topic Re: Permission to execute script in Alfresco Archive

Permission to execute script

msvoren — Tue, 27 May 2008 11:04:08 GMT

I have following situationerson has permission to read and write in Space A. He can NOT see Space B.There's a rule which executes script and moves inbound content from Space A to Space B.It goes like this: person uploads content to A, script moves it to B.How can this be done? For what I see now,

Re: Permission to execute script

pmonks — Tue, 27 May 2008 14:24:23 GMT

For this kind of use case you'll have to drop to Java. Within the Foundation Services API (http://wiki.alfresco.com/wiki/Java_API) there's a class / method called "AuthenticationUtil.runAs" (http://dev.alfresco.com/resource/docs/java/repository/org/alfresco/repo/security/authentication/AuthenticationUtil.html#runAs(org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork,%20java.lang.String)) that'll do what you're after.

We don't expose this kind of functionality to Javascript because it creates serious security holes (ie. a user could upload a script that runs as admin and then deletes all content in the repo).

Cheers,
Peter

Re: Permission to execute script

mabayona — Tue, 27 May 2008 14:56:27 GMT

An easy solution would be for Alfresco to implement/extend the <runas> functionality for actions associated to simple workflows (as now has been implemented for actions in advanced workflows). This would allow to safely implement this rather common scenario.

Alfresco?

Re: Permission to execute script

pmonks — Tue, 27 May 2008 15:24:39 GMT

Recall that end users can upload Javascript actions which is one of the way rules (whether related to simple workflow or not) can be implemented. Anything that end users can do script wise must be locked down from a security perspective (ie. the script must not be allowed to "run as" another user, amongst other things).

Scripts inside Advanced Workflows are different in that they can only be uploaded by developers or (via the Workflow Console) administrators - either of those types of users already have sufficient privileges that there's little we can do if they decided to do something malicious to Alfresco or the server it's running on. End users, on the other hand, do not typically have that level of access to the system and it would be a serious bug if we allowed (whether inadvertently or not) that level of access.

Cheers,
Peter

Re: Permission to execute script

mabayona — Tue, 27 May 2008 15:46:38 GMT

To mantain the security level, the <runas> can be restricted to the roles available to the person that created the rule/simple workflow. This way, it is possible to implement this common scenario and the implementor can only select the roles available to him/her.

This way, only an "admin" can create a <runas>admin</runas> while, say "approver" can only use his rights to define rule associated to an action and make it available to users with less privileges (e.g. to create a "inbox" space where users can put documents and to create a rule in this inbox space to allow the documents to be moved to another space where the document providers have either no access or read-only access.

The way to implement it would be by extending the UI and including an extra drop-menu with the available roles to the rule creator.

Re: Permission to execute script

pmonks — Tue, 27 May 2008 15:56:44 GMT

Roles are specific to spaces however, so how would this help with your original scenario (user A has R/W role in space A but has no R/W roles in space B, and they need to run a script that moves a document from space A to space B)?

Cheers,
Peter

Re: Permission to execute script

mabayona — Tue, 27 May 2008 16:16:31 GMT

It would help in the sense that it would allow the space owner to implement this scenario in its space. It would allow, for instance, to create e.g. a subspace "inbox" for role "providers" and R/W in "inbox", and to create a rule with <runas>approver</runas> permission in "inbox" to move the document to another sub-space e.g. "pending approval" where "providers" do not need to have write permission. This is the scenario which is very common, but that now is not possible to implement with simple workflow.

Of course, alternatives are to resort either to java or to advanced workflow (where <runas> is available).

Re: Permission to execute script

pmonks — Tue, 27 May 2008 16:34:58 GMT

Again that would be a security risk, since it would allow users who have a R/W role in one space (eg. their user home) to upload a script that effectively has R/W access to any other space in the system. In other words, roles always have to be applied in the context of a space.

That said, I understand the problem and can't help wondering if explicit identification of "developer scripts" and "end user scripts" might help. "Developer scripts" would only be able to be created by developers and would have the ability to "runas" etc., while "end user scripts" could be created by anyone but would remain locked down within the current scripting security sandbox.

Interestingly enough, in 2.1.3 this distinction has already started appearing - Javascript scripts loaded from the classpath are trusted (ie. are "developer scripts") and have full access (via Rhino's native Java integration) to Java APIs (including the Foundation Services API), while Javascript scripts loaded from the repository are not trusted (ie. are "end user scripts") and run within the scripting security sandbox. The only missing piece here would be to expose a "runas" Javascript API that's only available to "developer scripts" (Alfresco's existing Java "runas" API is not readily usable from Javascript due to the use of callbacks).

This would be a good enhancement request (http://issues.alfresco.com/)!

Cheers,
Peter

Re: Permission to execute script

mabayona — Tue, 27 May 2008 16:46:30 GMT

I understand your proposal to diferentiate between "developper scripts" and "end user scripts". It is probably a starting point to solve the missing functionality "runas" for simple workflow users.

What i do not quite understand is when you say that:

"Again that would be a security risk, since it would allow users who have a R/W role in one space (eg. their user home) to upload a script that effectively has R/W access to any other space in the system. In other words, roles always have to be applied in the context of a space."

since these actions/rules would be only executable in the space where they were created (i.e. uploaded document/script) and would have the permissions defined for them ONLY for the specific spaces where the rule (e.g. move to another space in simple workflow) and with the permissions allocated to them by the rule creator (i.e. its permissions and no others). Note that IÂ´m talking about rules associated to spaces and not "execute an action" in any space.

Anyway, something should be done to cover this missing "runas" functionality for simple workflow if we really want "normal-joe-user" to create and use simple workflows effectively in Alfresco.

Re: Permission to execute script

pmonks — Tue, 27 May 2008 17:15:04 GMT

How about you raise an enhancement request (at http://issues.alfresco.com/), and post a link to it back here? Things tend not to happen spontaneously. :wink:

Cheers,
Peter

Re: Permission to execute script

msvoren — Wed, 28 May 2008 13:25:28 GMT

Can I e.g. create a custom role, which would enable invited users to WRITE to space, but not to READ?

Can this be done?

Re: Permission to execute script

mabayona — Wed, 28 May 2008 14:23:45 GMT

I do no think it is possible to have write permission without read one (i.e. before writing the system has to verify that the space exists, that no other document with equal name exists, … -> Read permission.

That is again a reason why the runas functionality is needed for simple workflow: to implement this common pattern that you are looking for.

Re: Permission to execute script

msvoren — Tue, 10 Jun 2008 09:53:51 GMT

I can't believe something like this is not already implemented..
Shouldn't executing rules be "run as admin" as default ?

Re: Permission to execute script

mabayona — Tue, 10 Jun 2008 09:59:16 GMT

Nope, "run as admin" as default would be a HUGE security hole. It would defeat the permissions concept. However, what is needed is a controlled way to do it. ThatÂ´s why the "runas" would be a good solution.

Alfresco?

Re: Permission to execute script

msvoren — Tue, 10 Jun 2008 11:14:24 GMT

Thank you mabayona,

Any other way to implement this?
I'm intrested in hacks, what ever.. ?

Re: Permission to execute script

mabayona — Tue, 10 Jun 2008 11:35:46 GMT

There is a way. If you use 2.9, use an advanced workflow. With advanced workflow you got the <runas> option. The process would be something like:

=> Create an advance workflow that gets associated automatically to a entry ( using a rule):

http://wiki.alfresco.com/wiki/WorkflowAdministration#Step_7:_Integration_with_Rules_.28Optional.29

This workflow has an action can move the e.g. document entered in a space e.g."inbox" into another space not writable by the issuer since it can be run with the privileges defined in <runas>xxx</runas>.

Alternatively, you can do something similar (although more complex) in Java.

Re: Permission to execute script

msvoren — Thu, 12 Jun 2008 09:00:26 GMT

Thank you very much, will try that!

Re: Permission to execute script

sacco — Fri, 13 Jun 2008 13:50:27 GMT

Recall that end users can upload Javascript actions which is one of the way rules (whether related to simple workflow or not) can be implemented. Anything that end users can do script wise must be locked down from a security perspective (ie. the script must not be allowed to "run as" another user, amongst other things).

But this already is an enormous security hole. I simply set up a rule on my space to run
my script on all incoming items. As soon as anybody puts anything in my space the game is over:
my script is running as them!

Given that the Alfresco permissions model makes it impossible to run even a simple workflow
without giving, say, reviewers access to write the properties of the directory, it's absolutely
trivial to make sure that people will drop things in your trap. (I won't spell it out any further).

Frankly, I would avoid using Alfresco for anything where even simple security is relevant,
at least until they've rethought the security model entirely, especially given that almost
all of the parent permission checks are commented out in the normal distribution!

We really need basic functionality which works robustly and predictably rather than new features.

Re: Permission to execute script

mabayona — Fri, 13 Jun 2008 13:57:18 GMT

I do not quite understand what you mean. My experience using Alfresco and its security model is VERY GOOD and i find it robust and usable. Could you give an example of your claims?

Do not forget that the security model has a very fine granularity and it is PER SPACE and per item. The fact that someone has acces to a space does no implies that has acces to other spaces.

I would appreciate an elaborated sample of what you perceive as shortcomings of actual implementation to check it against my experience using alfresco.

Re: Permission to execute script

sacco — Fri, 13 Jun 2008 16:24:38 GMT

OK, but it'll have to be next week, as I'm already two hours late!