You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@manifoldcf.apache.org by "Julien Massiera (JIRA)" <ji...@apache.org> on 2019/08/01 11:06:00 UTC
[jira] [Comment Edited] (CONNECTORS-1616) Confluence Authority does
not handle Confluence API errors
[ https://issues.apache.org/jira/browse/CONNECTORS-1616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16897978#comment-16897978 ]
Julien Massiera edited comment on CONNECTORS-1616 at 8/1/19 11:05 AM:
----------------------------------------------------------------------
I would agree with you but as I said in the comment it is IMPOSSIBLE to give a user to the authority that have sufficient rights to get individual permissions for all spaces.
It was the first thing I asked to the administrator of the target Confluence. He said that, at least for Confluence v6, it is impossible even for a Confluence admin to get permissions for all spaces and it is also impossible to manually force a user as admin to all spaces. It is a Confluence security restriction.
So what should we do ? Well to have a user that have sufficient permissions to all spaces you need to ask to each space owner to add in the space admin list the user configured in the authority (which is an admin user to be clear). It may be possible if you have a Confluence site with just few spaces and like 10 space owners but for a Confluence site with hundred/thousand of spaces and hundred of different space owners ? And even, what if some space owners simply do not want to add the user as an admin of their space(s) ?
So the use case here is : I have an authority user that will NEVER have rights to get permissions on all spaces but the authority connector should still work and provide permissions for at least the spaces on which the authority user is allowed to get them. And we spread the info to the space owners that if they want their data to be accessible, they have to add the authority user as an admin user of their space(s)
So without this patch and in the current state, this connector is utterly useless in a production environment as the authority will never return any permissions (cause at the fist space encountered on which the authority cannot get permissions, the exception is thrown and the response will be UNREACHABLE) and so it is not possible to display any Confluence data crawled by MCF if the security is activated...
was (Author: julienfl):
I would agree with you but as I said in the comment it is IMPOSSIBLE to give a user to the authority that have sufficient rights to get individual permissions for all spaces.
It was the first thing I asked to the administrator of the target Confluence. He said that, at least for Confluence v6, it is impossible even for a Confluence admin to get permissions for all spaces and it is also impossible to manually force a user as admin to all spaces. It is a Confluence security restriction.
So what should we do ? Well to have a user that have sufficient permissions to all spaces you need to ask to each space owner to add in the space admin list the user configured in the authority (which is an admin user to be clear). It is may be possible if you have a Confluence site with just few spaces and like 10 space owners but for a Confluence site with hundred/thousand of spaces and hundred of different space owners ? And even, what if some space owners simply do not want to add the user as an admin of their space(s) ?
So the use case here is : I have an authority user that will NEVER have rights to get permissions on all spaces but the authority connector should still work and provide permissions for at least the spaces on which the authority user is allowed to get them. And we spread the info to the space owners that if they want their data to be accessible, they have to add the authority user as an admin user of their space(s)
So without this patch and in the current state, this connector is utterly useless in a production environment as the authority will never return any permissions (cause at the fist space encountered on which the authority cannot get permissions, the exception is thrown and the response will be UNREACHABLE) and so it is not possible to display any Confluence data crawled by MCF if the security is activated...
> Confluence Authority does not handle Confluence API errors
> ----------------------------------------------------------
>
> Key: CONNECTORS-1616
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1616
> Project: ManifoldCF
> Issue Type: Bug
> Components: Confluence connector
> Affects Versions: ManifoldCF 2.12
> Reporter: Julien Massiera
> Priority: Critical
> Fix For: ManifoldCF 2.12
>
> Attachments: patch-CONNECTORS-1616.diff
>
>
> The Confluence Authority asks spaces permissions for each space returned by the getSpaces() method of the ConfluenceClient class.
> The concerned method getSpacePermissionsForUser(Space space, String username) sends a request to Confluence and triggers a ConfluenceException if the request response is different from 200, otherwise it parses the response as a JSONArray to get the permissions.
> The problem is that even with a 200 request response code, the content of the response may be a simple JSONObject that explains an internal Confluence error. It happens frequently when the username is not allowed to get permissions on certain spaces :
> {code:java}
> {
> "id": null,
> "error": {
> "code": 500,
> "message": "The application was unable to serve your request: com.atlassian.confluence.rpc.NotPermittedException: Only space administrators can view permissions for other users in the space.",
> "data": "com.atlassian.confluence.rpc.NotPermittedException: Only space administrators can view permissions for other users in the space.\ncom.atlassian.confluence.rpc.NotPermittedException: Only space administrators can view permissions for other users in the space.\n\tat com.atlassian.confluence.rpc.soap.services.SpacesSoapService.getPermissions(SpacesSoapService.java:188)\n\tat com.atlassian.confluence.rpc.soap.XhtmlSoapService.getPermissionsForUser(XhtmlSoapService.java:226)\n\tat sun.reflect.GeneratedMethodAccessor3812.invoke(Unknown Source)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat"
> }
> }
> {code}
> As a username will almost never have the rights to get permissions on ALL spaces, it is problematic because the response parsing process triggers an Exception and so the Confluence Authority response is UNREACHABLEAUTHORITY:confluence, instead of delivering permissions for allowed spaces.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)