Update AzureIstioSecurityFilter to exclude roles when setting authentication
Describe your changes
Change details:
AzureIstioSecurityFilter sets roles when setting authentication. Passing roles is redundant, as the Partition service does not perform role checks on the SA token. If a user accidentally assigns the roles, then AzureIstioSecurityFilter throws the following error. The issue itself is caused by the spring-boot upgrade, as mentioned in this post:
final JSONArray roles = Optional.ofNullable((JSONArray) claimsSet.getClaims().get("roles"))
        .filter(r -> !r.isEmpty())
        .orElse(DEFAULT_ROLE_CLAIM);
java.lang.ClassCastException
com.nimbusds.jose.shaded.json.JSONArray cannot be cast to net.minidev.json.JSONArray
What is the new/expected behavior? AzureIstioSecurityFilter doesn't set roles when setting authentication. This will have no impact, as the schema service does not perform role checks on the SA token. The schema service only authorizes tokens of type service principal with an issuer with a v1 or v2 AAD URL.
PR Checklist
- I have parameterized Cosmos DB queries in my code (if any) and confirm adherence to the guidelines.
One of the two following selections must be made. If the change is not merged back to OSDU Master, valid justification must be provided.
- I have created an MR into the OSDU Master branch with my changes. Link to MR: -
- Change is not able to be merged to OSDU Master. I have documented in PR code and description why it is not able to be merged back into OSDU Master:
Useful Links
AI description (iteration 1)
PR Classification
Bug fix
PR Summary
This pull request updates the AzureIstioSecurityFilter to exclude roles when setting authentication, addressing a 403 error on the Schema GET endpoint with Service Principal AAD Token.
- AzureIstioSecurityFilter.java: Removed role handling logic and related constants.
- AzureIstioSecurityFilterTest.java: Added new test cases to validate the updated behavior of AzureIstioSecurityFilter.
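An added example (not code from this merge request or the OSDU project) of the failure described in the change details: a claim value cast to one concrete JSONArray class breaks as soon as the JWT library returns a different list class, and only for tokens that actually carry roles. The nested classes, method names and the role value are constructed stand-ins, assumed here so the sketch runs with the JDK alone.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RolesClaimCastDemo {
    // Constructed stand-ins for the two unrelated JSONArray classes named in the error:
    // both are lists, but neither is a subtype of the other.
    static class ShadedJsonArray extends ArrayList<Object> {}   // plays com.nimbusds.jose.shaded.json.JSONArray
    static class MinidevJsonArray extends ArrayList<Object> {}  // plays net.minidev.json.JSONArray

    // Same shape as the snippet in the description: a cast to one concrete class.
    static List<Object> rolesByConcreteCast(Map<String, Object> claims) {
        return (MinidevJsonArray) claims.get("roles");
    }

    // Cast-free read: accept any Collection, keep only strings, default to empty.
    static List<String> rolesByInterface(Map<String, Object> claims) {
        List<String> roles = new ArrayList<>();
        Object raw = claims.get("roles");
        if (raw instanceof Collection<?>) {
            for (Object item : (Collection<?>) raw) {
                if (item instanceof String) {
                    roles.add((String) item);
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed claims: a token that had a role assigned, parsed by the "shaded" library.
        ShadedJsonArray parsed = new ShadedJsonArray();
        parsed.add("example.role");
        Map<String, Object> claims = new HashMap<>();
        claims.put("roles", parsed);

        try {
            rolesByConcreteCast(claims);
        } catch (ClassCastException e) {
            System.out.println("concrete cast failed: " + e.getMessage());
        }
        System.out.println("interface read: " + rolesByInterface(claims));
        // Without a roles claim the cast is applied to null and succeeds, so the bug stays hidden.
        System.out.println("no roles claim: " + rolesByConcreteCast(new HashMap<>()));
    }
}
```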