On 17/01/2020 23:32, ilies bogdan via Lists.Automotivelinux.Org wrote:
Hi Janaki,
While I was doing some experiments in order to better understand how the framework works I have found the following:By default there is no authentication enabled in agl-service-helloworld, see: https://gerrit.automotivelinux.org/gerrit/gitweb?p=apps%2Fagl-service-helloworld.git;hb=refs%2Fchanges%2F97%2F22597%2F1;f=helloworld-subscribe-event%2Fhelloworld-event-service-binding.c lines 93-103
Hi Janaki, Hi Bogdan,
Yes it seems that line 98 is commented and active by line 95 that
removes the check of client's permission.
On the other hand it also depends on how you configure the client and I noticed the following (check: iotbzh/helloworld-native-application
(snip)
1. If you declare a dependency to a service, but the service is not present then the framework will not be able to start the client. If you don't declare the dependency and the service does not exist then you will see and error at runtime when you make the request.This is how you required a service in client config:
<feature name="urn:AGL:widget:required-api"> <param name="helloworld" value="ws" /></feature>
2. If the service exists and requires authentication for e.g urn:AGL:permission:monitor:public:set and urn:AGL:permission:monitor:public:get, but the client does not require it then at runtime you will get a response with "insufficient rights"This is how you require a permission in client:
<feature name="urn:AGL:widget:required-permission">
<param name="urn:AGL:permission:monitor:public:get" value="required" /></feature>
In this example by client I am referring to helloworld-native-application and by service to agl-service-helloworld.I did not make any manual changes to cynara so I cannot give you to many information on that but I hope that my findings will help you.
I agree on the 2 points.
(snip)
2. Now I am trying to alter the cynara database permissions purposefully to see if the security authentication be refused. But I do not see any difference.
Cyanara DB - / Removed User::App::helloworld-native-application;*:urn:AGL:permission:monitor:public:get;0xFFFF; from var/cynara/db/_MANIFEST file.
The file /var/cynara/db/_MANIFEST must never be edited. It breaks the
checksums. You should use cyad command tool. This tool is hard to use.
Fortunately, since November, cynara is replaced by cynagora on master
branch and cyad is replaced by the tool cynagora-admin that is simpler
to use.
Best regards
José
I am assuming I should expect the log file file will be like below. But I do not see any change.
qemux86-64:/tmp# tail -f helloworld.log
{
"jtype":"afb-reply",
"request":{
"status":"denied",
"info":"authorisation refused",
"uuid":"01c4dbf1-021e-4a90- 9190-99b0be8e20d2"
}
}{
"jtype":"afb-reply",
"request":{
"status":"denied",
"info":"authorisation refused"
}
Please help me understand. Thanks in advance.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#8015): https://lists.automotivelinux.org/g/agl-dev-community/message/8015
Mute This Topic: https://lists.automotivelinux.org/mt/69755751/2167316
Group Owner: agl-dev-community+owner@xxxxxxxxxxxxxxxxxxxxxxxxx
Unsubscribe: https://lists.automotivelinux.org/g/agl-dev-community/leave/4543822/883735764/xyzzy [list-automotive-discussions82@xxxxxxxxxxx]
-=-=-=-=-=-=-=-=-=-=-=-