ldap and permissions oddities

  • We tried to make OpenKM as intuitive as possible, but an advice is always welcome.
 #48092  by chrwei
 
I have openkm 6.3.7 configured with ldap to active directory. Everything seems to work normally from the web interface, but in both the .NET and PHP SDKs the getContent() calls from a non-admin user result in an HTTP 500 error "AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c". The first UUID is the file's and the 2nd is the folder it's in. The user is also the one that created the folder and the file via the .NET SDK. The security tab on the folder and file will list this user with full access.

If I add the user to ROLE_ADMIN in AD, the getContent() call works; removing it makes it not work again. I'm baffled what I should be doing differently.

The logs only have this:
==> /opt/openkm/tomcat-8.5.24/logs/catalina.out <==
2019-05-30 13:00:03,422 [http-nio-0.0.0.0-8080-exec-3] WARN  o.a.c.j.i.WebApplicationExceptionMapper - com.openkm.rest.GenericException: HTTP 500 Internal Server Error
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:163)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:201)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.openkm.core.AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c
	at com.openkm.module.db.stuff.SecurityHelper.checkExtended(SecurityHelper.java:148)
	at com.openkm.dao.NodeDocumentVersionDAO.getCurrentContentByParent(NodeDocumentVersionDAO.java:289)
	at com.openkm.module.db.base.BaseDocumentModule.getContent(BaseDocumentModule.java:283)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:494)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:457)
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:150)
	... 66 more


==> /opt/openkm/tomcat-8.5.24/logs/openkm.log <==
2019-05-30 13:00:03,422 [http-nio-0.0.0.0-8080-exec-3] [] WARN  o.a.c.j.i.WebApplicationExceptionMapper - com.openkm.rest.GenericException: HTTP 500 Internal Server Error
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:163)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:201)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.openkm.core.AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c
	at com.openkm.module.db.stuff.SecurityHelper.checkExtended(SecurityHelper.java:148)
	at com.openkm.dao.NodeDocumentVersionDAO.getCurrentContentByParent(NodeDocumentVersionDAO.java:289)
	at com.openkm.module.db.base.BaseDocumentModule.getContent(BaseDocumentModule.java:283)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:494)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:457)
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:150)
	... 66 more
 #48100  by jllort
 
getContent and getContentByVersion should work in both scenarios for the same document. If you get permission denied, it means something is wrong; the question is where:
* ensure from the OpenKM UI you can download the document (in case it works from there, I will ask for more things)
 #48102  by chrwei
 
I can download from the UI, though at one point I had changed "default.user.role" and the download option was disabled, but I could still download from the History tab, which actually seems like a bug. Changing it back to ROLE_USER brought it back and works, but getContent() still fails. I guess I could nuke the install and try again since this is all still in testing, but I'd prefer to fix it.

With that one UI bug, it seems there is some difference in how permissions are evaluated along that path. Unfortunately my Java is fairly weak, so I'm not even sure where to start looking or playing.

Any scripts or SQL I can run to verify what's up?
 #48132  by jllort
 
If you have changed ROLE_USER to another role, you should update all the entries in the table OKM_NODE_ROLE_PERMISSION:
update OKM_NODE_ROLE_PERMISSION set NRP_ROLE = 'newRoleName' where NRP_ROLE='ROLE_USER';
 #48141  by chrwei
 
Everything in the table is already ROLE_USER or ROLE_ADMIN. I'm not actually trying to change it, I just had a wrong ldap config item for a bit. ROLE_USER is what I want.
 #48151  by jllort
 
First you must configure the OpenKM configuration parameters for LDAP. When you succeed on it, users, roles and roles by users will be shown from administration. At this point you can start thinking about authentication, but not before. I suggest reverting the changes to login from the database and working on the OpenKM configuration parameters.

Read with care what is explained here and try to follow it:
https://docs.openkm.com/kcenter/view/ok ... roles.html

Each time you go to the users / roles view after you have applied a change, it is good practice to refresh the OpenKM cache -> I think you have it in the main administration menu or in tools > cache stats (I do not remember exactly where it is in community).
 #48162  by chrwei
 
That is the guide I followed, and also what I used to verify my settings and how I found my one error that is now corrected.

I want to reiterate: in the web interface everything works as expected, I can view any file as a ROLE_USER login as per the set permissions on the security tab. It is ONLY the SDK getContent() function that gives a permission denied, and ONLY for ROLE_USER, no matter what permissions are set. getDocumentProperties() and getContentByVersion() do not give permission denied. There is very clearly some different code path in getContent().

Cleared the cache and the issue persists.
 #48163  by chrwei
 
Fixed it.

I found the relevant source in src/main/java/com/openkm/dao/NodeDocumentVersionDAO.java.

The getContent() path has this additional code:

if (extendedSecurity) {
	if ((Config.SECURITY_EXTENDED_MASK & Permission.DOWNLOAD) == Permission.DOWNLOAD) {
		SecurityHelper.checkExtended(nDoc, Permission.DOWNLOAD);
	}
}
This led me down some experimenting with permissions: ROLE_USER did not have download permission on /okm:root/ but did on everything else. Adding it to root fixed the issue.

I didn't follow the regular web desktop paths in the code, but there is clearly a difference in how permissions are checked. The desktop does not require download permission on all parent folders including root, but API getContent() does.
 #48180  by jllort
 
I suggest downloading the OpenKM personal development environment, which comes as a virtual machine (in our download section you have a link and a video), and trying to debug the OpenKM source code (if you have not enabled the extended mask, the error you are explaining makes no sense, and neither does being able to download from the web UI and not from the API).
 #48186  by chrwei
 
I have:

security.extended.mask	Integer	9216

I didn't intentionally enable it, but it is clearly checking it, as shown in the logs I posted.
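To make the two observations in this thread concrete (the getContent() guard quoted in #48163, which only calls SecurityHelper.checkExtended when Permission.DOWNLOAD is set in the extended mask, and the mask value 9216 in #48186), here is a small Python model of that check, added as an illustration. It is not OpenKM's code: the permission bit values, the node layout, and the rule that the API path walks every ancestor up to root while the web desktop checks only the document are assumptions built from the posts above (verify the bit values against com.openkm.bean.Permission in your own source tree).

```python
"""Model of the extended-security download check discussed in this thread.

Added illustration, not OpenKM code. The permission bit values below and the
ancestor walk in api_get_content() are assumptions derived from the posts
(mask 9216, Permission.DOWNLOAD, SecurityHelper.checkExtended, and chrwei's
test that the API needs DOWNLOAD on every parent folder including root).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# ASSUMED bit values; check com.openkm.bean.Permission in your OpenKM source.
PERMISSION_BITS: Dict[str, int] = {
    "READ": 1, "WRITE": 2, "DELETE": 4, "SECURITY": 8,
    "DOWNLOAD": 1024, "START_WORKFLOW": 2048,
    "COMPACT_HISTORY": 4096, "PROPERTY_GROUP": 8192,
}
DOWNLOAD = PERMISSION_BITS["DOWNLOAD"]
BASIC = PERMISSION_BITS["READ"] | PERMISSION_BITS["WRITE"]


def decode_mask(mask: int) -> List[str]:
    """Names of the extended-security bits enabled by security.extended.mask."""
    return [name for name, bit in PERMISSION_BITS.items() if mask & bit == bit]


@dataclass
class Node:
    """A folder or document; role_permissions maps role name -> permission bits."""
    uuid: str
    parent: Optional["Node"] = None
    role_permissions: Dict[str, int] = field(default_factory=dict)

    def grant(self, role: str, bits: int) -> None:
        self.role_permissions[role] = self.role_permissions.get(role, 0) | bits

    def allows(self, roles: FrozenSet[str], needed: int) -> bool:
        """True if any of the caller's roles holds every bit in `needed` on this node."""
        return any(self.role_permissions.get(r, 0) & needed == needed for r in roles)


def check_extended(node: Node, roles: FrozenSet[str], mask: int, needed: int) -> bool:
    """Per-node model of the `(mask & DOWNLOAD) == DOWNLOAD` guard plus checkExtended:
    if the bit is not enabled in the mask the extended check is skipped and passes."""
    if mask & needed != needed:
        return True
    return node.allows(roles, needed)


def api_get_content(doc: Node, roles: FrozenSet[str], mask: int) -> Tuple[bool, Optional[str]]:
    """Model of the SDK getContent() path as observed in the thread: DOWNLOAD must be
    granted on the document and on every ancestor up to and including root.
    Returns (allowed, uuid of the first node that denied, or None)."""
    node: Optional[Node] = doc
    while node is not None:
        if not check_extended(node, roles, mask, DOWNLOAD):
            return False, node.uuid
        node = node.parent
    return True, None


def ui_download(doc: Node, roles: FrozenSet[str], mask: int) -> bool:
    """Model of the web-desktop download as observed: only the document itself is checked."""
    return check_extended(doc, roles, mask, DOWNLOAD)


def build_scenario() -> Tuple[Node, Node, Node]:
    """Constructed tree mirroring the thread: ROLE_USER lacks DOWNLOAD on root only."""
    root = Node("okm-root")
    folder = Node("folder-uuid", parent=root)
    doc = Node("doc-uuid", parent=folder)
    root.grant("ROLE_USER", BASIC)                 # no DOWNLOAD bit on /okm:root
    folder.grant("ROLE_USER", BASIC | DOWNLOAD)
    doc.grant("ROLE_USER", BASIC | DOWNLOAD)
    for n in (root, folder, doc):                  # admin holds every bit everywhere
        n.grant("ROLE_ADMIN", sum(PERMISSION_BITS.values()))
    return root, folder, doc


if __name__ == "__main__":
    root, folder, doc = build_scenario()
    user, admin = frozenset({"ROLE_USER"}), frozenset({"ROLE_ADMIN"})
    mask = 9216
    print("mask 9216 enables:", decode_mask(mask))
    print("UI download as ROLE_USER:", ui_download(doc, user, mask))
    print("API getContent as ROLE_USER:", api_get_content(doc, user, mask))
    print("API getContent as ROLE_ADMIN:", api_get_content(doc, admin, mask))
    root.grant("ROLE_USER", DOWNLOAD)             # the fix applied in #48163
    print("API getContent after granting DOWNLOAD on root:", api_get_content(doc, user, mask))
    print("API getContent with mask 0:", api_get_content(doc, user, 0))
```

With the assumed bit values, 9216 decodes to DOWNLOAD plus PROPERTY_GROUP, which is why the guard in getContent() fires even though the setting was never enabled on purpose; the model also shows the two ways the symptom disappears (granting DOWNLOAD on root, or setting the mask to 0 so the extended check is skipped) and why ROLE_ADMIN was never affected.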
 #48204  by jllort
 
This is the reason why it is not downloading: it is evaluating extra security. If you are not interested in extra security, I suggest setting it to 0, refreshing the user interface after the change and checking again.
 #48222  by chrwei
 
I'm not sure whether I want it or not, I might actually.

My test shows that extended security with the API requires the specific permission to be on all parent folders of the item, including /root, and the web desktop does not require this. It's an odd difference.
 #48282  by jllort
 
Explain a specific case in detail. Anyway, it does not have any kind of relation with LDAP; I suggest opening a new topic for it.