OPENAM-9483

Delegated realm admin cannot edit realm property using REST API

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: rest
    • Labels:
    • Environment:
      Both OpenAM 13.0.0 and 13.5.0
    • Sprint:
      AM Sustaining Sprint 32
    • Story Points:
      2
    • Support Ticket IDs:

      Description

      A delegated administrator in the top-level realm with full privileges assigned cannot read or perform any operation on the realms REST API; every request is rejected with 403 Forbidden.

      Current behaviour

      HTTP GET http://openam.example.com:8080/openam/json/realms/<realm>
      using the delegated admin SSO token
      
      {
        "code": 403,
        "reason": "Forbidden",
        "message": "Access Denied"
      }
      
      CoreSystems logs show
      
      Creating SSOToken for ID: AQIC5wM2LY4SfcyQfQ07HjSmT-ouzv6Z0F75ezK886yFLyI.*AAJTSQACMDEAAlNLABQtMjgwMDAzNTA2NjMyMjA0OTQ1MwACUzEAAA..*
      frRest:07/25/2016 03:15:00:025 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
      subrealm :: READ attempted by id=admin,ou=user,dc=openam,dc=forgerock,dc=org
      frRest:07/25/2016 03:15:00:034 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
      ERROR: Unauthorized user.
      frRest:07/25/2016 03:15:00:034 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
      ERROR: RealmResource.readInstance() : Cannot READ subrealm:org.forgerock.json.resource.ForbiddenException: Access Denied

      • This issue exists in 13.0.0 and 13.5.0.
      • amadmin works without problems.
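      As an added example (not part of this issue or of OpenAM itself), the following Python correlates frRest debug lines of the shape quoted above by TransactionId, pairing the "attempted by" line with the ForbiddenException line so that someone reviewing the CoreSystems log can list which caller was refused which operation on which realm. The sample log is constructed from the excerpt above, and the three regular expressions are assumptions inferred from those lines, not an official description of the frRest format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the frRest debug lines quoted in this issue (header line, then message line).
SAMPLE_LOG = """\
frRest:07/25/2016 03:15:00:025 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
subrealm :: READ attempted by id=admin,ou=user,dc=openam,dc=forgerock,dc=org
frRest:07/25/2016 03:15:00:034 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
ERROR: Unauthorized user.
frRest:07/25/2016 03:15:00:034 PM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[ac69ead0-51d9-4e29-a1b7-04b90b08a694-570]
ERROR: RealmResource.readInstance() : Cannot READ subrealm:org.forgerock.json.resource.ForbiddenException: Access Denied
"""

HEADER_RE = re.compile(r"^frRest:(?P<ts>.+?): Thread\[(?P<thread>[^\]]+)\]: TransactionId\[(?P<txn>[^\]]+)\]$")
ATTEMPT_RE = re.compile(r"^(?P<realm>\S+) :: (?P<action>[A-Z]+) attempted by (?P<subject>id=.+)$")
DENIED_RE = re.compile(r"^ERROR: (?P<cls>\w+)\.\w+\(\) : Cannot (?P<action>[A-Z]+) (?P<realm>[^:]+):.*ForbiddenException")

@dataclass
class Denial:
    transaction_id: str
    subject: str          # DN of the caller that was refused
    action: str           # READ, UPDATE, ...
    realm: str
    resource_class: str   # class that raised the refusal, e.g. RealmResource

def parse_frrest(text: str) -> List[Tuple[str, str]]:
    """Attach each message line to the TransactionId of the header that precedes it."""
    events, txn = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            txn = m.group("txn")
        elif line.strip() and txn is not None:
            events.append((txn, line.strip()))
    return events

def find_denials(text: str) -> List[Denial]:
    """Correlate 'attempted by' and ForbiddenException messages that share a TransactionId."""
    attempts: Dict[str, str] = {}   # txn -> subject DN
    denials: List[Denial] = []
    for txn, msg in parse_frrest(text):
        a = ATTEMPT_RE.match(msg)
        if a:
            attempts[txn] = a.group("subject")
            continue
        d = DENIED_RE.match(msg)
        if d and txn in attempts:   # lines matching neither pattern, such as "ERROR: Unauthorized user.", fall through
            denials.append(Denial(txn, attempts[txn], d.group("action"), d.group("realm"), d.group("cls")))
    return denials
```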

      Expected

      A realm administrator (or a delegated administrator with full privileges) should be able to use the json/realms REST API.

      Investigation

      This looks similar to OPENAM-8884, but here the issue is in RealmResource, which calls hasPermission() and therefore requires super-admin privilege. It was mentioned that RealmResource is deprecated and that SmsRealmProvider is its replacement.

              People

              • Assignee: Sachiko Wallace
              • Reporter: C-Weng C