-
Notifications
You must be signed in to change notification settings - Fork 188
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
139 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
= Privilege Elevation (runAsRef, runPrivileged) | ||
:page-since: 4.8 | ||
:page-toc: top | ||
|
||
== Introduction | ||
Sometimes we need a given expression (e.g., in mappings) to run under elevated privileges and/or a specific principal. | ||
|
||
== Implementation | ||
|
||
.Listing 1: Example use | ||
[source,xml] | ||
---- | ||
<expression> | ||
<privileges> | ||
<runAsRef oid="..." type="UserType"/> <!--1--> | ||
<runPrivileged>true</runPrivileged> <!--2--> | ||
</privileges> | ||
<script> | ||
<code> | ||
// here we could execute actions that require elevated privileges | ||
... midpoint.getObject(...) ... | ||
... midpoint.searchObjects(...) ... | ||
</code> | ||
</script> | ||
</expression> | ||
---- | ||
<1> Switches the identity of the principal | ||
<2> Keeps the identity, elevates only the privileges | ||
|
||
The `<runAsRef>` directive has been present since 3.6. | ||
It works well but takes some time as it requires the login of the specified principal. | ||
The new `<runPrivileged>` property is much faster: it simply adds `#all` authorization to the current principal. | ||
|
||
Usually, either one of these should be used. | ||
However, it is possible to use both: first, a specified principal is logged in, and then their privileges are elevated. | ||
|
||
== Auditing | ||
|
||
The audit event record was enhanced by the following information: | ||
|
||
.New items in the audit event record | ||
[%autowidth] | ||
|=== | ||
| Item | Meaning | ||
|
||
| `effectivePrincipalRef` | ||
| The effective principal that was used to execute the action. | ||
This is the subject whose authorizations were evaluated to determine whether the action is allowed or not. | ||
Usually, it is the same as the initiator. | ||
But, e.g., when `runAsRef` is used, the effective principal is the one specified by that directive. | ||
| `effectivePrivilegesModification` | ||
| Present if the effective privileges used to execute the operation differ or may differ from the regular (declared) privileges of the "effectivePrincipalRef". | ||
This is usually the case, e.g., when "runPrivileged" mechanism is used for expression evaluation. | ||
|=== | ||
|
||
.Values for `effectivePrivilegesModification` property | ||
[%autowidth] | ||
|=== | ||
| Value | Meaning | ||
|
||
| `elevation` | ||
| Privileges were elevated to some degree. | ||
It may or may not be the maximum degree (full authorization). | ||
Only if we are really sure, the "fullElevation" value is set. | ||
|
||
| `fullElevation` | ||
| Privileges were elevated to the maximum degree, i.e. to full authorization. | ||
|
||
| `reduction` | ||
| Privileges were reduced to some degree. | ||
|
||
| `other` | ||
| Privileges were changed in a different way (maybe some reduced, others elevated). | ||
|=== | ||
|
||
== See Also | ||
|
||
- xref:/midpoint/reference/expressions/expressions/index.adoc#_privilege_elevation[] | ||
- commits https://github.com/Evolveum/midpoint/commit/aab21f14d2da4798d21ec5af5f82e992aaafac2f[aab21f], https://github.com/Evolveum/midpoint/commit/ce357da80a1765eb64b23479470045dad53d0bef[ce357d], and https://github.com/Evolveum/midpoint/commit/a512e69f48467c389766c0f30ec06e790b787cbc[a512e6] |