ACL allowing admin is not being searched

Time: 2014-12-17 21:29:30

Tags: acl loopbackjs strongloop

I'm trying to adapt what I learned from the access control example into a very simple API that now has an admin user account which can log in and create a "publication". I am able to log the user in and get an access token, but when I try to POST to my publication endpoint I keep getting a 401 Unauthorized error. I've been stuck on this all day. I've searched and haven't found anything about this problem. Help would be appreciated.

Here is the output when I run DEBUG=loopback:security:* slc run

lopback:security:role isInRole(): admin +10s
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName publication +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property create +0ms
loopback:security:access-context method create +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb" +0ms
loopback:security:access-context   ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role isInRole(): $everyone +1ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName publication +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property create +0ms
loopback:security:access-context method create +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb" +1ms
loopback:security:access-context   ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $everyone +0ms
loopback:security:role Role found: {"id":1,"name":"admin","created":"2014-12-17T21:02:30.442Z","modified":"2014-12-17T21:02:30.442Z"} +0ms
loopback:security:role Role mapping found: null +2ms
loopback:security:role isInRole() returns: false +0ms
loopback:security:acl The following ACLs were searched:  +0ms
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model publication +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +1ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +0ms
loopback:security:access-context ---AccessRequest--- +0ms
loopback:security:access-context  model publication +0ms
loopback:security:access-context  property create +1ms
loopback:security:access-context  accessType WRITE +0ms
loopback:security:access-context  permission DENY +0ms
loopback:security:access-context  isWildcard() false +0ms
loopback:security:access-context  isAllowed() false +0ms

common/models/publication.json

{
  "name": "publication",
  "base": "PersistedModel",
  "idInjection": true,
  "properties": {
    "name": {
      "type": "string",
      "required": true
    },
    "price": {
      "type": "number",
      "required": true
    }
  },
  "validations": [],
  "relations": {},
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "WRITE",
      "principalType": "ROLE",
      "principalId": "admin",
      "permission": "ALLOW",
      "property": "create"
    }
  ],
  "methods": []
}

server/database.json

{
  "ids": {
    "User": 1,
    "AccessToken": 2,
    "ACL": 1,
    "RoleMapping": 1,
    "Role": 1,
    "publication": 1,
    "account": 3
  },
  "models": {
    "User": {},
    "AccessToken": {
      "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb": "{\"id\":\"HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb\",\"ttl\":1209600,\"created\":\"2014-12-17T21:02:48.103Z\",\"userId\":1}"
    },
    "ACL": {},
    "RoleMapping": {
      "1": "{\"id\":1,\"principalType\":\"USER\",\"roleId\":1}"
    },
    "Role": {
      "1": "{\"id\":1,\"name\":\"admin\",\"created\":\"2014-12-17T21:02:30.442Z\",\"modified\":\"2014-12-17T21:02:30.442Z\"}"
    },
    "publication": {},
    "account": {
      "1": "{\"fullname\":\"Jane Doe\",\"username\":\"janed\",\"password\":\"$2a$10$PWkG/Y.Jb9w25xtxZwUt/.WOQRZTVgIdKTalGVoCyBE3PoDqD9tK6\",\"email\":\"jane.doe@example.com\",\"id\":1}",
      "2": "{\"fullname\":\"John Doe\",\"username\":\"johnd\",\"password\":\"$2a$10$dD6r9NmV18R.epAg8.FuvuluQoJfIPMnUw9nGVFivu94PeKp0aKja\",\"email\":\"john.doe@example.com\",\"id\":2}"
    }
  }
}

Edit

Some progress: I noticed that the principal ID of the role mapping was not being set when creating the test data. I have fixed that, but the role mapping is still not found.

Edit 2

Actually that was indeed the problem; I was testing the wrong endpoint after fixing the principalId. Testing the create endpoint now works.

2 Answers:

Answer 0 (score: 1)

It turns out I was not setting the principal ID correctly when setting up the test data. I was using

var accounts = [{
    username: 'janed',
    email: 'jane.doe@example.com',
    fullname: 'Jane Doe',
    password: 'secret'
  }, {
    username: 'johnd',
    email: 'john.doe@example.com',
    fullname: 'John Doe',
    password: 'secret'
  }];

accounts.forEach(function (account) {
  // `account` is the plain input object; the persisted row (with its id) is `result`
  Account.create(account, function(err, result) {
    //...
        role.principals.create({
          principalType: RoleMapping.USER,
          principalId: account.id // <-- undefined! should use result.id
        });
    //...
  });
});

Once I switched the principal ID to use result.id, the ACL started working.

Answer 1 (score: 0)

I have been successfully using LoopBack for the past 4 months on a very high-traffic app, and I faced this issue myself when starting out. If you check the log you mentioned, it clearly says access is not allowed:

loopback:security:acl permission DENY +0ms
loopback:security:access-context  permission DENY +0ms

There are several things you can do to check it:

  1. First give $everyone create access and check whether it works; then change the access to $authenticated and check again. If the latter works, it means the ACL is fine and the problem is somewhere in the role or role mapping.

  2. Try creating an ACL for the first time with the ACL generator: slc loopback:acl. It will guide you through creating the ACL yourself.
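The following is an added, dependency-free model of the ACL resolution that the DEBUG=loopback:security:* output above traces; it is not LoopBack's own code and the specificity weights and the default-deny fallback are constructed for illustration. It reproduces Answer 0 (a RoleMapping row without a principalId never matches user 1, so the "$everyone DENY" rule wins, and filling in the id from the created record fixes it) and Answer 1's diagnostic step (an ACL granting $authenticated still works with the broken mapping, which isolates the fault to the role mapping rather than the ACL).

```javascript
// Added example (not LoopBack's code): toy model of Role.isInRole() plus
// ACL matching, using the publication ACLs and role rows from the question.

// Built-in roles resolve from the access context alone (no RoleMapping row).
const BUILTIN_ROLES = {
  $everyone: () => true,
  $authenticated: (userId) => userId !== null && userId !== undefined,
  $unauthenticated: (userId) => userId === null || userId === undefined,
};

// Custom roles need a Role row and a RoleMapping row for this exact principal.
function isInRole(roleName, userId, roles, roleMappings) {
  if (BUILTIN_ROLES[roleName]) return BUILTIN_ROLES[roleName](userId);
  const role = roles.find((r) => r.name === roleName);
  if (!role) return false;
  return roleMappings.some(
    (m) => m.roleId === role.id && m.principalType === 'USER' && m.principalId === userId
  );
}

// Specificity: property-specific, access-type-specific, custom-role ACLs beat
// wildcards. Weights are constructed here; LoopBack computes its own score.
function score(acl) {
  let s = 0;
  if (acl.property && acl.property !== '*') s += 4;
  if (acl.accessType && acl.accessType !== '*') s += 2;
  if (!BUILTIN_ROLES[acl.principalId]) s += 1;
  return s;
}

// Does this ACL row cover the requested property and access type?
function aclMatches(acl, req) {
  const propOk = !acl.property || acl.property === '*' || acl.property === req.property;
  const typeOk = !acl.accessType || acl.accessType === '*' || acl.accessType === req.accessType;
  return propOk && typeOk;
}

// Keep the ACLs whose role the user is in, take the most specific one.
// No matching ACL: this toy model denies (constructed default).
function resolveAccess(acls, req, userId, roles, roleMappings) {
  const applicable = acls
    .filter((acl) => aclMatches(acl, req))
    .filter((acl) => acl.principalType === 'ROLE' &&
      isInRole(acl.principalId, userId, roles, roleMappings))
    .sort((a, b) => score(b) - score(a));
  return applicable.length ? applicable[0].permission : 'DENY';
}

// Data taken from the question's publication.json and database.json.
const publicationAcls = [
  { accessType: '*', principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
  { accessType: 'WRITE', principalType: 'ROLE', principalId: 'admin', permission: 'ALLOW', property: 'create' },
];
const roles = [{ id: 1, name: 'admin' }];
// The buggy row from database.json: principalId is absent (account.id was undefined).
const buggyMappings = [{ id: 1, principalType: 'USER', roleId: 1 }];
// After the fix from Answer 0: principalId comes from the created record (result.id).
const fixedMappings = [{ id: 1, principalType: 'USER', roleId: 1, principalId: 1 }];
// Answer 1's diagnostic variant: grant WRITE to $authenticated instead of admin.
const authenticatedAcls = [
  publicationAcls[0],
  { accessType: 'WRITE', principalType: 'ROLE', principalId: '$authenticated', permission: 'ALLOW' },
];

const createRequest = { model: 'publication', property: 'create', accessType: 'WRITE' };
const readRequest = { model: 'publication', property: 'find', accessType: 'READ' };

function checkCreateAsUser1(mappings, acls = publicationAcls) {
  return resolveAccess(acls, createRequest, 1, roles, mappings);
}

function checkReadAsUser1(mappings, acls = publicationAcls) {
  return resolveAccess(acls, readRequest, 1, roles, mappings);
}

console.log('create, broken mapping :', checkCreateAsUser1(buggyMappings));            // DENY
console.log('create, fixed mapping  :', checkCreateAsUser1(fixedMappings));            // ALLOW
console.log('create, $authenticated :', checkCreateAsUser1(buggyMappings, authenticatedAcls)); // ALLOW
console.log('read,   fixed mapping  :', checkReadAsUser1(fixedMappings));              // DENY
```

The third line is the diagnostic Answer 1 describes: if the $authenticated variant allows the request while the admin variant denies it, the ACL rows are being matched and the defect is in the Role or RoleMapping data, exactly what "Role mapping found: null" in the debug output indicates.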