It's all about the answers!

Ask a question

Bizzare Access Group Problems (BF 7.1.2 M5)


Carl McMullen (1163) | asked Nov 04 '10, 1:44 p.m.
For years with BF3.8, I used the BF API in perl scripts to create/configure all of our projects, libraries, etc. it worked Great!

In November 2009, I started working on BF7, trying to get a few projects created using the BF7 API that I'd "copied" from our current BuildForge 3.8 system. I remember running into the most bizarre problems of not being able to get information on some BF objects, because the API user I was logged in with, didn't have proper permissions - the only API user that worked was 'root'. Finally, I created a PMR which resulted in a long discussion about the BF Permissions White Paper, trying to understand how to configure Access Groups. I learned that the BF 7 Access Control system is very complex.

I had to drop the BF7 work for the last year, now I'm starting to work on it again and am again running into these crazy permissions problems.

At the moment in BF7, I created one user - bf_config_user - that I made a member of all 6 out-of-box Access Groups - Build Engineer, Developer, Guest, Operator, Security & System Manager.

I ran my script as - bf_config_user - and had it create an Access Group named 'og_resources', with Control Level set to BUILD ENGINEER.

Next I had it try to run BuildForge::Services::DBO::AccessGroup->findByName('og_resources') to return an AccessGroup instance and I get an error:

BuildForge::Ex::APIException: CRRBF0101I: API: Access denied: og_resources.

Again, I'm running the script as - bf_config_user, I created Access Group 'og_resources' and the very next thing I try to do is get the 'og_resources' Access Group instance that I just created and I get the above 'Access Denied' error!

BUT if I run the script as 'root' it works fine.

I installed BF 7.1.2 M5 just last week, and this is the very first work I'm doing on this fresh install of BF 7.

Thanks for any help you can provide on this.

5 answers



permanent link
Steven Vaughan (22111) | answered Nov 04 '10, 2:44 p.m.
JAZZ DEVELOPER
Interesting, I'm not immediately seeing anything in the code that should
be throwing this - can you provide the related server-side stack from the
server/tomcat/logs/catalina.out (or catalina.{date}.log on windows) file?

-steve


Next I had it try to run BuildForge::Services::DBO::AccessGroup->findByName('og_resources') to return an AccessGroup instance and I get an error:

BuildForge::Ex::APIException: CRRBF0101I: API: Access denied: og_resources.

Thanks for any help you can provide on this.

permanent link
Carl McMullen (1163) | answered Nov 08 '10, 12:44 p.m.
The following is the contents of my catalina.2010-11-04.log. Let me know if you need anything else - Thanks Much!


Nov 4, 2010 11:03:03 AM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 11:03:04 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:107)
at com.buildforge.services.server.api.commands.ServerAuthCommands.create(ServerAuthCommands.java:136)
at com.buildforge.services.server.api.commands.ServerAuthCommands.invoke(ServerAuthCommands.java:72)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)
Nov 4, 2010 11:04:13 AM com.buildforge.services.server.sso.SSOManager authenticate
INFO: CRRBF1414I: Authenticating user 'GUIDANT/root' for UI access.
Nov 4, 2010 11:10:26 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0787I: The Access Group 'og_resources' is referenced by the Selector '02f8a86d0c4f1000b9ab5dd506320632'.
at com.buildforge.services.server.manager.AccessGroupManager.delete(AccessGroupManager.java:855)
at com.buildforge.services.server.api.commands.AccessCommands.delete(AccessCommands.java:287)
at com.buildforge.services.server.api.commands.AccessCommands.invoke(AccessCommands.java:145)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)
Nov 4, 2010 12:24:27 PM com.buildforge.services.server.sso.SSOManager authenticate
INFO: CRRBF1414I: Authenticating user 'GUIDANT/root' for UI access.
Nov 4, 2010 12:26:27 PM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 12:36:14 PM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 12:36:14 PM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:107)
at com.buildforge.services.server.api.commands.ServerAuthCommands.create(ServerAuthCommands.java:136)
at com.buildforge.services.server.api.commands.ServerAuthCommands.invoke(ServerAuthCommands.java:72)
at com.buildforge.services.server.api.APICommandProcessor.process(APICommandProcessor.java:275)
at com.buildforge.services.server.api.APIServerConnection.handleRequest(APIServerConnection.java:236)
at com.buildforge.services.server.api.APIServerConnection.process(APIServerConnection.java:150)
at com.buildforge.services.server.dispatch.callback.BufferedConnection.run(BufferedConnection.java:220)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:810)

permanent link
Steven Vaughan (22111) | answered Nov 09 '10, 8:54 a.m.
JAZZ DEVELOPER
Much more elucidative, thank you. There are at least a few problems
afoot here. So, you have created your 'og_resources' AccessGroup
whose control group you possess. Your user does not directly (or
indirectly) possess the Group itself, which is what, apparently, is
leading to your problems. Possessing the control group allows you
to modify the target AccessGroup; it does not grant access to the
objects owned by the group itself.

I see three main exceptions from your log :

1) Creating a ServerAuth : You cannot create an object with an
AccessGroup you do not possess. Possessing the control
Group doesn't qualify.

2) Deleting the 'og_resources' AccessGroup. You cannot delete this
Group because it is in-use by another object (a Selector in this
case).

3) Same as #1

-steve

The following is the contents of my catalina.2010-11-04.log. Let me know if you need anything else - Thanks Much!

Nov 4, 2010 11:03:03 AM com.buildforge.services.server.util.AccessCache check
INFO: check: MISS
Nov 4, 2010 11:03:04 AM com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)

{snipped}

com.buildforge.services.server.api.APIServerConnection process
WARNING: !!!
com.buildforge.services.common.api.APIException: CRRBF0787I: The Access Group 'og_resources' is referenced by the Selector '02f8a86d0c4f1000b9ab5dd506320632'.
at com.buildforge.services.server.manager.AccessGroupManager.delete(AccessGroupManager.java:855)
at com.buildforge.services.server.api.commands.AccessCommands.delete(AccessCommands.java:287)

{snipped}

com.buildforge.services.common.api.APIException: CRRBF0101I: API: Access denied: og_resources.
at com.buildforge.services.common.api.APIException.needLevel(APIException.java:386)
at com.buildforge.services.server.api.AuthContext.checkLevel(AuthContext.java:498)
at com.buildforge.services.server.manager.ServerAuthManager.create(ServerAuthManager.java:117)

permanent link
Carl McMullen (1163) | answered Nov 09 '10, 3:04 p.m.
I'm sorry, that didn't help much.

In my code I am trying to create a ServerAuth object named 'scmadm'. But I wrote the code to handle the case where the object might already exist, so I use findByName() to see if the object already exists.

BuildForge::Services::DBO::ServerAuth->findByName($bf7conn,$serverAuthName);

findByName() returns UNDEF, meaning that 'scmadm' does not exist, but at the moment the 'scmadm' object DOES EXIST, yet BF Access Control is not allowing me to know the TRUTH. But since I didn't understand this, I went on and tried to create the 'scmadm' ServerAuth object, then got the 'Access Denied' error, when the real issue is that the 'scmadm' ServerAuth object already exists, yet Access Control won't let me know the TRUTH.

WHY IS THIS?

I originally created 'scmadm' while logged in as 'root'. I assigned the 'og_resources' Access Group to 'scmadm' because I'd planned for Servers, Server Auth, Selector's and Environment Groups to all be owned by 'og_resources'.

We've been using BF3.8 for years. I've used the BF3.8 API over the years to create/configure literally thousands of projects and this has worked very well for us, BF3.8 has been, and still is a great system. We are trying to move to BF7, mainly because BF3.8 hasn't been supported for a couple years, but because BF7 requires Access Control on EVERYTHING, what was trivial in BF3.8 I'm finding is surprisingly complex in BF7.

Would it be helpful if I emailed you the simple Perl script I'm using to do this work?

permanent link
Steven Vaughan (22111) | answered Nov 09 '10, 5:25 p.m.
JAZZ DEVELOPER
I can understand the frustration, hopefully I can adequately explain
in this post ... you may not obtain objects (through findById,
findByName, or any other findXX) to which you do not have access.
The user you are issuing the findByXX call as does not have access
to the 'og_resources' access group, therefore calling the findByXX
method will never return you data. Doing otherwise entirely defeats
the intended security of the system. Even if you possess the control
group of the AccessGroup that governs the access of the object
you want (like the ServerAuth 'scmadm'), you do not have access
to 'og_resources' itself (though you DO have access to modify
that AccessGroup and add yourself to it) and therefore you may
not retrieve or modify objects governed by that AccessGroup.
Were you to add yourself to 'og_resources', you would then have
access to all the objects governed by that AccessGroup, but not
before then.

-steve

I'm sorry, that didn't help much.

In my code I am trying to create a ServerAuth object named 'scmadm'. But I wrote the code to handle the case where the object might already exist, so I use findByName() to see if the object already exists.

BuildForge::Services::DBO::ServerAuth->findByName($bf7conn,$serverAuthName);

findByName() returns UNDEF, meaning that 'scmadm' does not exist, but at the moment the 'scmadm' object DOES EXIST, yet BF Access Control is not allowing me to know the TRUTH. But since I didn't understand this, I went on and tried to create the 'scmadm' ServerAuth object, then got the 'Access Denied' error, when the real issue is that the 'scmadm' ServerAuth object already exists, yet Access Control won't let me know the TRUTH.

WHY IS THIS?

I originally created 'scmadm' while logged in as 'root'. I assigned the 'og_resources' Access Group to 'scmadm' because I'd planned for Servers, Server Auth, Selector's and Environment Groups to all be owned by 'og_resources'.

We've been using BF3.8 for years. I've used the BF3.8 API over the years to create/configure literally thousands of projects and this has worked very well for us, BF3.8 has been, and still is a great system. We are trying to move to BF7, mainly because BF3.8 hasn't been supported for a couple years, but because BF7 requires Access Control on EVERYTHING, what was trivial in BF3.8 I'm finding is surprisingly complex in BF7.

Would it be helpful if I emailed you the simple Perl script I'm using to do this work?

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.