Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-4277

claiming task on openshift using org.kie.server.bypass.auth.user=true not working

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • None
    • 7.12.0.GA
    • Kie-Server
    • None
    • False
    • None
    • False
    • Migration, Compatibility/Configuration, User Experience
    • Hide

      Please refer attached case03189791-ocptest.zip.
      could reproduced the issue internally.

      • kieapp CR

       

      {{apiVersion: app.kiegroup.org/v2
kind: KieApp
metadata:
name: pam
spec:
auth:
sso:
adminPassword: adminadmin
realm: rhpam
url: https://rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth
commonConfig:
adminPassword: password
adminUser: adminuser
startupStrategy:
strategyName: OpenShiftStartupStrategy
environment: rhpam-production
objects:
console:
replicas: 1
ssoClient:
name: console
secret: 616fc12b-66fa-4183-9381-0c7b4b14d936
servers:

env: name: KIE_SERVER_BYPASS_AUTH_USER
value: "true" name: LOGGER_CATEGORIES
value: org.kie.server:DEBUG,org.wildfly.security:TRACE,org.jbpm:TRACE
replicas: 1
ssoClient:
name: kieserver
secret: c7a611a0-22a9-4417-9778-68eb2a02ca1b}}

      tested with very simple process that startNode -> HumanTask -> endNode. In HumanTask "cee" is set to Groups, nothing is specified to Actors. There are 2 users in RH-SSO with the following roles(both passwords are 'password').

      ceeuser: kie-server, cee padmin: kie-server, kie-peocess-admin, Administrator

      Start Process:

       

      {{$ curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/processes/case03189791.proc1/instances" -H "accept: application/json" -H "content-type: application/json" -u padmin:password

About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0) Trying 10.10.94.11... Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0) Initializing NSS with certpath: sql:/etc/pki/nssdb skipping SSL peer certificate verification SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Server certificate: subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com start date: Apr 07 03:46:03 2022 GMT expire date: Apr 07 03:46:03 2032 GMT common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com Server auth using Basic with user 'padmin'
> POST /services/rest/server/containers/case03189791/processes/case03189791.proc1/instances HTTP/1.1
> Authorization: Basic cGFkbWluOnBhc3N3b3Jk
> User-Agent: curl/7.29.0
> Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
> accept: application/json
> content-type: application/json
> 
< HTTP/1.1 201 Created
< Expires: 0
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate
< X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27cedef6a3-4ca4-4f07-a95d-55a39a7b024f%27
< Pragma: no-cache
< Content-Type: application/json
< Content-Length: 1
< Date: Thu, 07 Apr 2022 07:25:57 GMT
< Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact
5$}}

      ==> processInstanceId 5 is created. taskID must be same with processInstanceId

       

      Claim task:
{{$ curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser" -H "accept: application/json" -u padmin:password

About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0) Trying 10.10.94.11... Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0) Initializing NSS with certpath: sql:/etc/pki/nssdb skipping SSL peer certificate verification SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Server certificate: subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com start date: Apr 07 03:46:03 2022 GMT expire date: Apr 07 03:46:03 2032 GMT common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com Server auth using Basic with user 'padmin'
> POST /services/rest/server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser HTTP/1.1
> Authorization: Basic cGFkbWluOnBhc3N3b3Jk
> User-Agent: curl/7.29.0
> Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
> accept: application/json
> 
< HTTP/1.1 200 OK
< Expires: 0
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate
< X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27ab44d229-df87-420a-b842-1d2acea02d34%27
< Pragma: no-cache
< Content-Type: application/json
< Content-Length: 0
< Date: Thu, 07 Apr 2022 07:28:37 GMT
< Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact
$}}

      Rest request succeeded with status 200. But warn happened in the log

       

      07:28:37,646 TRACE [org.wildfly.security] (default task-8) Evidence verification: evidence = org.keycloak.adapters.elytron.SecurityIdentityUtil$1@7a6d2f evidencePrincipal = padmin 07:28:37,646 TRACE [org.wildfly.security] (default task-8) Principal assigning: [padmin], pre-realm rewritten: [padmin], realm name: [KeycloakOIDCRealm], post-realm rewritten: [padmin], realm rewritten: [padmin] 07:28:37,647 TRACE [org.wildfly.security] (default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] 07:28:37,647 TRACE [org.wildfly.security] (default task-8) Authorizing principal padmin. 07:28:37,647 TRACE [org.wildfly.security] (default task-8) Authorizing against the following attributes: [Roles] => [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] 07:28:37,648 TRACE [org.wildfly.security] (default task-8) Authorizing against the following runtime attributes: [Source-Address] => [10.131.0.1] 07:28:37,648 TRACE [org.wildfly.security] (default task-8) Permission mapping: identity [padmin] with roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true 07:28:37,660 TRACE [org.wildfly.security] (default task-8) Authorization succeed 07:28:37,660 TRACE [org.wildfly.security] (default task-8) Handling AuthorizeCallback: authenticationID = null authorizationID = null authorized = true 07:28:37,660 TRACE [org.wildfly.security] (default task-8) Handling AuthenticationCompleteCallback: succeed 07:28:37,675 TRACE [org.wildfly.security] (default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo
{name='KeycloakOIDCRealm', securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc}, creationTime=2022-04-07T07:28:37.647288Z} 07:28:37,676 TRACE [org.wildfly.security] (default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='KeycloakOIDCRealm', securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc}
, creationTime=2022-04-07T07:28:37.647288Z} 07:28:37,676 TRACE [org.wildfly.security] (default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] 07:28:37,682 DEBUG [org.kie.server.common.rest.variant.AcceptHeaders] (default task-8) {application/json=org.kie.server.common.rest.variant.QualityValue@3e8} 07:28:37,683 DEBUG [org.kie.server.services.jbpm.UserTaskServiceBase] (default task-8) About to claim task with ids '[5]' as user 'ceeuser' 07:28:37,716 DEBUG [org.jbpm.services.task.persistence.JPATaskPersistenceContext] (default task-8) TaskPersistenceManager configured with em SessionImpl(624835017<open>), isJTA true, pessimistic locking false 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (WebSphereUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (WeblogicUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (JMSUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (TomcatUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (ElytronUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupAdapter] (default task-8) Identifier Elytron as ceeuser 07:28:37,732 TRACE [org.wildfly.security] (default task-8) Principal mapping: [ceeuser], pre-realm rewritten: [ceeuser], realm name: [KeycloakOIDCRealm], post realm rewritten: [ceeuser], realm rewritten: [ceeuser] 07:28:37,738 DEBUG [org.jbpm.runtime.manager.impl.error.ExecutionErrorHandlerImpl] (default task-8) Task instance TaskImpl [id=5, name=Task] is being executed 07:28:37,746 WARN [org.jbpm.services.task.persistence.TaskTransactionInterceptor] (default task-8) Could not commit session: org.jbpm.services.task.exception.PermissionDeniedException: User '[UserImpl:'ceeuser']' does not have permissions to execute operation 'Claim' on task id 5
 

      and task status is still Ready.

      $

      curl -X GET -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/5" -H "accept: application/json" -u padmin:password { "task-id" : 5, "task-priority" : 0, "task-name" : "Task", "task-subject" : "", "task-description" : "", "task-type" : null, "task-form" : "Task", "task-status" : "Ready", "task-actual-owner" : "", "task-created-by" : "", "task-created-on" :
{ "java.util.Date" : 1649316321977 }
, "task-activation-time" : { "java.util.Date" : 1649316321977 }, "task-expiration-time" : null, "task-skippable" : false, "task-workitem-id" : 5, "task-process-instance-id" : 5, "task-parent-id" : -1, "task-process-id" : "case03189791.proc1", "task-container-id" : "case03189791", "sla-compliance" : null, "sla-due-date" : null, "task-pot-owners" : null, "task-excl-owners" : null, "task-business-admins" : null, "task-input-data" : null, "task-output-data" : null, "correlation-key" : null, "process-type" : null }$

       

      Here are my test environment. please feel free to use it.

      OCP console : https://console-openshift-console.apps.hmiura4.lab.rdu2.cee.redhat.com/ (kubeadmin/jRRWX-4bpfX-LdERa-L5wkb)

      RH-SSO console: https://rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth/admin (admin/adminadmin) Controller : https://pam-rhpamcentrmon-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/ (adminuser/password)

      login ocp from command line(namespace is op2): oc4 login -u=kubeadmin -p=jRRWX-4bpfX-LdERa-L5wkb --server= https://api.apps.hmiura4.lab.rdu2.cee.redhat.com:6443/ --insecure-skip-tls-verify

      I'll attach my kjar, kieapp yaml and server.log to the case.

      I also tested the same process in local env without rh-sso. I created local users with the following cli commands.

      /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=padmin) /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=padmin, clear={password="password"}) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=padmin, name=role, value=["kie-process-admin","kie-server","Administrators"]) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=ceeuser) /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=ceeuser, clear={password="password"}) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=ceeuser, name=role, value=["cee","kie-server"])

      In this env, claim works as expected when system property org.kie.server.bypass.auth.user is set to true.

      Show
      Please refer attached case03189791-ocptest.zip. could reproduced the issue internally. kieapp CR   {{apiVersion: app.kiegroup.org/v2 kind: KieApp metadata: name: pam spec: auth: sso: adminPassword: adminadmin realm: rhpam url: https: //rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth commonConfig: adminPassword: password adminUser: adminuser startupStrategy: strategyName: OpenShiftStartupStrategy environment: rhpam-production objects: console: replicas: 1 ssoClient: name: console secret: 616fc12b-66fa-4183-9381-0c7b4b14d936 servers: env: name: KIE_SERVER_BYPASS_AUTH_USER value: " true " name: LOGGER_CATEGORIES value: org.kie.server:DEBUG,org.wildfly.security:TRACE,org.jbpm:TRACE replicas: 1 ssoClient: name: kieserver secret: c7a611a0-22a9-4417-9778-68eb2a02ca1b}} tested with very simple process that startNode -> HumanTask -> endNode. In HumanTask "cee" is set to Groups, nothing is specified to Actors. There are 2 users in RH-SSO with the following roles(both passwords are 'password'). ceeuser: kie-server, cee padmin: kie-server, kie-peocess-admin, Administrator Start Process:   {{$ curl -v -X POST -k "https: //pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/ rest /server/containers/case03189791/processes/case03189791.proc1/instances" -H "accept: application/json" -H "content-type: application/json" -u padmin:password About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0) Trying 10.10.94.11... Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0) Initializing NSS with certpath: sql:/etc/pki/nssdb skipping SSL peer certificate verification SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Server certificate: subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com start date: Apr 07 03:46:03 2022 GMT expire date: Apr 07 03:46:03 2032 GMT common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com Server auth using Basic with user 'padmin' > POST /services/ rest /server/containers/case03189791/processes/case03189791.proc1/instances HTTP/1.1 > Authorization: Basic cGFkbWluOnBhc3N3b3Jk > User-Agent: curl/7.29.0 > Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com > accept: application/json > content-type: application/json > < HTTP/1.1 201 Created < Expires: 0 < Connection: keep-alive < Cache-Control: no-cache, no-store, must-revalidate < X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27cedef6a3-4ca4-4f07-a95d-55a39a7b024f%27 < Pragma: no-cache < Content-Type: application/json < Content-Length: 1 < Date: Thu, 07 Apr 2022 07:25:57 GMT < Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact 5$}} ==> processInstanceId 5 is created. taskID must be same with processInstanceId   Claim task: {{$ curl -v -X POST -k "https: //pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/ rest /server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser" -H "accept: application/json" -u padmin:password About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0) Trying 10.10.94.11... Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0) Initializing NSS with certpath: sql:/etc/pki/nssdb skipping SSL peer certificate verification SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Server certificate: subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com start date: Apr 07 03:46:03 2022 GMT expire date: Apr 07 03:46:03 2032 GMT common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com Server auth using Basic with user 'padmin' > POST /services/ rest /server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser HTTP/1.1 > Authorization: Basic cGFkbWluOnBhc3N3b3Jk > User-Agent: curl/7.29.0 > Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com > accept: application/json > < HTTP/1.1 200 OK < Expires: 0 < Connection: keep-alive < Cache-Control: no-cache, no-store, must-revalidate < X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27ab44d229-df87-420a-b842-1d2acea02d34%27 < Pragma: no-cache < Content-Type: application/json < Content-Length: 0 < Date: Thu, 07 Apr 2022 07:28:37 GMT < Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact $}} Rest request succeeded with status 200. But warn happened in the log   07:28:37,646 TRACE [org.wildfly.security] ( default task-8) Evidence verification: evidence = org.keycloak.adapters.elytron.SecurityIdentityUtil$1@7a6d2f evidencePrincipal = padmin 07:28:37,646 TRACE [org.wildfly.security] ( default task-8) Principal assigning: [padmin], pre-realm rewritten: [padmin], realm name: [KeycloakOIDCRealm], post-realm rewritten: [padmin], realm rewritten: [padmin] 07:28:37,647 TRACE [org.wildfly.security] ( default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] 07:28:37,647 TRACE [org.wildfly.security] ( default task-8) Authorizing principal padmin. 07:28:37,647 TRACE [org.wildfly.security] ( default task-8) Authorizing against the following attributes: [Roles] => [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] 07:28:37,648 TRACE [org.wildfly.security] ( default task-8) Authorizing against the following runtime attributes: [Source-Address] => [10.131.0.1] 07:28:37,648 TRACE [org.wildfly.security] ( default task-8) Permission mapping: identity [padmin] with roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] implies ( "org.wildfly.security.auth.permission.LoginPermission" "") = true 07:28:37,660 TRACE [org.wildfly.security] ( default task-8) Authorization succeed 07:28:37,660 TRACE [org.wildfly.security] ( default task-8) Handling AuthorizeCallback: authenticationID = null authorizationID = null authorized = true 07:28:37,660 TRACE [org.wildfly.security] ( default task-8) Handling AuthenticationCompleteCallback: succeed 07:28:37,675 TRACE [org.wildfly.security] ( default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo {name= 'KeycloakOIDCRealm' , securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc}, creationTime=2022-04-07T07:28:37.647288Z} 07:28:37,676 TRACE [org.wildfly.security] ( default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name= 'KeycloakOIDCRealm' , securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc} , creationTime=2022-04-07T07:28:37.647288Z} 07:28:37,676 TRACE [org.wildfly.security] ( default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default -roles-rhpam] 07:28:37,682 DEBUG [org.kie.server.common. rest .variant.AcceptHeaders] ( default task-8) {application/json=org.kie.server.common. rest .variant.QualityValue@3e8} 07:28:37,683 DEBUG [org.kie.server.services.jbpm.UserTaskServiceBase] ( default task-8) About to claim task with ids '[5]' as user 'ceeuser' 07:28:37,716 DEBUG [org.jbpm.services.task.persistence.JPATaskPersistenceContext] ( default task-8) TaskPersistenceManager configured with em SessionImpl(624835017<open>), isJTA true , pessimistic locking false 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] ( default task-8) Adding roles from UserGroupAdapter service (WebSphereUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] ( default task-8) Adding roles from UserGroupAdapter service (WeblogicUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] ( default task-8) Adding roles from UserGroupAdapter service (JMSUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] ( default task-8) Adding roles from UserGroupAdapter service (TomcatUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] ( default task-8) Adding roles from UserGroupAdapter service (ElytronUserGroupAdapter) 07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupAdapter] ( default task-8) Identifier Elytron as ceeuser 07:28:37,732 TRACE [org.wildfly.security] ( default task-8) Principal mapping: [ceeuser], pre-realm rewritten: [ceeuser], realm name: [KeycloakOIDCRealm], post realm rewritten: [ceeuser], realm rewritten: [ceeuser] 07:28:37,738 DEBUG [org.jbpm.runtime.manager.impl.error.ExecutionErrorHandlerImpl] ( default task-8) Task instance TaskImpl [id=5, name=Task] is being executed 07:28:37,746 WARN [org.jbpm.services.task.persistence.TaskTransactionInterceptor] ( default task-8) Could not commit session: org.jbpm.services.task.exception.PermissionDeniedException: User '[UserImpl:' ceeuser ']' does not have permissions to execute operation 'Claim' on task id 5   and task status is still Ready. $ curl -X GET -k "https: //pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/ rest /server/containers/case03189791/tasks/5" -H "accept: application/json" -u padmin:password { "task-id" : 5, "task-priority" : 0, "task-name" : "Task" , "task-subject" : "", " task-description " : " ", " task-type " : null , " task-form " : " Task ", " task-status " : " Ready ", " task-actual-owner " : " ", " task-created-by " : " ", " task-created-on" : { "java.util.Date" : 1649316321977 } , "task-activation-time" : { "java.util.Date" : 1649316321977 }, "task-expiration-time" : null , "task-skippable" : false , "task-workitem-id" : 5, "task-process-instance-id" : 5, "task-parent-id" : -1, "task-process-id" : "case03189791.proc1" , "task-container-id" : "case03189791" , "sla-compliance" : null , "sla-due-date" : null , "task-pot-owners" : null , "task-excl-owners" : null , "task-business-admins" : null , "task-input-data" : null , "task-output-data" : null , "correlation-key" : null , "process-type" : null }$   Here are my test environment. please feel free to use it. OCP console : https://console-openshift-console.apps.hmiura4.lab.rdu2.cee.redhat.com/ (kubeadmin/jRRWX-4bpfX-LdERa-L5wkb) RH-SSO console: https://rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth/admin (admin/adminadmin) Controller : https://pam-rhpamcentrmon-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/ (adminuser/password) login ocp from command line(namespace is op2): oc4 login -u=kubeadmin -p=jRRWX-4bpfX-LdERa-L5wkb --server= https://api.apps.hmiura4.lab.rdu2.cee.redhat.com:6443/ --insecure-skip-tls-verify I'll attach my kjar, kieapp yaml and server.log to the case. I also tested the same process in local env without rh-sso. I created local users with the following cli commands. /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=padmin) /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=padmin, clear={password= "password" }) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=padmin, name=role, value=[ "kie-process-admin" , "kie-server" , "Administrators" ]) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=ceeuser) /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=ceeuser, clear={password= "password" }) /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=ceeuser, name=role, value=[ "cee" , "kie-server" ]) In this env, claim works as expected when system property org.kie.server.bypass.auth.user is set to true.
    • ---
    • ---

    Description

      We are facing  problem with RHPAM 7.12.0 + RHSSO and openshift. Looks on premise it is working fine.

      Installing below byteman on kie server openshift run to inspect how kie server is check if user is allowed or not:

      https://access.redhat.com/solutions/6715391

       

       

      {{RULE is allowed
CLASS org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager
METHOD isAllowed
AT ENTRY
IF TRUE
DO
traceStack("******** isAllowed is called: "$1", "$2", "$3", "$4"\n", "log", 5)
ENDRULE}}
 

       

      this is a fail from call:

      curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=10&user=ceeuser" -H "accept: application/json" -u adminuser:password

       

       

      {{******** isAllowed is called: OperationCommand{status=[Ready], previousStatus=null, allowed=[PotentialOwner, BusinessAdministrator], newStatus=Reserved, setNewOwnerToUser=true, setNewOwnerToNull=false, setToPreviousStatus=false, userIsExplicitPotentialOwner=false, addTargetUserToPotentialOwners=false, removeUserFromPotentialOwners=false, groupTargetEntityAllowed=true, skipable=false, exec=null}, TaskImpl [id=10, name=Task], [UserImpl:'ceeuser'], []
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.isAllowed(MVELLifeCycleManager.java:-1)
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.evalCommand(MVELLifeCycleManager.java:124)
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.taskOperation(MVELLifeCycleManager.java:392)
org.jbpm.services.task.impl.TaskInstanceServiceImpl.claim(TaskInstanceServiceImpl.java:157)
org.jbpm.services.task.commands.ClaimTaskCommand.execute(ClaimTaskCommand.java:52)}}
 

      . . .

      This is a correct claim from business central. (using adminuser)

       

       

      {{isAllowed is called: OperationCommand{status=[Ready], previousStatus=null, allowed=[PotentialOwner, BusinessAdministrator], newStatus=Reserved, setNewOwnerToUser=true, setNewOwnerToNull=false, setToPreviousStatus=false, userIsExplicitPotentialOwner=false, addTargetUserToPotentialOwners=false, removeUserFromPotentialOwners=false, groupTargetEntityAllowed=true, skipable=false, exec=null},TaskImpl [id=10, name=Task],[UserImpl:'adminuser'],[offline_access, kie-process-admin, Administrators, rest-all, uma_authorization, kie-server, default-roles-rhpam]
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.isAllowed(MVELLifeCycleManager.java:-1)
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.evalCommand(MVELLifeCycleManager.java:124)
org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.taskOperation(MVELLifeCycleManager.java:392)
org.jbpm.services.task.impl.TaskInstanceServiceImpl.claim(TaskInstanceServiceImpl.java:157)
org.jbpm.services.task.commands.ClaimTaskCommand.execute(ClaimTaskCommand.java:52)}}
 
see groupIds are set correctly here, but empty on rest call.
Looking into this group ids are setup in claiming task with:
 
{{ groupIds = doUserGroupCallbackOperation(userId, null, context);
context.set("local:groups", groupIds);}}
 
this is related with:
 
{{ protected List<String> doCallbackGroupsOperation(String userId, List<String> groupIds, TaskContext context) {
if (userId != null) {
if (groupIds != null && groupIds.size() > 0) {
List<String> userGroups = filterGroups(context.getUserGroupCallback().getGroupsForUser(userId));
for (String groupId : groupIds) {
if (context.getUserGroupCallback().existsGroup(groupId) && userGroups != null && userGroups.contains(groupId))
{ addGroupFromCallbackOperation(groupId, context); }
}
} else {
if (!(userGroupsMap.containsKey(userId) && userGroupsMap.get(userId).booleanValue())) {
List<String> userGroups = filterGroups(context.getUserGroupCallback().getGroupsForUser(userId));
if (userGroups != null && userGroups.size() > 0) {
for (String group : userGroups)
{ addGroupFromCallbackOperation(group, context); }
userGroupsMap.put(userId, true);
groupIds = userGroups;
}
}
}
} else {
if (groupIds != null) {
for (String groupId : groupIds)
{ addGroupFromCallbackOperation(groupId, context); }
}
}
return groupIds;
}}}
 

       

      See using adminuser on rest api all works:

       

      curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=10&user=adminuser" -H "accept: application/json" -u adminuser:password
 

       

       

      It appears that property,  org.kie.server.bypass.auth.user=true has no effect. 

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. RHPAM-4136 Incorrect groups are returned when "org.kie.server.bypass.auth.user" is set and JAASUserGroupCallbackImpl is used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Task - Represents a small unit of work that is not end-user facing. BXMSDOC-8562 org.kie.server.bypass.auth.user limitations should be documented

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New

          Activity

            People

              kverlaen@redhat.com Kris Verlaenen
              rhn-support-vgohel Viral Gohel
              Antonio Fernandez Alhambra Antonio Fernandez Alhambra (Inactive)
              Antonio Fernandez Alhambra Antonio Fernandez Alhambra (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: