On Wed, May 18, 2011 at 10:51 AM, Hasini Gunasinghe <has...@wso2.com> wrote:
> Hi,
>
> On Wed, May 18, 2011 at 9:36 AM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:
>
>> Hi
>>
>> On Tue, May 17, 2011 at 5:35 PM, Amila Suriarachchi <am...@wso2.com> wrote:
>>
>>> without making assumptions please try yourself with a clean build. In the
>>> registry permissions section I can only see the admin role (not the
>>> adminRole I set)
>>>
>> Sorry about this. Created an L1 issue for this. We'll fix it soon.
>>
>> https://wso2.org/jira/browse/CARBON-10045
>>
> I had a look into this issue. This is an issue related to a behavior of
> default user - which is embedded-ldap, and it is not an issue of user-core.
>
> I have added a comment to the issue. Let me explain it here as well.
>
> When starting embedded-ldap, a default partition (dc=wso2,dc=org) is
> created with an admin user and admin role according to the names provided in
> embedded-ldap.xml which is in repository/conf.
>
> The default values given there are: admin user name = admin, admin role
> name = admin.
>
> And this is why you see a role named admin even after changing the admin
> role name in user-mgt.xml. If you change the admin role name in both
> user-mgt.xml and embedded-ldap.xml, this issue will not occur.
>
> But I know it is not a good idea to change the same configuration in two
> files. So IMO, we need to override admin-role mentioned in embedded-ldap.xml
> by the one mentioned in user-mgt.xml.
>
> In order to do that, we need to get realm configuration from realm service.
> But user core is not started at the time ldap-server component is started.
> Therefore we need to separately read user-mgt.xml in ldap-server component
> when creating admin role at ldap server start up.
>
> Please let me know whether there is a better way to fix this issue of
> having to set admin role name in two config files.
>

Hi Hasini,

Thanks for the explanation. If you look at the first mail of this thread, there are two questions.

For #1 we need to remove the ADMIN_ROLE from the ServerConstants; please do that as well.

For #2, userRealm.getAuthorizationManager().isUserAuthorized(loggedInUser, topicResourcePath, EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION): if the loggedInUser is in Admin Role (as defined in the user-manager.xml), shouldn't this method return true?

thanks,
Amila.

> Thanks,
> Hasini.
>
>> tx,
>> dimuthu
>>
>>> thanks,
>>> Amila.
>>>
>>>> tx,
>>>> dimuthul
>>>>
>>>>> Please see the attachments.
>>>>>
>>>>> thanks,
>>>>> Amila,
>>>>>
>>>>>> tx,
>>>>>> dimuthul
>>>>>>
>>>>>>> And also,
>>>>>>>
>>>>>>> userRealm.getAuthorizationManager().isUserAuthorized(
>>>>>>> loggedInUser, topicResourcePath,
>>>>>>> EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION)
>>>>>>>
>>>>>>> returns false if user is not explicitly given the permission to that
>>>>>>> resource. But in carbon there is a convention to
>>>>>>> allow any user in admin role to do any activity. Then why don't we
>>>>>>> add that rule too to the user manager.
>>>>>>>
>>>>>>> Then everyone does not have to repeat admin role check everywhere.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Amila.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/CARBON-9959
_______________________________________________ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
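An added example (not code from this thread or from the Carbon code base) of the single, centralised check Amila asks for: the call passes if the explicit resource permission is granted or if the user holds the admin role, with the role name read only from the realm configuration (user-mgt.xml) so it is defined in one place. It assumes the user-core API names AuthorizationManager.isUserAuthorized, RealmConfiguration.getAdminRoleName and UserStoreManager.getRoleListOfUser.

```java
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;

/**
 * Applies the Carbon "admin role may do anything" convention once, so that
 * components such as the event broker do not repeat the role check.
 * Added example; the user-core method names used here are assumed.
 */
public final class AdminAwareAuthorizer {

    private AdminAwareAuthorizer() {}

    public static boolean isAuthorized(UserRealm realm, String user,
                                       String resource, String action)
            throws UserStoreException {
        // 1. Explicit resource permission, exactly as isUserAuthorized works today.
        if (realm.getAuthorizationManager().isUserAuthorized(user, resource, action)) {
            return true;
        }

        // 2. Admin-role fallback. The role name is taken from the realm
        //    configuration (user-mgt.xml) only. A role created under a
        //    different name by embedded-ldap.xml does not get the bypass,
        //    so a mismatch between the two files fails closed, not open.
        String adminRole = realm.getRealmConfiguration().getAdminRoleName();
        if (adminRole == null || adminRole.trim().isEmpty()) {
            return false;
        }
        String[] roles = realm.getUserStoreManager().getRoleListOfUser(user);
        if (roles == null) {
            return false;
        }
        for (String role : roles) {
            if (adminRole.equals(role)) {
                return true;
            }
        }
        return false;
    }
}
```

With this helper the event broker call becomes AdminAwareAuthorizer.isAuthorized(userRealm, loggedInUser, topicResourcePath, EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION), and a user in the configured admin role gets true without an explicit grant on the topic.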