almost 9 years ago

I used this command to print out the new certificate:

openssl x509 -in testRightsHolder-1.crt -noout -text

....
1.3.6.1.4.1.34998.2.1:
...!<?xml version=1.0 encoding=UTF-8?>CN=testRightsHolder,DC=dataone,DC=orgtestRightsHolder_givenNametestRightsHolder_familyName/d1:subjectInfo

It doesn't have quotes on version and encoding. Is this an error in generating the certificate?

#4 Updated by Jing Tao almost 9 years ago

  • % Done changed from 0 to 30
  • Status changed from New to In Progress

#5 Updated by Jing Tao almost 9 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 30 to 100

Marco regenerated the certificates and the test worked.
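
Added example, not part of the ticket and not DataONE or Metacat code: a Python check for the two conditions noted above, the subject written in both RDN orders and a subjectInfo document whose XML declaration has lost its quotes. The element layout and namespace in the sample XML are constructed (the ticket's copy lost its tags), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Subjects exactly as quoted in the ticket description.
CERT_SUBJECT = "DC=org,DC=dataone,CN=testRightsHolder"
STORED_SUBJECT = "CN=testRightsHolder,DC=dataone,DC=org"

# Constructed sample: element layout and namespace are assumptions,
# because the ticket's copy of the subjectInfo XML lost its tags.
GOOD_INFO = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<d1:subjectInfo xmlns:d1="http://ns.dataone.org/service/types/v1">'
    b'<person><subject>CN=testRightsHolder,DC=dataone,DC=org</subject>'
    b'<givenName>testRightsHolder_givenName</givenName>'
    b'<familyName>testRightsHolder_familyName</familyName></person>'
    b'</d1:subjectInfo>'
)
# Same document with the declaration's quotes stripped, as in comment #3.
BAD_INFO = GOOD_INFO.replace(b'"1.0"', b'1.0').replace(b'"UTF-8"', b'UTF-8')


def rdns(dn):
    """Split a DN into (TYPE, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def same_subject(a, b):
    """True when two DNs hold the same RDNs in the same or exactly reversed order."""
    ra, rb = rdns(a), rdns(b)
    return ra == rb or ra == rb[::-1]


def subject_from_info(xml_bytes):
    """Return (subject, None) if the subjectInfo parses, else (None, parser error)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return None, str(exc)
    node = root.find('.//subject')
    return (node.text if node is not None else None), None


if __name__ == "__main__":
    print("same subject, either order:", same_subject(CERT_SUBJECT, STORED_SUBJECT))
    print("quoted declaration  :", subject_from_info(GOOD_INFO))
    print("unquoted declaration:", subject_from_info(BAD_INFO))
```

With the quotes missing, the parser rejects the document before any subject can be read from it, while the two RDN orderings still compare equal.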
