Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissions lost when doing something transactional in the afterCommit handler of a Job #6124

Closed
fdlk opened this issue Apr 26, 2017 · 2 comments
Closed

Permissions lost when doing something transactional in the afterCommit handler of a Job #6124

fdlk opened this issue Apr 26, 2017 · 2 comments
Labels
bug mod:core
Milestone
Sprint 102 Platform

Comments

@fdlk
Copy link
Contributor

fdlk commented Apr 26, 2017
edited

How to Reproduce

This only happens in a weird constellation of circumstances. Unfortunately it happens when we run the mapping service as a job.
Check out the code for #6123, create a mapping project, with target TypeTestRef, sources TypeTestRef and ScriptType. Fill in the missing values and start a mapping job mapping the data to a non-existing entity.

Expected behavior

It works.

Observed behavior

The mapping job fails, stating that you have no read permissions on EntityType.

15:33:15.840 - Mapping source TypeTestRef
15:33:15.884 - Mapping source Script type
15:33:16.082 - Failed. No [READ] permission on entity type [Entity type] with id [sys_md_EntityType]
@fdlk
Copy link
Contributor Author

fdlk commented Apr 26, 2017
edited

@tommydeboer and I ran into this working on the mapping service jobs. We're not yet completely sure what exactly is wrong but here's the best we got so far.

When you run the mapping service, the job runs in a transaction with a manually created TransactionTemplate that references the MolgenisPlatformManager.

  1. The entities get mapped correctly. Yay!
  2. The transaction is committed.
  3. afterCommitTransaction is called on the L2Cache
  4. L2Cache calls TransactionInformation.getDirtyEntities() which is implemented in IndexActionRegisterServiceImpl.
  5. IndexActionRegisterService has the list of dirty entities. It has to return a Set<EntityKey> as a result and so calls createEntityKey for each of the mapped rows.
  6. EntityKeys needs to contain ID values in their proper data type. But the stored values are IndexActions and contain a String. So IndexActionRegisterService needs to figure out the type of the ID attribute of the entity and asks the dataService for the EntityType by ID.
  7. This is a request on the EntityType repository and the TransactionDecorator starts a new readonly transaction with it's own TransactionTemplate.
  8. Somehow suddenly the security context is completely empty, with a null authorization.
  9. The security decorator does its job and throws an exception.

@fdlk fdlk mentioned this issue Apr 26, 2017
Merged
19 tasks
@fdlk fdlk changed the title Permissions lost when doing something transactional in a commit handler Permissions lost when doing something transactional in the afterCommit handler Apr 26, 2017
@fdlk
Copy link
Contributor Author

fdlk commented Apr 26, 2017 

15:33:16.079 [molgenis-job-1] ERROR org.molgenis.data.jobs.Job - Error logging job success
org.molgenis.data.MolgenisDataAccessException: No [READ] permission on entity type [Entity type] with id [sys_md_EntityType]
	at org.molgenis.util.SecurityDecoratorUtils.validatePermission(SecurityDecoratorUtils.java:20) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.RepositorySecurityDecorator.findOneById(RepositorySecurityDecorator.java:95) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.transaction.TransactionalRepositoryDecorator.lambda$findOneById$7(TransactionalRepositoryDecorator.java:94) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.transaction.TransactionalRepositoryDecorator.findOneById(TransactionalRepositoryDecorator.java:94) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.AbstractRepositoryDecorator.findOneById(AbstractRepositoryDecorator.java:101) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl.findOneById(DataServiceImpl.java:237) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl$$FastClassBySpringCGLIB$$2e5f77dc.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.support.DataServiceImpl$$EnhancerBySpringCGLIB$$583c55b8.findOneById(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.meta.MetaDataServiceImpl.getEntityType(MetaDataServiceImpl.java:400) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.meta.MetaDataServiceImpl$$FastClassBySpringCGLIB$$7c65c46d.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.meta.MetaDataServiceImpl$$EnhancerBySpringCGLIB$$7db71e0b.getEntityType(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl.getEntityType(DataServiceImpl.java:38) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl$$FastClassBySpringCGLIB$$2e5f77dc.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.support.DataServiceImpl$$EnhancerBySpringCGLIB$$583c55b8.getEntityType(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl.createEntityKey(IndexActionRegisterServiceImpl.java:249) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_112]
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[na:1.8.0_112]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[na:1.8.0_112]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_112]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[na:1.8.0_112]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl.getDirtyEntities(IndexActionRegisterServiceImpl.java:223) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl$$FastClassBySpringCGLIB$$501b3016.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:721) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.security.core.runas.RunAsSystemProxy.invoke(RunAsSystemProxy.java:36) ~[molgenis-security-core-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:656) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl$$EnhancerBySpringCGLIB$$65bf72a6.getDirtyEntities(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.cache.l2.L2Cache.afterCommitTransaction(L2Cache.java:68) ~[molgenis-data-cache-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.transaction.MolgenisTransactionManager.lambda$doCommit$2(MolgenisTransactionManager.java:119) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at java.util.ArrayList.forEach(ArrayList.java:1249) ~[na:1.8.0_112]
	at org.molgenis.data.transaction.MolgenisTransactionManager.doCommit(MolgenisTransactionManager.java:119) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:761) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:730) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:150) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.jobs.Job.call(Job.java:40) ~[molgenis-jobs-4.1.0-SNAPSHOT.jar:na]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]
15:33:16.082 [molgenis-job-1] ERROR o.m.data.jobs.model.JobExecution - Failed. No [READ] permission on entity type [Entity type] with id [sys_md_EntityType]
org.molgenis.data.MolgenisDataAccessException: No [READ] permission on entity type [Entity type] with id [sys_md_EntityType]
	at org.molgenis.util.SecurityDecoratorUtils.validatePermission(SecurityDecoratorUtils.java:20) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.RepositorySecurityDecorator.findOneById(RepositorySecurityDecorator.java:95) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.transaction.TransactionalRepositoryDecorator.lambda$findOneById$7(TransactionalRepositoryDecorator.java:94) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.transaction.TransactionalRepositoryDecorator.findOneById(TransactionalRepositoryDecorator.java:94) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.AbstractRepositoryDecorator.findOneById(AbstractRepositoryDecorator.java:101) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl.findOneById(DataServiceImpl.java:237) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl$$FastClassBySpringCGLIB$$2e5f77dc.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.support.DataServiceImpl$$EnhancerBySpringCGLIB$$583c55b8.findOneById(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.meta.MetaDataServiceImpl.getEntityType(MetaDataServiceImpl.java:400) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.meta.MetaDataServiceImpl$$FastClassBySpringCGLIB$$7c65c46d.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.meta.MetaDataServiceImpl$$EnhancerBySpringCGLIB$$7db71e0b.getEntityType(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl.getEntityType(DataServiceImpl.java:38) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.support.DataServiceImpl$$FastClassBySpringCGLIB$$2e5f77dc.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:652) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.support.DataServiceImpl$$EnhancerBySpringCGLIB$$583c55b8.getEntityType(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl.createEntityKey(IndexActionRegisterServiceImpl.java:249) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_112]
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[na:1.8.0_112]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[na:1.8.0_112]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_112]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_112]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[na:1.8.0_112]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl.getDirtyEntities(IndexActionRegisterServiceImpl.java:223) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl$$FastClassBySpringCGLIB$$501b3016.invoke(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:721) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.security.core.runas.RunAsSystemProxy.invoke(RunAsSystemProxy.java:36) ~[molgenis-security-core-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:656) ~[spring-aop-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.index.IndexActionRegisterServiceImpl$$EnhancerBySpringCGLIB$$65bf72a6.getDirtyEntities(<generated>) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.cache.l2.L2Cache.afterCommitTransaction(L2Cache.java:68) ~[molgenis-data-cache-4.1.0-SNAPSHOT.jar:na]
	at org.molgenis.data.transaction.MolgenisTransactionManager.lambda$doCommit$2(MolgenisTransactionManager.java:119) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at java.util.ArrayList.forEach(ArrayList.java:1249) ~[na:1.8.0_112]
	at org.molgenis.data.transaction.MolgenisTransactionManager.doCommit(MolgenisTransactionManager.java:119) ~[molgenis-data-4.1.0-SNAPSHOT.jar:na]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:761) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:730) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:150) ~[spring-tx-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.molgenis.data.jobs.Job.call(Job.java:40) ~[molgenis-jobs-4.1.0-SNAPSHOT.jar:na]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]

@fdlk fdlk added 4.0 4.1.0 and removed 4.0 labels Apr 26, 2017
@fdlk fdlk changed the title Permissions lost when doing something transactional in the afterCommit handler Permissions lost when doing something transactional in the afterCommit handler of a Job Apr 26, 2017
tommydeboer added a commit that referenced this issue May 2, 2017
@tommydeboer
Merge pull request #6127 from fdlk/fix/6124
2f8dfb1 
Fix #6124 Permissions lost when doing something transactional in the …
@tommydeboer tommydeboer added this to the Sprint 102 Platform milestone May 9, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug mod:core
Projects
None yet
Milestone
Sprint 102 Platform
Development

No branches or pull requests
2 participants
@fdlk @tommydeboer