
Key: DIRSERVER-617
Type: Task
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alex Karasulu
Reporter: Alex Karasulu
Votes: 0
Watchers: 0
Directory ApacheDS

Add ACI for Administrators group if not already present

Created: 10/May/06 03:05 AM   Updated: 01/Sep/06 12:36 AM
Component/s: ldap
Affects Version/s: 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
Fix Version/s: 1.5.0, 1.0-RC4

Time Tracking:
Not Specified

Issue Links:
Reference
 

Resolution Date: 01/Sep/06 12:36 AM


Description
Add ACI to enable the Administrators group to have admin-user-like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService.

Alex Karasulu added a comment - 10/May/06 03:07 AM
Making sure this is also available on the 1.1 branch.

We might also want to hardcode into the DefaultAuthorizationService a lookup to check this group specifically to see if the user is in it. If so then they should have superuser access (full access).

Alex Karasulu made changes - 10/May/06 03:07 AM
Field Original Value New Value
Fix Version/s 1.1.0 [ 12310790 ]
Ersin Er added a comment - 06/Aug/06 06:43 PM
Note that a DACD can span a naming context at most. So an access control subentry subordinate to ou=system naming context cannot control access to other naming contexts.

Ersin Er added a comment - 06/Aug/06 06:46 PM
A mutable root partition is needed to be able to control all the DIT via subentries whose effective domain can span multiple partitions.

Ersin Er made changes - 06/Aug/06 06:46 PM
Link This issue is related to DIRSERVER-465 [ DIRSERVER-465 ]
Ersin Er added a comment - 22/Aug/06 11:47 AM
I think we should have Administrators group for each partition and also for the whole system.

To have administrators for each partition we can create a container, ou=Administrators, with each partition created and we can arrange ACI accordingly that group for that partition.

To have system wide administrators there are two choices:
1. We will add some ACI to each created partition for ou=Administrators,ou=system group.
2. We will implement mutable RootDSE or hierarchical partitions in other words.

Alex Karasulu made changes - 30/Aug/06 05:22 AM
Assignee Alex Karasulu [ akarasulu ]
Alex Karasulu made changes - 30/Aug/06 05:22 AM
Status Open [ 1 ] In Progress [ 3 ]
Ersin Er made changes - 30/Aug/06 06:47 AM
Fix Version/s 1.0-RC4 [ 12311053 ]
Fix Version/s 1.0 [ 12312043 ]
Repository Revision Date User Message
ASF #439118 Fri Sep 01 00:29:40 UTC 2006 akarasulu Fix for DIRSERVER-617: Add ACI for Administrators group if not already present
Files Changed
MODIFY /directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
MODIFY /directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
ADD /directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupTest.java
MODIFY /directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
MODIFY /directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
MODIFY /directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
MODIFY /directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java

Alex Karasulu added a comment - 01/Sep/06 12:36 AM
Fixed in 1.0 branch:

  http://svn.apache.org/viewvc?view=rev&revision=439118

Fixed in 1.1 branch:

  http://svn.apache.org/viewvc?view=rev&revision=439119


Things were done a little differently here. I did not add an ACI but rather hardwired the Administrators group so this works with both the default authz service and the one that uses ACI. Basically all access control checks are bypassed for anyone in this very special admin group.
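
A sketch of the hardwired-group bypass described in the comment above, as an added example that is not the ApacheDS code from the linked revisions. The class, interface and method names are hypothetical, the user DNs are constructed, and the audit list is an assumption added to show how bypass decisions can be kept reviewable.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AdminGroupBypassSketch {
    /** Hypothetical stand-in for either authorization service's normal checks. */
    interface AccessPolicy {
        boolean permits(LdapName user, LdapName target, String operation);
    }

    private final Set<LdapName> adminMembers = new HashSet<>();
    private final List<String> bypassAudit = new ArrayList<>();

    AdminGroupBypassSketch(String... memberDns) throws InvalidNameException {
        for (String dn : memberDns) {
            adminMembers.add(new LdapName(dn)); // parsed, so comparison is not textual
        }
    }

    /** Group membership is checked first; the policy runs only for non-members. */
    boolean isAllowed(AccessPolicy policy, String userDn, String targetDn, String operation)
            throws InvalidNameException {
        LdapName user = new LdapName(userDn);
        if (adminMembers.contains(user)) {
            bypassAudit.add(user + " " + operation + " " + targetDn); // keep bypasses reviewable
            return true;
        }
        return policy.permits(user, new LdapName(targetDn), operation);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs; only ou=system comes from the issue text.
        AdminGroupBypassSketch authz = new AdminGroupBypassSketch("uid=alice,ou=users,ou=system");
        AccessPolicy denyAll = (user, target, op) -> false;               // strictest possible policy
        AccessPolicy readOnly = (user, target, op) -> op.equals("read");  // second, different policy

        String target = "ou=configuration,ou=system";
        // Member, spelled with different case and spacing: allowed under both policies.
        System.out.println(authz.isAllowed(denyAll, "UID=Alice, OU=Users, OU=System", target, "modify"));
        System.out.println(authz.isAllowed(readOnly, "uid=alice,ou=users,ou=system", target, "modify"));
        // Non-member: decided by the policy alone.
        System.out.println(authz.isAllowed(denyAll, "uid=bob,ou=users,ou=system", target, "read"));
        System.out.println(authz.isAllowed(readOnly, "uid=bob,ou=users,ou=system", target, "read"));
        System.out.println(authz.bypassAudit);
    }
}
```

Because membership short-circuits every policy, write access to the group entry itself is equivalent to full access and should be restricted and monitored accordingly.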

Alex Karasulu made changes - 01/Sep/06 12:36 AM
Status In Progress [ 3 ] Closed [ 6 ]
Fix Version/s 1.0 [ 12312043 ]
Resolution Fixed [ 1 ]
Fix Version/s 1.0-RC4 [ 12311053 ]
Repository Revision Date User Message
ASF #439119 Fri Sep 01 00:38:32 UTC 2006 akarasulu Fix for DIRSERVER-617: Add ACI for Administrators group if not already present
Files Changed
ADD /directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupTest.java (from /directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupTest.java)
MODIFY /directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
MODIFY /directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
MODIFY /directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
MODIFY /directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
MODIFY /directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
MODIFY /directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java