Thank you Robert for your help. For those following the thread, some of the below details might help you :-
Issue: 1. Missing permission for any API is throwing 404 not found, instead of 403 forbidden. 2. New end points permissions are not added automatically to operator / tenant admin / superadmin roles ( in case there are expectations that these are superuser roles) 3. There could be a bug when using an existing permittable group with new Endpoints. Fix: 1. Use a new permittable group for new endpoints 2. Once the permission table (in Cassandra) is populated with new permittable groups endpoints, call the PUT /Identity/roles/administrator API and add new permittable groups with access permissions to the role administrator. 3. Re login again with an administrator user (operator) and check whether the JWT access token is updated with new end points. The table name is isis_permitable_groups. P.S. - Links from API documentation related discourse thread <https://discourse.mifos.org/t/regarding-fineract-cn-apis-and-demo-server/6851> https://ebenezergraham.github.io/fineract-cn-api-docs-site/ 7 <https://ebenezergraham.github.io/fineract-cn-api-docs-site/> https://github.com/Izakey/fineract-cn-api-docs-site 6 <https://github.com/Izakey/fineract-cn-api-docs-site> With best regards, Avik Ganguly. On Tue, May 11, 2021 at 11:43 PM Ed Cable <[email protected]> wrote: > Thanks Robert for your help. > > On Tue, May 11, 2021, 08:51 Manoj VM <[email protected]> wrote: > >> Dear Robert, >> >> Thank you very much for the API details. >> >> With this API we are able to update roles with new permissions. >> Now the new endpoints are populated properly in the JWT token. >> >> New endpoints are working fine now. >> >> Thanks again. >> >> Thanks and Regards, >> Manoj >> fynarfin.io >> >> >> On Mon, May 10, 2021 at 7:37 PM Robert Elles <[email protected]> >> wrote: >> >>> Hi Manoj, >>> >>> Yes, that sounds like some progress, good! >>> >>> You need to send a put request with the updated administrator role >>> containing your new permission group id in the permission list as payload >>> to the /identity/v1/roles/administrator endpoint. See >>> the RoleRestController in the identity project. >>> >>> Best, >>> Robert Elles >>> >>> Head of Global Product Development >>> >>> Kuelap, Inc. >>> +4915788460030 >>> [email protected] >>> www.kuelap.io >>> Pappelallee 78-79, 10437 Berlin, Germany >>> [image: linkedin] <https://www.linkedin.com/in/robertelles/> >>> >>> Kuelap GmbH - Geschäftsführer: Craig Chelius | Registergericht: >>> Amtsgericht Charlottenburg (Berlin) | HBR 201125 B >>> >>> >>> On Mon, May 10, 2021 at 12:20 PM Manoj VM <[email protected]> wrote: >>> >>>> Dear Robert, >>>> >>>> Thanks a lot for your help >>>> >>>> First we were trying with an existing group Id in @Permitable >>>> annotation, after your suggestions we tried creating new group ids for our >>>> new endpoints. >>>> >>>> Now, the new group Ids are populated in isis_permitable_groups table in >>>> Cassandra. Yet we are not getting them in the permission list for >>>> administrator(operator). Also the new end points are not present in the JWT >>>> token created while logingin as administrator (operator). >>>> >>>> Could you please tell us how to assain these permissions to the role? >>>> >>>> I have a feel that we are in right direction, but still miles to go. >>>> >>>> Thanks, >>>> Manoj >>>> >>>> On Mon, 10 May, 2021, 14:10 Robert Elles, <[email protected]> >>>> wrote: >>>> >>>>> Hello Avik, >>>>> >>>>> the gradle task publishApiToMavenLocal if for publishing the api >>>>> artefact of the current projekt to the local maven repository but does not >>>>> relate to permissions. >>>>> >>>>> In your cassandra instance you can also check the >>>>> isis_permittable_groups table. If you see your new endpoints under the >>>>> permittable group id then you know that the assign application worked. In >>>>> the @Permittable did you set a new group id or did you use an existing >>>>> one? >>>>> With a new one you also need to assign the new permission to the user's >>>>> role with whom you call the endpoint. With an existing group id there >>>>> might be still a bug that you can not create new endpoints under an >>>>> existing permittable group id. >>>>> >>>>> Best regards, >>>>> Robert >>>>> >>>>> On Sat, May 8, 2021 at 8:40 AM Avik Ganguly <[email protected]> wrote: >>>>> >>>>>> Hi Robert, Community, >>>>>> >>>>>> Description : The APIs auto register only on a completely fresh new >>>>>> database. >>>>>> >>>>>> Thank you for the quick response on this issue. >>>>>> >>>>>> I suspect the issue you see is due to permissions not updated. After >>>>>>> you add a new API endpoint to a micro service you need to call the >>>>>>> assign >>>>>>> application endpoint of provisioner so that the auth-system is made >>>>>>> aware >>>>>>> of the new endpoint. Your rest controller endpoints must be annotated >>>>>>> with >>>>>>> @Permittable with the proper parameters. >>>>>> >>>>>> >>>>>> The end points we have created are already annotated with >>>>>> @Permittable, however we tried changing the group name to test whether >>>>>> the >>>>>> new group name will force the permission creation, but it doesn't. >>>>>> >>>>>> And yes, every time we deploy a new end point, we call the >>>>>> provisioner Assign api , which runs migration scripts, but doesn't add >>>>>> new >>>>>> permissions. >>>>>> >>>>>> What can we be missing out on? >>>>>> >>>>>> Perhaps there is a need for one more API in the initial API >>>>>> collection which does permission creation, as we could see APIs in >>>>>> identity >>>>>> service for creating permissions. >>>>>> Also we found a gradle task for publishApiToMavenLocal, but running >>>>>> the task did not change anything. >>>>>> >>>>>> With best regards, >>>>>> Avik. >>>>>> >>>>>> Disclaimer: >>>>>> >>>>>> Privileged & confidential information is contained in this message >>>>>> (including all attachments). If you are not an intended recipient of this >>>>>> message, please destroy this message immediately and kindly notify >>>>>> the sender by reply e-mail. Any unauthorised use or dissemination of >>>>>> this message in any manner whatsoever, in whole or in part, is strictly >>>>>> prohibited. This e-mail, including all attachments hereto, (i) is for >>>>>> discussion purposes only and shall not be deemed or construed to be a >>>>>> professional opinion unless expressly stated otherwise, and (ii) is not >>>>>> intended, written or sent to be used, and cannot and shall not be used, >>>>>> for >>>>>> any unlawful purpose. This communication, including any attachments, may >>>>>> not be free of viruses, interceptions or interference, and may not be >>>>>> compatible with your systems. You should carry out your own virus checks >>>>>> before opening any attachment to this e-mail. The sender of this e-mail >>>>>> and >>>>>> *Fynarfin Tech Private Limited* shall not be liable for any damage >>>>>> that you may sustain as a result of viruses, incompleteness of this >>>>>> message, a delay in receipt of this message or computer problems >>>>>> experienced. >>>>>> >>>>> >>>> Disclaimer: >>>> >>>> Privileged & confidential information is contained in this message >>>> (including all attachments). If you are not an intended recipient of this >>>> message, please destroy this message immediately and kindly notify >>>> the sender by reply e-mail. Any unauthorised use or dissemination of >>>> this message in any manner whatsoever, in whole or in part, is strictly >>>> prohibited. This e-mail, including all attachments hereto, (i) is for >>>> discussion purposes only and shall not be deemed or construed to be a >>>> professional opinion unless expressly stated otherwise, and (ii) is not >>>> intended, written or sent to be used, and cannot and shall not be used, for >>>> any unlawful purpose. This communication, including any attachments, may >>>> not be free of viruses, interceptions or interference, and may not be >>>> compatible with your systems. You should carry out your own virus checks >>>> before opening any attachment to this e-mail. The sender of this e-mail and >>>> *Fynarfin Tech Private Limited* shall not be liable for any damage >>>> that you may sustain as a result of viruses, incompleteness of this >>>> message, a delay in receipt of this message or computer problems >>>> experienced. >>>> >>> >> Disclaimer: >> >> Privileged & confidential information is contained in this message >> (including all attachments). If you are not an intended recipient of this >> message, please destroy this message immediately and kindly notify >> the sender by reply e-mail. Any unauthorised use or dissemination of this >> message in any manner whatsoever, in whole or in part, is strictly >> prohibited. This e-mail, including all attachments hereto, (i) is for >> discussion purposes only and shall not be deemed or construed to be a >> professional opinion unless expressly stated otherwise, and (ii) is not >> intended, written or sent to be used, and cannot and shall not be used, for >> any unlawful purpose. This communication, including any attachments, may >> not be free of viruses, interceptions or interference, and may not be >> compatible with your systems. You should carry out your own virus checks >> before opening any attachment to this e-mail. The sender of this e-mail and >> *Fynarfin Tech Private Limited* shall not be liable for any damage that >> you may sustain as a result of viruses, incompleteness of this message, a >> delay in receipt of this message or computer problems experienced. >> > -- Disclaimer: Privileged & confidential information is contained in this message (including all attachments). If you are not an intended recipient of this message, please destroy this message immediately and kindly notify the sender by reply e-mail. Any unauthorised use or dissemination of this message in any manner whatsoever, in whole or in part, is strictly prohibited. This e-mail, including all attachments hereto, (i) is for discussion purposes only and shall not be deemed or construed to be a professional opinion unless expressly stated otherwise, and (ii) is not intended, written or sent to be used, and cannot and shall not be used, for any unlawful purpose. This communication, including any attachments, may not be free of viruses, interceptions or interference, and may not be compatible with your systems. You should carry out your own virus checks before opening any attachment to this e-mail. The sender of this e-mail and *Fynarfin Tech Private Limited* shall not be liable for any damage that you may sustain as a result of viruses, incompleteness of this message, a delay in receipt of this message or computer problems experienced.
