-
Defect
-
Resolution: Done
-
Critical
-
1.2.0
-
None
Many users have been allocated institution-specific roles at PCMDI. For instance an IPSL publisher have the following in their certificates:
X509v3 extensions:
1.2.3.4.4.3.2.1.7.8:
...esg.vo.group.roles=group_CMIP5 Research_role_default;group_IPSL_role_default;group_IPSL_role_publisher;group_User_role_default:esg.vo.openid=https://pcmdi3.llnl.gov/esgcet/myopenid/abhipsl
This breaks the AuthorizationService in the BADC gateway because the IPSL role is not defined at that Gateway. I see this in the logs:
sgf.gateway.exceptions.UnhandledException: sgf.gateway.service.security.impl.spring.AuthorizationException: Invalid Access Control Attribute: group_IPSL_role_default
at sgf.gateway.web.exception.resolvers.ReportingExceptionResolver.resolveException(ReportingExceptionResolver.java:38)
at org.springframework.web.servlet.DispatcherServlet.processHandlerException(DispatcherServlet.java:1122)
...
This bug is affecting multiple users at BADC and needs fixing fast. Presumably a work-around is to create the right Group entries in the database.
X509v3 extensions:
1.2.3.4.4.3.2.1.7.8:
...esg.vo.group.roles=group_CMIP5 Research_role_default;group_IPSL_role_default;group_IPSL_role_publisher;group_User_role_default:esg.vo.openid=https://pcmdi3.llnl.gov/esgcet/myopenid/abhipsl
This breaks the AuthorizationService in the BADC gateway because the IPSL role is not defined at that Gateway. I see this in the logs:
sgf.gateway.exceptions.UnhandledException: sgf.gateway.service.security.impl.spring.AuthorizationException: Invalid Access Control Attribute: group_IPSL_role_default
at sgf.gateway.web.exception.resolvers.ReportingExceptionResolver.resolveException(ReportingExceptionResolver.java:38)
at org.springframework.web.servlet.DispatcherServlet.processHandlerException(DispatcherServlet.java:1122)
...
This bug is affecting multiple users at BADC and needs fixing fast. Presumably a work-around is to create the right Group entries in the database.