Friday, 7 December 2012

com.lombardisoftware.client.security.AuthorizationDeniedException: You are not authorized to make changes to items in this context

This one drove me to distraction for most of this week.

I was trying to populate my BPM databases using the bootstrap process: -

$ /opt/IBM/WebSphere80/AppServer/BPM/Lombardi/tools/bootstrapProcessServerData.sh -clusterName E1PCSR01.AppTarget

but it kept failing with: -

...
TWImportAndActivate:
    [mkdir] Created dir: /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/temp/saved-search-admin.twx
    [unzip] Expanding: /opt/IBM/WebSphere80/AppServer/BPM/Lombardi/imports/saved-search-admin.twx into /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/temp/saved-search-admin.twx
   [delete] Deleting directory /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/temp/saved-search-admin.twx

TWActivateWrapper:

importRBGs:
     [echo] bootstrapData: Importing Resource Bundle Groups...

BUILD FAILED
/opt/IBM/WebSphere80/AppServer/BPM/base/profile/actions/bootstrapData.ant:46: The following error occurred while executing this line:
/opt/IBM/WebSphere80/AppServer/BPM/base/profile/actions/bootstrapData.ant:53: The following error occurred while executing this line:
/opt/IBM/WebSphere80/AppServer/BPM/base/profile/actions/tw_init_bootstrap.ant:347: Java returned: 1

Total time: 1 minute 50 seconds

Bootstrap failed


and: -

...
INFO: Client code attempting to load security configuration
06-Dec-2012 13:40:49 com.ibm.ffdc.util.provider.FfdcOnDirProvider logIncident
INFO: FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/logs/ffdc/ffdc.6400587257559169791.txt com.ibm.ws.orbimpl.transport.WSTransport.getConnection 448
06-Dec-2012 13:40:49 com.ibm.ffdc.util.provider.FfdcOnDirProvider logIncident
INFO: FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/logs/ffdc/ffdc.8213873865726580924.txt com.ibm.ws.naming.util.WsnInitCtxFactory.mergeWsnNSProperties 1551
06-Dec-2012 13:40:49 com.ibm.ffdc.util.provider.FfdcOnDirProvider logIncident
INFO: FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/logs/ffdc/ffdc.296063757638535691.txt com.ibm.ws.naming.util.WsnInitCtxFactory.getRootJndiContext 965
06-Dec-2012 13:40:49 com.ibm.ffdc.util.provider.FfdcOnDirProvider logIncident
INFO: FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/logs/ffdc/ffdc.2968224156869316365.txt com.ibm.ws.naming.util.WsnInitCtxFactory.getRootJndiContext 886
06-Dec-2012 13:40:49 com.lombardisoftware.utility.db.QueryUtil findDatabaseType
WARNING: Could not find database from JNDI lookup in server. Defaulting to configuration file
06-Dec-2012 13:40:49 com.lombardisoftware.core.cache.LocalCache initializeSettingsFile
INFO: CWLLG2155I:  Cache settings read have been from file file:/opt/IBM/WebSphere80/AppServer/BPM/Lombardi/process-server/twinit/lib/basic_resources.jar!/LombardiTeamWorksCache.xml.
Exception in thread "P=248348:O=0:CT" com.lombardisoftware.client.security.AuthorizationDeniedException: You are not authorized to make changes to items in this context
at com.lombardisoftware.client.security.AuthorizationUtils.deny(AuthorizationUtils.java:120)
at com.lombardisoftware.client.security.PersistenceAuthorizationImpl.assertWrite(PersistenceAuthorizationImpl.java:25)
at com.lombardisoftware.server.ejb.persistence.PSDefaultHandler.save(PSDefaultHandler.java:80)
at com.lombardisoftware.server.ejb.persistence.PersistenceServicesCore.saveInternal(PersistenceServicesCore.java:306)
...

As per usual, I spent some time looking for the answer in a variety of places, including Google.

Eventually, I found this developerWorks forum post: -


which suggested that the problem really was one of authorization.

I checked my database: -

$ db2 connect to BPMDB
$ db2 "select propkey,propvalue from lsw_system where propvalue like '53c5c0a3-0d2b-4822-b94c-5722a59d5227'"

PROPKEY          PROPVALUE
InstallationGUID 53c5c0a3-0d2b-4822-b94c-5722a59d5227

  1 record(s) selected.


Following Andrew Paier's response to the forum post, I then checked the LSW_ACL_ENTRY table: -

$ db2 "select * from DB2INST1.LSW_ACL_ENTRY"

ACL_ENTRY_ID   USER_ID        GROUP_ID       PO_TYPE    PO_ID                                MASK                 
-------------- -------------- -------------- ---------- ------------------------------------ ---------------------
            1.              -             3.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                  127.
            2.              -             4.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                   63.
            3.              -             3.      2066. 1b351583-e5cb-43b7-baee-340a63130ea7                   63.
            4.              -             4.      2066. 1b351583-e5cb-43b7-baee-340a63130ea7                   63.
            5.              -             3.      2066. bdf91468-0d01-4ae2-bb53-054b3b591f94                  127.
            6.              -             4.      2066. bdf91468-0d01-4ae2-bb53-054b3b591f94                  127.
            7.              -             3.      2066. dbecd816-afed-47b0-ba92-c13256fcb566                  127.
            8.              -             3.      2066. b691179d-e7a4-4a27-b89b-f2263d0280e7                   63.
            9.              -             4.      2066. b691179d-e7a4-4a27-b89b-f2263d0280e7                   63.
           10.              -             3.      2066. 4b3882d9-e886-4f08-9d0c-078ebda719b9                   63.
           11.              -             4.      2066. 4b3882d9-e886-4f08-9d0c-078ebda719b9                   63.
         1002.             9.              -      2066. 23d3ecec-6fdb-4033-9c57-e931aa13761f                  127.
         1052.             9.              -      2066. c8cc5ba4-0c95-41bd-8aac-8136bc86ae85                  127.
         1102.             9.              -      2066. 9ab0d0c6-d92c-4355-9ed5-d8a05acdc4b0                  127.

  15 record(s) selected.

As Andrew rightly said, I did not have the InstallationGUID propvalue - 53c5c0a3-0d2b-4822-b94c-5722a59d5227 - in the table.

I inserted the value: -

$ db2 "insert into db2inst1.lsw_acl_entry (acl_entry_id, po_id, mask, po_type, group_id) values (1404, '53c5c0a3-0d2b-4822-b94c-5722a59d5227', 127, 5000, 3)"

and validated the change: -

$ db2 "select * from DB2INST1.LSW_ACL_ENTRY"

ACL_ENTRY_ID   USER_ID        GROUP_ID       PO_TYPE    PO_ID                                MASK                 
-------------- -------------- -------------- ---------- ------------------------------------ ---------------------
            1.              -             3.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                  127.
            2.              -             4.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                   63.
            3.              -             3.      2066. 1b351583-e5cb-43b7-baee-340a63130ea7                   63.
            4.              -             4.      2066. 1b351583-e5cb-43b7-baee-340a63130ea7                   63.
            5.              -             3.      2066. bdf91468-0d01-4ae2-bb53-054b3b591f94                  127.
            6.              -             4.      2066. bdf91468-0d01-4ae2-bb53-054b3b591f94                  127.
            7.              -             3.      2066. dbecd816-afed-47b0-ba92-c13256fcb566                  127.
            8.              -             3.      2066. b691179d-e7a4-4a27-b89b-f2263d0280e7                   63.
            9.              -             4.      2066. b691179d-e7a4-4a27-b89b-f2263d0280e7                   63.
           10.              -             3.      2066. 4b3882d9-e886-4f08-9d0c-078ebda719b9                   63.
           11.              -             4.      2066. 4b3882d9-e886-4f08-9d0c-078ebda719b9                   63.
         1002.             9.              -      2066. 23d3ecec-6fdb-4033-9c57-e931aa13761f                  127.
         1052.             9.              -      2066. c8cc5ba4-0c95-41bd-8aac-8136bc86ae85                  127.
         1404.              -             3.      5000. 53c5c0a3-0d2b-4822-b94c-5722a59d5227                  127.
         1102.             9.              -      2066. 9ab0d0c6-d92c-4355-9ed5-d8a05acdc4b0                  127.

  15 record(s) selected.



And then re-ran the bootstrap process: -

$ /opt/IBM/WebSphere80/AppServer/BPM/Lombardi/tools/bootstrapProcessServerData.sh -clusterName E1PCSR01.AppTarget

and, this time around, it worked perfectly: -

...
amples:
   [delete] Deleting: /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/config/cells/E1PCCELL/nodes/E1PCNODE1/servers/E1PCSR011.AppTarget/process-center/config/100Bootstrap.xml
   [delete] Deleting: /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/config/cells/E1PCCELL/nodes/E1PCNODE1/servers/E1PCSR011.AppTarget/process-center/TeamWorksConfiguration.running.xml

BUILD SUCCESSFUL
Total time: 2 minutes 24 seconds

...

As they say, easy when you know how.

Now can I explain what went wrong ? Er, no ......
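
The check the post performs by eye (is there an LSW_ACL_ENTRY row whose PO_ID is the InstallationGUID?) can be scripted as a pre-flight test before the bootstrap is run. This is an added example, not part of the original post or of IBM's tooling; the function names are hypothetical and the sample rows are copied from the listings above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the InstallationGUID
# has a row in LSW_ACL_ENTRY before running bootstrapProcessServerData.sh.

# Three rows copied from the post's first listing (before the insert).
ACL_BEFORE='ACL_ENTRY_ID   USER_ID        GROUP_ID       PO_TYPE    PO_ID                                MASK
-------------- -------------- -------------- ---------- ------------------------------------ ---------------------
            1.              -             3.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                  127.
            2.              -             4.      5000. d106db6a-393e-49b2-8ec9-3fd149438343                   63.
         1002.             9.              -      2066. 23d3ecec-6fdb-4033-9c57-e931aa13761f                  127.'

# The same rows plus the row the post inserted.
ACL_AFTER="$ACL_BEFORE
         1404.              -             3.      5000. 53c5c0a3-0d2b-4822-b94c-5722a59d5227                  127."

GUID=53c5c0a3-0d2b-4822-b94c-5722a59d5227   # InstallationGUID from the post

# acl_rows_for_guid GUID: read the db2 output of
#   select * from DB2INST1.LSW_ACL_ENTRY
# on stdin and print one summary line per row whose PO_ID equals GUID.
acl_rows_for_guid() {
    awk -v guid="$1" '
        # Data rows have six fields and a numeric ACL_ENTRY_ID such as "1404."
        NF == 6 && $1 ~ /^[0-9]+\.$/ && tolower($5) == tolower(guid) {
            for (i = 1; i <= NF; i++) sub(/\.$/, "", $i)   # drop the trailing dot on numbers
            printf "acl_entry_id=%s user_id=%s group_id=%s po_type=%s mask=%s\n", $1, $2, $3, $4, $6
        }'
}

# has_acl_for_guid GUID: exit 0 if stdin holds at least one matching row, 1 if none.
has_acl_for_guid() {
    [ -n "$(acl_rows_for_guid "$1")" ]
}

# report LABEL LISTING: print the verdict for one captured listing.
report() {
    if printf '%s\n' "$2" | has_acl_for_guid "$GUID"; then
        echo "$1: ACL entry present for $GUID"
    else
        echo "$1: no ACL entry for $GUID (the state in which the bootstrap failed)"
    fi
}

report BEFORE "$ACL_BEFORE"
report AFTER "$ACL_AFTER"
# Live use, with the commands from the post:
#   db2 connect to BPMDB
#   db2 "select * from DB2INST1.LSW_ACL_ENTRY" | has_acl_for_guid "$GUID"
```

Because the repair is a hand-written row in an authorization table, running the same filter after the insert also documents exactly which group, type and mask were granted for the GUID.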
