Hi,

On Wed, May 18, 2011 at 9:36 AM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:

> Hi
>
> On Tue, May 17, 2011 at 5:35 PM, Amila Suriarachchi <am...@wso2.com> wrote:
>
>>
>> Without making assumptions, please try it yourself with a clean build. In the
>> registry permissions section I can only see the admin role (not the
>> adminRole I set).
>>
>>
> Sorry about this. Created an L1 issue for this. We'll fix it soon.
>
> https://wso2.org/jira/browse/CARBON-10045
>

I had a look into this issue. This is an issue related to the behavior of the
default user - which is embedded-ldap, and it is not an issue of user-core.

I have added a comment to the issue. Let me explain it here as well.

When starting embedded-ldap, a default partition (dc=wso2,dc=org) is created
with an admin user and admin role according to the names provided in
embedded-ldap.xml which is in repository/conf.

The default values given there are: admin user name = admin, admin role
name = admin.

And this is why you see a role named admin even after changing the admin
role name in user-mgt.xml. If you change the admin role name in both
user-mgt.xml and embedded-ldap.xml, this issue will not occur.

But I know it is not a good idea to change the same configuration in two
files. So IMO, we need to override admin-role mentioned in embedded-ldap.xml
by the one mentioned in user-mgt.xml.

In order to do that, we need to get the realm configuration from the realm service.
But user core is not started at the time the ldap-server component is started.
Therefore we need to separately read user-mgt.xml in the ldap-server component
when creating the admin role at ldap server startup.

Please let me know whether there is a better way to fix this issue of having
to set the admin role name in two config files.

Thanks,
Hasini.

>
>
> tx,
> dimuthu
>
>
>
>> thanks,
>> Amila.
>>
>>>
>>> tx,
>>> dimuthul
>>>
>>>
>>>
>>>> Please see the attachments.
>>>>
>>>> thanks,
>>>> Amila,
>>>>
>>>>>
>>>>> tx,
>>>>> dimuthul
>>>>>
>>>>>
>>>>>> And also,
>>>>>>
>>>>>> userRealm.getAuthorizationManager().isUserAuthorized(
>>>>>>         loggedInUser, topicResourcePath,
>>>>>>         EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION)
>>>>>>
>>>>>> returns false if the user is not explicitly given the permission to that
>>>>>> resource. But in carbon there is a convention to
>>>>>> allow any user in the admin role to do any activity. Then why don't we add
>>>>>> that rule too to the user manager?
>>>>>>
>>>>>> Then everyone does not have to repeat the admin role check everywhere.
>>>>>>
>>>>>> thanks,
>>>>>> Amila.
>>>>>>
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/CARBON-9959
>>>>>>
>>>>>> _______________________________________________
>>>>>> Carbon-dev mailing list
>>>>>> Carbon-dev@wso2.org
>>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>>>>
>>>>>>
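An added example, not part of the original message or of WSO2's code: a check that reads both files and reports the admin role or admin user name when the two disagree, which is the mismatch described in the reply above. The element and property names (`AdminRole`, `AdminUser/UserName`, `PartitionAdminGroup` with `adminRoleName`, `PartitionAdmin` with `uid`) and the sample XML are assumptions about the file layout; adjust the paths to match the files in repository/conf.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; element and property names are assumed layouts.
USER_MGT_XML = """<UserManager><Realm><Configuration>
  <AdminRole>adminRole</AdminRole>
  <AdminUser><UserName>admin</UserName></AdminUser>
</Configuration></Realm></UserManager>"""

EMBEDDED_LDAP_XML = """<EmbeddedLDAPConfig>
  <PartitionAdmin><Property name="uid">admin</Property></PartitionAdmin>
  <PartitionAdminGroup><Property name="adminRoleName">admin</Property></PartitionAdminGroup>
</EmbeddedLDAPConfig>"""


def _text(root, path):
    # Fail loudly on a missing or empty setting instead of comparing None values.
    node = root.find(path)
    if node is None or not (node.text or "").strip():
        raise ValueError("missing or empty setting: " + path)
    return node.text.strip()


def read_user_mgt(xml_text):
    """Admin role and user name as the realm (user-mgt.xml) declares them."""
    root = ET.fromstring(xml_text)
    return {"role": _text(root, ".//Configuration/AdminRole"),
            "user": _text(root, ".//Configuration/AdminUser/UserName")}


def read_embedded_ldap(xml_text):
    """Admin role and user name the embedded LDAP creates in its default partition."""
    root = ET.fromstring(xml_text)
    return {"role": _text(root, ".//PartitionAdminGroup/Property[@name='adminRoleName']"),
            "user": _text(root, ".//PartitionAdmin/Property[@name='uid']")}


def admin_drift(user_mgt_xml, embedded_ldap_xml):
    """Return [(setting, user-mgt value, embedded-ldap value)] for every mismatch."""
    realm = read_user_mgt(user_mgt_xml)
    ldap = read_embedded_ldap(embedded_ldap_xml)
    return [(k, realm[k], ldap[k]) for k in ("role", "user") if realm[k] != ldap[k]]


if __name__ == "__main__":
    for setting, realm_value, ldap_value in admin_drift(USER_MGT_XML, EMBEDDED_LDAP_XML):
        print(f"admin {setting}: user-mgt.xml={realm_value!r} embedded-ldap.xml={ldap_value!r}")
```

A non-empty result means the embedded LDAP will still create a role or user under the old name, so that name keeps showing up in the permissions view until both files agree.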