Posted to dev@directory.apache.org by "Shawn McKinney (JIRA)" <ji...@apache.org> on 2015/03/01 14:00:07 UTC

[jira] [Commented] (FC-74) DSD checking on hierarchical relationships incorrect

    [ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342213#comment-14342213 ] 

Shawn McKinney commented on FC-74:
----------------------------------

INCITS 359 says this about when to apply DSD checks:

"The semantics of creating an instance of DSD relation are identical to that of an SSD
relation. While constraints associated with an SSD relation are enforced during user assignments (as well as while creating role hierarchies), the constraints associated with DSD are enforced only at the time of role activation within a user session."

which clearly states that DSD checks are applied only when a role is activated in a session.  This brings a problem where a role hierarchy is created that contains roles that have mutually exclusive DSD constraints.  What is the reasonable way to handle this... should we display a warning when such a conflict is detected?

In any case, the system should be doing this:

"However, the additional functionality required of these functions in the DSD RBAC model context is that they should enforce the DSD constraints. For example, during the invocation of the CreateSession function, the default active role set that is made available to the user should not violate any of the DSD constraints. Similarly, the AddActiveRole function shall check and prevent the addition of any active role to the session’s active role set that violates any of the DSD constraints."



> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
>                 Key: FC-74
>                 URL: https://issues.apache.org/jira/browse/FC-74
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
>
>
> Manual testing of Fortress detected that DSD constraints between roles can be bypassed via inheritance.  
> For example this constraint:
>   <sdset name="Demo2DSD" 
>   description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>   setType="DYNAMIC"
>   setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>                          PAGE2_123,PAGE2_456,PAGE2_789,
>                          PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>                 <relationship child="PERSON1" parent="ROLE_PAGE1"/>
>                 <relationship child="PERSON1" parent="PAGE1_123"/>
>                 <relationship child="PERSON1" parent="PAGE1_456"/>
>                 <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning to user:
> <userrole userId="anyuser" name="PERSON1"/>
> when user 'anyuser' logs on and activates the PERSON1 role, which bypasses the DSD constraint checks on the roles PERSON1 inherits.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
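Added example (not Fortress code, and not part of the JIRA thread): a hierarchy-aware DSD check built from the data in the report above. Role names, the Demo2DSD set and the PERSON1 relationships are taken from the issue; the function names and the parent map layout are assumptions. With expand_hierarchy=False the check looks only at directly activated roles and reproduces the bypass; with the default it expands each activated role to everything it inherits before counting set members.

```python
from collections import deque

# Constructed from the FC-74 report: DSD set Demo2DSD (cardinality 2)
# and the hierarchy that lets PERSON1 inherit three of its members.
DSD_SETS = {
    "Demo2DSD": {
        "cardinality": 2,
        "members": {
            "PAGE1_123", "PAGE1_456", "PAGE1_789",
            "PAGE2_123", "PAGE2_456", "PAGE2_789",
            "PAGE3_123", "PAGE3_456", "PAGE3_789",
        },
    },
}

# child -> parents it inherits (<relationship child=... parent=.../>)
PARENTS = {
    "PERSON1": {"ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"},
}


def inherited_roles(role, parents=PARENTS):
    """Return the role plus every ancestor reachable via the hierarchy."""
    seen, queue = {role}, deque([role])
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def dsd_violations(active_roles, dsd_sets=DSD_SETS, expand_hierarchy=True):
    # INCITS 359: a session may hold fewer than `cardinality` members of
    # each DSD set. expand_hierarchy=False is the buggy direct-only check.
    effective = set()
    for role in active_roles:
        effective |= inherited_roles(role) if expand_hierarchy else {role}
    return [name for name, sd in dsd_sets.items()
            if len(effective & sd["members"]) >= sd["cardinality"]]


def add_active_role(session_roles, role, expand_hierarchy=True):
    # AddActiveRole: refuse the activation if it would violate any DSD set.
    violated = dsd_violations(set(session_roles) | {role},
                              expand_hierarchy=expand_hierarchy)
    if violated:
        raise PermissionError(f"activating {role} violates DSD {violated}")
    session_roles.add(role)
    return session_roles
```

The same expansion applies to CreateSession: run dsd_violations over the default active role set before handing the session to the user.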