argus-authz / argus-pap
Argus PAP server
Home Page: http://argus-authz.github.com/argus-pap
Recent JREs disable SSLv3 due to the POODLE vulnerability.
pap-admin forces SSLv3 for the SSL protocol used by the pap-admin client, so it stopped working with recent JREs.
The current code logs things like this:
2014-01-22 23:04:20.467Z - INFO [InitSecurityContext] - Connection from .....
2014-01-22 23:04:20.475Z - INFO [BasePAPOperation] - Insufficient privileges to perform operation 'GetPoliciesForPAPOperation'
2014-01-22 23:04:20.475Z - ERROR [ProvisioningService] - Insufficient privileges to perform operation 'GetPoliciesForPAPOperation'.
When more than one user is connected, there is no way to know which one is denied. Looking in the code, the function that should be modified is in src/main/java/org/glite/authz/pap/authz/BasePAPOperation.java:
    public final T execute() {
        logOperation();
        if ( !isAllowed() ) {
            log.info( "Insufficient privileges to perform operation '"
                    + getName() + "'" );
            throw new PAPAuthzException(
                    "Insufficient privileges to perform operation '"
                    + getName() + "'." );
        }
        return doExecute();
    }
As far as I understand the code (not really ...), the current logged user could be obtained via 'CurrentAdmin admin = CurrentAdmin.instance();' or directly something like what is in CurrentAdmin (SecurityContext theContext = SecurityContext.getCurrentContext(); String adminDN = theContext.getClientName();). I don't know how to format the output correctly...
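One way to make the denial attributable, as an added example that is not the argus-pap source and not part of the issue above: the client DN is written into the denial log line after control characters are neutralised, so a crafted certificate subject cannot forge extra log lines. Assumptions: the `CLIENT_DN` thread-local stands in for `SecurityContext.getCurrentContext().getClientName()`, `SecurityException` stands in for `PAPAuthzException`, `java.util.logging` replaces the project's logger, and `forLog` and `denialLogLine` are hypothetical helper names.

```java
import java.util.function.Supplier;
import java.util.logging.Logger;

// Added example: stand-alone sketch, not the argus-pap code base.
public class DeniedOperationLogging {
    private static final Logger log = Logger.getLogger("BasePAPOperation");

    // Assumption: stand-in for SecurityContext.getCurrentContext().getClientName(),
    // i.e. the certificate subject DN bound to the thread serving the request.
    static final ThreadLocal<String> CLIENT_DN = new ThreadLocal<>();

    // The DN is client-controlled: replace control characters (CR, LF, ...) and
    // cap the length so one denial always produces exactly one bounded log line.
    static String forLog(String dn) {
        if (dn == null || dn.isEmpty()) return "<unauthenticated>";
        String clean = dn.replaceAll("\\p{Cntrl}", "?");
        return clean.length() > 256 ? clean.substring(0, 256) + "..." : clean;
    }

    // Hypothetical helper: the log line, now naming who was denied.
    static String denialLogLine(String operation, String dn) {
        return "Insufficient privileges to perform operation '" + operation
                + "' for client '" + forLog(dn) + "'";
    }

    // Same shape as the execute() quoted above; the message returned to the
    // client is unchanged, only the server-side log gains the identity.
    static <T> T execute(String name, boolean allowed, Supplier<T> doExecute) {
        if (!allowed) {
            log.info(denialLogLine(name, CLIENT_DN.get()));
            throw new SecurityException(
                    "Insufficient privileges to perform operation '" + name + "'.");
        }
        return doExecute.get();
    }

    public static void main(String[] args) {
        // Constructed sample DNs; the second carries an embedded newline.
        String[] dns = { "CN=Alice Admin,O=Example,C=IT",
                         "CN=Bob\n2014-01-22 - INFO forged entry,O=Example" };
        for (String dn : dns) {
            CLIENT_DN.set(dn);
            try {
                execute("GetPoliciesForPAPOperation", false, () -> "policies");
            } catch (SecurityException e) {
                System.out.println("client sees: " + e.getMessage());
            }
        }
    }
}
```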
To allow policies that take into account authn profiles (whose implementation is tracked in argus-authz/argus-pep-server#21), introduce support for the x509-authn-profile attribute.
It seems recent JREs (Java 1.8.0-292 on CentOS 7) disable TLSv1 support, which is the hardcoded default for the pap-admin client.
See also #4
Rules with empty subject raise the following error during evaluation process:
ERROR [AuthorizationRequestServlet] - Error evaluating policy
Prevent the creation of rules with empty subject in ban and add-policy commands.
In support of argus-authz/argus-pep-server#22
When a permission rule has a principal that contains a colon character, the PAP service restart fails.
More details can be found in the following GGUS ticket: https://ggus.eu/index.php?mode=ticket_info&ticket_id=128993.