Bizarre Access Group Problems (BF 7.1.2 M5)
For years with BF3.8, I used the BF API in perl scripts to create/configure all of our projects, libraries, etc. It worked great!
In November 2009, I started working on BF7, trying to get a few projects created using the BF7 API that I'd "copied" from our current BuildForge 3.8 system. I remember running into the most bizarre problems of not being able to get information on some BF objects, because the API user I was logged in with, didn't have proper permissions - the only API user that worked was 'root'. Finally, I created a PMR which resulted in a long discussion about the BF Permissions White Paper, trying to understand how to configure Access Groups. I learned that the BF 7 Access Control system is very complex.
I had to drop the BF7 work for the last year, now I'm starting to work on it again and am again running into these crazy permissions problems.
At the moment in BF7, I created one user - bf_config_user - that I made a member of all 6 out-of-box Access Groups - Build Engineer, Developer, Guest, Operator, Security & System Manager.
I ran my script as - bf_config_user - and had it create an Access Group named 'og_resources', with Control Level set to BUILD ENGINEER.
Next I had it try to run BuildForge::Services::DBO::AccessGroup->findByName('og_resources') to return an AccessGroup instance and I get an error:
BuildForge::Ex::APIException: CRRBF0101I: API: Access denied: og_resources.
Again, I'm running the script as - bf_config_user, I created Access Group 'og_resources' and the very next thing I try to do is get the 'og_resources' Access Group instance that I just created and I get the above 'Access Denied' error!
BUT if I run the script as 'root' it works fine.
I installed BF 7.1.2 M5 just last week, and this is the very first work I'm doing on this fresh install of BF 7.
Thanks for any help you can provide on this.
5 answers
Interesting, I'm not immediately seeing anything in the code that should
be throwing this - can you provide the related server-side stack from the
server/tomcat/logs/catalina.out (or catalina.{date}.log on windows) file?
-steve
The following is the contents of my catalina.2010-11-04.log. Let me know if you need anything else - Thanks Much!
Nov 4, 2010 11:03:03 AM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 11:03:04 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:107)
at com.buildforge.services.server.api.commands.ServerAuthCommands.create(ServerAuthCommands.java:136)
at com.buildforge.services.server.api.commands.ServerAuthCommands.invoke(ServerAuthCommands.java:72)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)
Nov 4, 2010 11:04:13 AM com.buildforge.services.server.sso.SSOManager authenticate
INFO: CRRBF1414I: Authenticating user 'GUIDANT/root' for UI access.
Nov 4, 2010 11:10:26 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0787I: The Access Group 'og_resources' is referenced by the Selector '02f8a86d0c4f1000b9ab5dd506320632'.
at com.buildforge.services.server.manager.AccessGroupManager.delete(AccessGroupManager.java:855)
at com.buildforge.services.server.api.commands.AccessCommands.delete(AccessCommands.java:287)
at com.buildforge.services.server.api.commands.AccessCommands.invoke(AccessCommands.java:145)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)
Nov 4, 2010 12:24:27 PM com.buildforge.services.server.sso.SSOManager authenticate
INFO: CRRBF1414I: Authenticating user 'GUIDANT/root' for UI access.
Nov 4, 2010 12:26:27 PM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 12:36:14 PM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 12:36:14 PM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:107)
at com.buildforge.services.server.api.commands.ServerAuthCommands.create(ServerAuthCommands.java:136)
at com.buildforge.services.server.api.commands.ServerAuthCommands.invoke(ServerAuthCommands.java:72)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)
Much more elucidative, thank you. There are at least a few problems
afoot here. So, you have created your 'og_resources' AccessGroup
whose control group you possess. Your user does not directly (or
indirectly) possess the Group itself, which is what, apparently, is
leading to your problems. Possessing the control group allows you
to modify the target AccessGroup; it does not grant access to the
objects owned by the group itself.
I see three main exceptions from your log :
1) Creating a ServerAuth : You cannot create an object with an
AccessGroup you do not possess. Possessing the control
Group doesn't qualify.
2) Deleting the 'og_resources' AccessGroup. You cannot delete this
Group because it is in-use by another object (a Selector in this
case).
3) Same as #1
-steve
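The log reading done by hand in the answer above can be scripted. The following Python sketch is an added example, not part of the original thread or of BuildForge: it pulls each APIException out of a catalina log together with the first manager frame that raised it. The sample input is abbreviated from the log quoted above, and the timestamp format is assumed to match the one shown there.

```python
import re

# Abbreviated copy of the catalina log quoted in the thread (frames trimmed).
SAMPLE = """\
Nov 4, 2010 11:03:03 AM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 11:03:04 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
Nov 4, 2010 11:10:26 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0787I: The Access Group 'og_resources' is referenced by the Selector '02f8a86d0c4f1000b9ab5dd506320632'.
at com.buildforge.services.server.manager.AccessGroupManager.delete(AccessGroupManager.java:855)
at com.buildforge.services.server.api.commands.AccessCommands.delete(AccessCommands.java:287)
Nov 4, 2010 12:36:14 PM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
"""

# Record header, e.g. "Nov 4, 2010 11:03:04 AM <class> <method>"
HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ")
# Exception line: message code, then the human-readable message
EXC = re.compile(r"^\S+\.APIException: (CRRBF\d+[A-Z]): (.*)$")
# Stack frame inside a ...manager.* class: the operation that was refused
FRAME = re.compile(r"^\s*at com\.buildforge\.\S+\.manager\.(\w+)\.(\w+)\(")


def api_exceptions(text):
    """Return one dict per APIException: time, code, message, operation."""
    events, when, current = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # A new log record starts; any open stack trace has ended.
            when, current = m.group(1), None
            continue
        m = EXC.match(line)
        if m:
            current = {"time": when, "code": m.group(1),
                       "message": m.group(2), "operation": None}
            events.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None and current["operation"] is None:
            # Innermost manager frame names the object type and the action.
            current["operation"] = f"{m.group(1)}.{m.group(2)}"
    return events


if __name__ == "__main__":
    for e in api_exceptions(SAMPLE):
        print(e["time"], e["code"], e["operation"], "-", e["message"])
```

Run against the sample it reports the same three events listed in the answer: two denied ServerAuthManager.create calls and one refused AccessGroupManager.delete.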
I'm sorry, that didn't help much.
In my code I am trying to create a ServerAuth object named 'scmadm'. But I wrote the code to handle the case where the object might already exist, so I use findByName() to see if the object already exists.
BuildForge::Services::DBO::ServerAuth->findByName($bf7conn,$serverAuthName);
findByName() returns UNDEF, meaning that 'scmadm' does not exist, but at the moment the 'scmadm' object DOES EXIST, yet BF Access Control is not allowing me to know the TRUTH. But since I didn't understand this, I went on and tried to create the 'scmadm' ServerAuth object, then got the 'Access Denied' error, when the real issue is that the 'scmadm' ServerAuth object already exists, yet Access Control won't let me know the TRUTH.
WHY IS THIS?
I originally created 'scmadm' while logged in as 'root'. I assigned the 'og_resources' Access Group to 'scmadm' because I'd planned for Servers, Server Auth, Selectors and Environment Groups to all be owned by 'og_resources'.
We've been using BF3.8 for years. I've used the BF3.8 API over the years to create/configure literally thousands of projects and this has worked very well for us, BF3.8 has been, and still is a great system. We are trying to move to BF7, mainly because BF3.8 hasn't been supported for a couple years, but because BF7 requires Access Control on EVERYTHING, what was trivial in BF3.8 I'm finding is surprisingly complex in BF7.
Would it be helpful if I emailed you the simple Perl script I'm using to do this work?
I can understand the frustration, hopefully I can adequately explain
in this post ... you may not obtain objects (through findById,
findByName, or any other findXX) to which you do not have access.
The user you are issuing the findByXX call as does not have access
to the 'og_resources' access group, therefore calling the findByXX
method will never return you data. Doing otherwise entirely defeats
the intended security of the system. Even if you possess the control
group of the AccessGroup that governs the access of the object
you want (like the ServerAuth 'scmadm'), you do not have access
to 'og_resources' itself (though you DO have access to modify
that AccessGroup and add yourself to it) and therefore you may
not retrieve or modify objects governed by that AccessGroup.
Were you to add yourself to 'og_resources', you would then have
access to all the objects governed by that AccessGroup, but not
before then.
-steve
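A small Python model of the rules described in this answer, added here as an illustration; it is not BuildForge code or part of the original thread, and the class and method names (AccessModel, find, create, add_member, delete_group) are hypothetical. It assumes a group's creator is not automatically a member and that the Build Engineer group is its own control group.

```python
class AccessDenied(Exception):
    pass


class InUse(Exception):
    pass


class AccessModel:
    """Toy model of the access rules in the thread (hypothetical names)."""

    def __init__(self):
        self.members = {}  # access group -> users who possess it
        self.control = {}  # access group -> its control group
        self.objects = {}  # object name -> access group governing it

    def possesses(self, user, group):
        return user == "root" or user in self.members.get(group, set())

    def create_group(self, name, control_group):
        self.members.setdefault(name, set())  # creator is NOT made a member
        self.control[name] = control_group

    def add_member(self, actor, group, user):
        # Modifying a group needs its control group, not the group itself.
        if not self.possesses(actor, self.control[group]):
            raise AccessDenied(group)
        self.members[group].add(user)

    def find(self, actor, name):
        # "Exists but not visible" and "does not exist" both return None.
        group = self.objects.get(name)
        if group is None or not self.possesses(actor, group):
            return None
        return {"name": name, "access_group": group}

    def create(self, actor, name, group):
        # The access check comes first, so the caller sees "denied".
        if not self.possesses(actor, group):
            raise AccessDenied(group)
        if name in self.objects:
            raise ValueError("exists: " + name)  # choice made for this model
        self.objects[name] = group

    def delete_group(self, actor, group):
        if not self.possesses(actor, self.control[group]):
            raise AccessDenied(group)
        users = [o for o, g in self.objects.items() if g == group]
        if users:
            raise InUse(f"{group} referenced by {users[0]}")
        del self.members[group], self.control[group]


def replay_thread():
    """Replay the sequence from the thread and collect each outcome."""
    m = AccessModel()
    m.create_group("Build Engineer", "Build Engineer")
    m.members["Build Engineer"].add("bf_config_user")
    m.create_group("og_resources", "Build Engineer")
    m.create("root", "scmadm", "og_resources")  # created earlier as root
    user, out = "bf_config_user", []
    out.append(m.find(user, "scmadm"))  # None although the object exists
    try:
        m.create(user, "scmadm", "og_resources")
    except AccessDenied as e:
        out.append(f"denied:{e}")
    try:
        m.delete_group(user, "og_resources")
    except InUse:
        out.append("in-use")
    m.add_member(user, "og_resources", user)  # allowed via control group
    out.append(m.find(user, "scmadm")["access_group"])
    return out
```

A find-then-create script therefore has to treat an empty find result as "absent or not visible" and make sure the API user is a member of the governing group before relying on it.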