Posted to slide-user@jakarta.apache.org by Jiantao Pan <ji...@labbook.com> on 2001/10/02 22:09:21 UTC

Inserted entry in permissions table when startup

I am using a recent (yesterday's) build of slide with
JDBCDescriptorsStore and mysql. Attached is my Domain.xml.
Every time I start up the server, a new entry gets inserted into the
permissions table with object = '/', subject = '/' and action = '/',
which means everybody can do any action on anything.
I think this probably happens on other databases also. Any suggestions on
why this happens?
Thanks.
Jiantao


<?xml version="1.0"?>

<slide logger="org.apache.slide.util.logger.SimpleLogger"
logger-level="6" default="slide">

<!--
logger
~~~~~~
org.apache.slide.util.logger.SimpleLogger 
   default logger with 1 log level
log4j.Log4jLogger 
   logger with fine granularity
   see http://jakarta.apache.org/log4j/

logger-level 
~~~~~~~~~~~~
0 EMERGENCY
1 CRITICAL
2 ERROR
4 WARNING
6 INFO
7 DEBUG
-->

  <namespace name="slide">
<!-- ### Memory Configuration ###
     The following memory configuration uses the MemoryDescriptorsStore
     for node,security,locks and revisions. For content the FileContentStore
     is used. Content is reset before start.
-->
    <definition>
      <store name="jdbc">
        <nodestore classname="slidestore.reference.JDBCDescriptorsStore">
         <parameter name="driver">org.gjt.mm.mysql.Driver</parameter>
         <parameter name="url">mysql://test01:3306/slide</parameter>
         <parameter name="user">username</parameter>
         <parameter name="password">password</parameter>
        </nodestore>
        <securitystore>
          <reference store="nodestore" />
        </securitystore>
        <lockstore>
          <reference store="nodestore" />
        </lockstore>
        <revisiondescriptorsstore>
          <reference store="nodestore" />
        </revisiondescriptorsstore>
        <revisiondescriptorstore>
          <reference store="nodestore" />
        </revisiondescriptorstore>
        <!--contentstore classname="slidestore.reference.JDBCContentStore">
         <parameter name="driver">org.hsql.jdbcDriver</parameter>
         <parameter name="url">HypersonicSQL:slidecontent</parameter>
         <parameter name="user">sa</parameter>
         <parameter name="password"></parameter>
        </contentstore-->
        <contentstore classname="slidestore.reference.FileContentStore">
          <parameter name="rootpath">files</parameter>
        </contentstore>
      </store>
      <scope match="/" store="jdbc" />
    </definition>


<!-- ### JDBC Configuration ###
     The following jdbc sample configuration uses the hsql Database Engine
     a relational database engine written in Java, for more info: 
     http://hsqldb.sourceforge.net/ 
-->
<!--
    <definition>
      <store name="jdbc">
        <nodestore classname="slidestore.reference.JDBCDescriptorsStore">
         <parameter name="driver">org.hsqldb.jdbcDriver</parameter>
         <parameter name="url">jdbc:hsqldb:slidestructure</parameter>
         <parameter name="user">sa</parameter>
         <parameter name="password"></parameter>
        </nodestore>
        <securitystore>
          <reference store="nodestore" />
        </securitystore>
        <lockstore>
          <reference store="nodestore" />
        </lockstore>
        <revisiondescriptorsstore>
          <reference store="nodestore" />
        </revisiondescriptorsstore>
        <revisiondescriptorstore>
          <reference store="nodestore" />
        </revisiondescriptorstore>
        <contentstore classname="slidestore.reference.JDBCContentStore">
         <parameter name="driver">org.hsqldb.jdbcDriver</parameter>
         <parameter name="url">jdbc:hsqldb:slidecontent</parameter>
         <parameter name="user">sa</parameter>
         <parameter name="password"></parameter>
        </contentstore>
      </store>
      <scope match="/" store="jdbc" />
    </definition>
-->


    <configuration>

      <!-- Actions mapping -->
      <default-action>/actions</default-action>
      <read-object>/actions/read</read-object>
      <create-object>/actions/write</create-object>
      <remove-object>/actions/write</remove-object>
      <grant-permission>/actions/manage</grant-permission>
      <revoke-permission>/actions/manage</revoke-permission>
      <read-permissions>/actions/manage</read-permissions>
      <lock-object>/actions/write</lock-object>
      <kill-lock>/actions/manage</kill-lock>
      <read-locks>/actions/read</read-locks>
      <read-revision-metadata>/actions/read</read-revision-metadata>
 
      <create-revision-metadata>/actions/write</create-revision-metadata>
      <modify-revision-metadata>/actions/write</modify-revision-metadata>
      <remove-revision-metadata>/actions/write</remove-revision-metadata>
      <read-revision-content>/actions/read</read-revision-content>
      <create-revision-content>/actions/write</create-revision-content>
      <modify-revision-content>/actions/write</modify-revision-content>
      <remove-revision-content>/actions/write</remove-revision-content>

      <!-- Paths configuration -->
      <userspath>/users</userspath>
      <guestpath>guest</guestpath>
      <filespath>/files</filespath>
      <parameter name="dav">true</parameter>
      <parameter name="standalone">true</parameter>

      <!-- Roles definition -->
      <role name="root">slideroles.basic.RootRole</role>
      <role name="user">slideroles.basic.UserRole</role>
      <role name="guest">slideroles.basic.GuestRole</role>

      <!-- Users management -->
      <auto-create-users>true</auto-create-users>

      <!-- Default properties mapping -->
      <default-property name="foo" namespace="nsfoo/" value="bar"
       role="user"/>
      <default-property name="password" namespace="slide/" value=""
       role="user"/>

    </configuration>
    
    <data>
      
      
      <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
        
        <permission action="/actions" subject="root"/>
        <permission action="/actions/read" subject="user"
         inheritable="false"/>
        <permission action="/actions/read" subject="nobody"
         inheritable="false"/>
        
        <!-- /users represents the unauthenticated user -->
        
        <objectnode classname="org.apache.slide.structure.SubjectNode" 
         uri="/users">
          
          <permission action="/actions" subject="~"/>
          <permission action="/actions" subject="guest"
           inheritable="true" negative="true"/>
          <permission action="/actions/read" subject="user"
           inheritable="false"/>

          <!-- Permission group example -->
          
          <objectnode classname="org.apache.slide.structure.GroupNode" 
            uri="/users/groupA">
             <objectnode classname="org.apache.slide.structure.LinkNode"
                uri="/users/groupA/john" linkedUri="/users/john" />
             <objectnode classname="org.apache.slide.structure.LinkNode"
                uri="/users/groupA/root" linkedUri="/users/root" />
             <objectnode classname="org.apache.slide.structure.SubjectNode" 
               uri="/users/groupA/singleGroupMember"  />
          </objectnode>

          <!-- /users/root represents the administrator -->
          
          <objectnode classname="slideroles.basic.RootRoleImpl" 
           uri="/users/root">
            <revision>
              <property name="password">root</property>
            </revision>
          </objectnode>
          
          <!-- /users/john represents an authenticated user -->
          
          <objectnode classname="slideroles.basic.UserRoleImpl" 
           uri="/users/john">
            <revision>
              <property name="password">john</property>
            </revision>
          </objectnode>
          
          <!-- /users/guest represents an authenticated or unauthenticated 
               guest user -->
          
          <objectnode classname="slideroles.basic.GuestRoleImpl" 
           uri="/users/guest">
            <revision>
              <property name="password"></property>
            </revision>
          </objectnode>
          
        </objectnode>
        
        <objectnode classname="org.apache.slide.structure.ActionNode" 
         uri="/actions">
          
          <objectnode classname="org.apache.slide.structure.ActionNode" 
           uri="/actions/read"/>
          
          <objectnode classname="org.apache.slide.structure.ActionNode" 
           uri="/actions/write"/>
          
          <objectnode classname="org.apache.slide.structure.ActionNode" 
           uri="/actions/manage"/>
          
        </objectnode>
        
        <objectnode classname="org.apache.slide.structure.SubjectNode" 
         uri="/files">

          <!-- ### Give read/write/manage permission to guest ### 
               Uncomment the following line to give permission to do
               all actions on /files to guest (unauthenticated users) -->
          <!-- <permission action="/actions" subject="/users/guest"/> -->

          <permission action="/actions/manage" subject="/users/john"/>
          <permission action="/actions/write" subject="+/users/groupA"/>
          <permission action="/actions/read" subject="nobody"/>
          
        </objectnode>
        
      </objectnode>
     
    </data>
    
  </namespace>
  
</slide>

Re: Inserted entry in permissions table when startup

Posted by Remy Maucherat <rm...@home.com>.
> Dirk Verbeeck wrote:
> >
> > Jiantao Pan wrote:
> >
> > > I am using recent ( yesterday) build of slide and using
> > > JDBCDescriptorsStore and mysql. The attached is my Domain.xml.
> > > Everytime I startup the server, A new entry get inserted into the
> > > permissions table with object ='/', subject = '/' and action = '/'.
> > > Which means everybody can do any action on anything.
> > > I think this probably happens on other database also. Any suggestions on
> > > why this happens?
> > >  Thanks.
> > > Jiantao
> >
> > There was already a report on this issue, but maybe we can now use bugzilla
> > to log everything.
> > http://nagoya.apache.org/bugzilla/
> >
> > Can you help us debug the problem ?
> > We think it's a problem with mysql not having transaction support.
> > First of all you should use slidestore.mysql.MySQLDescriptorsStore
> > this store doesn't need transaction support.
>
>
> The problem here is exactly what I reported a few days ago: when
> populating the stores from Domain.xml, slide inserts these temporary
> permissions (which isn't a problem by itself). However, due to changes
> in this code, they are _only_ removed by rolling back a transaction.
>
> Please, don't suggest using MySQLDescriptorsStore. Slide itself
> _requires_ transactions to work with any degree of correctness or
> reliability (that decision has been clearly made, and is reasonable,
> it'd be a LOT of work to do things differently). Merely turning off
> transactions so that it looks like you don't need them doesn't actually
> fix the problem at all.

I agree that correctness and reliability will require transaction support,
and we should encourage people to use transactional backends. I don't see
the problem with giving some support for other popular solutions, however
(like mySQL, here). And here, I consider the issue to be a bug (it's just
too risky to rely on the rollback to remove the permission, since if it
somehow doesn't work, it leaves a huge security hole).

Remy
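
An added illustration of the failure mode discussed in this thread (not Slide's code and not part of any message): a simplified Python model of a startup routine that inserts the wildcard grant and then removes it either by rollback or by an explicit delete. The table layout, the function names, and the use of SQLite's autocommit mode to stand in for a backend without transaction support are assumptions.

```python
import sqlite3

# The wildcard row reported in the thread: object, subject, action.
BOOTSTRAP_GRANT = ("/", "/", "/")

def open_store(transactional):
    # isolation_level=None is sqlite3's autocommit mode: each statement is
    # committed immediately, so rollback() has nothing to undo. It stands in
    # here for a backend without transaction support (an assumption).
    level = "DEFERRED" if transactional else None
    conn = sqlite3.connect(":memory:", isolation_level=level)
    conn.execute(
        "CREATE TABLE permissions (object TEXT, subject TEXT, action TEXT)")
    return conn

def leftover_grants(conn):
    # Audit check: how many wildcard rows are in the table right now?
    cur = conn.execute(
        "SELECT COUNT(*) FROM permissions"
        " WHERE object = ? AND subject = ? AND action = ?", BOOTSTRAP_GRANT)
    return cur.fetchone()[0]

def startup(conn, cleanup):
    # One simulated server start: grant everything, load config, clean up.
    conn.execute("INSERT INTO permissions VALUES (?, ?, ?)", BOOTSTRAP_GRANT)
    try:
        assert leftover_grants(conn) >= 1   # grant is in force while loading
    finally:
        if cleanup == "rollback":
            conn.rollback()                 # silent no-op without transactions
        else:
            conn.execute(
                "DELETE FROM permissions"
                " WHERE object = ? AND subject = ? AND action = ?",
                BOOTSTRAP_GRANT)
            conn.commit()
    return leftover_grants(conn)

if __name__ == "__main__":
    for transactional in (True, False):
        for cleanup in ("rollback", "delete"):
            conn = open_store(transactional)
            counts = [startup(conn, cleanup) for _ in range(3)]
            print(transactional, cleanup, counts)
```

With rollback-only cleanup on the autocommit store, the wildcard row count grows by one per start, matching the original report. A crash between the insert and the delete still leaves the row behind on a non-transactional store, so the `leftover_grants` check is worth running at startup either way.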


Re: Inserted entry in permissions table when startup

Posted by Michael Smith <ms...@speedlegal.com>.
Dirk Verbeeck wrote:
> 
> Jiantao Pan wrote:
> 
> > I am using recent ( yesterday) build of slide and using
> > JDBCDescriptorsStore and mysql. The attached is my Domain.xml.
> > Everytime I startup the server, A new entry get inserted into the
> > permissions table with object ='/', subject = '/' and action = '/'.
> > Which means everybody can do any action on anything.
> > I think this probably happens on other database also. Any suggestions on
> > why this happens?
> >  Thanks.
> > Jiantao
> 
> There was already a report on this issue, but maybe we can now use bugzilla
> to log everything.
> http://nagoya.apache.org/bugzilla/
> 
> Can you help us debug the problem ?
> We think it's a problem with mysql not having transaction support.
> First of all you should use slidestore.mysql.MySQLDescriptorsStore
> this store doesn't need transaction support.


The problem here is exactly what I reported a few days ago: when
populating the stores from Domain.xml, slide inserts these temporary
permissions (which isn't a problem by itself). However, due to changes
in this code, they are _only_ removed by rolling back a transaction. 

Please, don't suggest using MySQLDescriptorsStore. Slide itself
_requires_ transactions to work with any degree of correctness or
reliability (that decision has been clearly made, and is reasonable,
it'd be a LOT of work to do things differently). Merely turning off
transactions so that it looks like you don't need them doesn't actually
fix the problem at all.

Michael

Re: Inserted entry in permissions table when startup

Posted by Dirk Verbeeck <di...@pandora.be>.
Jiantao Pan wrote:

> I am using recent ( yesterday) build of slide and using
> JDBCDescriptorsStore and mysql. The attached is my Domain.xml.
> Everytime I startup the server, A new entry get inserted into the
> permissions table with object ='/', subject = '/' and action = '/'.
> Which means everybody can do any action on anything.
> I think this probably happens on other database also. Any suggestions on
> why this happens?
>  Thanks.
> Jiantao

There was already a report on this issue, but maybe we can now use bugzilla
to log everything.
http://nagoya.apache.org/bugzilla/

Can you help us debug the problem ?
We think it's a problem with mysql not having transaction support.
First of all you should use slidestore.mysql.MySQLDescriptorsStore
this store doesn't need transaction support.
Next, look at the log and try to find  "Namespace base configuration was
already done before"
or "Could not rollback namespace base configuration: "
(Send me the logfile anyway, or attach it to the bug report)

If you can build from source put
"getLogger().log(ex,LOG_CHANNEL,Logger.INFO);"
at Namespace.java:767
(I can send you a debug version if you want)

This permission object ='/', subject = '/' and action = '/' is used when
uploading the base configuration in domain.xml.
After initialization it should be deleted or rolled back in case of an
error.

I don't have mysql installed so I need somebody to do some tests...


Dirk