Upgrade to Cuba 7.2 from 7.1.4 admin access denied

Hi Team ,

before i mentioned on previous post regarding the upgrade , and how i make it work as per documentation Legacy Roles and Permissions

But now as per requirements we need to use new role - permission implementation , and when we remove the mentioned app.properties attributes we are getting

 Attempt of login to WEB for user 'RememberMeCredentials{login='admin'}' without cuba.gui.loginToClient permission
22:33:39.163 INFO  c.h.c.s.a.AuthenticationServiceBean     - Login failed: com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password 'admin'

Although as per new roles documentation System roles

system-full-accessrole gives all permissions and can be used for creating administrators having all rights to the application. The built-inadminuser has this role by default.

How can we make it work

Thanks

Hi,

just to confirm: your case is the following:

  1. You had a project on CUBA 7.1
  2. You’ve migrated it to CUBA 7.2 . Application properties that enable old (v1) security policy were added to the project
  3. Then in the migrated project you’ve decided to change the roles policy to the new version (v2)

Right?

If so, then you need to do the following:

  1. Remove application properties from the app.properties file:
cuba.security.rolesPolicyVersion=1
cuba.security.defaultPermissionValuesConfigEnabled=true
cuba.security.minimalRoleIsDefault=false
  1. Remove this property from web-app.properties:
cuba.rest.securityScope=GENERIC_UI
  1. And the last step: insert a SEC_USER_ROLE that assigns the system-full-access role to admin user:
insert into SEC_USER_ROLE (ID, CREATE_TS, VERSION, USER_ID, ROLE_NAME)
values ('6736effb-9dfc-4430-973a-69868606b09c', current_timestamp, 0, '60885987-1b61-4247-94c7-dff348347f93', 'system-full-access');

After that you will be able to login as admin and to rework your roles.

As for this:

system-full-access role gives all permissions and can be used for creating administrators having all rights to the application. The built-in admin user has this role by default.

That is true for projects created on CUBA 7.2. If they were migrated from 7.1 then admin doesn’t have the system-full-access role. This role must be explicitly assigned to him.

1 Like

Hi
I followed all the steps but couldn’t log-in. I tried both user: admin and pass: admin as well as user: admin and my password.

Where is the log:

22:47:13.432 [http-nio-8080-exec-31] WARN com.haulmont.cuba.security.auth.checks.ClientTypeUserAccessChecker - Attempt of login to WEB for user 'LoginPasswordCredentials{login='admin'}' without cuba.gui.loginToClient permission

This probably means that you didn’t assign a system-full-access role to the admin. Check it again. Maybe your admin user has a different id.

Hi Max
I have run the sql to update that you have provided. Note that I have multi tenants Add-on used in the project, is there anything Related to that may require additional update?