Global authorization allows non-authenticated users on the process engine to read definitions

Hi,

I am using an identity plugin to add users dynamically to process engines in my system.

In my case I have two process engine instances: PE 1 and PE 2. When process engine PE 1 authorizes process definitions for all users in the process engine using:

// Global authorization: applies to every user ID ("*") on this engine
Authorization auth
            = processEngine.getAuthorizationService()
            .createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
auth.setResource(Resources.PROCESS_DEFINITION);
auth.setResourceId("*");
auth.addPermission(Permissions.ALL);
processEngine.getAuthorizationService().saveAuthorization(auth);

A user who is authenticated on process engine PE 2 but not on PE 1 is also authorized to access definitions from PE 1 in Optimize.
Is there a way to allow only users authenticated on the process engine to read the definitions on that process engine?

Hi @Abdelrahman_Ibrahim,

This is unusual; I replicated this scenario and could not reproduce this behaviour. Usually, Optimize differentiates between different engine data sources when checking user authorizations. Let's try to figure out why this is not happening correctly in your setup.

Can you confirm that the definition keys are unique, i.e. that the key of the definition the user is trying to access only exists on PE 1 and not on PE 2? Same question also for the user: let's confirm that this user definitely only exists on PE 2.

Also, can you give some more information about the setup itself: were both engines configured in Optimize from the first start? Or did Optimize start, import some data and then later on the second engine was added?

Hi @Helene ,

Thanks for replying.

Can you confirm that the definition keys are unique

Yes, I can confirm that they are different.

let's confirm that this user definitely only exists on PE 2

I debugged the identity plugin: the ReadOnlyIdentityProvider.checkPassword() method returns false for the user in PE 1, and the UserQueryImpl.executeList() method with the user ID returns an empty list for PE 1, while for PE 2 the ReadOnlyIdentityProvider.checkPassword() method returns true and UserQueryImpl.executeList() returns a list of length 1, as expected.

To double check, when querying the process engines’ API for user “userx”

For PE 1

{
    "authenticatedUser": "userx",
    "groups": null,
    "tenants": null,
    "authenticated": false
}

For PE 2

{
    "authenticatedUser": "userx",
    "groups": null,
    "tenants": null,
    "authenticated": true
}

The process engine endpoints return the following results when queried for the permissions for the user.
For PE 1

[
    {
        "id": "2301",
        "type": 0,
        "permissions": [
            "ALL"
        ],
        "userId": "*",
        "groupId": null,
        "resourceType": 6,
        "resourceId": "*",
        "removalTime": null,
        "rootProcessInstanceId": null
    },
    {
        "id": "2302",
        "type": 0,
        "permissions": [
            "ALL"
        ],
        "userId": "*",
        "groupId": null,
        "resourceType": 0,
        "resourceId": "optimize",
        "removalTime": null,
        "rootProcessInstanceId": null
    }
]

And for PE 2

[
    {
        "id": "2501",
        "type": 0,
        "permissions": [
            "ALL"
        ],
        "userId": "*",
        "groupId": null,
        "resourceType": 6,
        "resourceId": "*",
        "removalTime": null,
        "rootProcessInstanceId": null
    },
    {
        "id": "2502",
        "type": 0,
        "permissions": [
            "ALL"
        ],
        "userId": "*",
        "groupId": null,
        "resourceType": 0,
        "resourceId": "optimize",
        "removalTime": null,
        "rootProcessInstanceId": null
    }
]

were both engines configured in Optimize from the first start?

Yes, they were configured from the first start.

Hi @Abdelrahman_Ibrahim ,

So this looks like both PE 1 and PE 2 return a result which includes a global authorization for the definitions on each engine for this user (authorization with id 2301 for PE 1 and 2501 for PE 2). This is probably why the user can see definitions from both engines in Optimize.
Do both engines share the same Database or does each engine have its own Database?

Hi @Helene ,

They have different databases.

Hi again,

Hm that’s not it then. You wrote above that you are using an identity plugin, so it sounds like these users don’t exist on the engines but rather an external identity service.
What exactly is the identity service you’re using? And is the same service connected to both engines? If so then this could be the reason both engines return all permissions for this user. Also, could you tell me which endpoint you used above for querying the permissions of the user?

Hi @Helene ,

it sounds like these users don’t exist on the engines but rather an external identity service

Yes, that is correct.

What exactly is the identity service you’re using?

I implemented the ReadOnlyIdentityProvider interface using Java code that returns results based on users in my system.

And is the same service connected to both engines?

I pass different ReadOnlyIdentityProvider objects with different states for each engine. This is why userx is authenticated on PE 2 and not PE 1, as shown in the JSON responses of my reply.

This is using the following endpoints:

for authentication a POST request to

https://[processEngineRestUrl]/engine/[Process engine name]/identity/verify

with body

{
    "username": "userx",
    "password": "[userxpassword]"
}

for authorization

GET
https://[processEngineRestUrl]/engine/[Process engine name]/authorization?userIdIn=userx%2C%2A&firstResult=0
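
Added example, not part of the thread and not Camunda or Optimize code: it replays the identity/verify and authorization responses quoted above (embedded as constructed sample data) and shows that a global authorization (type 0, userId "*") is returned for any user ID, whether or not that engine authenticates the user. The function names and the "require authenticated" decision rule are assumptions made for illustration.

```python
import json

AUTH_TYPE_GLOBAL, AUTH_TYPE_GRANT = 0, 1  # Camunda Authorization.AUTH_TYPE_* values
PROCESS_DEFINITION = 6                    # resourceType of Resources.PROCESS_DEFINITION

def _sample_authz(first_id):
    """Constructed copy of the authorization lists quoted in the thread."""
    rows = [(first_id, 6, "*"), (first_id + 1, 0, "optimize")]
    return json.dumps([{"id": str(i), "type": 0, "permissions": ["ALL"], "userId": "*",
                        "groupId": None, "resourceType": rt, "resourceId": rid}
                       for i, rt, rid in rows])

# Constructed sample: (identity/verify response, authorization query response) per engine.
SAMPLES = {
    "PE 1": ('{"authenticatedUser": "userx", "authenticated": false}', _sample_authz(2301)),
    "PE 2": ('{"authenticatedUser": "userx", "authenticated": true}', _sample_authz(2501)),
}

def definition_grants(authz_json, user_id, groups=()):
    """Entries that let user_id read process definitions (REVOKE entries are not modelled)."""
    hits = []
    for a in json.loads(authz_json):
        if a["resourceType"] != PROCESS_DEFINITION or not {"ALL", "READ"} & set(a["permissions"]):
            continue
        if a["type"] == AUTH_TYPE_GLOBAL and a["userId"] == "*":
            hits.append((a["id"], "global"))  # matches any user ID, known to the engine or not
        elif a["type"] == AUTH_TYPE_GRANT and (a["userId"] == user_id or a["groupId"] in groups):
            hits.append((a["id"], "grant"))
    return hits

def audit(samples, user_id):
    """Per engine: authentication result, granting entries, and the mismatch flag."""
    report = {}
    for engine, (verify_json, authz_json) in samples.items():
        authenticated = json.loads(verify_json)["authenticated"]
        grants = definition_grants(authz_json, user_id)
        report[engine] = {
            "authenticated": authenticated,
            "grants": grants,
            # True when access rests only on wildcard entries for a user the engine rejects.
            "global_only_unauthenticated": not authenticated and bool(grants)
                                           and all(kind == "global" for _, kind in grants),
        }
    return report

def visible_engines(report, require_authenticated):
    """Engines whose definitions the user would see under each decision rule."""
    return [e for e, r in report.items()
            if r["grants"] and (r["authenticated"] or not require_authenticated)]
```

With the sample data, `visible_engines(audit(SAMPLES, "userx"), False)` lists both engines, while passing `True` leaves only PE 2; the `global_only_unauthenticated` flag marks PE 1 as the engine to review.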