[OPENAM-6739] Creating UMA policy as amadmin doesn't show in user's resources Created: 01/Sep/15  Updated: 15/Dec/15

Status: Open
Project: OpenAM
Component/s: UMA
Affects Version/s: 13.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jamie Cavanaugh [X] (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Centos 7
Java 8
Tomcat



Description

We are looking at the possibility of creating slightly more complicated policies for UMA shares (for example, time bound shares). We were told to try creating a policy using the base policy API, rather than using the UMA API.

However, when we create a UMA policy as amadmin the user can't see the delegation in the UI.

Here is what we did:

1. Create a policy:


curl -X POST \
  -H "VAGRANT_SSO: AQIC5wM2LY4SfczTiAjzUCinJLvIO6P3hbaI-yLL0W713fs.*AAJTSQACMDIAAlNLABQtMjcyMDU2NDAyODE3OTkwNTIwNwACUzEAAjAx*" \
  -H "Content-Type: application/json" \
  -H "Cache-Control: no-cache" \
  -H "Postman-Token: 0d094d0a-d9e2-804d-6b07-0a4edef61489" \
  -d '{
      "name": "test",
      "active": true,
      "description": "",
      "applicationName": "testharness-oauth-agent",
      "actionValues": {
        "http://test-harness.delegations.org.nz/view": true
      },
      "resources": [
        "uma://15bf6280-e5a4-4272-a20d-e161bfc051313"
      ],
      "subject": {
        "type": "JwtClaim",
        "claimName": "sub",
        "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"
      },
      "resourceTypeUuid": "15bf6280-e5a4-4272-a20d-e161bfc051313"
  }' \
  'https://sso.vagrant.delegations.org.nz/sso/json/policies/?_action=create'

Then listing all the policies (as amadmin) I can see it:


curl ... https://sso.vagrant.delegations.org.nz/sso/json/policies?_queryId=all

    {
      "name": "Example - add62e65-f54c-43d9-b5af-234b7cb598ce - 99feb1c3-552a-472e-8d49-b96ee4bd95570--1592143489",
      "active": true,
      "description": "",
      "applicationName": "testharness-oauth-agent",
      "actionValues": {
        "http://test-harness.delegations.org.nz/view": true
      },
      "resources": [
        "uma://99feb1c3-552a-472e-8d49-b96ee4bd95570"
      ],
      "subject": {
        "type": "JwtClaim",
        "claimName": "sub",
        "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"
      },
      "resourceTypeUuid": "99feb1c3-552a-472e-8d49-b96ee4bd95570",
      "lastModifiedBy": "id=amadmin,ou=user,dc=opensso,dc=java,dc=net",
      "lastModifiedDate": "2015-08-27T23:02:24.206Z",
      "createdBy": "id=add62e65-f54c-43d9-b5af-234b7cb598ce,ou=user,dc=opensso,dc=java,dc=net",
      "creationDate": "2015-08-27T22:53:52.523Z"
    }

I can check that the policy is working (the subject has access to the UMA resource).

But if I log in as the resource owner, I can't see the delegation in the dashboard.

(Looking briefly through the code it appears the UMA dashboard endpoints rely on the createdBy attribute. As this policy has to be created by amadmin, the user cannot see it.)
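An added audit helper, not part of the ticket and not OpenAM code, that follows from the observation above: if the UMA dashboard only lists policies whose createdBy matches the resource owner, then a uma:// policy created by amadmin is an active grant the owner cannot see or revoke from the UI. The script walks a policy listing of the shape shown in the ticket (it assumes the query endpoint wraps the objects in a "result" array) and flags every UMA policy whose createdBy differs from the owner of the referenced resource set. The listing, the owner mapping and the third non-UMA policy are constructed sample data; in a real audit the owner mapping would come from the UMA resource set registrations.

```python
import json
from typing import Dict, List, Optional

# Constructed sample listing, shaped like the policy objects in the ticket and
# wrapped in a "result" array (an assumption about the query response). The
# third entry is a non-UMA policy added to show that it is skipped. None of
# this was fetched from a live OpenAM instance.
SAMPLE_LISTING = json.dumps({
    "result": [
        {
            "name": "test",
            "active": True,
            "applicationName": "testharness-oauth-agent",
            "actionValues": {"http://test-harness.delegations.org.nz/view": True},
            "resources": ["uma://15bf6280-e5a4-4272-a20d-e161bfc051313"],
            "subject": {"type": "JwtClaim", "claimName": "sub",
                        "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"},
            "createdBy": "id=amadmin,ou=user,dc=opensso,dc=java,dc=net",
        },
        {
            "name": "Example - add62e65-f54c-43d9-b5af-234b7cb598ce - 99feb1c3-552a-472e-8d49-b96ee4bd95570--1592143489",
            "active": True,
            "applicationName": "testharness-oauth-agent",
            "actionValues": {"http://test-harness.delegations.org.nz/view": True},
            "resources": ["uma://99feb1c3-552a-472e-8d49-b96ee4bd95570"],
            "subject": {"type": "JwtClaim", "claimName": "sub",
                        "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"},
            "createdBy": "id=add62e65-f54c-43d9-b5af-234b7cb598ce,ou=user,dc=opensso,dc=java,dc=net",
        },
        {
            # constructed non-UMA policy; never shown on the UMA dashboard anyway
            "name": "web-app-policy",
            "active": True,
            "applicationName": "iPlanetAMWebAgentService",
            "actionValues": {"GET": True},
            "resources": ["https://app.example.test/*"],
            "subject": {"type": "AuthenticatedUsers"},
            "createdBy": "id=amadmin,ou=user,dc=opensso,dc=java,dc=net",
        },
    ]
})

# Constructed mapping from UMA resource set id to the owner's DN. The owner of
# the first resource set is a made-up user; the second mirrors the createdBy
# value the ticket shows for a policy created through the UMA flow.
OWNER_BY_RESOURCE_SET: Dict[str, str] = {
    "15bf6280-e5a4-4272-a20d-e161bfc051313": "id=alice,ou=user,dc=opensso,dc=java,dc=net",
    "99feb1c3-552a-472e-8d49-b96ee4bd95570": "id=add62e65-f54c-43d9-b5af-234b7cb598ce,ou=user,dc=opensso,dc=java,dc=net",
}

UMA_PREFIX = "uma://"


def uma_resource_set_id(policy: dict) -> Optional[str]:
    """Return the resource set id of the first uma:// resource, or None for non-UMA policies."""
    for resource in policy.get("resources", []):
        if resource.startswith(UMA_PREFIX):
            return resource[len(UMA_PREFIX):]
    return None


def find_hidden_uma_policies(listing_json: str,
                             owner_by_resource_set: Dict[str, str]) -> List[dict]:
    """Flag UMA policies whose createdBy is not the owner of the resource set.

    Following the ticket's reading of the dashboard code, such a policy is an
    active grant the resource owner cannot see in the UI. A resource set with
    no known owner is flagged as well, since nobody would see it.
    """
    hidden = []
    for policy in json.loads(listing_json).get("result", []):
        rs_id = uma_resource_set_id(policy)
        if rs_id is None:
            continue  # not a UMA policy
        owner = owner_by_resource_set.get(rs_id)
        created_by = policy.get("createdBy")
        if owner is None or created_by != owner:
            hidden.append({
                "name": policy.get("name"),
                "resourceSet": rs_id,
                "createdBy": created_by,
                "owner": owner,
                "active": policy.get("active", False),
            })
    return hidden


if __name__ == "__main__":
    for entry in find_hidden_uma_policies(SAMPLE_LISTING, OWNER_BY_RESOURCE_SET):
        print(f"hidden from owner: {entry['name']} (resource set {entry['resourceSet']}, "
              f"createdBy {entry['createdBy']}, owner {entry['owner']})")
```

Run against the constructed listing it reports only the "test" policy from the ticket; the policy created through the UMA flow has createdBy equal to the owner and passes, and the non-UMA policy is skipped.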


Generated at Mon Oct 26 19:13:10 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.