Bug #6183


CNodeService API calls don't honor authoritative MN certificates

Added by Chris Jones almost 10 years ago. Updated almost 10 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


In working with Mark Reyes on calling CN.archive() and CN.setObsoletedBy() calls for the Merritt repository, he reported a NotAuthorized exception on updating system metadata fields for objects that are managed by Merritt. Using the CN certificate, I have successfully called these and other CN API calls to manipulate system metadata. Since this is more of an integration test, we don't have a unit test to ensure that MN certs are able to modify content on their system by calling the CN API.

In CNodeService, we use D1NodeService.isAdminAuthorized() to check for administrative authorization in calls like CNodeService.archive(). Within that call, we also check for MN-level node administrative authorization using isNodeAdmin(). However, isNodeAdmin() only checks to see if the cert subject is the subject of the local Member Node. It doesn't check to see if the cert subject matches the cert subject of the authoritativeMemberNode listed in the object's system metadata.

We need to add another method, something like D1NodeService.isAuthoritativeNodeAdmin(), and in calls to the CN API, check the cert subject by getting the Node entry from the NodeList in the given environment that corresponds to the authoritativeMemberNode listed in SystemMetadata, and comparing the Node Subject to the cert Subject.

This is a pretty critical bug fix since all CN calls using an MN Subject are likely going to fail. The Merritt ORE fixes are blocked by this issue.

Related issues

Related to Metacat - Bug #6315: Needs to work for DATA objects as wellClosedChris Jones12/18/2013

Blocks Metacat - Story #6296: authMN SM.accessPolicy out of synch with CN and replicaMNClosedPeter Slaughter12/12/2013

Actions #1

Updated by Jing Tao almost 10 years ago

This method will be applied to both the CN and MN methods.

Actions #2

Updated by Jing Tao almost 10 years ago

  • Status changed from New to Resolved

Implemented the D1NodeService.isAuthoritativeNodeAdmin() method and put them into the appropriate place. The both MN and CN APIs are applied this method. I installed the fixed code on the mn-demo-9 and test the archived method. It worked.

Rober installed the fixed code on the cns in dev env. I tested the archive and setObsoletedBy method through curl. It worked well.


Also available in: Atom PDF