Red Hat Process Automation Manager
RHPAM-4087

Incorrect response for REST service when "org.kie.server.bypass.auth.user" used with JAASUserGroupCallbackImpl


Details

    • ER1

      1) Download the reproducer from the attachment.

      2) Open "createprocess.sh" and update the required config details (project location, host, port, credentials, etc.).

      3) Run the "createprocess.sh" script; confirm the script executes successfully and potential owners are fetched for the different scenarios.

      4) GetTasksByPotentialOwners returns incorrect results.

    • 2021 Week 49-51 (from Dec 6th), 2022 Week 02-04 (from Jan 10)

    Description

      1) Observed incorrect behavior for User Task operations when the "org.kie.server.bypass.auth.user" property is set to true with the default UserGroupCallback implementation "JAASUserGroupCallbackImpl".

      2) The search behavior is different for users compared to groups in such cases. Tested with the endpoint "/kie-server/services/rest/server/queries/tasks/instances/pot-owners?user={user}".

      for example
      -----------------

      1) Suppose there are 2 tasks, one with a user (e.g. testuser) as potential owner and the other with a group (testgroup) as potential owner. Here testuser belongs to testgroup.

      Task 1 -: potential owner testuser

      Task 2 -: potential owner testgroup

      Then

      Scenario 1
      -----------------
      If I authenticate with a different user (e.g. rhpamAdmin) and send "testuser" as the query parameter, then it only fetches "Task 1". "Task 2" is not fetched.

      ~~~
      2021-12-15 00:17:12,099 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) About to search for task assigned as potential owner for user 'testuser'
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Adding roles from JAAS subject rhpamAdmin
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) rhpamAdmin Roles name Roles
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles Roles name Roles
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name kie-server
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name admin
      2021-12-15 00:17:12,100 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name rest-all
      2021-12-15 00:17:12,113 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) Found 1 tasks for user 'testuser' assigned as potential owner
      ~~~

      Scenario 2
      -----------------
      If I authenticate with the "testuser" user and send any random user as the query parameter, then it only fetches "Task 2". "Task 1" is ignored.

      ~~~
      2021-12-15 00:17:12,141 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) About to search for task assigned as potential owner for user 'rhpamAdmin'
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Adding roles from JAAS subject testuser
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) testuser Roles name Roles
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles Roles name Roles
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name test_group
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name kie-server
      2021-12-15 00:17:12,141 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name rest-all
      2021-12-15 00:17:12,143 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) Found 1 tasks for user 'rhpamAdmin' assigned as potential owner
      ~~~

      Scenario 3
      -----------------
      If I authenticate with the "testuser" user and also send "testuser" as the query parameter, then it fetches both "Task 1" and "Task 2". Only scenario 3 gives correct results.

      ~~~
      2021-12-15 00:17:12,156 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) About to search for task assigned as potential owner for user 'testuser'
      2021-12-15 00:17:12,156 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Adding roles from JAAS subject testuser
      2021-12-15 00:17:12,156 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) testuser Roles name Roles
      2021-12-15 00:17:12,156 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles Roles name Roles
      2021-12-15 00:17:12,156 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name test_group
      2021-12-15 00:17:12,157 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name kie-server
      2021-12-15 00:17:12,157 DEBUG [org.jbpm.services.task.identity.JAASUserGroupCallbackImpl] (default task-4) Roles name rest-all
      2021-12-15 00:17:12,163 DEBUG [org.kie.server.services.jbpm.RuntimeDataServiceBase] (default task-4) Found 2 tasks for user 'testuser' assigned as potential owner
      ~~~

      It seems like the user search is done on the basis of the query parameter [1], whereas the group search is done on the basis of the authenticated user [2].

      [1] https://github.com/kiegroup/jbpm/blob/main/jbpm-services/jbpm-kie-services/src/main/java/org/jbpm/kie/services/impl/RuntimeDataServiceImpl.java#L860

      [2] https://github.com/kiegroup/jbpm/blob/main/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity/JAASUserGroupCallbackImpl.java#L117
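The three scenarios in the description, replayed as an added example that is not part of the original report or of the jBPM/KIE Server code base. The model assumes a DIRECTORY of group memberships (constructed from the JAAS role dumps in the log excerpts above) and a hypothetical directory_groups resolver standing in for a callback that looks up the groups of the user named in the query; task data is constructed to match Task 1 (user owner) and Task 2 (group owner). With the group set taken from the authenticated JAAS subject it reproduces the reported counts (1, 1, 2); with the group set taken from the user in ?user= it shows what the same three calls would return instead.

```python
# Added example (not jBPM/KIE Server code): a small model of the pot-owners
# lookup as RHPAM-4087 describes it, so the three scenarios can be replayed
# offline. Users, group memberships and tasks below are constructed to mirror
# the report; DIRECTORY is an assumption standing in for an external user store.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Task:
    task_id: int
    potential_owners: FrozenSet[str]  # user ids and/or group ids


# Constructed: memberships taken from the JAAS role dumps in the report.
DIRECTORY: Dict[str, Set[str]] = {
    "testuser": {"test_group", "kie-server", "rest-all"},
    "rhpamAdmin": {"admin", "kie-server", "rest-all"},
}

# Constructed: Task 1 assigned to a user, Task 2 assigned to a group.
TASKS: List[Task] = [
    Task(1, frozenset({"testuser"})),
    Task(2, frozenset({"test_group"})),
]

# (authenticated user, queried user) -> group ids used for the group match
GroupResolver = Callable[[str, str], Set[str]]


def jaas_groups(authenticated_user: str, query_user: str) -> Set[str]:
    """Models JAASUserGroupCallbackImpl under bypass.auth.user as reported:
    roles come from the JAAS subject of the caller, whichever user id the
    query names."""
    return set(DIRECTORY.get(authenticated_user, ()))


def directory_groups(authenticated_user: str, query_user: str) -> Set[str]:
    """Hypothetical resolver: returns the groups of the user being queried,
    as a directory-backed UserGroupCallback would."""
    return set(DIRECTORY.get(query_user, ()))


def tasks_by_potential_owner(query_user: str, authenticated_user: str,
                             tasks: List[Task], resolve: GroupResolver) -> List[int]:
    """Potential-owner query as the report describes it: the direct user
    match uses the ?user= parameter, the group match uses whatever the
    callback returns. Returns matching task ids in task order."""
    groups = resolve(authenticated_user, query_user)
    return [t.task_id for t in tasks
            if query_user in t.potential_owners or groups & t.potential_owners]


def replay_scenarios(resolve: GroupResolver = jaas_groups) -> Dict[int, List[int]]:
    """The three (queried user, authenticated user) pairs from the report."""
    cases = {
        1: ("testuser", "rhpamAdmin"),   # admin asks about testuser
        2: ("rhpamAdmin", "testuser"),   # testuser asks about someone else
        3: ("testuser", "testuser"),     # testuser asks about itself
    }
    return {n: tasks_by_potential_owner(q, a, TASKS, resolve)
            for n, (q, a) in cases.items()}


if __name__ == "__main__":
    for label, resolver in (("as reported (JAAS subject)", jaas_groups),
                            ("groups of queried user", directory_groups)):
        print(label, replay_scenarios(resolver))
```

The divergence appears only when the ?user= value and the authenticated subject differ (scenarios 1 and 2), which is the combination to exercise against a real server before relying on org.kie.server.bypass.auth.user with the JAAS callback.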

            People

              rhn-support-egonzale Enrique Gonzalez Martinez
              rhn-support-sudnair Sudhish Nair
              Gonzalo Muñoz Fernández Gonzalo Muñoz Fernández