[MGNLSSO-93] URI permission conflict for anonymous role

Created: 11/Jan/22
Updated: 03/Feb/22
Resolved: 03/Feb/22

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 2.0.1
Fix Version/s: None

Type: Bug
Priority: Critical
Reporter: Andrew Warinner
Assignee: Evzen Fochr
Resolution: Obsolete
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLSSO-92 Infinite redirection loop after "Conn... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: AdminX 1

 Description   

Steps to reproduce

  1. Install Magnolia 6.2.14 + SSO 2.0.1 + PaaS instrumentation-cloud 2.4.1.
  2. The instrumentation-cloud module starts before the SSO module.
  3. Magnolia does not start because the SSO module attempts to bootstrap a URI permission with the name "01", which already exists because the instrumentation-cloud module has created a URI permission and assigned it the name "01".

instrumentation-cloud creates URI permission in info.magnolia.services.setup.InstrumentationCloudVersionHandler#getExtraInstallTasks: 

// anonymous access to metrics endpoint
tasks.add(new AddURIPermissionTask("anonymous access", "anonymous permissions for metrics endpoint", "anonymous", "/.monitoring/*", AddURIPermissionTask.GET_POST));

SSO module bootstraps same named permission in userroles.anonymous.acl_uri.01.yaml: 

01:
  path: /.auth*
  permissions: 63

Expected results

PaaS customers should be able to use the SSO module in PaaS.

SSO module should not assume a specific name when adding URI permissions.

Actual results

Magnolia does not start.

Workaround

A practical workaround is critical for PaaS. Repairing the permissions involves manually starting Magnolia in rescue mode and deleting URI permissions and restarting. The problem also prevents content transfers between PaaS customer environments.

Adding a module dependency for the SSO module to the instrumentation-cloud module is not a solution: not all PaaS customers use the SSO module.

Development notes



 Comments   
Comment by Evzen Fochr [ 03/Feb/22 ]

Solved by MGNLSSO-92
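
One way a module could satisfy the expectation in the description that it "should not assume a specific name when adding URI permissions", given as an added example that is not part of this ticket or of either module's code. It uses only the standard JCR API (`javax.jcr`); the class and method names are hypothetical, and the `mgnl:contentNode` entry type and the two-digit naming scheme are assumptions.

```java
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;

/** Added example: adds a URI permission to a role without assuming a node name. */
public final class UriPermissionInstaller {

    // Assumption: ACL entries are child nodes of this type under the role's acl_uri node.
    private static final String ENTRY_TYPE = "mgnl:contentNode";

    private UriPermissionInstaller() {
    }

    /**
     * Ensures that aclUri (for example the acl_uri node of the anonymous role)
     * contains an entry for the given path and permission value.
     *
     * @return the existing or newly created entry; the caller saves the session
     */
    public static Node ensureUriPermission(Node aclUri, String path, long permissions)
            throws RepositoryException {
        // Idempotent: reuse an entry that already grants exactly this path and value,
        // so running the install step twice does not create duplicates.
        NodeIterator entries = aclUri.getNodes();
        while (entries.hasNext()) {
            Node entry = entries.nextNode();
            if (entry.hasProperty("path") && entry.hasProperty("permissions")
                    && path.equals(entry.getProperty("path").getString())
                    && permissions == entry.getProperty("permissions").getLong()) {
                return entry;
            }
        }

        // Take the first unused name instead of hard-coding "01", so the result
        // does not depend on which module created its entries first.
        int i = 0;
        String name;
        do {
            name = String.format("%02d", i++);
        } while (aclUri.hasNode(name));

        Node entry = aclUri.addNode(name, ENTRY_TYPE);
        entry.setProperty("path", path);
        entry.setProperty("permissions", permissions);
        return entry;
    }
}
```

Called with `"/.auth*"` and `63` on a role that already has an entry named "01" for `/.monitoring/*`, this adds the new entry under a different name and leaves the existing one untouched.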
