Dears,
I am currently using the 8.0.2 release.
As regards the Security Levels Rules, it would be very powerful using the wildcards for the mapping definition, for example:
Is it already feasible or is there any roadmap for this feature?
Thanks a lot.
Andrea
You could try something like {idp-attributes} like '%_RMM_%'
I think.
I tried, unfortunately I received the same result, i.e. the security level is not mapped.
*ExpressionSecurityLevelPolicy: Unexpected problem executing the security level policy expression. Evaluating policy to false.*
> com.inductiveautomation.ignition.common.expressions.ExpressionException: Value is not a Collection
>
> at com.inductiveautomation.ignition.gateway.auth.expr.WebAuthFunctionFactory$ContainsFunction.execute(WebAuthFunctionFactory.java:45)
>
> at com.inductiveautomation.ignition.common.expressions.FunctionExpression.execute(FunctionExpression.java:66)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.expr.DerivedSecurityLevelPolicyExpression.execute(DerivedSecurityLevelPolicyExpression.java:69)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.expr.ExpressionSecurityLevelPolicy.test(ExpressionSecurityLevelPolicy.java:30)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.expr.ExpressionSecurityLevelPolicy.test(ExpressionSecurityLevelPolicy.java:16)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.evaluate(DerivedSecurityLevelPolicyNode.java:39)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.lambda$evaluate$1(DerivedSecurityLevelPolicyNode.java:66)
>
> at java.base/java.util.Optional.map(Unknown Source)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.evaluate(DerivedSecurityLevelPolicyNode.java:66)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.lambda$evaluate$0(DerivedSecurityLevelPolicyNode.java:59)
>
> at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
>
> at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
>
> at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
>
> at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.evaluate(DerivedSecurityLevelPolicyNode.java:62)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.lambda$evaluate$0(DerivedSecurityLevelPolicyNode.java:59)
>
> at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
>
> at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
>
> at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
>
> at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.DerivedSecurityLevelPolicyNode.evaluate(DerivedSecurityLevelPolicyNode.java:62)
>
> at com.inductiveautomation.ignition.gateway.auth.security.level.policy.AuthenticatedDerivedSecurityLevelPolicyNode.evaluate(AuthenticatedDerivedSecurityLevelPolicyNode.java:36)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.lambda$grantSecurityLevelsInternal$0(IdpAdapter.java:168)
>
> at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
>
> at java.base/java.util.Iterator.forEachRemaining(Unknown Source)
>
> at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
>
> at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
>
> at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
>
> at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.grantSecurityLevelsInternal(IdpAdapter.java:171)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.grantSecurityLevels(IdpAdapter.java:231)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.refreshWebAuthSessionContext(WebAuthSessionImpl.java:160)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:182)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$1(WebAuthSessionImpl.java:191)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:93)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:191)
>
> at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:297)
>
> at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:135)
>
> at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:247)
>
> at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
>
> at com.inductiveautomation.ignition.gateway.dataroutes.DataServlet.service(DataServlet.java:87)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
>
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
>
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
>
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
>
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
>
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
>
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
>
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
>
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>
> at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
>
> at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
>
> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>
> at org.eclipse.jetty.server.Server.handle(Server.java:530)
>
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
>
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
>
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
>
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
>
> at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
>
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
>
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
>
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
>
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
>
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
>
> at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
>
> at java.base/java.lang.Thread.run(Unknown Source)
Hi @andrea.morando -
This worked for me:
{idp-attributes:roles} like '%_RMM_%'
You don’t need the containsAny or containsAll functions in this case. The above will turn the collection of roles into a string and fuzzy match against the argument.
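How the whole-string match above behaves on different role lists, as an added example that is not part of the original posts and is not Ignition code. It is a Python model that assumes `like` follows SQL LIKE semantics (`%` matches any run of characters, `_` exactly one) and that the role collection is rendered like a Java list string; the role names are constructed.

```python
import re

def like(value, pattern):
    """Model of a SQL-style LIKE: % = any run of characters, _ = exactly one."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def roles_as_string(roles):
    # Assumption: the collection is rendered like Java's List.toString().
    return "[" + ", ".join(roles) + "]"

def whole_match(roles, pattern="%_RMM_%"):
    """One match over the joined role string, as the thread's expression does."""
    return like(roles_as_string(roles), pattern)

def per_role_match(roles, regex=r".*_RMM_.*"):
    """Stricter check: a single role must contain a literal '_RMM_'."""
    return [r for r in roles if re.fullmatch(regex, r)]

# Constructed role lists, not taken from the thread.
CASES = {
    "intended": ["PLANT_RMM_ADMIN", "USERS"],
    "no_underscores": ["XRMMY"],
    "spans_separator": ["ARMM", "B"],
    "unrelated": ["USERS", "OPERATORS"],
}

def audit():
    """Return {case: (whole-string result, roles passing the per-role check)}."""
    return {name: (whole_match(r), per_role_match(r)) for name, r in CASES.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

Under these assumptions the pattern also grants the level for role lists that contain no `_RMM_` role at all, so a wildcard rule is worth testing against role names that must not receive the level.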
It works, great!
Thank you so much.