Posted to dev@turbine.apache.org by Georg Kallidis <gk...@cedis.fu-berlin.de> on 2017/11/24 14:59:31 UTC

Re: Re: Problem with grant and revoke user roles in turbine-4

Hi Jeffery, 

that's in any case very cool to do this fluxTooling! ;-)

I checked out your GitHub project fluxtest and I may have found the bug 
(in Turbine).

The issue is that the Turbine service class 
org.apache.turbine.services.security.DefaultSecurityService implementing
org.apache.turbine.services.security.SecurityService requires as user 
model org.apache.turbine.om.security.User (=User). 
On the other side the Fulcrum implementation of the grant method uses a 
method (update) (defined in 
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity) 
seems to expect as contract fulcrum user object, but also 
TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om 
class by extending the appropriate baseClass 
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in 
the schema (= TurbineUser). 
How to match this? It WOULD be possible to retrieve the backing 
TurbineUser object from the User with the getUserDelegate() method. 
But the interface TurbineUserDelegate is not part of the contract of 
turbine.om.security.User (though DefaultUserImpl DOES implement 
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a 
cast would be required later on).
The easiest and most transparent solution would be (in my view), that 
org.apache.turbine.om.security.User interface extends TurbineUserDelegate 
and that at one point the delegate is called (as the TurbineUser OM class 
does implement Fulcrum TurbineUser, which implements Fulcrum User this 
would be no problem. We have to call getUserDelegate before the 
modelManager grant method is called, i.e. in DefaultSecurityService). No 
other changes seem to be needed .. I'll create an issue in TRB JIRA as 
soon as possible..

As a result you may have to use the Torque mapper for now, cft. your 
action FluxUserAction, cft. the github patch 
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review 
the changes).

I posted a copy to the dev list, where the discussion might continue ...

Best regards, Georg



From:    Jeffery Painter <je...@jivecast.com>
To:      user@turbine.apache.org
Date:    18.11.2017 00:43
Subject: Re: Problem with grant and revoke user roles in turbine-4




I gave it one last shot, but I am still having trouble with casting the 
user object. The security service seems to only want to give me the 
wrapper version and I cannot cast it to anything that the removeUser() 
method likes....

maybe you can take a look at the following method.


Here is my logging output.

2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser() 
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - 
o.a.t.o.s.User type: 
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - 
o.a.f.s.m.t.e.TurbineUser type: 
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not 
remove user: org.apache.fulcrum.security.util.UnknownEntityException: 
Could not find User/Group/Role

and the method call I am trying to use to delete the user...


     /**
      * ActionEvent responsible for removing a user from the Tambora system.
      */
     public void doDelete(PipelineData pipelineData, Context context) throws Exception {

         try {
             RunData data = getRunData(pipelineData);
             String username = data.getParameters().getString("username");
             if (!StringUtils.isEmpty(username)) {
                 if (security.accountExists(username)) {

                     // this is always returning the wrapper version of our user
                     User user1 = security.getUser(username);
                     log.debug("getUser() type: " + user1.getClass().getTypeName().toString() );

                     // same and does not work
                     User user2 = (org.apache.turbine.om.security.User) security.getUser(username);
                     log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() );

                     // no change - and you cannot use the interface class as a parameter to the removeUser method
                     org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
                         (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username);
                     log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() );

                     // Tried using reflection to cast and still doesn't work
                     org.apache.turbine.om.security.User forceUser =
                         org.apache.turbine.om.security.User.class.cast( security.getUser(username) );
                     log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() );

                     //security.revokeAll(user);
                     // remove user does the revokeAll above...
                     security.removeUser(forceUser);

                 } else {
                     log.error("User does not exist!");
                 }
             }
         } catch (Exception e) {
             log.error("Could not remove user: " + e);
         }
     }


On 11/17/2017 06:03 PM, Jeffery Painter wrote:
> Hi Georg,
>
> I did a quick test on the remove role method with the following change 
> and it works.  My problem with role removal was that in my test case, 
> the role was associated with users and could not be removed.  Maybe a 
> better error message would help? :-)   The user management needs a bit 
> more work as well to make it comply with the SecurityService. I will 
> work on that.  The old flux tool also had some weirdness in the way it 
> handled the getRole() getGroup() getUser() method where it was caching 
> the last loaded entry... I am fixing that as well.
>
> I inserted a few new roles and was able to remove them.  I am working 
> on updating the rest of the FluxTool methods so they behave 
> appropriately.  When I get it into decent shape, I will push updates 
> to my github project for you to test out if you like before we make a 
> space to put it into the apache source control.
>
> That will most likely be after Nov 25th when I get back into town. Who 
> knows - if I get bored, I may open up some code on my laptop, but not 
> likely as we are going on a cruise where it will be nice and warm!
>
> Thanks,
> Jeff
>
>
>
> On 11/17/2017 05:17 PM, Georg Kallidis wrote:
>> Hi Jeff,
>>
>> as far as I can see, I assume the implementation class might be 
>> TorqueTurbineModelManagerImpl? Could you check this? Your second 
>> attempt may be indeed close, but the reason is missing. Could you 
>> provide the stack/cause of the exception?
>>
>> Probably, if this is the case, at this point of the code of the model 
>> manager the role, group and user are already checked, but what might 
>> have caused the exception is a failing cast to
>>
>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the 
>> user object or
>> - org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>> of any of the objects, which may be the reason, if in your schema the 
>> baseclass attribute is not set to 
>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX 
>> (XXX = User|Role|Group) class (or another class implementing the 
>> required interface, cft. the example torque-security-schem.xml in the 
>> Turbine webapp archetype)...
>>
>> And thanks for your efforts to migrate / use the flux library!
>>
>> Best regards, Georg
>>
>> -----Jeffery Painter <je...@jivecast.com> wrote: -----
>> To: user@turbine.apache.org
>> From: Jeffery Painter <je...@jivecast.com>
>> Date: 16.11.2017 23:29
>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>
>> I looked a little more at the test cases, and got my code setup enough
>> to try and call the fulcrum security service directly...
>>
>>                                       // try using fulcrum service
>> ((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, group, role);
>>
>> The error logs are still reporting problems:
>>
>> I verified that this loaded the user "dean" from the database as a
>> fulcrumUser and it came through with a class type of
>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
>> turbine security service provided. and now I get a DataBackendException
>> error on the grant call...
>>
>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
>> the service 'org.apache.fulcrum.security.UserManager' in the local 
>> container
>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
>> com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser:
>> com.jivecast.smartorder.om.TurbineUser
>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>> role to user: inventory
>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
>> the service 'org.apache.fulcrum.security.ModelManager' in the local
>> container
>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
>> the service 'org.apache.fulcrum.security.RoleManager' in the local 
>> container
>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
>> the service 'org.apache.fulcrum.security.UserManager' in the local 
>> container
>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>> container
>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>> -  get cached
>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting
>> roles: org.apache.fulcrum.security.util.DataBackendException:
>> grant('dean', 'global', 'inventory') failed
>>
>>
>> any ideas?
>>
>> -- 
>> Jeff
>>
>>
>>
>> On 11/16/2017 05:00 PM, Jeffery Painter wrote:
>>> Hi Georg,
>>>
>>> I am making some good progress.  I don't know if you remember the old
>>> flux library for user management, but I have started to re-write that
>>> to work with Turbine 4.0.  I am having some troubles however with the
>>> grant/revoke roles with casting the user object incorrectly from the
>>> TurbineWrapper class.  Can you help me with the issue I am having
>>> below?  I looked at the unit tests in the Turbine source for
>>> inspiration on migrating, but it isn't recognizing the user class
>>> properly.  I even tried to manually downcast (see my code below), and
>>> still cannot make it work.
>>>
>>> If I can get this all working, I thought it might be useful to publish
>>> a new flux library compatible with Turbine-4.0 for user management as
>>> a guide to others on how to get started.
>>>
>>>
>>> My logs show the following error when calling the grant/revoke method
>>> on the security service when trying to add the "inventory" role to a
>>> user:
>>>
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>>> role to user: inventory
>>>
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.RoleManager' in the local
>>> container
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>> avalon.peerManager -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b
>>>
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>> container
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>> avalon.peerManager -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624
>>>
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>>> container
>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>> avalon.peerManager -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
>>>
>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error
>>> setting roles: java.lang.ClassCastException:
>>> com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
>>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>
>>>
>>>
>>> Here is the relevant code in my doRoles() method to make the new
>>> assignment... it is modeled after the old flux methods:
>>>
>>> I have the following import:
>>>
>>> import org.apache.turbine.services.security.SecurityService;
>>>
>>> and in the body of the class, I use the injection to get the instance
>>> mapped
>>>
>>>      /** Injected service instance */
>>>      @TurbineService
>>>      private SecurityService security;
>>>
>>> .... then my action class method is called doRoles() which does the
>>> role assignment and fails
>>>
>>>      /**
>>>       * Update the roles that are to be assigned to a user for a project.
>>>       */
>>>      public void doRoles(PipelineData pipelineData, Context context) throws Exception {
>>>
>>>          try {
>>>
>>>              RunData data = getRunData(pipelineData);
>>>
>>>              // Get the Turbine ACL implementation for our current user, only admin can update user roles
>>>              TurbineAccessControlList adminAcl = getRunData(data).getACL();
>>>              if (adminAcl.hasRole("administrator")) {
>>>
>>>                  // Username of the account we are updating
>>>                  String username = data.getParameters().getString("username");
>>>                  if (security.accountExists(username)) {
>>>
>>>                      // Try to downcast for the security grant function
>>>                      org.apache.turbine.om.security.User user =
>>>                          (org.apache.turbine.om.security.User) security.getUser(username);
>>>
>>>                      // Get the Turbine ACL implementation
>>>                      TurbineAccessControlList acl = security.getACL(user);
>>>
>>>                      /*
>>>                       * Grab all the Groups and Roles in the system.
>>>                       */
>>>                      GroupSet groups = security.getAllGroups();
>>>                      RoleSet roles = security.getAllRoles();
>>>
>>>                      for (Group group : groups) {
>>>                          String groupName = group.getName();
>>>                          for (Role role : roles) {
>>>                              String roleName = role.getName();
>>>
>>>                              /*
>>>                               * In the UserRoleForm.vm we made a checkbox for every possible Group/Role
>>>                               * combination so we will compare every possible combination with the values
>>>                               * that were checked off in the form. If we have a match then we will grant the
>>>                               * user the role in the group.
>>>                               */
>>>                              String groupRole = groupName + roleName;
>>>                              String formGroupRole = data.getParameters().getString(groupRole);
>>>
>>>                              if (formGroupRole != null && !acl.hasRole(role, group)) {
>>>                                  // add the role for this user
>>>                                  if (acl.hasRole(role) == false) {
>>>                                      log.debug("Adding new role to user: " + role.getName());
>>>                                      security.grant(user, group, role);
>>>                                  }
>>>                              } else if (formGroupRole == null && acl.hasRole(role, group)) {
>>>                                  // revoke the role for this user
>>>                                  log.debug("Revoke role: " + role.getName());
>>>                                  security.revoke(user, group, role);
>>>                              }
>>>                          }
>>>                      }
>>>
>>>                  } else {
>>>                      log.error("User does not exist!");
>>>                  }
>>>              } else {
>>>                  data.setMessage("You do not have access to perform this action.");
>>>              }
>>>          } catch (Exception e) {
>>>              log.error("Error setting roles: " + e.toString());
>>>          }
>>>
>>>      }
>>>
>>>
>

-- 
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@turbine.apache.org
For additional commands, e-mail: user-help@turbine.apache.org





Re: Re: Problem with grant and revoke user roles in turbine-4

Posted by Georg Kallidis <gk...@cedis.fu-berlin.de>.
Hi Jeffery,

>The weird part is the security.changePassword(user, oldpw, newpw) method 
>works with the wrapped user object whereas none of the other methods 
>like security.revokeAll(user) are working... maybe there is a clue in
>that.

The simple reason for this is that in the Turbine security service 
changePassword method the delegate is already called, but only by the 
called user manager (DefaultUserManager)!

umDelegate.changePassword( ((TurbineUserDelegate)user).getUserDelegate(), 
oldPassword, newPassword);

The same is true for the method store, but not for a couple of other 
security service methods (grant, revoke, revokeAll, addUser, removeUser, 
in user manager: forcePassword, getACL, removeAccount, createAccount, 
accountExists). Provided that we use Torque Security (Hibernate may be the 
same) we need using the delegate because only the OM classes extend from 
the (abstract) classes, which implement the required methods in 
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity 
used by the Fulcrum Torque managers. 

I think about how to better define the interface in Fulcrum Turbine Torque 
(require the class, which is effectively used later). I'll nevertheless 
update Turbine (4.1-SNAPSHOT) Fulcrum Security 1.1.2-SNAPSHOT and Turbine 
Webapp for what we know now is a bug. 

If we think about a more robust approach, the question is of course, where 
should the tests be placed? Fulcrum is an abstract module to Turbine and 
Turbine has up to now no Torque dependency and the tests are incomplete 
apparently. The only place where both Torque Fulcrum module and Turbine 
module come together is in the Turbine Webapp. It may be there, where a 
test should be added... it's already kind of evolving into a test 
environment. I'll check this..

We may consider a follow-up Turbine release (better 4.0.1 than 4.1!) as 
well as a Fulcrum Security Torque 1.1.2. What do you think?


Best regards, Georg
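
The type mismatch discussed in this thread, and the getUserDelegate() unwrapping that makes changePassword work, shown as an added example that is not code from Turbine, Fulcrum or either poster. Every nested type is a simplified stand-in with a hypothetical name that only mirrors the role of the real class named in its comment; the user, group and role values are the ones from the log above.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration: every nested type is a simplified, hypothetical stand-in. */
public class DelegateUnwrapDemo {

    /** Stand-in for the Fulcrum user contract that the model manager accepts. */
    interface FulcrumUser { String getName(); }

    /** Stand-in for TorqueAbstractSecurityEntity, which the Torque manager casts to. */
    static abstract class TorqueEntity {
        final List<String> grants = new ArrayList<>();
        void update() { /* the real class persists through Torque here */ }
    }

    /** Stand-in for the generated OM user class (baseClass set in the schema). */
    static class OmTurbineUser extends TorqueEntity implements FulcrumUser {
        private final String name;
        OmTurbineUser(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Stand-in for TurbineUserDelegate. */
    interface UserDelegate { FulcrumUser getUserDelegate(); }

    /** Stand-in for org.apache.turbine.om.security.User: no delegate accessor in its contract. */
    interface User extends FulcrumUser { }

    /** Stand-in for the wrapper object that the security service hands out. */
    static class UserWrapper implements User, UserDelegate {
        private final OmTurbineUser backing;
        UserWrapper(OmTurbineUser backing) { this.backing = backing; }
        @Override public String getName() { return backing.getName(); }
        @Override public FulcrumUser getUserDelegate() { return backing; }
    }

    /** Stand-in for the Torque model manager: accepts the interface, needs the entity. */
    static class TorqueModelManager {
        void grant(FulcrumUser user, String group, String role) {
            TorqueEntity entity = (TorqueEntity) user; // fails for a wrapper
            entity.grants.add(group + "/" + role);
            entity.update();
        }
    }

    /** Behaviour reported in the thread: the wrapper goes straight to the manager. */
    static void grantWithoutDelegate(TorqueModelManager mm, User user, String group, String role) {
        mm.grant(user, group, role);
    }

    /** Resolve the backing object once and reject anything the manager cannot persist. */
    static FulcrumUser unwrap(FulcrumUser user) {
        FulcrumUser backing = (user instanceof UserDelegate)
                ? ((UserDelegate) user).getUserDelegate()
                : user;
        if (!(backing instanceof TorqueEntity)) {
            throw new IllegalArgumentException(
                    "user object " + user.getClass().getName() + " has no Torque-backed delegate");
        }
        return backing;
    }

    /** Proposed behaviour: call the delegate before the model manager is invoked. */
    static void grantWithDelegate(TorqueModelManager mm, User user, String group, String role) {
        mm.grant(unwrap(user), group, role);
    }

    public static void main(String[] args) {
        TorqueModelManager mm = new TorqueModelManager();
        OmTurbineUser om = new OmTurbineUser("dean"); // constructed sample user
        User wrapped = new UserWrapper(om);

        try {
            grantWithoutDelegate(mm, wrapped, "global", "inventory");
        } catch (ClassCastException e) {
            System.out.println("without delegate: " + e.getClass().getSimpleName());
        }
        System.out.println("grants after failed call: " + om.grants);

        grantWithDelegate(mm, wrapped, "global", "inventory");
        System.out.println("grants after delegate call: " + om.grants);
    }
}
```

The first call fails before any grant is recorded, so a caller that only logs the exception, as the action methods in this thread do, leaves the user's roles unchanged; that matters most for revoke, where the role stays in place.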



From:    Jeffery Painter <je...@jivecast.com>
To:      dev@turbine.apache.org
Date:    26.11.2017 16:26
Subject: Re: Problem with grant and revoke user roles in turbine-4



Hi Georg,

I was able to develop a work around but it is pretty ugly.  I can now 
add/delete/update user accounts.  I have posted the flux update here:

https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4


The weird part is the security.changePassword(user, oldpw, newpw) method 
works with the wrapped user object whereas none of the other methods 
like security.revokeAll(user) are working... maybe there is a clue in 
that.


--
Jeff



On 11/25/2017 02:59 PM, Jeffery Painter wrote:
> Hi Georg,
>
> That helped a lot with the grant/revoke of roles.  I updated the code 
> for revoking as well to match.  I have flux tool now managing the 
> add/removal/update for both groups and roles. Permissions was still 
> giving me some issues and I need to look into that more when I have 
> time.  I don't use permission level security (just groups and roles) 
> but to call the tool complete, I should get it working as well.
>
> I pushed my last updates here:
>
> https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e
>
>
> The one main issue I see now is that I cannot add/update/delete a 
> user.  I am getting the same cryptic DataBackendException error and 
> can't seem to get past it. It looks like it is most likely related to 
> the issue you have already identified below.
>
> Let me know where I can help with this.
>
> Thanks,
> Jeff
>
>
>
> On 11/24/2017 09:59 AM, Georg Kallidis wrote:
>> Hi Jeffery,
>>
>> that's in any case very cool to do this fluxTooling! ;-)
>>
>> I checked out your GitHub project fluxtest and I may have found the bug
>> (in Turbine).
>>
>> The issue is that the Turbine service class
>> org.apache.turbine.services.security.DefaultSecurityService implementing
>> org.apache.turbine.services.security.SecurityService requires as user
>> model org.apache.turbine.om.security.User (=User).
>> On the other side the Fulcrum implementation of the grant method uses a
>> method (update) (defined in
>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
>> seems to expect as contract fulcrum user object, but also
>> TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
>> class by extending the appropriate baseClass
>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
>> the schema (= TurbineUser).
>> How to match this? It WOULD be possible to retrieve the backing
>> TurbineUser object from the User with the getUserDelegate() method.
>> But the interface TurbineUserDelegate is not part of the contract of
>> turbine.om.security.User (though DefaultUserImpl DOES implement
>> TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
>> cast would be required later on).
>> The easiest and most transparent solution would be (in my view), that
>> org.apache.turbine.om.security.User interface extends TurbineUserDelegate
>> and that at one point the delegate is called (as the TurbineUser OM class
>> does implement Fulcrum TurbineUser, which implements Fulcrum User this
>> would be no problem. We have to call getUserDelegate before the
>> modelManager grant method is called, i.e. in DefaultSecurityService). No
>> other changes seem to be needed .. I'll create an issue in TRB JIRA as
>> soon as possible..
>>
>> As a result you may have to use the Torque mapper for now, cft. your
>> action FluxUserAction, cft. the github patch
>> (https://github.com/jlpainter/turbine-flux/pull/1, you might just review
>> the changes).
>>
>> I posted a copy to the dev list, where the discussion might continue ...
>>
>> Best regards, Georg
>>
>>
>>
>> From:    Jeffery Painter <je...@jivecast.com>
>> To:      user@turbine.apache.org
>> Date:    18.11.2017 00:43
>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>
>>
>>
>>
>> I gave it one last shot, but I am still having trouble with casting the
>> user object. The security service seems to only want to give me the
>> wrapper version and I cannot cast it to anything that the removeUser()
>> method likes....
>>
>> maybe you can take a look at the following method.
>>
>>
>> Here is my logging output.
>>
>> 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
>> type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
>> o.a.t.o.s.User type:
>> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
>> o.a.f.s.m.t.e.TurbineUser type:
>> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
>> remove user: org.apache.fulcrum.security.util.UnknownEntityException:
>> Could not find User/Group/Role
>>
>> and the method call I am trying to use to delete the user...
>>
>>
>>       /**
>>        * ActionEvent responsible for removing a user from the Tambora system.
>>        */
>>       public void doDelete(PipelineData pipelineData, Context context) throws Exception {
>>
>>           try {
>>               RunData data = getRunData(pipelineData);
>>               String username = data.getParameters().getString("username");
>>               if (!StringUtils.isEmpty(username)) {
>>                   if (security.accountExists(username)) {
>>
>>                       // this is always returning the wrapper version of our user
>>                       User user1 = security.getUser(username);
>>                       log.debug("getUser() type: " + user1.getClass().getTypeName().toString() );
>>
>>                       // same and does not work
>>                       User user2 = (org.apache.turbine.om.security.User) security.getUser(username);
>>                       log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() );
>>
>>                       // no change - and you cannot use the interface class as a parameter to the removeUser method
>>                       org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
>>                           (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username);
>>                       log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() );
>>
>>                       // Tried using reflection to cast and still doesn't work
>>                       org.apache.turbine.om.security.User forceUser =
>>                           org.apache.turbine.om.security.User.class.cast( security.getUser(username) );
>>                       log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() );
>>
>>                       //security.revokeAll(user);
>>                       // remove user does the revokeAll above...
>>                       security.removeUser(forceUser);
>>
>>                   } else {
>>                       log.error("User does not exist!");
>>                   }
>>               }
>>           } catch (Exception e) {
>>               log.error("Could not remove user: " + e);
>>           }
>>       }
>>
>>
>> On 11/17/2017 06:03 PM, Jeffery Painter wrote:
>>> Hi Georg,
>>>
>>> I did a quick test on the remove role method with the following change
>>> and it works.  My problem with role removal was that in my test case,
>>> the role was associated with users and could not be removed. Maybe a
>>> better error message would help? :-)   The user management needs a bit
>>> more work as well to make it comply with the SecurityService. I will
>>> work on that.  The old flux tool also had some weirdness in the way it
>>> handled the getRole() getGroup() getUser() method where it was caching
>>> the last loaded entry... I am fixing that as well.
>>>
>>> I inserted a few new roles and was able to remove them.  I am working
>>> on updating the rest of the FluxTool methods so they behave
>>> appropriately.  When I get it into decent shape, I will push updates
>>> to my github project for you to test out if you like before we make a
>>> space to put it into the apache source control.
>>>
>>> That will most likely be after Nov 25th when I get back into town. Who
>>> knows - if I get bored, I may open up some code on my laptop, but not
>>> likely as we are going on a cruise where it will be nice and warm!
>>>
>>> Thanks,
>>> Jeff
>>>
>>>
>>>
>>> On 11/17/2017 05:17 PM, Georg Kallidis wrote:
>>>> Hi Jeff,
>>>>
>>>> as far as I can see, I assume the implementation class might be
>>>> TorqueTurbineModelManagerImpl? Could you check this? Your second
>>>> attempt may be indeed close, but the reason is missing. Could you
>>>> provide the stack/cause of the exception?
>>>>
>>>> Probably, if this is the case, at this point of the code of the model
>>>> manager the role, group and user are already checked, but what might
>>>> have caused the exception is a failing cast to
>>>>
>>>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
>>>> user object or
>>>> - org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>> of any of the objects, which may be the reason, if in your schema the
>>>> baseclass attribute is not set to
>>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
>>>> (XXX = User|Role|Group) class (or another class implementing the
>>>> required interface, cft. the example torque-security-schem.xml in the
>>>> Turbine webapp archetype)...
>>>>
>>>> And thanks for your efforts to migrate / use the flux library!
>>>>
>>>> Best regards, Georg
>>>>
>>>> -----Jeffery Painter <je...@jivecast.com> wrote: -----
>>>> To: user@turbine.apache.org
>>>> From: Jeffery Painter <je...@jivecast.com>
>>>> Date: 16.11.2017 23:29
>>>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>>>
>>>> I looked a little more at the test cases, and got my code setup enough
>>>> to try and call the fulcrum security service directly...
>>>>
>>>>                                        // try using fulcrum service
>>>> ((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, group, role);
>>>>
>>>> The error logs are still reporting problems:
>>>>
>>>> I verified that this loaded the user "dean" from the database as a
>>>> fulcrumUser and it came through with a class type of
>>>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
>>>> turbine security service provided. and now I get a DataBackendException
>>>> error on the grant call...
>>>>
>>>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser: com.jivecast.smartorder.om.TurbineUser
>>>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new role to user: inventory
>>>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.ModelManager' in the local container
>>>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.RoleManager' in the local container
>>>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
>>>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.GroupManager' in the local container
>>>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting roles: org.apache.fulcrum.security.util.DataBackendException: grant('dean', 'global', 'inventory') failed
>>>>
>>>>
>>>> any ideas?
>>>>
>>>> -- 
>>>> Jeff
>>>>
>>>>
>>>>
>>>> On 11/16/2017 05:00 PM, Jeffery Painter wrote:
>>>>> Hi Georg,
>>>>>
>>>>> I am making some good progress.  I don't know if you remember the old
>>>>> flux library for user management, but I have started to re-write that
>>>>> to work with Turbine 4.0.  I am having some troubles however with the
>>>>> grant/revoke roles with casting the user object incorrectly from the
>>>>> TurbineWrapper class.  Can you help me with the issue I am having
>>>>> below?  I looked at the unit tests in the Turbine source for
>>>>> inspiration on migrating, but it isn't recognizing the user class
>>>>> properly.  I even tried to manually downcast (see my code below), and
>>>>> still cannot make it work.
>>>>>
>>>>> If I can get this all working, I thought it might be useful to publish
>>>>> a new flux library compatible with Turbine-4.0 for user management as
>>>>> a guide to others on how to get started.
>>>>>
>>>>>
>>>>> My logs show the following error when calling the grant/revoke method
>>>>> on the security service when trying to add the "inventory" role to a
>>>>> user:
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new role to user: inventory
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.RoleManager' in the local container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.GroupManager' in the local container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
>>>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting roles: java.lang.ClassCastException: com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>>>
>>>>>
>>>>> Here is the relevant code in my doRoles() method to make the new
>>>>> assignment... it is modeled after the old flux methods:
>>>>>
>>>>> I have the following import:
>>>>>
>>>>> import org.apache.turbine.services.security.SecurityService;
>>>>>
>>>>> and in the body of the class, I use the injection to get the instance
>>>>> mapped
>>>>>
>>>>>       /** Injected service instance */
>>>>>       @TurbineService
>>>>>       private SecurityService security;
>>>>>
>>>>> .... then my action class method is called doRoles() which does the
>>>>> role assignment and fails
>>>>>
>>>>>       /**
>>>>>        * Update the roles that are to be assigned to a user for a project.
>>>>>        */
>>>>>       public void doRoles(PipelineData pipelineData, Context context) throws Exception {
>>>>>
>>>>>           try {
>>>>>
>>>>>               RunData data = getRunData(pipelineData);
>>>>>
>>>>>               // Get the Turbine ACL implementation for our current user, only admin can update user roles
>>>>>               TurbineAccessControlList adminAcl = getRunData(data).getACL();
>>>>>               if (adminAcl.hasRole("administrator")) {
>>>>>
>>>>>                   // Username of the account we are updating
>>>>>                   String username = data.getParameters().getString("username");
>>>>>                   if (security.accountExists(username)) {
>>>>>
>>>>>                       // Try to downcast for the security grant function
>>>>>                       org.apache.turbine.om.security.User user =
>>>>>                               (org.apache.turbine.om.security.User) security.getUser(username);
>>>>>
>>>>>                       // Get the Turbine ACL implementation
>>>>>                       TurbineAccessControlList acl = security.getACL(user);
>>>>>
>>>>>                       /*
>>>>>                        * Grab all the Groups and Roles in the system.
>>>>>                        */
>>>>>                       GroupSet groups = security.getAllGroups();
>>>>>                       RoleSet roles = security.getAllRoles();
>>>>>
>>>>>                       for (Group group : groups) {
>>>>>                           String groupName = group.getName();
>>>>>                           for (Role role : roles) {
>>>>>                               String roleName = role.getName();
>>>>>
>>>>>                               /*
>>>>>                                * In the UserRoleForm.vm we made a checkbox for every possible Group/Role
>>>>>                                * combination so we will compare every possible combination with the values
>>>>>                                * that were checked off in the form. If we have a match then we will grant the
>>>>>                                * user the role in the group.
>>>>>                                */
>>>>>                               String groupRole = groupName + roleName;
>>>>>                               String formGroupRole = data.getParameters().getString(groupRole);
>>>>>
>>>>>                               if (formGroupRole != null && !acl.hasRole(role, group)) {
>>>>>                                   // add the role for this user
>>>>>                                   if (acl.hasRole(role) == false) {
>>>>>                                       log.debug("Adding new role to user: " + role.getName());
>>>>>                                       security.grant(user, group, role);
>>>>>                                   }
>>>>>                               } else if (formGroupRole == null && acl.hasRole(role, group)) {
>>>>>                                   // revoke the role for this user
>>>>>                                   log.debug("Revoke role: " + role.getName());
>>>>>                                   security.revoke(user, group, role);
>>>>>                               }
>>>>>                           }
>>>>>                       }
>>>>>
>>>>>                   } else {
>>>>>                       log.error("User does not exist!");
>>>>>                   }
>>>>>               } else {
>>>>>                   data.setMessage("You do not have access to perform this action.");
>>>>>               }
>>>>>           } catch (Exception e) {
>>>>>               log.error("Error setting roles: " + e.toString());
>>>>>           }
>>>>>
>>>>>       }
>>>>>
>>>>>
>

-- 
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
For additional commands, e-mail: dev-help@turbine.apache.org





Re: Problem with grant and revoke user roles in turbine-4

Posted by Jeffery Painter <je...@jivecast.com>.
Further testing with permissions reveals some more issues regarding the 
security interface.  I was able to get a role-permission model 
enforcement to work using the same kind of work around you had for 
revoke/grant of user roles.

Last update for the night here:
https://github.com/jlpainter/turbine-flux/commit/1ff398ce2b48427dc94115bb389f89fac9f29856

--
Jeff



On 11/26/2017 10:26 AM, Jeffery Painter wrote:
> Hi Georg,
>
> I was able to develop a work around but it is pretty ugly.  I can now 
> add/delete/update user accounts.  I have posted the flux update here:
>
> https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4 
>
>
> The weird part is the security.changePassword(user, oldpw, newpw) 
> method works with the wrapped user object whereas none of the other 
> methods like security.revokeAll(user) are working... maybe there is a 
> clue in that.
>
>
> -- 
> Jeff
>
>
>
> On 11/25/2017 02:59 PM, Jeffery Painter wrote:
>> Hi Georg,
>>
>> That helped a lot with the grant/revoke of roles.  I updated the code 
>> for revoking as well to match.  I have flux tool now managing the 
>> add/removal/update for both groups and roles. Permissions was still 
>> giving me some issues and I need to look into that more when I have 
>> time.  I don't use permission level security (just groups and roles) 
>> but to call the tool complete, I should get it working as well.
>>
>> I pushed my last updates here:
>>
>> https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e 
>>
>>
>> The one main issue I see now is that I cannot add/update/delete a 
>> user.  I am getting the same cryptic DataBackendException error and 
>> can't seem to get past it. It looks like it is most likely related to 
>> the issue you have already identified below.
>>
>> Let me know where I can help with this.
>>
>> Thanks,
>> Jeff
>>
>>
>>
>> On 11/24/2017 09:59 AM, Georg Kallidis wrote:
>>> Hi Jeffery,
>>>
>>> that's in any case very cool to do this fluxTooling! ;-)
>>>
>>> I checked out your GitHub project fluxtest and I may have found the bug
>>> (in Turbine).
>>>
>>> The issue is that the Turbine service class
>>> org.apache.turbine.services.security.DefaultSecurityService implementing
>>> org.apache.turbine.services.security.SecurityService requires as user
>>> model org.apache.turbine.om.security.User (=User).
>>> On the other side the Fulcrum implementation of the grant method uses a
>>> method (update) (defined in
>>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
>>> seems to expect as contract fulcrum user object, but also
>>> TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
>>> class by extending the appropriate baseClass
>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
>>> the schema (= TurbineUser).
>>> How to match this? It WOULD be possible to retrieve the backing
>>> TurbineUser object from the User with the getUserDelegate() method.
>>> But the interface TurbineUserDelegate is not part of the contract of
>>> turbine.om.security.User (though DefaultUserImpl DOES implement
>>> TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
>>> cast would be required later on).
>>> The easiest and most transparent solution would be (in my view), that
>>> org.apache.turbine.om.security.User interface extends TurbineUserDelegate
>>> and that at one point the delegate is called (as the TurbineUser OM class
>>> does implement Fulcrum TurbineUser, which implements Fulcrum User this
>>> would be no problem. We have to call getUserDelegate before the
>>> modelManager grant method is called, i.e. in DefaultSecurityService). No
>>> other changes seem to be needed .. I'll create an issue in TRB JIRA as
>>> soon as possible..
>>>
>>> As a result you may have to use the Torque mapper for now, cf. your
>>> action FluxUserAction, cf. the github patch
>>> (https://github.com/jlpainter/turbine-flux/pull/1, you might just review
>>> the changes).
>>>
>>> I posted a copy to the dev list, where the discussion might continue ...
>>>
>>> Best regards, Georg
>>>
>>>
>>>
>>> From:    Jeffery Painter <je...@jivecast.com>
>>> To:      user@turbine.apache.org
>>> Date:    18.11.2017 00:43
>>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>>
>>>
>>>
>>>
>>> I gave it one last shot, but I am still having trouble with casting the
>>> user object. The security service seems to only want to give me the
>>> wrapper version and I cannot cast it to anything that the removeUser()
>>> method likes....
>>>
>>> maybe you can take a look at the following method.
>>>
>>>
>>> Here is my logging output.
>>>
>>> 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser() type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>>
>>> 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - o.a.t.o.s.User type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>>
>>> 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - o.a.f.s.m.t.e.TurbineUser type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>>
>>> 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not remove user: org.apache.fulcrum.security.util.UnknownEntityException: Could not find User/Group/Role
>>>
>>> and the method call I am trying to use to delete the user...
>>>
>>>
>>>       /**
>>>        * ActionEvent responsible for removing a user from the Tambora system.
>>>        */
>>>       public void doDelete(PipelineData pipelineData, Context context) throws Exception {
>>>
>>>           try {
>>>               RunData data = getRunData(pipelineData);
>>>               String username = data.getParameters().getString("username");
>>>               if (!StringUtils.isEmpty(username)) {
>>>                   if (security.accountExists(username)) {
>>>
>>>                       // this is always returning the wrapper version of our user
>>>                       User user1 = security.getUser(username);
>>>                       log.debug("getUser() type: " + user1.getClass().getTypeName().toString() );
>>>
>>>                       // same and does not work
>>>                       User user2 = (org.apache.turbine.om.security.User) security.getUser(username);
>>>                       log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() );
>>>
>>>                       // no change - and you cannot use the interface class as a parameter to the removeUser method
>>>                       org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
>>>                               (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username);
>>>                       log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() );
>>>
>>>                       // Tried using reflection to cast and still doesn't work
>>>                       org.apache.turbine.om.security.User forceUser =
>>>                               org.apache.turbine.om.security.User.class.cast( security.getUser(username) );
>>>                       log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() );
>>>
>>>                       //security.revokeAll(user);
>>>                       // remove user does the revokeAll above...
>>>                       security.removeUser(forceUser);
>>>
>>>                   } else {
>>>                       log.error("User does not exist!");
>>>                   }
>>>               }
>>>           } catch (Exception e) {
>>>               log.error("Could not remove user: " + e);
>>>           }
>>>       }
>>>
>>>
>>> On 11/17/2017 06:03 PM, Jeffery Painter wrote:
>>>> Hi Georg,
>>>>
>>>> I did a quick test on the remove role method with the following change
>>>> and it works.  My problem with role removal was that in my test case,
>>>> the role was associated with users and could not be removed. Maybe a
>>>> better error message would help? :-)   The user management needs a bit
>>>> more work as well to make it comply with the SecurityService. I will
>>>> work on that.  The old flux tool also had some weirdness in the way it
>>>> handled the getRole() getGroup() getUser() method where it was caching
>>>> the last loaded entry... I am fixing that as well.
>>>>
>>>> I inserted a few new roles and was able to remove them.  I am working
>>>> on updating the rest of the FluxTool methods so they behave
>>>> appropriately.  When I get it into decent shape, I will push updates
>>>> to my github project for you to test out if you like before we make a
>>>> space to put it into the apache source control.
>>>>
>>>> That will most likely be after Nov 25th when I get back into town. Who
>>>> knows - if I get bored, I may open up some code on my laptop, but not
>>>> likely as we are going on a cruise where it will be nice and warm!
>>>>
>>>> Thanks,
>>>> Jeff
>>>>
>>>>
>>>>
>>>> On 11/17/2017 05:17 PM, Georg Kallidis wrote:
>>>>> Hi Jeff,
>>>>>
>>>>> as far as I can see, I assume the implementation class might be
>>>>> TorqueTurbineModelManagerImpl? Could you check this? Your second
>>>>> attempt may be indeed close, but the reason is missing. Could you
>>>>> provide the stack/cause of the exception?
>>>>>
>>>>> Probably, if this is the case, at this point of the code of the model
>>>>> manager the role, group and user are already checked, but what might
>>>>> have caused the exception is a failing cast to
>>>>>
>>>>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
>>>>> user object or
>>>>> - org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>>> of any of the objects, which may be the reason, if in your schema the
>>>>> baseclass attribute is not set to
>>>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
>>>>> (XXX = User|Role|Group) class (or another class implementing the
>>>>> required interface, cf. the example torque-security-schem.xml in the
>>>>> Turbine webapp archetype)...
>>>>>
>>>>> And thanks for your efforts to migrate / use the flux library!
>>>>>
>>>>> Best regards, Georg
>>>>>
>>>>> -----Jeffery Painter <je...@jivecast.com> wrote: -----
>>>>> To: user@turbine.apache.org
>>>>> From: Jeffery Painter <je...@jivecast.com>
>>>>> Date: 16.11.2017 23:29
>>>>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>>>>
>>>>> I looked a little more at the test cases, and got my code setup enough
>>>>> to try and call the fulcrum security service directly...
>>>>>
>>>>>     // try using fulcrum service
>>>>>     ((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, group, role);
>>>>>
>>>>> The error logs are still reporting problems:
>>>>>
>>>>> I verified that this loaded the user "dean" from the database as a
>>>>> fulcrumUser and it came through with a class type of
>>>>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
>>>>> turbine security service provided. and now I get a DataBackendException
>>>>> error on the grant call...
>>>>>
>>>>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser: com.jivecast.smartorder.om.TurbineUser
>>>>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new role to user: inventory
>>>>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.ModelManager' in the local container
>>>>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.RoleManager' in the local container
>>>>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
>>>>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located the service 'org.apache.fulcrum.security.GroupManager' in the local container
>>>>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting roles: org.apache.fulcrum.security.util.DataBackendException: grant('dean', 'global', 'inventory') failed
>>>>>
>>>>>
>>>>> any ideas?
>>>>>
>>>>> -- 
>>>>> Jeff
>>>>>
>>>>>
>>>>>
>>>>> On 11/16/2017 05:00 PM, Jeffery Painter wrote:
>>>>>> Hi Georg,
>>>>>>
>>>>>> I am making some good progress.  I don't know if you remember the old
>>>>>> flux library for user management, but I have started to re-write that
>>>>>> to work with Turbine 4.0.  I am having some troubles however with the
>>>>>> grant/revoke roles with casting the user object incorrectly from the
>>>>>> TurbineWrapper class.  Can you help me with the issue I am having
>>>>>> below?  I looked at the unit tests in the Turbine source for
>>>>>> inspiration on migrating, but it isn't recognizing the user class
>>>>>> properly.  I even tried to manually downcast (see my code below), and
>>>>>> still cannot make it work.
>>>>>>
>>>>>> If I can get this all working, I thought it might be useful to publish
>>>>>> a new flux library compatible with Turbine-4.0 for user management as
>>>>>> a guide to others on how to get started.
>>>>>>
>>>>>>
>>>>>> My logs show the following error when calling the grant/revoke method
>>>>>> on the security service when trying to add the "inventory" role to a
>>>>>> user:
>>>>>>
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new role to user: inventory
>>>>>>
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.RoleManager' in the local container
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.UserManager' in the local container
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located the service 'org.apache.fulcrum.security.GroupManager' in the local container
>>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon.peerManager -  get cached PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
>>>>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting roles: java.lang.ClassCastException: com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>>>>
>>>>>>
>>>>>> Here is the relevant code in my doRoles() method to make the new
>>>>>> assignment... it is modeled after the old flux methods:
>>>>>>
>>>>>> I have the following import:
>>>>>>
>>>>>> import org.apache.turbine.services.security.SecurityService;
>>>>>>
>>>>>> and in the body of the class, I use the injection to get the instance
>>>>>> mapped
>>>>>>
>>>>>>       /** Injected service instance */
>>>>>>       @TurbineService
>>>>>>       private SecurityService security;
>>>>>>
>>>>>> .... then my action class method is called doRoles() which does the
>>>>>> role assignment and fails
>>>>>>
>>>>>>       /**
>>>>>>        * Update the roles that are to be assigned to a user for a project.
>>>>>>        */
>>>>>>       public void doRoles(PipelineData pipelineData, Context context) throws Exception {
>>>>>>
>>>>>>           try {
>>>>>>
>>>>>>               RunData data = getRunData(pipelineData);
>>>>>>
>>>>>>               // Get the Turbine ACL implementation for our current user, only admin can update user roles
>>>>>>               TurbineAccessControlList adminAcl = getRunData(data).getACL();
>>>>>>               if (adminAcl.hasRole("administrator")) {
>>>>>>
>>>>>>                   // Username of the account we are updating
>>>>>>                   String username = data.getParameters().getString("username");
>>>>>>                   if (security.accountExists(username)) {
>>>>>>
>>>>>>                       // Try to downcast for the security grant function
>>>>>>                       org.apache.turbine.om.security.User user =
>>>>>>                               (org.apache.turbine.om.security.User) security.getUser(username);
>>>>>>
>>>>>>                       // Get the Turbine ACL implementation
>>>>>>                       TurbineAccessControlList acl = security.getACL(user);
>>>>>>
>>>>>>                       /*
>>>>>>                        * Grab all the Groups and Roles in the system.
>>>>>>                        */
>>>>>>                       GroupSet groups = security.getAllGroups();
>>>>>>                       RoleSet roles = security.getAllRoles();
>>>>>>
>>>>>>                       for (Group group : groups) {
>>>>>>                           String groupName = group.getName();
>>>>>>                           for (Role role : roles) {
>>>>>>                               String roleName = role.getName();
>>>>>>
>>>>>>                               /*
>>>>>>                                * In the UserRoleForm.vm we made a checkbox for every possible Group/Role
>>>>>>                                * combination so we will compare every possible combination with the values
>>>>>>                                * that were checked off in the form. If we have a match then we will grant the
>>>>>>                                * user the role in the group.
>>>>>>                                */
>>>>>>                               String groupRole = groupName + roleName;
>>>>>>                               String formGroupRole = data.getParameters().getString(groupRole);
>>>>>>
>>>>>>                               if (formGroupRole != null && !acl.hasRole(role, group)) {
>>>>>>                                   // add the role for this user
>>>>>>                                   if (acl.hasRole(role) == false) {
>>>>>>                                       log.debug("Adding new role to user: " + role.getName());
>>>>>>                                       security.grant(user, group, role);
>>>>>>                                   }
>>>>>>                               } else if (formGroupRole == null && acl.hasRole(role, group)) {
>>>>>>                                   // revoke the role for this user
>>>>>>                                   log.debug("Revoke role: " + role.getName());
>>>>>>                                   security.revoke(user, group, role);
>>>>>>                               }
>>>>>>                           }
>>>>>>                       }
>>>>>>
>>>>>>                   } else {
>>>>>>                       log.error("User does not exist!");
>>>>>>                   }
>>>>>>               } else {
>>>>>>                   data.setMessage("You do not have access to perform this action.");
>>>>>>               }
>>>>>>           } catch (Exception e) {
>>>>>>               log.error("Error setting roles: " + e.toString());
>>>>>>           }
>>>>>>
>>>>>>       }
>>>>>>
>>>>>>
>>
>

-- 
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
For additional commands, e-mail: dev-help@turbine.apache.org


Re: Problem with grant and revoke user roles in turbine-4

Posted by Jeffery Painter <je...@jivecast.com>.
Hi Georg,

I was able to develop a workaround but it is pretty ugly.  I can now 
add/delete/update user accounts.  I have posted the flux update here:

https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4

The weird part is the security.changePassword(user, oldpw, newpw) method 
works with the wrapped user object whereas none of the other methods 
like security.revokeAll(user) are working... maybe there is a clue in that.


--
Jeff



On 11/25/2017 02:59 PM, Jeffery Painter wrote:
> Hi Georg,
>
> That helped a lot with the grant/revoke of roles.  I updated the code 
> for revoking as well to match.  I have flux tool now managing the 
> add/removal/update for both groups and roles. Permissions was still 
> giving me some issues and I need to look into that more when I have 
> time.  I don't use permission level security (just groups and roles) 
> but to call the tool complete, I should get it working as well.
>
> I pushed my last updates here:
>
> https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e 
>
>
> The one main issue I see now is that I cannot add/update/delete a 
> user.  I am getting the same cryptic DataBackendException error and 
> can't seem to get past it. It looks like it is most likely related to 
> the issue you have already identified below.
>
> Let me know where I can help with this.
>
> Thanks,
> Jeff
>
>
>
> On 11/24/2017 09:59 AM, Georg Kallidis wrote:
>> Hi Jeffery,
>>
>> that's in any case very cool to do this fluxTooling! ;-)
>>
>> I checked out your GitHub project fluxtest and I may have found the bug
>> (in Turbine).
>>
>> The issue is that the Turbine service class
>> org.apache.turbine.services.security.DefaultSecurityService implementing
>> org.apache.turbine.services.security.SecurityService requires as user
>> model org.apache.turbine.om.security.User (=User).
>> On the other side the Fulcrum implementation of the grant method uses a
>> method (update) (defined in
>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
>> seems to expect as contract fulcrum user object, but also
>> TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
>> class by extending the appropriate baseClass
>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
>> the schema (= TurbineUser).
>> How to match this? It WOULD be possible to retrieve the backing
>> TurbineUser object from the User with the getUserDelegate() method.
>> But the interface TurbineUserDelegate is not part of the contract of
>> turbine.om.security.User (though DefaultUserImpl DOES implement
>> TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
>> cast would be required later on).
>> The easiest and most transparent solution would be (in my view), that
>> org.apache.turbine.om.security.User interface extends 
>> TurbineUserDelegate
>> and that at one point the delegate is called (as the TurbineUser OM 
>> class
>> does implement Fulcrum TurbineUser, which implements Fulcrum User this
>> would be no problem. We have to call getUserDelegate before the
>> modelManager grant method is called, i.e. in DefaultSecurityService). No
>> other changes seem to be needed .. I'll create an issue in TRB JIRA as
>> soon as possible..
>>
>> As a result you may have to use the Torque mapper for now, cft. your
>> action FluxUserAction, cft. the github patch
>> (https://github.com/jlpainter/turbine-flux/pull/1, you might just review
>> the changes).
>>
>> I posted a copy to the dev list, where the discussion might continue ...
>>
>> Best regards, Georg
>>
>>
>>
>> From:    Jeffery Painter <je...@jivecast.com>
>> To:      user@turbine.apache.org
>> Date:    18.11.2017 00:43
>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>
>>
>>
>>
>> I gave it one last shot, but I am still having trouble with casting the
>> user object. The security service seems to only want to give me the
>> wrapper version and I cannot cast it to anything that the removeUser()
>> method likes....
>>
>> maybe you can take a look at the following method.
>>
>>
>> Here is my logging output.
>>
>> 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
>> type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
>> o.a.t.o.s.User type:
>> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
>> o.a.f.s.m.t.e.TurbineUser type:
>> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>>
>> 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
>> org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
>> remove user: org.apache.fulcrum.security.util.UnknownEntityException:
>> Could not find User/Group/Role
>>
>> and the method call I am trying to use to delete the user...
>>
>>
>>       /**
>>        * ActionEvent responsible for removing a user from the Tambora system.
>>        */
>>       public void doDelete(PipelineData pipelineData, Context context) throws Exception {
>>
>>           try {
>>               RunData data = getRunData(pipelineData);
>>               String username = data.getParameters().getString("username");
>>               if (!StringUtils.isEmpty(username)) {
>>                   if (security.accountExists(username)) {
>>
>>                       // this is always returning the wrapper version of our user
>>                       User user1 = security.getUser(username);
>>                       log.debug("getUser() type: " + user1.getClass().getTypeName().toString() );
>>
>>                       // same and does not work
>>                       User user2 = (org.apache.turbine.om.security.User) security.getUser(username);
>>                       log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() );
>>
>>                       // no change - and you cannot use the interface class as a parameter to the removeUser method
>>                       org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
>>                           (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username);
>>                       log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() );
>>
>>                       // Tried using reflection to cast and still doesn't work
>>                       org.apache.turbine.om.security.User forceUser =
>>                           org.apache.turbine.om.security.User.class.cast( security.getUser(username) );
>>                       log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() );
>>
>>                       //security.revokeAll(user);
>>                       // remove user does the revokeAll above...
>>                       security.removeUser(forceUser);
>>
>>                   } else {
>>                       log.error("User does not exist!");
>>                   }
>>               }
>>           } catch (Exception e) {
>>               log.error("Could not remove user: " + e);
>>           }
>>       }
>>
>>
>> On 11/17/2017 06:03 PM, Jeffery Painter wrote:
>>> Hi Georg,
>>>
>>> I did a quick test on the remove role method with the following change
>>> and it works.  My problem with role removal was that in my test case,
>>> the role was associated with users and could not be removed. Maybe a
>>> better error message would help? :-)   The user management needs a bit
>>> more work as well to make it comply with the SecurityService. I will
>>> work on that.  The old flux tool also had some weirdness in the way it
>>> handled the getRole() getGroup() getUser() method where it was caching
>>> the last loaded entry... I am fixing that as well.
>>>
>>> I inserted a few new roles and was able to remove them.  I am working
>>> on updating the rest of the FluxTool methods so they behave
>>> appropriately.  When I get it into decent shape, I will push updates
>>> to my github project for you to test out if you like before we make a
>>> space to put it into the apache source control.
>>>
>>> That will most likely be after Nov 25th when I get back into town. Who
>>> knows - if I get bored, I may open up some code on my laptop, but not
>>> likely as we are going on a cruise where it will be nice and warm!
>>>
>>> Thanks,
>>> Jeff
>>>
>>>
>>>
>>> On 11/17/2017 05:17 PM, Georg Kallidis wrote:
>>>> Hi Jeff,
>>>>
>>>> as far as I can see, I assume the implementation class might be
>>>> TorqueTurbineModelManagerImpl? Could you check this? Your second
>>>> attempt may be indeed close, but the reason is missing. Could you
>>>> provide the stack/cause of the exception?
>>>>
>>>> Probably, if this is the case, at this point of the code of the model
>>>> manager the role, group and user are already checked, but what might
>>>> have caused the exception is a failing cast to
>>>>
>>>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
>>>> user object or
>>>> - org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>> of any of the objects, which may be the reason, if in your schema the
>>>> baseclass attribute is not set to
>>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
>>>> (XXX = User|Role|Group) class (or another class implementing the
>>>> required interface, cft. the example torque-security-schem.xml in the
>>>> Turbine webapp archetype)...
>>>>
>>>> And thanks for your efforts to migrate / use the flux library!
>>>>
>>>> Best regards, Georg
>>>>
>>>> -----Jeffery Painter <je...@jivecast.com> wrote: -----
>>>> To: user@turbine.apache.org
>>>> From: Jeffery Painter <je...@jivecast.com>
>>>> Date: 16.11.2017 23:29
>>>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>>>
>>>> I looked a little more at the test cases, and got my code setup enough
>>>> to try and call the fulcrum security service directly...
>>>>
>>>>     // try using fulcrum service
>>>>     ((TurbineModelManager) fulcrumSecurityService.getModelManager()).grant(fulcrumUser, group, role);
>>>>
>>>> The error logs are still reporting problems:
>>>>
>>>> I verified that this loaded the user "dean" from the database as a
>>>> fulcrumUser and it came through with a class type of
>>>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that 
>>>> the
>>>> turbine security service provided. and now I get a 
>>>> DataBackendException
>>>> error on the grant call...
>>>>
>>>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>>> container
>>>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - 
>>>> fulcrumUser:
>>>> com.jivecast.smartorder.om.TurbineUser
>>>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>>>> role to user: inventory
>>>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.ModelManager' in the local
>>>> container
>>>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.RoleManager' in the local
>>>> container
>>>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>>> container
>>>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
>>>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>>>> container
>>>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG 
>>>> avalon.peerManager
>>>> -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error
>> setting
>>>> roles: org.apache.fulcrum.security.util.DataBackendException:
>>>> grant('dean', 'global', 'inventory') failed
>>>>
>>>>
>>>> any ideas?
>>>>
>>>> -- 
>>>> Jeff
>>>>
>>>>
>>>>
>>>> On 11/16/2017 05:00 PM, Jeffery Painter wrote:
>>>>> Hi Georg,
>>>>>
>>>>> I am making some good progress.  I don't know if you remember the old
>>>>> flux library for user management, but I have started to re-write that
>>>>> to work with Turbine 4.0.  I am having some troubles however with the
>>>>> grant/revoke roles with casting the user object incorrectly from the
>>>>> TurbineWrapper class.  Can you help me with the issue I am having
>>>>> below?  I looked at the unit tests in the Turbine source for
>>>>> inspiration on migrating, but it isn't recognizing the user class
>>>>> properly.  I even tried to manually downcast (see my code below), and
>>>>> still cannot make it work.
>>>>>
>>>>> If I can get this all working, I thought it might be useful to 
>>>>> publish
>>>>> a new flux library compatible with Turbine-4.0 for user management as
>>>>> a guide to others on how to get started.
>>>>>
>>>>>
>>>>> My logs show the following error when calling the grant/revoke method
>>>>> on the security service when trying to add the "inventory" role to a
>>>>> user:
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>>>>> role to user: inventory
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - 
>>>>> Located
>>>>> the service 'org.apache.fulcrum.security.RoleManager' in the local
>>>>> container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>>> avalon.peerManager -  get cached
>>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b 
>>>>>
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - 
>>>>> Located
>>>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>>>> container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>>> avalon.peerManager -  get cached
>>>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624 
>>>>>
>>>>>
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - 
>>>>> Located
>>>>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>>>>> container
>>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>>> avalon.peerManager -  get cached
>>>>>
>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
>>>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
>>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error
>>>>> setting roles: java.lang.ClassCastException:
>>>>> com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
>>>>>
>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>>>
>>>>>
>>>>> Here is the relevant code in my doRoles() method to make the new
>>>>> assignment... it is modeled after the old flux methods:
>>>>>
>>>>> I have the following import:
>>>>>
>>>>> import org.apache.turbine.services.security.SecurityService;
>>>>>
>>>>> and in the body of the class, I use the injection to get the instance
>>>>> mapped
>>>>>
>>>>>       /** Injected service instance */
>>>>>       @TurbineService
>>>>>       private SecurityService security;
>>>>>
>>>>> .... then my action class method is called doRoles() which does the
>>>>> role assignment and fails
>>>>>
>>>>>       /**
>>>>>        * Update the roles that are to be assigned to a user for a project.
>>>>>        */
>>>>>       public void doRoles(PipelineData pipelineData, Context context) throws Exception {
>>>>>
>>>>>           try {
>>>>>
>>>>>               RunData data = getRunData(pipelineData);
>>>>>
>>>>>               // Get the Turbine ACL implementation for our current user, only admin can update user roles
>>>>>               TurbineAccessControlList adminAcl = getRunData(data).getACL();
>>>>>               if (adminAcl.hasRole("administrator")) {
>>>>>
>>>>>                   // Username of the account we are updating
>>>>>                   String username = data.getParameters().getString("username");
>>>>>                   if (security.accountExists(username)) {
>>>>>
>>>>>                       // Try to downcast for the security grant function
>>>>>                       org.apache.turbine.om.security.User user =
>>>>>                           (org.apache.turbine.om.security.User) security.getUser(username);
>>>>>
>>>>>                       // Get the Turbine ACL implementation
>>>>>                       TurbineAccessControlList acl = security.getACL(user);
>>>>>
>>>>>                       /*
>>>>>                        * Grab all the Groups and Roles in the system.
>>>>>                        */
>>>>>                       GroupSet groups = security.getAllGroups();
>>>>>                       RoleSet roles = security.getAllRoles();
>>>>>
>>>>>                       for (Group group : groups) {
>>>>>                           String groupName = group.getName();
>>>>>                           for (Role role : roles) {
>>>>>                               String roleName = role.getName();
>>>>>
>>>>>                               /*
>>>>>                                * In the UserRoleForm.vm we made a checkbox for every possible Group/Role
>>>>>                                * combination so we will compare every possible combination with the values
>>>>>                                * that were checked off in the form. If we have a match then we will grant the
>>>>>                                * user the role in the group.
>>>>>                                */
>>>>>                               String groupRole = groupName + roleName;
>>>>>                               String formGroupRole = data.getParameters().getString(groupRole);
>>>>>
>>>>>                               if (formGroupRole != null && !acl.hasRole(role, group)) {
>>>>>                                   // add the role for this user
>>>>>                                   if (acl.hasRole(role) == false) {
>>>>>                                       log.debug("Adding new role to user: " + role.getName());
>>>>>                                       security.grant(user, group, role);
>>>>>                                   }
>>>>>                               } else if (formGroupRole == null && acl.hasRole(role, group)) {
>>>>>                                   // revoke the role for this user
>>>>>                                   log.debug("Revoke role: " + role.getName());
>>>>>                                   security.revoke(user, group, role);
>>>>>                               }
>>>>>                           }
>>>>>                       }
>>>>>
>>>>>                   } else {
>>>>>                       log.error("User does not exist!");
>>>>>                   }
>>>>>               } else {
>>>>>                   data.setMessage("You do not have access to perform this action.");
>>>>>               }
>>>>>           } catch (Exception e) {
>>>>>               log.error("Error setting roles: " + e.toString());
>>>>>           }
>>>>>
>>>>>       }
>>>>>
>>>>>
>

-- 
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024
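
The type mismatch Georg describes in the quoted message above, as an added example that is not part of the thread and not Turbine or Fulcrum code: a wrapper that satisfies the user interface but not the persistence base class fails the cast inside the model manager, and resolving the delegate in the service layer before the call avoids it. All class names are simplified stand-ins (assumptions); only getUserDelegate() is a name taken from the thread.

```java
import java.util.HashSet;
import java.util.Set;

/** Added illustration. Every type below is a simplified stand-in, not a real Turbine/Fulcrum class. */
public class DelegateUnwrapDemo {

    /** Plays the role of the application-facing user contract. */
    interface User { String getName(); }

    /** Plays the role of the delegate accessor interface named in the thread. */
    interface UserDelegate { PersistentUser getUserDelegate(); }

    /** Plays the role of the persistence base class the model manager casts to. */
    static abstract class PersistentEntity {
        final Set<String> grants = new HashSet<>();
        void update() { /* a real implementation would write to the database here */ }
    }

    /** Plays the role of the generated OM user class that extends the base class. */
    static class PersistentUser extends PersistentEntity implements User {
        private final String name;
        PersistentUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Plays the role of the wrapper the security service hands to action classes. */
    static class UserWrapper implements User, UserDelegate {
        private final PersistentUser delegate;
        UserWrapper(PersistentUser delegate) { this.delegate = delegate; }
        public String getName() { return delegate.getName(); }
        public PersistentUser getUserDelegate() { return delegate; }
    }

    /** Plays the role of the model manager: it needs the persistence type, not only the interface. */
    static class ModelManager {
        void grant(User user, String group, String role) {
            PersistentEntity entity = (PersistentEntity) user; // throws for a bare wrapper
            entity.grants.add(group + "/" + role);
            entity.update();
        }
        void revoke(User user, String group, String role) {
            PersistentEntity entity = (PersistentEntity) user;
            entity.grants.remove(group + "/" + role);
            entity.update();
        }
    }

    /** Plays the role of the service layer, where the thread proposes to do the unwrapping. */
    static class SecurityFacade {
        private final ModelManager modelManager = new ModelManager();

        /** Hands the wrapper straight through: reproduces the ClassCastException. */
        void grantWithoutUnwrap(User user, String group, String role) {
            modelManager.grant(user, group, role);
        }

        /** Resolves the backing entity first. */
        void grant(User user, String group, String role) {
            modelManager.grant(unwrap(user), group, role);
        }

        void revoke(User user, String group, String role) {
            modelManager.revoke(unwrap(user), group, role);
        }

        /** Fails closed: a user with no persistent delegate is rejected, never guessed at. */
        private static User unwrap(User user) {
            if (user instanceof PersistentEntity) {
                return user;
            }
            if (user instanceof UserDelegate) {
                return ((UserDelegate) user).getUserDelegate();
            }
            throw new IllegalArgumentException(
                "No persistent delegate for user type " + user.getClass().getName());
        }
    }

    public static void main(String[] args) {
        PersistentUser stored = new PersistentUser("dean"); // constructed sample data
        User wrapped = new UserWrapper(stored);
        SecurityFacade security = new SecurityFacade();

        try {
            security.grantWithoutUnwrap(wrapped, "global", "inventory");
        } catch (ClassCastException e) {
            System.out.println("without unwrap: ClassCastException, grants=" + stored.grants);
        }

        security.grant(wrapped, "global", "inventory");
        System.out.println("after grant with unwrap: grants=" + stored.grants);

        security.revoke(wrapped, "global", "inventory");
        System.out.println("after revoke with unwrap: grants=" + stored.grants);
    }
}
```

Because the doRoles() method quoted above catches Exception and only logs it, a revoke() that fails this way leaves the role assigned while the form appears to submit normally. Reporting the failure back to the administrator makes an unapplied revocation visible.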




Re: Problem with grant and revoke user roles in turbine-4

Posted by Jeffery Painter <je...@jivecast.com>.
Hi Georg,

That helped a lot with the grant/revoke of roles.  I updated the code 
for revoking as well to match.  I have flux tool now managing the 
add/removal/update for both groups and roles. Permissions was still 
giving me some issues and I need to look into that more when I have 
time.  I don't use permission level security (just groups and roles) but 
to call the tool complete, I should get it working as well.

I pushed my last updates here:

https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e

The one main issue I see now is that I cannot add/update/delete a user.  
I am getting the same cryptic DataBackendException error and can't seem 
to get past it. It looks like it is most likely related to the issue you 
have already identified below.

Let me know where I can help with this.

Thanks,
Jeff



On 11/24/2017 09:59 AM, Georg Kallidis wrote:
> Hi Jeffery,
>
> that's in any case very cool to do this fluxTooling! ;-)
>
> I checked out your GitHub project fluxtest and I may have found the bug
> (in Turbine).
>
> The issue is that the Turbine service class
> org.apache.turbine.services.security.DefaultSecurityService implementing
> org.apache.turbine.services.security.SecurityService requires as user
> model org.apache.turbine.om.security.User (=User).
> On the other side the Fulcrum implementation of the grant method uses a
> method (update) (defined in
> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
> seems to expect as contract fulcrum user object, but also
> TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
> class by extending the appropriate baseClass
> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
> the schema (= TurbineUser).
> How to match this? It WOULD be possible to retrieve the backing
> TurbineUser object from the User with the getUserDelegate() method.
> But the interface TurbineUserDelegate is not part of the contract of
> turbine.om.security.User (though DefaultUserImpl DOES implement
> TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
> cast would be required later on).
> The easiest and most transparent solution would be (in my view), that
> org.apache.turbine.om.security.User interface extends TurbineUserDelegate
> and that at one point the delegate is called (as the TurbineUser OM class
> does implement Fulcrum TurbineUser, which implements Fulcrum User this
> would be no problem. We have to call getUserDelegate before the
> modelManager grant method is called, i.e. in DefaultSecurityService). No
> other changes seem to be needed .. I'll create an issue in TRB JIRA as
> soon as possible..
>
> As a result you may have to use the Torque mapper for now, cft. your
> action FluxUserAction, cft. the github patch
> (https://github.com/jlpainter/turbine-flux/pull/1, you might just review
> the changes).
>
> I posted a copy to the dev list, where the discussion might continue ...
>
> Best regards, Georg
>
>
>
> From:    Jeffery Painter <je...@jivecast.com>
> To:      user@turbine.apache.org
> Date:    18.11.2017 00:43
> Subject: Re: Problem with grant and revoke user roles in turbine-4
>
>
>
>
> I gave it one last shot, but I am still having trouble with casting the
> user object. The security service seems to only want to give me the
> wrapper version and I cannot cast it to anything that the removeUser()
> method likes....
>
> maybe you can take a look at the following method.
>
>
> Here is my logging output.
>
> 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
> org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
> type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>
> 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
> o.a.t.o.s.User type:
> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>
> 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
> org.apache.turbine.flux.modules.actions.user.FluxUserAction -
> o.a.f.s.m.t.e.TurbineUser type:
> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
>
> 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
> org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
> remove user: org.apache.fulcrum.security.util.UnknownEntityException:
> Could not find User/Group/Role
>
> and the method call I am trying to use to delete the user...
>
>
>       /**
>        * ActionEvent responsible for removing a user from the Tambora system.
>        */
>       public void doDelete(PipelineData pipelineData, Context context) throws Exception {
>
>           try {
>               RunData data = getRunData(pipelineData);
>               String username = data.getParameters().getString("username");
>               if (!StringUtils.isEmpty(username)) {
>                   if (security.accountExists(username)) {
>
>                       // this is always returning the wrapper version of our user
>                       User user1 = security.getUser(username);
>                       log.debug("getUser() type: " + user1.getClass().getTypeName().toString() );
>
>                       // same and does not work
>                       User user2 = (org.apache.turbine.om.security.User) security.getUser(username);
>                       log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() );
>
>                       // no change - and you cannot use the interface class as a parameter to the removeUser method
>                       org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
>                           (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username);
>                       log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() );
>
>                       // Tried using reflection to cast and still doesn't work
>                       org.apache.turbine.om.security.User forceUser =
>                           org.apache.turbine.om.security.User.class.cast( security.getUser(username) );
>                       log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() );
>
>                       //security.revokeAll(user);
>                       // remove user does the revokeAll above...
>                       security.removeUser(forceUser);
>
>                   } else {
>                       log.error("User does not exist!");
>                   }
>               }
>           } catch (Exception e) {
>               log.error("Could not remove user: " + e);
>           }
>       }
>
>
> On 11/17/2017 06:03 PM, Jeffery Painter wrote:
>> Hi Georg,
>>
>> I did a quick test on the remove role method with the following change
>> and it works.  My problem with role removal was that in my test case,
>> the role was associated with users and could not be removed.  Maybe a
>> better error message would help? :-)   The user management needs a bit
>> more work as well to make it comply with the SecurityService. I will
>> work on that.  The old flux tool also had some weirdness in the way it
>> handled the getRole() getGroup() getUser() method where it was caching
>> the last loaded entry... I am fixing that as well.
>>
>> I inserted a few new roles and was able to remove them.  I am working
>> on updating the rest of the FluxTool methods so they behave
>> appropriately.  When I get it into decent shape, I will push updates
>> to my github project for you to test out if you like before we make a
>> space to put it into the apache source control.
>>
>> That will most likely be after Nov 25th when I get back into town. Who
>> knows - if I get bored, I may open up some code on my laptop, but not
>> likely as we are going on a cruise where it will be nice and warm!
>>
>> Thanks,
>> Jeff
>>
>>
>>
>> On 11/17/2017 05:17 PM, Georg Kallidis wrote:
>>> Hi Jeff,
>>>
>>> as far as I can see, I assume the implementation class might be
>>> TorqueTurbineModelManagerImpl? Could you check this? Your second
>>> attempt may be indeed close, but the reason is missing. Could you
>>> provide the stack/cause of the exception?
>>>
>>> Probably, if this is the case, at this point of the code of the model
>>> manager the role, group and user are already checked, but what might
>>> have caused the exception is a failing cast to
>>>
>>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
>>> user object or
>>> - org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>> of any of the objects, which may be the reason, if in your schema the
>>> baseclass attribute is not set to
>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
>>> (XXX = User|Role|Group) class (or another class implementing the
>>> required interface, cf. the example torque-security-schem.xml in the
>>> Turbine webapp archetype)...
>>>
>>> And thanks for your efforts to migrate / use the flux library!
>>>
>>> Best regards, Georg
>>>
>>> -----Jeffery Painter <je...@jivecast.com> wrote: -----
>>> To: user@turbine.apache.org
>>> From: Jeffery Painter <je...@jivecast.com>
>>> Date: 16.11.2017 23:29
>>> Subject: Re: Problem with grant and revoke user roles in turbine-4
>>>
>>> I looked a little more at the test cases, and got my code setup enough
>>> to try and call the fulcrum security service directly...
>>>
>>>     // try using fulcrum service
>>>     ((TurbineModelManager) fulcrumSecurityService.getModelManager()).grant(fulcrumUser, group, role);
>>>
>>> The error logs are still reporting problems:
>>>
>>> I verified that this loaded the user "dean" from the database as a
>>> fulcrumUser and it came through with a class type of
>>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
>>> turbine security service provided, and now I get a DataBackendException
>>> error on the grant call...
>>>
>>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>> container
>>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
>>> com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser:
>>> com.jivecast.smartorder.om.TurbineUser
>>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>>> role to user: inventory
>>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.ModelManager' in the local
>>> container
>>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.RoleManager' in the local
>>> container
>>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
>>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>> container
>>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
>>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
>>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>>> container
>>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
>>> -  get cached
>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
>>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error
>>> setting roles: org.apache.fulcrum.security.util.DataBackendException:
>>> grant('dean', 'global', 'inventory') failed
>>>
>>>
>>> any ideas?
>>>
>>> -- 
>>> Jeff
>>>
>>>
>>>
>>> On 11/16/2017 05:00 PM, Jeffery Painter wrote:
>>>> Hi Georg,
>>>>
>>>> I am making some good progress.  I don't know if you remember the old
>>>> flux library for user management, but I have started to re-write that
>>>> to work with Turbine 4.0.  I am having some troubles however with the
>>>> grant/revoke roles with casting the user object incorrectly from the
>>>> TurbineWrapper class.  Can you help me with the issue I am having
>>>> below?  I looked at the unit tests in the Turbine source for
>>>> inspiration on migrating, but it isn't recognizing the user class
>>>> properly.  I even tried to manually downcast (see my code below), and
>>>> still cannot make it work.
>>>>
>>>> If I can get this all working, I thought it might be useful to publish
>>>> a new flux library compatible with Turbine-4.0 for user management as
>>>> a guide to others on how to get started.
>>>>
>>>>
>>>> My logs show the following error when calling the grant/revoke method
>>>> on the security service when trying to add the "inventory" role to a
>>>> user:
>>>>
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
>>>> role to user: inventory
>>>>
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.RoleManager' in the local
>>>> container
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>> avalon.peerManager -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b
>>>>
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.UserManager' in the local
>>>> container
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>> avalon.peerManager -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624
>>>>
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
>>>> the service 'org.apache.fulcrum.security.GroupManager' in the local
>>>> container
>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
>>>> avalon.peerManager -  get cached
>>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
>>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error
>>>> setting roles: java.lang.ClassCastException:
>>>> com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
>>>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
>>>>
>>>>
>>>> Here is the relevant code in my doRoles() method to make the new
>>>> assignment... it is modeled after the old flux methods:
>>>>
>>>> I have the following import:
>>>>
>>>> import org.apache.turbine.services.security.SecurityService;
>>>>
>>>> and in the body of the class, I use the injection to get the instance
>>>> mapped
>>>>
>>>>       /** Injected service instance */
>>>>       @TurbineService
>>>>       private SecurityService security;
>>>>
>>>> .... then my action class method is called doRoles() which does the
>>>> role assignment and fails
>>>>
>>>>       /**
>>>>        * Update the roles that are to be assigned to a user for a project.
>>>>        */
>>>>       public void doRoles(PipelineData pipelineData, Context context) throws Exception {
>>>>
>>>>           try {
>>>>
>>>>               RunData data = getRunData(pipelineData);
>>>>
>>>>               // Get the Turbine ACL implementation for our current user, only admin can update user roles
>>>>               TurbineAccessControlList adminAcl = getRunData(data).getACL();
>>>>               if (adminAcl.hasRole("administrator")) {
>>>>
>>>>                   // Username of the account we are updating
>>>>                   String username = data.getParameters().getString("username");
>>>>                   if (security.accountExists(username)) {
>>>>
>>>>                       // Try to downcast for the security grant function
>>>>                       org.apache.turbine.om.security.User user =
>>>>                               (org.apache.turbine.om.security.User) security.getUser(username);
>>>>
>>>>                       // Get the Turbine ACL implementation
>>>>                       TurbineAccessControlList acl = security.getACL(user);
>>>>
>>>>                       /*
>>>>                        * Grab all the Groups and Roles in the system.
>>>>                        */
>>>>                       GroupSet groups = security.getAllGroups();
>>>>                       RoleSet roles = security.getAllRoles();
>>>>
>>>>                       for (Group group : groups) {
>>>>                           String groupName = group.getName();
>>>>                           for (Role role : roles) {
>>>>                               String roleName = role.getName();
>>>>
>>>>                               /*
>>>>                                * In the UserRoleForm.vm we made a checkbox for every possible Group/Role
>>>>                                * combination so we will compare every possible combination with the values
>>>>                                * that were checked off in the form. If we have a match then we will grant the
>>>>                                * user the role in the group.
>>>>                                */
>>>>                               String groupRole = groupName + roleName;
>>>>                               String formGroupRole = data.getParameters().getString(groupRole);
>>>>
>>>>                               if (formGroupRole != null && !acl.hasRole(role, group)) {
>>>>                                   // add the role for this user
>>>>                                   if (acl.hasRole(role) == false) {
>>>>                                       log.debug("Adding new role to user: " + role.getName());
>>>>                                       security.grant(user, group, role);
>>>>                                   }
>>>>                               } else if (formGroupRole == null && acl.hasRole(role, group)) {
>>>>                                   // revoke the role for this user
>>>>                                   log.debug("Revoke role: " + role.getName());
>>>>                                   security.revoke(user, group, role);
>>>>                               }
>>>>                           }
>>>>                       }
>>>>
>>>>                   } else {
>>>>                       log.error("User does not exist!");
>>>>                   }
>>>>               } else {
>>>>                   data.setMessage("You do not have access to perform this action.");
>>>>               }
>>>>           } catch (Exception e) {
>>>>               log.error("Error setting roles: " + e.toString());
>>>>           }
>>>>
>>>>       }
>>>>
>>>>

-- 
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024
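
The cast failure in the quoted logs and the unwrap-before-grant fix discussed in this thread, as an added example that is not part of the original messages and is not Turbine or Fulcrum code. Every type below is a simplified stand-in (an assumption); only the method name getUserDelegate() and the sample values 'dean', 'global' and 'inventory' come from the thread.

```java
import java.util.HashSet;
import java.util.Set;

/** Added sketch with stand-in types; none of this is Turbine or Fulcrum source. */
public class DelegateGrantSketch {
    /** Stand-in for the Fulcrum user contract. */
    interface FulcrumUser { String getName(); }
    /** Stand-in for TorqueAbstractSecurityEntity, the type the backend casts to. */
    interface BackendEntity { void update(); }
    /** Stand-in for TurbineUserDelegate; only getUserDelegate() is from the thread. */
    interface UserDelegate { FulcrumUser getUserDelegate(); }

    /** Stand-in for the Torque OM user: a Fulcrum user and a backend entity. */
    static class OmUser implements FulcrumUser, BackendEntity {
        final String name;
        OmUser(String name) { this.name = name; }
        public String getName() { return name; }
        public void update() { /* a real entity would persist itself here */ }
    }

    /** Stand-in for the Turbine wrapper: a user, but not a backend entity. */
    static class WrappedUser implements FulcrumUser, UserDelegate {
        final OmUser delegate;
        WrappedUser(OmUser delegate) { this.delegate = delegate; }
        public String getName() { return delegate.getName(); }
        public FulcrumUser getUserDelegate() { return delegate; }
    }

    static final Set<String> GRANTS = new HashSet<>();
    /** Model-manager stand-in: casts its argument, as the failing grant does. */
    static void backendGrant(FulcrumUser user, String group, String role) {
        ((BackendEntity) user).update(); // ClassCastException for a wrapper
        GRANTS.add(user.getName() + "/" + group + "/" + role);
    }

    /** Service-layer grant: unwrap the delegate first, then call the backend. */
    static void grant(FulcrumUser user, String group, String role) {
        FulcrumUser target = (user instanceof UserDelegate)
                ? ((UserDelegate) user).getUserDelegate() : user;
        backendGrant(target, group, role);
    }
    public static void main(String[] args) {
        WrappedUser dean = new WrappedUser(new OmUser("dean")); // constructed sample
        try { backendGrant(dean, "global", "inventory"); }
        catch (ClassCastException e) { System.out.println("wrapper passed directly: ClassCastException"); }
        grant(dean, "global", "inventory");
        System.out.println("grants after unwrap: " + GRANTS);
    }
}
```

Because doRoles() above catches every exception and only logs it, a revoke that fails with the same cast error leaves the role in place without any signal to the caller.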

