Commit
Add PoC of "run as task template owner" feature
When a task template is instantiated, the identity of the currently logged-in user is used as the task owner for the newly created task. This is clearly the safest approach. However, there can be situations where this restriction is too strong. One of those is described in MID-6913. Unfortunately, lifting this restriction in a secure way is not a simple thing, as it requires deep consideration of the effects on the midPoint security model.

This commit provides a proof of concept for the idea of running tasks created from templates under the identity of the task template owner. To enable this feature, the following must be done:

1) The feature must be enabled in the system configuration by setting internals/enableRunAsTaskTemplateOwnerAuthorization to true.
2) Any user that needs to run tasks under template owners must have the #runAsTaskTemplateOwner authorization granted.
3) Any task template that allows running under its owner must have the mext:useTaskTemplateOwner extension property set to true.

After these conditions are met, the newly instantiated task is created with the ownerRef pointing to the template owner. The original user identity is preserved in the mext:taskTemplateExecutionInitiatorRef extension item. It is the responsibility of the deployer to set up e.g. custom auditing properties to properly audit this information.

Final note: All of the code is EXPERIMENTAL and, at the same time, deprecated since its inception. Do not consider any of the code as something more than a PoC that will disappear sooner or later from midPoint. I assume it will be replaced by a serious approach in the future.

Unrelated change:
- The custom code execution in the execute-script action as well as in the notify action with a custom notifier required the #all authorization. This was changed to #executeCustomCode. Actually this is not needed for the new feature; it is used for testing it. But it looks like a good idea.
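The three enabling conditions from the commit message, collected into one worked configuration. This is an added example, not code from the commit or from the midPoint project's own files: the element and property names (internals/enableRunAsTaskTemplateOwnerAuthorization, #runAsTaskTemplateOwner, mext:useTaskTemplateOwner, mext:taskTemplateExecutionInitiatorRef) are taken from the message above, while the namespace URIs, object names, OIDs and the shape of the resulting task are assumptions made here for illustration. The four fragments are four separate midPoint objects, shown together for readability.

```xml
<!-- (1) System configuration: the global switch for the PoC.
     Element names follow the commit message; the common-3 namespace is assumed. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>SystemConfiguration</name>
    <internals>
        <enableRunAsTaskTemplateOwnerAuthorization>true</enableRunAsTaskTemplateOwnerAuthorization>
    </internals>
</systemConfiguration>

<!-- (2) Role granting #runAsTaskTemplateOwner to the users who instantiate templates.
     Role name and OID are constructed; the authorization-model-3 action prefix is assumed. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="11111111-1111-1111-1111-111111111111">
    <name>Task Template Instantiator</name>
    <authorization>
        <name>run-as-task-template-owner</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runAsTaskTemplateOwner</action>
    </authorization>
</role>

<!-- (3) Task template that opts in. Without mext:useTaskTemplateOwner=true the instantiated
     task still runs as the logged-in user, even if (1) and (2) are satisfied.
     Owner OID, task name and the mext namespace URI are assumptions. -->
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
      oid="22222222-2222-2222-2222-222222222222">
    <name>Nightly recompute (template)</name>
    <ownerRef oid="33333333-3333-3333-3333-333333333333" type="UserType"/>   <!-- template owner -->
    <extension>
        <mext:useTaskTemplateOwner>true</mext:useTaskTemplateOwner>
    </extension>
</task>

<!-- Result (constructed): a task instantiated from the template above by user
     44444444-... . ownerRef now points to the template owner; the initiator is
     only recorded in the extension item, so audit/alerting must read it from there. -->
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
      oid="55555555-5555-5555-5555-555555555555">
    <name>Nightly recompute</name>
    <ownerRef oid="33333333-3333-3333-3333-333333333333" type="UserType"/>   <!-- template owner -->
    <extension>
        <mext:useTaskTemplateOwner>true</mext:useTaskTemplateOwner>
        <mext:taskTemplateExecutionInitiatorRef oid="44444444-4444-4444-4444-444444444444" type="UserType"/>
    </extension>
</task>
```

All three conditions are conjunctive, so a deployer reviewing such a setup should verify each one: who holds the role from (2), which templates carry the extension from (3), and whether audit records of tasks created this way include the mext:taskTemplateExecutionInitiatorRef value rather than only the (now elevated) ownerRef.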
Showing 13 changed files with 250 additions and 15 deletions.