Red Hat Process Automation Manager
RHPAM-4277

claiming task on openshift using org.kie.server.bypass.auth.user=true not working

Type: Bug
Resolution: Not a Bug
Priority: Major
Affects Version/s: 7.12.0.GA
Component/s: Kie-Server
Migration, Compatibility/Configuration, User Experience

      Please refer to the attached case03189791-ocptest.zip. I could reproduce the issue internally.

      • kieapp CR

       

      {{
      apiVersion: app.kiegroup.org/v2
      kind: KieApp
      metadata:
        name: pam
      spec:
        auth:
          sso:
            adminPassword: adminadmin
            realm: rhpam
            url: https://rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth
        commonConfig:
          adminPassword: password
          adminUser: adminuser
          startupStrategy:
            strategyName: OpenShiftStartupStrategy
        environment: rhpam-production
        objects:
          console:
            replicas: 1
            ssoClient:
              name: console
              secret: 616fc12b-66fa-4183-9381-0c7b4b14d936
          servers:
            - env:
                - name: KIE_SERVER_BYPASS_AUTH_USER
                  value: "true"
                - name: LOGGER_CATEGORIES
                  value: org.kie.server:DEBUG,org.wildfly.security:TRACE,org.jbpm:TRACE
              replicas: 1
              ssoClient:
                name: kieserver
                secret: c7a611a0-22a9-4417-9778-68eb2a02ca1b
      }}

      Tested with a very simple process: startNode -> HumanTask -> endNode. In the HumanTask, "cee" is set as Groups and nothing is specified for Actors. There are 2 users in RH-SSO with the following roles (both passwords are 'password'):

      ceeuser: kie-server, cee
      padmin: kie-server, kie-process-admin, Administrators

      Start Process:

       

      {{
      $ curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/processes/case03189791.proc1/instances" -H "accept: application/json" -H "content-type: application/json" -u padmin:password
      * About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0)
      *   Trying 10.10.94.11...
      * Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      *   subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      *   start date: Apr 07 03:46:03 2022 GMT
      *   expire date: Apr 07 03:46:03 2032 GMT
      *   common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      *   issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      * Server auth using Basic with user 'padmin'
      > POST /services/rest/server/containers/case03189791/processes/case03189791.proc1/instances HTTP/1.1
      > Authorization: Basic cGFkbWluOnBhc3N3b3Jk
      > User-Agent: curl/7.29.0
      > Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      > accept: application/json
      > content-type: application/json
      > 
      < HTTP/1.1 201 Created
      < Expires: 0
      < Connection: keep-alive
      < Cache-Control: no-cache, no-store, must-revalidate
      < X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27cedef6a3-4ca4-4f07-a95d-55a39a7b024f%27
      < Pragma: no-cache
      < Content-Type: application/json
      < Content-Length: 1
      < Date: Thu, 07 Apr 2022 07:25:57 GMT
      < 
      * Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact
      5$
      }}

      ==> processInstanceId 5 is created. The task ID must be the same as the processInstanceId.

       

      Claim task:
      {{
      $ curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser" -H "accept: application/json" -u padmin:password
      * About to connect() to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com port 443 (#0)
      *   Trying 10.10.94.11...
      * Connected to pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com (10.10.94.11) port 443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      *   subject: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      *   start date: Apr 07 03:46:03 2022 GMT
      *   expire date: Apr 07 03:46:03 2032 GMT
      *   common name: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      *   issuer: CN=pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      * Server auth using Basic with user 'padmin'
      > POST /services/rest/server/containers/case03189791/tasks/states/claimed?taskId=5&user=ceeuser HTTP/1.1
      > Authorization: Basic cGFkbWluOnBhc3N3b3Jk
      > User-Agent: curl/7.29.0
      > Host: pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com
      > accept: application/json
      > 
      < HTTP/1.1 200 OK
      < Expires: 0
      < Connection: keep-alive
      < Cache-Control: no-cache, no-store, must-revalidate
      < X-KIE-ConversationId: %27pam-kieserver%27%3A%27case03189791%27%3A%27com.myspace%3Acase03189791%3A1.0.0%27%3A%27ab44d229-df87-420a-b842-1d2acea02d34%27
      < Pragma: no-cache
      < Content-Type: application/json
      < Content-Length: 0
      < Date: Thu, 07 Apr 2022 07:28:37 GMT
      < 
      * Connection #0 to host pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com left intact
      $
      }}

      The REST request succeeded with status 200, but a warning appeared in the log:

       

      07:28:37,646 TRACE [org.wildfly.security] (default task-8) Evidence verification: evidence = org.keycloak.adapters.elytron.SecurityIdentityUtil$1@7a6d2f evidencePrincipal = padmin
      07:28:37,646 TRACE [org.wildfly.security] (default task-8) Principal assigning: [padmin], pre-realm rewritten: [padmin], realm name: [KeycloakOIDCRealm], post-realm rewritten: [padmin], realm rewritten: [padmin]
      07:28:37,647 TRACE [org.wildfly.security] (default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam]
      07:28:37,647 TRACE [org.wildfly.security] (default task-8) Authorizing principal padmin.
      07:28:37,647 TRACE [org.wildfly.security] (default task-8) Authorizing against the following attributes: [Roles] => [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam]
      07:28:37,648 TRACE [org.wildfly.security] (default task-8) Authorizing against the following runtime attributes: [Source-Address] => [10.131.0.1]
      07:28:37,648 TRACE [org.wildfly.security] (default task-8) Permission mapping: identity [padmin] with roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      07:28:37,660 TRACE [org.wildfly.security] (default task-8) Authorization succeed
      07:28:37,660 TRACE [org.wildfly.security] (default task-8) Handling AuthorizeCallback: authenticationID = null authorizationID = null authorized = true
      07:28:37,660 TRACE [org.wildfly.security] (default task-8) Handling AuthenticationCompleteCallback: succeed
      07:28:37,675 TRACE [org.wildfly.security] (default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='KeycloakOIDCRealm', securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc}, creationTime=2022-04-07T07:28:37.647288Z}
      07:28:37,676 TRACE [org.wildfly.security] (default task-8) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=padmin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4dd13c12, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='KeycloakOIDCRealm', securityRealm=org.keycloak.adapters.elytron.KeycloakSecurityRealm@43e70edc}, creationTime=2022-04-07T07:28:37.647288Z}
      07:28:37,676 TRACE [org.wildfly.security] (default task-8) Role mapping: principal [padmin] -> decoded roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain decoded roles [] -> realm mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam] -> domain mapped roles [offline_access, kie-process-admin, Administrators, uma_authorization, kie-server, default-roles-rhpam]
      07:28:37,682 DEBUG [org.kie.server.common.rest.variant.AcceptHeaders] (default task-8) {application/json=org.kie.server.common.rest.variant.QualityValue@3e8}
      07:28:37,683 DEBUG [org.kie.server.services.jbpm.UserTaskServiceBase] (default task-8) About to claim task with ids '[5]' as user 'ceeuser'
      07:28:37,716 DEBUG [org.jbpm.services.task.persistence.JPATaskPersistenceContext] (default task-8) TaskPersistenceManager configured with em SessionImpl(624835017<open>), isJTA true, pessimistic locking false
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (WebSphereUserGroupAdapter)
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (WeblogicUserGroupAdapter)
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (JMSUserGroupAdapter)
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (TomcatUserGroupAdapter)
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl] (default task-8) Adding roles from UserGroupAdapter service (ElytronUserGroupAdapter)
      07:28:37,732 DEBUG [org.kie.server.services.jbpm.security.ElytronUserGroupAdapter] (default task-8) Identifier Elytron as ceeuser
      07:28:37,732 TRACE [org.wildfly.security] (default task-8) Principal mapping: [ceeuser], pre-realm rewritten: [ceeuser], realm name: [KeycloakOIDCRealm], post realm rewritten: [ceeuser], realm rewritten: [ceeuser]
      07:28:37,738 DEBUG [org.jbpm.runtime.manager.impl.error.ExecutionErrorHandlerImpl] (default task-8) Task instance TaskImpl [id=5, name=Task] is being executed
      07:28:37,746 WARN [org.jbpm.services.task.persistence.TaskTransactionInterceptor] (default task-8) Could not commit session: org.jbpm.services.task.exception.PermissionDeniedException: User '[UserImpl:'ceeuser']' does not have permissions to execute operation 'Claim' on task id 5


      and the task status is still Ready:

      $ curl -X GET -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/5" -H "accept: application/json" -u padmin:password
      {
        "task-id" : 5,
        "task-priority" : 0,
        "task-name" : "Task",
        "task-subject" : "",
        "task-description" : "",
        "task-type" : null,
        "task-form" : "Task",
        "task-status" : "Ready",
        "task-actual-owner" : "",
        "task-created-by" : "",
        "task-created-on" : { "java.util.Date" : 1649316321977 },
        "task-activation-time" : { "java.util.Date" : 1649316321977 },
        "task-expiration-time" : null,
        "task-skippable" : false,
        "task-workitem-id" : 5,
        "task-process-instance-id" : 5,
        "task-parent-id" : -1,
        "task-process-id" : "case03189791.proc1",
        "task-container-id" : "case03189791",
        "sla-compliance" : null,
        "sla-due-date" : null,
        "task-pot-owners" : null,
        "task-excl-owners" : null,
        "task-business-admins" : null,
        "task-input-data" : null,
        "task-output-data" : null,
        "correlation-key" : null,
        "process-type" : null
      }
      $
      

       

      Here is my test environment; please feel free to use it.

      OCP console : https://console-openshift-console.apps.hmiura4.lab.rdu2.cee.redhat.com/ (kubeadmin/jRRWX-4bpfX-LdERa-L5wkb)

      RH-SSO console: https://rhsso.apps.hmiura4.lab.rdu2.cee.redhat.com/auth/admin (admin/adminadmin) Controller : https://pam-rhpamcentrmon-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/ (adminuser/password)

      Log in to OCP from the command line (the namespace is op2):

      oc4 login -u=kubeadmin -p=jRRWX-4bpfX-LdERa-L5wkb --server=https://api.apps.hmiura4.lab.rdu2.cee.redhat.com:6443/ --insecure-skip-tls-verify

      I'll attach my kjar, kieapp yaml and server.log to the case.

      I also tested the same process in a local environment without RH-SSO. I created local users with the following CLI commands:

      /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=padmin)
      /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=padmin, clear={password="password"})
      /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=padmin, name=role, value=["kie-process-admin","kie-server","Administrators"])
      /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=ceeuser)
      /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=ceeuser, clear={password="password"})
      /subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=ceeuser, name=role, value=["cee","kie-server"])

      In this environment, claim works as expected when the system property org.kie.server.bypass.auth.user is set to true.


      We are facing a problem with RHPAM 7.12.0 + RH-SSO on OpenShift. It looks like it is working fine on premise.

      Installing the Byteman rule below on the KIE Server OpenShift pod to inspect how KIE Server checks whether the user is allowed or not:

      https://access.redhat.com/solutions/6715391

       

       

      {{
      RULE is allowed
      CLASS org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager
      METHOD isAllowed
      AT ENTRY
      IF TRUE
      DO
      traceStack("******** isAllowed is called: " + $1 + ", " + $2 + ", " + $3 + ", " + $4 + "\n", "log", 5)
      ENDRULE
      }}
       
      

       

      This is a failure from the call:

      curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=10&user=ceeuser" -H "accept: application/json" -u adminuser:password

       

       

      {{******** isAllowed is called: OperationCommand{status=[Ready], previousStatus=null, allowed=[PotentialOwner, BusinessAdministrator], newStatus=Reserved, setNewOwnerToUser=true, setNewOwnerToNull=false, setToPreviousStatus=false, userIsExplicitPotentialOwner=false, addTargetUserToPotentialOwners=false, removeUserFromPotentialOwners=false, groupTargetEntityAllowed=true, skipable=false, exec=null}, TaskImpl [id=10, name=Task], [UserImpl:'ceeuser'], []
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.isAllowed(MVELLifeCycleManager.java:-1)
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.evalCommand(MVELLifeCycleManager.java:124)
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.taskOperation(MVELLifeCycleManager.java:392)
      org.jbpm.services.task.impl.TaskInstanceServiceImpl.claim(TaskInstanceServiceImpl.java:157)
      org.jbpm.services.task.commands.ClaimTaskCommand.execute(ClaimTaskCommand.java:52)}}
       
      

      . . .

      This is a correct claim from Business Central (using adminuser):

       

       

      {{isAllowed is called: OperationCommand{status=[Ready], previousStatus=null, allowed=[PotentialOwner, BusinessAdministrator], newStatus=Reserved, setNewOwnerToUser=true, setNewOwnerToNull=false, setToPreviousStatus=false, userIsExplicitPotentialOwner=false, addTargetUserToPotentialOwners=false, removeUserFromPotentialOwners=false, groupTargetEntityAllowed=true, skipable=false, exec=null},TaskImpl [id=10, name=Task],[UserImpl:'adminuser'],[offline_access, kie-process-admin, Administrators, rest-all, uma_authorization, kie-server, default-roles-rhpam]
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.isAllowed(MVELLifeCycleManager.java:-1)
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.evalCommand(MVELLifeCycleManager.java:124)
      org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.taskOperation(MVELLifeCycleManager.java:392)
      org.jbpm.services.task.impl.TaskInstanceServiceImpl.claim(TaskInstanceServiceImpl.java:157)
      org.jbpm.services.task.commands.ClaimTaskCommand.execute(ClaimTaskCommand.java:52)}}
       
      See that the groupIds are set correctly here, but empty on the REST call.
      Looking into this, the group IDs are set up when claiming a task with:
       
      {{
      groupIds = doUserGroupCallbackOperation(userId, null, context);
      context.set("local:groups", groupIds);
      }}
       
      This is related to:
       
      {{
      protected List<String> doCallbackGroupsOperation(String userId, List<String> groupIds, TaskContext context) {
          if (userId != null) {
              if (groupIds != null && groupIds.size() > 0) {
                  // caller supplied groups: keep only those the callback confirms for this user
                  List<String> userGroups = filterGroups(context.getUserGroupCallback().getGroupsForUser(userId));
                  for (String groupId : groupIds) {
                      if (context.getUserGroupCallback().existsGroup(groupId) && userGroups != null && userGroups.contains(groupId)) {
                          addGroupFromCallbackOperation(groupId, context);
                      }
                  }
              } else {
                  // no groups supplied (the claim path above passes null): resolve them from the
                  // UserGroupCallback, once per user; if the callback returns nothing, groupIds stays null
                  if (!(userGroupsMap.containsKey(userId) && userGroupsMap.get(userId).booleanValue())) {
                      List<String> userGroups = filterGroups(context.getUserGroupCallback().getGroupsForUser(userId));
                      if (userGroups != null && userGroups.size() > 0) {
                          for (String group : userGroups) {
                              addGroupFromCallbackOperation(group, context);
                          }
                          userGroupsMap.put(userId, true);
                          groupIds = userGroups;
                      }
                  }
              }
          } else {
              if (groupIds != null) {
                  for (String groupId : groupIds) {
                      addGroupFromCallbackOperation(groupId, context);
                  }
              }
          }
          return groupIds;
      }
      }}
       
      

       

      See that using adminuser on the REST API, all works:

       

      curl -v -X POST -k "https://pam-kieserver-op2.apps.hmiura4.lab.rdu2.cee.redhat.com/services/rest/server/containers/case03189791/tasks/states/claimed?taskId=10&user=adminuser" -H "accept: application/json" -u adminuser:password
       
      

       

       

      It appears that the property org.kie.server.bypass.auth.user=true has no effect.
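
Editor's note on the mechanism the two posts above document. The reporter's REST claim with user=ceeuser returns HTTP 200 but logs PermissionDeniedException, and the Byteman trace in the comment shows why: isAllowed() is called for [UserImpl:'ceeuser'] with an empty group list, while the Business Central claim arrives with the caller's full role list. With org.kie.server.bypass.auth.user=true the task service still has to resolve the named user's groups through the configured UserGroupCallback; on the OpenShift + RH-SSO deployment that callback is the Elytron-backed one, and the log shows it mapping the principal ceeuser in KeycloakOIDCRealm and producing no roles. So the bypass property does take effect (the claim really is executed as ceeuser), but the group lookup for a user who did not authenticate comes back empty and the PotentialOwner check fails closed. Two practitioner caveats follow: the 200 status is not a signal that the claim happened, so clients must read the task back (as the reporter did), and bypass.auth.user lets any caller holding the kie-server role act as an arbitrary user name, so credentials used for such calls deserve admin-grade protection.

The following is an added example, not code from the issue, from Red Hat, or from the jBPM project. It shows the shape of a UserGroupCallback whose group resolution does not depend on the authenticated identity, which is the piece the OpenShift run was missing, and it re-states the PotentialOwner branch of the check that the Byteman trace shows isAllowed() evaluating, so the empty-groups and resolved-groups cases can be compared side by side. Assumptions: the package name com.example.ht is hypothetical; the user-to-group data is constructed to mirror the two RH-SSO users in the report; the jBPM system properties org.jbpm.ht.callback=custom and org.jbpm.ht.custom.callback=<class> select a custom callback, and on OpenShift those would have to reach the KIE Server JVM (for example through JAVA_OPTS_APPEND in the KieApp servers env, which I have not verified against this image). The allowedAsPotentialOwner() method is a demonstration of the rule, not the real MVELLifeCycleManager.isAllowed().

```java
// Added example (not part of RHPAM-4277 or of RHPAM itself).
package com.example.ht; // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.kie.api.task.UserGroupCallback;

/**
 * A UserGroupCallback backed by a fixed user->groups table, so that a claim
 * executed on behalf of a user who did not authenticate (bypass.auth.user=true)
 * can still be checked against that user's groups. A real deployment would
 * load the table from a properties file, LDAP or a database instead.
 */
public class StaticUserGroupCallback implements UserGroupCallback {

    // Constructed data mirroring the two RH-SSO users described in the report.
    private final Map<String, List<String>> groupsByUser;

    public StaticUserGroupCallback() {
        Map<String, List<String>> m = new HashMap<>();
        m.put("ceeuser", Arrays.asList("kie-server", "cee"));
        m.put("padmin", Arrays.asList("kie-server", "kie-process-admin", "Administrators"));
        groupsByUser = Collections.unmodifiableMap(m);
    }

    @Override
    public boolean existsUser(String userId) {
        return groupsByUser.containsKey(userId);
    }

    @Override
    public boolean existsGroup(String groupId) {
        return groupsByUser.values().stream().anyMatch(g -> g.contains(groupId));
    }

    @Override
    public List<String> getGroupsForUser(String userId) {
        // Unknown user -> empty list. doCallbackGroupsOperation() then adds no
        // groups and the PotentialOwner check refuses the claim: fail closed.
        return groupsByUser.getOrDefault(userId, Collections.<String>emptyList());
    }

    // Demonstration of the PotentialOwner branch seen in the Byteman trace: the
    // acting user passes if named directly as an actor, or if any group the
    // callback returned is a potential-owner group. The BusinessAdministrator
    // branch (presumably how adminuser's claim succeeded, Administrators being
    // jBPM's default business-admin group) is intentionally not modelled.
    static boolean allowedAsPotentialOwner(String userId, List<String> userGroups,
                                           Set<String> potOwnerUsers, Set<String> potOwnerGroups) {
        if (potOwnerUsers.contains(userId)) {
            return true;
        }
        for (String g : userGroups) {
            if (potOwnerGroups.contains(g)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UserGroupCallback cb = new StaticUserGroupCallback();
        Set<String> actors = Collections.emptySet();                 // report: no Actors
        Set<String> groups = new HashSet<>(Arrays.asList("cee"));    // report: Groups = cee

        // The OpenShift run: the Elytron callback returned no groups for ceeuser.
        System.out.println("ceeuser, empty groups    -> "
                + allowedAsPotentialOwner("ceeuser", Collections.<String>emptyList(), actors, groups));
        // The same user with a callback that can resolve ceeuser -> cee.
        System.out.println("ceeuser, resolved groups -> "
                + allowedAsPotentialOwner("ceeuser", cb.getGroupsForUser("ceeuser"), actors, groups));
        // padmin is not in cee, so as a potential owner he is refused as well.
        System.out.println("padmin, resolved groups  -> "
                + allowedAsPotentialOwner("padmin", cb.getGroupsForUser("padmin"), actors, groups));
    }
}
```

Running main prints three lines: the first case is refused because the group list is empty, the second is allowed because the callback resolves ceeuser to cee, and the third is refused because padmin is not a member of cee. To wire a callback like this into a KIE Server, package it onto the server classpath and start the JVM with -Dorg.jbpm.ht.callback=custom -Dorg.jbpm.ht.custom.callback=com.example.ht.StaticUserGroupCallback; whether that is the right trade-off depends on whether the group source you choose is kept in sync with RH-SSO, since the task service will trust it for every on-behalf-of operation.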

              kverlaen@redhat.com Kris Verlaenen
              rhn-support-vgohel Viral Gohel (Inactive)
              Antonio Fernandez Alhambra Antonio Fernandez Alhambra (Inactive)
              Antonio Fernandez Alhambra Antonio Fernandez Alhambra (Inactive)