Steps to reproduce:
- configure a process engine to use the LDAP plugin
- configure an administratorGroupName
- log in to Cockpit (the user must be a member of the admin group provided by administratorGroupName)
- try to trigger history cleanup
Observed Behavior:
The following exception is thrown:
INFO | jvm 1 | 2018/04/12 08:32:53 | 12-Apr-2018 08:32:53.275 SEVERE [ajp-nio-9009-exec-3] org.camunda.commons.logging.BaseLogger.logError ENGINE-16004 Exception while closing command context: ENGINE-03029 Required authenticated group 'camunda-admin'.
INFO | jvm 1 | 2018/04/12 08:32:53 | org.camunda.bpm.engine.AuthorizationException: ENGINE-03029 Required authenticated group 'camunda-admin'.
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.db.EnginePersistenceLogger.requiredCamundaAdminException(EnginePersistenceLogger.java:312)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkCamundaAdmin(AuthorizationManager.java:483)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.cmd.HistoryCleanupCmd.execute(HistoryCleanupCmd.java:47)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.cmd.HistoryCleanupCmd.execute(HistoryCleanupCmd.java:33)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.JtaTransactionInterceptor.execute(JtaTransactionInterceptor.java:58)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.HistoryServiceImpl.cleanUpHistoryAsync(HistoryServiceImpl.java:148)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.rest.impl.history.HistoryCleanupRestServiceImpl.cleanupAsync(HistoryCleanupRestServiceImpl.java:31)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.lang.reflect.Method.invoke(Method.java:498)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
INFO | jvm 1 | 2018/04/12 08:32:53 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.lang.Thread.run(Thread.java:745)
INFO | jvm 1 | 2018/04/12 08:32:53 |
INFO | jvm 1 | 2018/04/12 08:32:53 | Apr 12, 2018 8:32:53 AM org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler toResponse
INFO | jvm 1 | 2018/04/12 08:32:53 | WARNING: org.camunda.bpm.engine.AuthorizationException: ENGINE-03029 Required authenticated group 'camunda-admin'.
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.db.EnginePersistenceLogger.requiredCamundaAdminException(EnginePersistenceLogger.java:312)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkCamundaAdmin(AuthorizationManager.java:483)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.cmd.HistoryCleanupCmd.execute(HistoryCleanupCmd.java:47)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.cmd.HistoryCleanupCmd.execute(HistoryCleanupCmd.java:33)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.JtaTransactionInterceptor.execute(JtaTransactionInterceptor.java:58)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.impl.HistoryServiceImpl.cleanUpHistoryAsync(HistoryServiceImpl.java:148)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.rest.impl.history.HistoryCleanupRestServiceImpl.cleanupAsync(HistoryCleanupRestServiceImpl.java:31)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
INFO | jvm 1 | 2018/04/12 08:32:53 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.lang.reflect.Method.invoke(Method.java:498)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
INFO | jvm 1 | 2018/04/12 08:32:53 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
INFO | jvm 1 | 2018/04/12 08:32:53 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
INFO | jvm 1 | 2018/04/12 08:32:53 | at java.lang.Thread.run(Thread.java:745)
Expected Behavior:
- The exception is not thrown
- As a member of an admin group, the user should be able to trigger the history cleanup manually
Hint:
- In AuthorizationManager#isCamundaAdmin() (see [2]), it is only checked whether the authenticated user is a member of the group "camunda-admin".
- An additional check should be done that takes any other admin group into account (it should remain backward compatible).
[1]: https://docs.camunda.org/manual/7.8/user-guide/process-engine/authorization-service/#the-administrator-authorization-plugin
[2]: https://github.com/camunda/camunda-bpm-platform/blob/a7ab0b71e5039fc69baef5b946ec12ff5483781e/engine/src/main/java/org/camunda/bpm/engine/impl/persistence/entity/AuthorizationManager.java#L493-L500
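The check described in the hint, as an added stand-alone Java model (not Camunda's code and not part of the original report): it compares the hard-coded "camunda-admin" test with one that also accepts configured admin groups. The class and method names and the group `ldap-bpm-admins` are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Stand-alone model of the admin check; names are hypothetical, not Camunda's API.
public class AdminGroupCheck {
    static final String CAMUNDA_ADMIN = "camunda-admin";

    // Behaviour described in the hint: only the built-in group counts.
    static boolean isAdminHardcoded(List<String> groupIds) {
        return groupIds != null && groupIds.contains(CAMUNDA_ADMIN);
    }

    // Suggested behaviour: the built-in group still counts (backward compatible),
    // and so does any group configured as an administrator group.
    static boolean isAdminConfigurable(List<String> groupIds, Set<String> configuredAdminGroups) {
        if (groupIds == null) {
            return false; // no group information: fail closed
        }
        if (groupIds.contains(CAMUNDA_ADMIN)) {
            return true;
        }
        for (String groupId : groupIds) {
            // Exact match only, so a similarly named group is not treated as admin.
            if (configuredAdminGroups.contains(groupId)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: "ldap-bpm-admins" stands in for the
        // administratorGroupName value from the reproduction steps.
        Set<String> configured = new HashSet<>(Collections.singletonList("ldap-bpm-admins"));
        List<String> ldapAdmin = Arrays.asList("ldap-bpm-admins", "staff");
        List<String> builtInAdmin = Collections.singletonList(CAMUNDA_ADMIN);
        List<String> regularUser = Collections.singletonList("staff");

        System.out.println("hard-coded,   LDAP admin:     " + isAdminHardcoded(ldapAdmin));
        System.out.println("configurable, LDAP admin:     " + isAdminConfigurable(ldapAdmin, configured));
        System.out.println("configurable, built-in admin: " + isAdminConfigurable(builtInAdmin, configured));
        System.out.println("configurable, regular user:   " + isAdminConfigurable(regularUser, configured));
        System.out.println("configurable, no groups:      " + isAdminConfigurable(null, configured));
    }
}
```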