Displaying #apache-syncope/2017-06-28.log:

Wed Jun 28 06:53:35 2017  ilgrosso:Joined the channel
Wed Jun 28 06:55:05 2017  fmartelli:Joined the channel
Wed Jun 28 06:57:59 2017  ilgrosso:Joined the channel
Wed Jun 28 06:59:27 2017  svizzero81:Joined the channel
Wed Jun 28 07:11:20 2017  andreapatricelli:Joined the channel
Wed Jun 28 07:17:15 2017  jbonofre:Joined the channel
Wed Jun 28 08:04:41 2017  fmartelli:Joined the channel
Wed Jun 28 08:27:23 2017  coheigea:Joined the channel
Wed Jun 28 08:31:14 2017  sberyozkin:Joined the channel
Wed Jun 28 10:31:04 2017  ilgrosso:syncope-bot: force build syncope-master-docs
Wed Jun 28 10:31:05 2017  syncope-bot:build forced [ETA 3m01s]
Wed Jun 28 10:31:05 2017  syncope-bot:I'll give a shout when the build finishes
Wed Jun 28 10:31:10 2017  ilgrosso:syncope-bot: force build syncope-2_0_X-docs
Wed Jun 28 10:31:10 2017  syncope-bot:build forced [ETA 2m51s]
Wed Jun 28 10:31:10 2017  syncope-bot:I'll give a shout when the build finishes
Wed Jun 28 10:34:48 2017  syncope-bot:Hey! build syncope-master-docs #407 is complete: Success [build successful]
Wed Jun 28 10:34:48 2017  syncope-bot:Build details are at https://ci.apache.org/builders/syncope-master-docs/builds/407
Wed Jun 28 10:34:49 2017  syncope-bot:Hey! build syncope-2_0_X-docs #117 is complete: Success [build successful]
Wed Jun 28 10:34:49 2017  syncope-bot:Build details are at https://ci.apache.org/builders/syncope-2_0_X-docs/builds/117
Wed Jun 28 11:38:49 2017  jbonofre:Joined the channel
Wed Jun 28 11:46:47 2017  coheigea:ilgrosso: Re anonymous authentication, is GET the only HTTP method supported for this?
Wed Jun 28 11:47:18 2017  ilgrosso:coheigea: I believe so (haven't checked in detail lately)
Wed Jun 28 11:47:33 2017  coheigea:OK let me experiment
Wed Jun 28 12:02:20 2017  coheigea:ilgrosso: In terms of the documentation update, we can't get access to the roles as an anonymous user, so that part could be removed "endpoints disclosing information about the given Syncope deployment (available schema, configured extensions, Groups, Roles, …​)"
Wed Jun 28 12:03:00 2017  ilgrosso:well, not completely
Wed Jun 28 12:03:05 2017  ilgrosso:only Roles should be removed
Wed Jun 28 12:03:15 2017  coheigea:Sorry that's what I meant
Wed Jun 28 12:03:55 2017  coheigea:Just wondering what the use-case is here really for anonymousUsers. Couldn't we just use instead a user with the correct entitlements to access the REST API for whatever thing we are interested in?
Wed Jun 28 12:06:26 2017  ilgrosso:think of self-registration
Wed Jun 28 12:06:48 2017  ilgrosso:no authentication by end-user, but still the need to enlist available groups
Wed Jun 28 12:07:07 2017  svizzero81:Joined the channel
Wed Jun 28 12:07:26 2017  ilgrosso:so the Enduser UI app will do anonymous auth on behalf of the self-registering user
Wed Jun 28 12:07:52 2017  coheigea:ah I see.
Wed Jun 28 12:07:57 2017  ilgrosso:but it has been like this for a long time, 1.1 at least
Wed Jun 28 12:10:07 2017  coheigea:Is this the only use-case or are there others?
Wed Jun 28 12:10:29 2017  ilgrosso:well, mostly (for groups and schema)
Wed Jun 28 12:10:45 2017  ilgrosso:other use case is for platform information: which implementations are available, current load etc
Wed Jun 28 12:10:59 2017  ilgrosso:such info is currently used by the Admin Console
Wed Jun 28 12:11:03 2017  ilgrosso:(dashboard)
Wed Jun 28 12:12:47 2017  coheigea:Just looking at an example...for resources we need the RESOURCE_READ permission to read a given resource, but the anonymous user can list the resources. Is this not a bit inconsistent?
Wed Jun 28 12:14:08 2017  ilgrosso:yeah, it is
Wed Jun 28 12:14:47 2017  ilgrosso:but again, it's there since 1.0 - https://github.com/apache/syncope/blob/1_0_X/core/src/main/java/org/apache/syncope/core/rest/controller/ResourceController.java#L155
Wed Jun 28 12:16:27 2017  ilgrosso:well, way before, it seems... https://github.com/apache/syncope/blob/0_7_X/core/src/main/java/org/syncope/core/rest/controller/ResourceController.java#L159
Wed Jun 28 12:16:29 2017  coheigea:What do you think about for 2.1.0 looking at minimising what the anonymousUser is allowed to do - e.g. only the essential things for the endUser + admin consoles?
Wed Jun 28 12:16:50 2017  ilgrosso:what would be the difference with current impl?
Wed Jun 28 12:17:08 2017  ilgrosso:I would have said that it is already like this
Wed Jun 28 12:17:43 2017  ilgrosso:I mean, what is something that currently the anonymousUser is allowed to do, and should not instead?
Wed Jun 28 12:18:05 2017  coheigea:Well for example, does the admin console need to be able to get the list of resources as the admin user? (If so, why does it not need to get the list of roles?)
Wed Jun 28 12:18:16 2017  coheigea:Sorry as the anonymous user
Wed Jun 28 12:19:02 2017  ilgrosso:the admin console does not get the list of resources as the anonymousUser
Wed Jun 28 12:19:12 2017  ilgrosso:it gets it as the currently logged user
Wed Jun 28 12:19:35 2017  coheigea:ok so that's an example of something we could change right?
Wed Jun 28 12:19:46 2017  ilgrosso:why?
Wed Jun 28 12:19:49 2017  ilgrosso:I don't get the point
Wed Jun 28 12:19:50 2017  ilgrosso:https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java#L235
Wed Jun 28 12:19:59 2017  ilgrosso:e.g. resource list simply requires an authenticated user
Wed Jun 28 12:20:08 2017  ilgrosso:e.g. anonymousUser or any other authentication
Wed Jun 28 12:20:15 2017  ilgrosso:what would you change?
Wed Jun 28 12:22:26 2017  coheigea:Well the question I have is more why do we want to support it at all when it's not required? Why not just require the user to have the entitlement to access it?
Wed Jun 28 12:23:12 2017  coheigea:My motivation is to reduce the potential attack surface if say the anonymousKey was compromised (e.g. not changed from the default)
Wed Jun 28 12:24:16 2017  ilgrosso:the reason why we need to allow the anonymousUser to get the list of resources is for self-registration
Wed Jun 28 12:24:23 2017  ilgrosso:so it is required
Wed Jun 28 12:24:38 2017  ilgrosso:I don't think there is any method, open to the anonymousUser, without a motivation
Wed Jun 28 12:25:08 2017  coheigea:ok well that answers my question then :-)
Wed Jun 28 12:25:57 2017  coheigea:Maybe we should add a log warning for the default anonymousKey value as well?
Wed Jun 28 12:25:59 2017  ilgrosso:but you're of course welcome to check if there is anything open that should not be like that (I don't believe so, as said, but if you are keen to double-check, why not?)
Wed Jun 28 12:26:40 2017  ilgrosso:about warning for default anonymousKey, it makes sense to me: maybe you can just add that to the existing (and resolved) issue
Wed Jun 28 12:27:39 2017  coheigea:yep will do
Wed Jun 28 12:28:06 2017  coheigea:I'll update the docs as well to remove the "Roles" part
Wed Jun 28 12:29:13 2017  ilgrosso:great, thx
Wed Jun 28 12:29:31 2017  ilgrosso:feel free to fix any grammar bug you might find ;-)
Wed Jun 28 12:50:21 2017  fmartelli:Joined the channel
Wed Jun 28 14:01:53 2017  syncope-bot:Joined the channel
Wed Jun 28 14:07:46 2017  syncope-bot:Joined the channel
Wed Jun 28 14:18:47 2017  syncope-bot:Joined the channel
Wed Jun 28 14:24:08 2017  syncope-bot:Joined the channel
Wed Jun 28 14:27:46 2017  ilgrosso:syncope-bot: force build syncope-master-docs
Wed Jun 28 14:27:53 2017  ilgrosso:syncope-bot: force build syncope-2_0_X-docs
Wed Jun 28 14:28:05 2017  syncope-bot:The build has been queued, I'll give a shout when it starts
Wed Jun 28 14:28:05 2017  syncope-bot:The build has been queued, I'll give a shout when it starts
Wed Jun 28 14:28:12 2017  syncope-bot:Joined the channel
Wed Jun 28 14:28:36 2017  syncope-bot:Joined the channel
Wed Jun 28 14:33:50 2017  ilgrosso:syncope-bot: force build syncope-2_0_X-docs
Wed Jun 28 14:33:51 2017  syncope-bot:build forced [ETA 3m47s]
Wed Jun 28 14:33:51 2017  syncope-bot:I'll give a shout when the build finishes
Wed Jun 28 14:33:55 2017  ilgrosso:syncope-bot: force build syncope-master-docs
Wed Jun 28 14:33:56 2017  syncope-bot:build forced [ETA 3m48s]
Wed Jun 28 14:33:56 2017  syncope-bot:I'll give a shout when the build finishes
Wed Jun 28 14:38:28 2017  syncope-bot:Hey! build syncope-2_0_X-docs #120 is complete: Success [build successful]
Wed Jun 28 14:38:28 2017  syncope-bot:Build details are at https://ci.apache.org/builders/syncope-2_0_X-docs/builds/120
Wed Jun 28 14:38:35 2017  syncope-bot:Hey! build syncope-master-docs #410 is complete: Success [build successful]
Wed Jun 28 14:38:35 2017  syncope-bot:Build details are at https://ci.apache.org/builders/syncope-master-docs/builds/410
Wed Jun 28 14:54:52 2017  jbonofre:Joined the channel
Wed Jun 28 14:59:05 2017  fmartelli:Joined the channel
Wed Jun 28 15:12:10 2017  fmartelli:Joined the channel
Wed Jun 28 15:41:44 2017  fmartelli:Joined the channel
Wed Jun 28 15:43:17 2017  syncope-bot:Joined the channel
Wed Jun 28 17:24:31 2017  coheigea:Left the channel
Wed Jun 28 19:02:12 2017  jbonofre:Joined the channel