zowe / sample-spring-boot-api-service

Zowe REST API service SDK and sample API service that integrates with Zowe API Mediation Layer

Improved security requirements diagnostics and documentation #88

Closed plavjanik closed 4 years ago

plavjanik commented 4 years ago

This PR improves diagnostics information when the createSecurityEnvironmentByDaemon method fails. The errno2 is collected from the native code and translated into a readable message. In case of JRNoChangeIdentity, a message that explains security requirements has been added.

Documentation and security command examples were updated to describe the required access to BPX.SERVER and BPX.DAEMON for security functions in the SDK.

The /resourceAccess endpoint has been added for testing purposes to check the access.

Testing:

For example, in case of a missing authority to change user ID, you will get the following message:

2019-11-20 02:34:30.105 <ZWEASA1:https-jsse-nio-0.0.0.0-20081-exec-9:33621086> SDKBLD1 (org.zowe.commons.zos.security.service.Z
PlatformSecurityService:62) ERROR Platform security action to create thread-level security environment without password has fai
EPERM The calling address space is not authorized to use this service or a load from a not program-controlled library was done
e address space. JRNoChangeIdentity The invoker is not authorized to change MVS userids; errno=139; errno2=x'0be803d1
2019-11-20 02:34:30.163 <ZWEASA1:https-jsse-nio-0.0.0.0-20081-exec-9:33621086> SDKBLD1 (org.zowe.commons.zos.security.service.Z
PlatformSecurityService:65) ERROR The server user ID does not have authority to change the thread-level security. UPDATE access
PX.SERVER in the facility resource class is required, or READ access if the user ID is superuser
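
A log triage sketch for the diagnostics shown above, as an added example that is not part of this PR or of the SDK. It pulls errno and errno2 out of each line, splits errno2 into its two halfwords (reason code qualifier and reason code, per the z/OS UNIX reason code layout) and attaches the required access stated in the log message. The function names and the shortened sample lines are assumptions constructed for illustration.

```python
import re

# Remediation text comes from the log message quoted in this PR; no other reasons are covered.
REMEDIATION = {
    "JRNoChangeIdentity": "UPDATE access to BPX.SERVER in the FACILITY class "
                          "(READ if the server user ID is superuser)",
}

# The closing quote is optional because wrapped or truncated logs can lose it.
ERRNO_RE = re.compile(r"errno=(\d+);\s*errno2=x'([0-9a-fA-F]{8})'?")
REASON_RE = re.compile(r"\b(JR[A-Za-z0-9]+)\b")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_diag(line):
    """Return the errno/errno2 diagnostics found in one log line, or None."""
    m = ERRNO_RE.search(line)
    if m is None:
        return None
    errno2 = int(m.group(2), 16)
    reason = REASON_RE.search(line)
    stamp = TIMESTAMP_RE.match(line)
    return {
        "time": stamp.group(1) if stamp else None,
        "errno": int(m.group(1)),
        "qualifier": errno2 >> 16,        # high halfword: reason code qualifier
        "reason_code": errno2 & 0xFFFF,   # low halfword: reason code
        "reason_name": reason.group(1) if reason else None,
    }


def triage(lines):
    """Collect diagnostics and attach the required access when it is known."""
    findings = []
    for line in lines:
        diag = parse_diag(line)
        if diag is not None:
            diag["required_access"] = REMEDIATION.get(diag["reason_name"], "unknown")
            findings.append(diag)
    return findings


# Constructed sample lines, modeled on the output above and joined onto single lines.
SAMPLE_LOG = [
    "2019-11-20 02:34:30.105 <ZWEASA1:exec-9> SDKBLD1 ERROR EPERM JRNoChangeIdentity "
    "The invoker is not authorized to change MVS userids; errno=139; errno2=x'0be803d1",
    "2019-11-20 02:34:31.000 <ZWEASA1:exec-9> SDKBLD1 INFO request completed",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```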