Story #8868

d1_solr_extension can't handle the permission rules for the ORCID

Added by Jing Tao 11 months ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2020-09-01
Due date:
% Done: 100%
Story Points:
Description

We found a user (ORCID) can't read a private object's solr index even though the user is in the group which has the read permission. The d1_solr_extension log shows:

~~~
[DEBUG] 2020-09-01 21:09:34,622 (CNIdentityLDAPImpl:getSubjectInfo:934) subjectInfo requested for: 'http://orcid.org/0000-0002-1209-5268'
[DEBUG] 2020-09-01 21:09:34,622 (CNIdentityLDAPImpl:getSubjectInfo:935) checking if redaction holds for the calling user: 'http://orcid.org/0000-0002-1209-5268'
[DEBUG] 2020-09-01 21:09:34,622 (CNIdentityLDAPImpl:getSubjectInfo:942) subject MATCH. lifting redaction for the calling user: 'http://orcid.org/0000-0002-1209-5268'
[ WARN] 2020-09-01 21:09:34,623 (CNIdentityLDAPImpl:constructDn:786) Subject not a valid DN: http://orcid.org/0000-0002-1209-5268
[ INFO] 2020-09-01 21:09:34,623 (CNIdentityLDAPImpl:constructDn:789) Created DN from subject: uid=http://orcid.org/0000-0002-1209-5268,dc=dataone,dc=cilogon,dc=org
[ WARN] 2020-09-01 21:09:34,626 (CNIdentityLDAPImpl:getSubjectInfo:958) Could not find: uid=http://orcid.org/0000-0002-1209-5268,dc=dataone,dc=cilogon,dc=org : in Ldap: [LDAP: error code 32 - No Such Object]
[ INFO] 2020-09-01 21:09:34,627 (CNIdentityLDAPImpl:getSubjectInfo:921) 9 returning DirContext
[DEBUG] 2020-09-01 21:09:34,627 (AuthUtils:findPersonsSubjects:122) traversing person: http://orcid.org/0000-0002-1209-5268
[DEBUG] 2020-09-01 21:09:34,628 (CertificateManager:standardizeDN:624) name: http://orcid.org/0000-0002-1209-5268
[ WARN] 2020-09-01 21:09:34,628 (SessionAuthorizationUtil:addAuthenticatedSubjectsToRequest:177) Could not standardize DN for: http://orcid.org/0000-0002-1209-5268
java.lang.IllegalArgumentException: improperly specified input name: http://orcid.org/0000-0002-1209-5268
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:183)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:128)
    at org.dataone.client.auth.CertificateManager.standardizeDN(CertificateManager.java:625)
    at org.dataone.solr.servlet.SessionAuthorizationUtil.addAuthenticatedSubjectsToRequest(SessionAuthorizationUtil.java:174)
    at org.dataone.solr.servlet.SearchServiceSessionAuthorizationFilter.addAuthenticatedSubjectsToRequest(SearchServiceSessionAuthorizationFilter.java:51)
    at org.dataone.solr.servlet.SessionAuthorizationFilterStrategy.doFilter(SessionAuthorizationFilterStrategy.java:254)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Incorrect AVA format
    at sun.security.x509.AVA.readChar(AVA.java:555)
    at sun.security.x509.AVA.<init>(AVA.java:181)
    at sun.security.x509.AVA.<init>(AVA.java:147)
    at sun.security.x509.RDN.<init>(RDN.java:147)
    at sun.security.x509.X500Name.parseDN(X500Name.java:933)
    at sun.security.x509.X500Name.<init>(X500Name.java:163)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:181)
    ... 25 more
~~~

History

#1 Updated by Jing Tao 11 months ago

This issue may be resolved by reconfiguring the identity.properties file in d1_solr_extensions. Its current value is

identity.ldap.base=dc=cilogon,dc=org

We may change to

identity.ldap.base=dc=dc=org

I tested it on cn-sandbox and the problem was resolved. However, I was worried about whether this modification would break a cilogon account. Testing showed that the change doesn't break the search for a cilogon account.

This ldap base property is used in the d1_identity component (note: not d1_extensions) to construct a dn string. It is only used in the fall-back part to handle strings like an ORCID, which are not formatted like an LDAP account. But a cilogon account, which looks like an LDAP account, will be handled by another route. Here is the code:
~~~
String dn = subject;
LdapName ldapName = null;
try {
    ldapName = new LdapName(subject);
} catch (InvalidNameException e) {
    log.warn("Subject not a valid DN: " + subject);
    //dn = "uid=" + subject.replaceAll("/", "\2f") + "," + subtree + "," + this.getBase();
    dn = "uid=" + subject + "," + subtree + "," + this.getBase();
    log.info("Created DN from subject: " + dn);
}
~~~
So I believe this simple fix can handle different ldap trees and should work.

I guess Ben made changes on d1_identity part but didn't tell Skye. So the issue happens. I am surprised that the issue hadn't surfaced for a very long time.

#2 Updated by Jing Tao 11 months ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

I updated the property file on production cns and also changed the code on d1_solr_extension 2.3 branch and trunk.
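
The two routes described in comment #1, as an added Java example that is not part of the original issue or of d1_identity: a subject that already parses as a DN is used as-is, while an ORCID URI falls back to a DN built from the subtree and `identity.ldap.base`, so only the fallback is sensitive to the base. `resolveDn`, `ALT_BASE`, the certificate-style subject and the `Doe, Jane` subject are constructed for illustration; the subtree `dc=dataone` is inferred from the DN in the log, and the fallback here builds the `uid` RDN with `Rdn` escaping instead of the snippet's plain concatenation.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectDnDemo {
    // Values taken from the log and the identity.properties line quoted in this issue.
    static final String ORCID = "http://orcid.org/0000-0002-1209-5268";
    static final String SUBTREE = "dc=dataone"; // inferred from the DN in the log
    static final String OLD_BASE = "dc=cilogon,dc=org";
    // Constructed alternative base for comparison; not a value from the issue.
    static final String ALT_BASE = "dc=org";
    // Constructed certificate-style subject that is already a valid DN.
    static final String CERT_SUBJECT =
            "CN=Test User A123,O=Example,C=US,DC=cilogon,DC=org";

    /** Same two routes as the quoted snippet; the fallback escapes the uid value. */
    static String resolveDn(String subject, String subtree, String base)
            throws InvalidNameException {
        try {
            // Route 1: the subject parses as a DN, so the base is never consulted.
            return new LdapName(subject).toString();
        } catch (InvalidNameException e) {
            // Route 2: fallback for opaque identifiers such as ORCID URIs.
            LdapName dn = new LdapName(subtree + "," + base);
            // Rdn applies RFC 2253 escaping, so the subject stays one RDN value.
            dn.add(new Rdn("uid", subject));
            return dn.toString();
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        for (String base : new String[] {OLD_BASE, ALT_BASE}) {
            System.out.println("base=" + base);
            // Changes with the base: this is the DN the LDAP lookup searches for.
            System.out.println("  orcid -> " + resolveDn(ORCID, SUBTREE, base));
            // Identical for every base: DN-shaped subjects skip the fallback.
            System.out.println("  cert  -> " + resolveDn(CERT_SUBJECT, SUBTREE, base));
            // Constructed subject containing a comma: escaped, not split into RDNs.
            System.out.println("  comma -> " + resolveDn("Doe, Jane", SUBTREE, base));
        }
    }
}
```

With `OLD_BASE` the ORCID line reproduces the DN that the log reports as `No Such Object`; the certificate-style line is the same under both bases.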
