Alfresco

ALF-21070: Permissions check for inherited groups broken in tenants

    Details

    • Type: Bug
    • Status: New
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 4.1 Enterprise, 4.2 Enterprise
    • Fix Version/s: None
    • Security Level: external (External user)
    • Labels: None
    • Security Severity: None
    • Triage: To Do

      Description

      In a non-default tenant, a user included in a child group is unable to access documents with access rights given to a parent group.

      The problem is in AuthorityBridgeTableAsynchronouslyRefreshedCache, introduced in 4.1.3. It refreshes asynchronously from a thread pool, where the current tenant is unknown. buildCache() receives tenantId as a parameter and passes it into the transaction, but in doBuildCache() the tenantId parameter is not used. Instead, AbstractAuthorityBridgeDAO.getAuthorityBridgeLinks() uses the tenant service to get the tenant-specific store ID, which is useless since we are in a pooled thread...

      The result is that AuthorityDAO does not have the proper ancestor links for tenants, and is unable to trace rights inheritance.
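      The failure mode the description lays out (a thread-local tenant context that is not carried into a pool thread, so the tenant-specific store lookup resolves to the default tenant) and the runAs-style fix the later comments mention can be shown in a few lines. The following is an added illustration, not Alfresco code: CURRENT_TENANT is a stand-in for the tenant service's thread-bound current tenant, LINKS_BY_STORE is constructed sample data, getAuthorityBridgeLinks() only mimics the shape of AbstractAuthorityBridgeDAO.getAuthorityBridgeLinks(), and runAsTenant() is a hypothetical helper that models what wrapping the refresh in a tenant-scoped runAs achieves.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added illustration, not Alfresco code. Models why a tenant-specific lookup
// that trusts the calling thread's context breaks when the work moves to a pool.
public class TenantContextDemo {

    // Stand-in for the tenant service's thread-bound "current tenant".
    // A fresh pool thread sees the initial value, i.e. the default tenant.
    static final ThreadLocal<String> CURRENT_TENANT = ThreadLocal.withInitial(() -> "default");

    // Constructed sample data: parent -> child authority links per tenant store.
    static final Map<String, List<String>> LINKS_BY_STORE = Map.of(
        "workspace://SpacesStore",      List.of("GROUP_staff -> GROUP_readers"),
        "workspace://acme@SpacesStore", List.of("GROUP_acme_all -> GROUP_acme_dev"));

    // Mimics the shape of AbstractAuthorityBridgeDAO.getAuthorityBridgeLinks():
    // the store is derived from the thread's tenant, not from an explicit tenantId.
    static List<String> getAuthorityBridgeLinks() {
        String tenant = CURRENT_TENANT.get();
        String store = "default".equals(tenant)
            ? "workspace://SpacesStore"
            : "workspace://" + tenant + "@SpacesStore";
        return LINKS_BY_STORE.getOrDefault(store, List.of());
    }

    // Broken shape: tenantId is accepted but never used. The pool thread's own
    // context (default tenant) decides which links are loaded, so the tenant's
    // cache is built from the wrong store and inheritance cannot be traced.
    static List<String> buildCacheBroken(ExecutorService pool, String tenantId) throws Exception {
        Future<List<String>> f = pool.submit(
            (Callable<List<String>>) () -> getAuthorityBridgeLinks());
        return f.get();
    }

    // Hypothetical helper: re-establish the tenant on whichever thread runs the
    // work, and restore the previous value afterwards so a pooled thread cannot
    // leak one tenant's context into the next job it picks up.
    static <T> T runAsTenant(String tenantId, Callable<T> work) throws Exception {
        String previous = CURRENT_TENANT.get();
        CURRENT_TENANT.set(tenantId);
        try {
            return work.call();
        } finally {
            CURRENT_TENANT.set(previous);
        }
    }

    // Fixed shape: the explicit tenantId is the only source of truth inside the
    // pool thread, independent of whatever context the submitter had.
    static List<String> buildCacheFixed(ExecutorService pool, String tenantId) throws Exception {
        Future<List<String>> f = pool.submit(
            (Callable<List<String>>) () ->
                runAsTenant(tenantId, TenantContextDemo::getAuthorityBridgeLinks));
        return f.get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // The caller works in tenant "acme" and requests a refresh for it.
            CURRENT_TENANT.set("acme");
            System.out.println("broken: " + buildCacheBroken(pool, "acme")); // default-tenant links
            System.out.println("fixed:  " + buildCacheFixed(pool, "acme"));  // acme links
        } finally {
            pool.shutdown();
        }
    }
}
```

      The check a practitioner would run on an affected build is the one the description implies: in a non-default tenant, grant a permission to a parent group, add a user only to a child of that group, let the asynchronous refresh complete, and confirm whether the user can open the document. Note the direction of the defect as the ticket reports it: the stale cache denies access that should be inherited, so it fails closed rather than granting anything extra. The try/finally around the thread-local in the fixed shape matters for the opposite risk, since a pool thread that keeps a tenant's context after the job ends would carry it into unrelated work.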

        Activity

        Andrew Hind added a comment -

        In AuthorityBridgeTableAsynchronouslyRefreshedCache
        the code is running as tenantAdminService.getDomainUser(AuthenticationUtil.getSystemUserName(), tenantId)
        which should mean the tenant context is set up correctly.

        How did you enable multi-tenancy?
        What value do you get for tenantAdminService.getDomainUser(AuthenticationUtil.getSystemUserName(), tenantId) ?

        Andrew Hind added a comment -

        If this is related to support for the enterprise product please raise this bug via the appropriate channels and it will get prioritized correctly.

        Valery Antonov added a comment -

        This is what I can see

        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache.doBuildCache(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:72)
        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache.access$000(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:34)
        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache$1.execute(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:65)
        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache$1.execute(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:61)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:452)
        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache.buildCache(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:60)
        at org.alfresco.repo.security.authority.AuthorityBridgeTableAsynchronouslyRefreshedCache.buildCache(AuthorityBridgeTableAsynchronouslyRefreshedCache.java:34)
        at org.alfresco.repo.cache.AbstractAsynchronouslyRefreshedCache$1.doWork(AbstractAsynchronouslyRefreshedCache.java:468)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
        at org.alfresco.repo.cache.AbstractAsynchronouslyRefreshedCache.doRefresh(AbstractAsynchronouslyRefreshedCache.java:465)
        at org.alfresco.repo.cache.AbstractAsynchronouslyRefreshedCache.doCall(AbstractAsynchronouslyRefreshedCache.java:450)
        at org.alfresco.repo.cache.AbstractAsynchronouslyRefreshedCache.call(AbstractAsynchronouslyRefreshedCache.java:415)
        at org.alfresco.repo.cache.AbstractAsynchronouslyRefreshedCache.call(AbstractAsynchronouslyRefreshedCache.java:46)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

        The tenant service is not accessible in AbstractAsynchronouslyRefreshedCache at all (it is a private field in AbstractAsynchronouslyRefreshedCache). If you are talking about AbstractAsynchronouslyRefreshedCache, it gets the right tenantId and passes it to buildCache(), but this parameter is not used.

        In the comments it is written @since 4.1.3, so I put 4.1 and 4.2 as the affected versions. In trunk the code is unchanged.

        Valery Antonov added a comment -

        Oops, sorry, it is my patched version with RunAs; it works this way. I'll put the unchanged code shortly.

        Valery Antonov added a comment -

        Sorry again, it is patched in trunk.

        Valery Antonov added a comment -

        Please close it


          People

          • Assignee: Valery Antonov
          • Reporter: Valery Antonov
          • Votes: 0
          • Watchers: 2
