Bug #6183

CNodeService API calls don't honor authoritative MN certificates

Added by Chris Jones about 7 years ago. Updated almost 7 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


In working with Mark Reyes on calling CN.archive() and CN.setObsoletedBy() calls for the Merritt repository, he reported a NotAuthorized exception on updating system metadata fields for objects that are managed by Merritt. Using the CN certificate, I have successfully called these and other CN API calls to manipulate system metadata. Since this is more of an integration test, we don't have a unit test to ensure that MN certs are able to modify content on their system by calling the CN API.

In CNodeService, we use D1NodeService.isAdminAuthorized() to check for administrative authorization in calls like CNodeService.archive(). Within that call, we also check for MN-level node administrative authorization using isNodeAdmin(). However, isNodeAdmin() only checks to see if the cert subject is the subject of the local Member Node. It doesn't check to see if the cert subject matches the cert subject of the authoritativeMemberNode listed in the object's system metadata.

We need to add another method, something like D1NodeService.isAuthoritativeNodeAdmin(), and in calls to the CN API, check the cert subject by getting the Node entry from the NodeList in the given environment that corresponds to the authoritativeMemberNode listed in SystemMetadata, and comparing the Node Subject to the cert Subject.

This is a pretty critical bug fix since all CN calls using an MN Subject are likely going to fail. The Merritt ORE fixes are blocked by this issue.

Related issues

Related to Metacat - Bug #6315: Needs to work for DATA objects as wellClosed12/18/2013

Blocks Metacat - Story #6296: authMN SM.accessPolicy out of synch with CN and replicaMNClosed12/12/2013


#1 Updated by Jing Tao about 7 years ago

This method will be applied to both the CN and MN methods.

#2 Updated by Jing Tao about 7 years ago

  • Status changed from New to Resolved

Implemented the D1NodeService.isAuthoritativeNodeAdmin() method and put them into the appropriate place. The both MN and CN APIs are applied this method. I installed the fixed code on the mn-demo-9 and test the archived method. It worked.

Rober installed the fixed code on the cns in dev env. I tested the archive and setObsoletedBy method through curl. It worked well.

Also available in: Atom PDF