KMC and KMCng do not support KalturaAccessControlProfile instance?

t-saito · February 9, 2019, 6:59am

Hello.

accessControl service included in Kaltura Client Libraries is deprecated.
Therefore, we tried to adopt accessControlProfile service in our Moodle plugins.
As a result, the plugins worked normally, and the plugins could create new AccessControlProfile instance in our Kaltura server.
The plugins can read/write the instance of KalturaAccessControlProfile class, and access restrictions included in the profile were successfully applied to our media.

However, in the KMC and the KMCng, the access restriction of the KalturaAccessControlProfile instance is not displayed.
It looks like a profile with no restrictions.
And, we cannot edit / delete the instance through the KMC and the KMCng.

The KMC and the KMCng do not support the instance of KalturaAccessControlProfile class yet?

jess · February 11, 2019, 12:10pm

Hi @t-saito,

Both KMC and KMCng support the access control mechanism.
In order to help, I’ll need more info:

Please provide the code you’ve used to create the profile[s] and the response you got [you can call accesscontrolprofile->list() on the profiles in question if you haven’t saved the original response when calling add()]
Please provide a more detailed description of what you see [or don’t see] in KMC[ng]

Thanks,

t-saito · February 11, 2019, 1:24pm

Hello, @jess,

Thank you for your reply.

I have uninstalled the plugins from our moodle server for testing.
It takes days to re-install the plug-in and reproduce the problem.

I seem that the Kaltura CE sure support the “KalturaAccessControl” and the “KalturaAccessControlProfile” object.
And the KMC and KMCng support the access control mechanism which uses the “KalturaAccessControl” class.
When we created new access control profile through the KMC and the KMCng, the created profile is an instance of the “KalturaAccessControl” class.
So, we cannot create an instance of the “KalturaAccessCtonrolProfile” class through the KMC and the KMCng.

Also, the KMC and KMCng can edit/delete instances of the “KalturaAccessControl” class, but these cannot edit/delete instances of the “KalturaAccessControlProfile” class.
Because, the format of the constraint is different between the “KalturaAccessControl” class and the “KalturaAccessControlProfile” class.
The “KalturaAccessControl” class handles restrictions by using an array of the instance of “KalturaBaseRestriction” class.
On the other hand, the “KalturaAccessControlProfile” class handles restrictions by using an array of the instance of “KalturaRule” class.
Therefore, in these two class instances, the format of the data recorded in the database is also different.

The KMC and the KMCng can handle instances of the “KalturaRule” and “KalturaBaseRestriction” at the same time?
When users create new access control profile through the KMC or the KMCng, how can users choose between using the “KalturaRule” or “KalturaBaseRestriction”?

Regarads,

t-saito · February 12, 2019, 1:14pm

Hello, @jess,

I created a PHP script which adds new access control profile by using the accessControlProfile service and the KalturaAccessControlProfile class.

<?php

require_once("API/KalturaClient.php");

// Your Kaltura account Id (aka partnerId), taken from KMC>Settings>Integration Settings.
// define("KALTURA_PARTNER_ID", 000);
define("KALTURA_PARTNER_ID", "101");

// Make sure to replace "myUploaderUser@domain.com" with your system user id.
// When allowing anonymous uploads, make sure to create a new user in the Kaltura system that has only upload permissions, then set partnerUserID to the that user.
// define("KALTURA_PARTNER_USER_ID", 'myUploaderUser@domain.com');
define("KALTURA_PARTNER_USER_ID", "username@mykalturaserver.com");

// Taken from KMC>Settings>Integration Settings.
// define("KALTURA_PARTNER_WEB_SERVICE_SECRET", '');
define("KALTURA_PARTNER_WEB_SERVICE_SECRET", "mysecret0123456789abcdef");

// Kaltura service URL (can be changed to work with on-prem deployments).
//define("KALTURA_SERVICE_URL", 'https://corp.kaltura.com/');
define("KALTURA_SERVICE_URL", "https://mykaltuarserver.com");

// Session length (seconds)
define("SESSION_LENGTH", 86400);

// Maximum number of entries per page.
define("MAX_PAGE_SIZE", 500);

// Root category name
define("ROOT_CATEGORY_NAME", "Moodle");

$kalturahost = KALTURA_SERVICE_URL;

while (substr($kalturahost, -1) == "/") {
    $kalturahost = substr($kalturahost, 0, strlen($kalturahost) - 1);
}

try {
    // Construction of Kaltura object.
    $config = new KalturaConfiguration(KALTURA_PARTNER_ID);
    $config->serviceUrl = KALTURA_SERVICE_URL;
    // Construction of Kaltura Client object.
    $client = new KalturaClient($config);

    if (empty($client)) {
       echo 'Cannot connect to ' . $kalturahost . PHP_EOL;
    } else {
        // Start kaltura session.
        $ks = $client->session->start(KALTURA_PARTNER_WEB_SERVICE_SECRET,
                                      KALTURA_PARTNER_USER_ID,
                                      KalturaSessionType::ADMIN,
                                      KALTURA_PARTNER_ID,
                                      SESSION_LENGTH);

        if (!$ks) {
            echo 'Cannot start a session' . PHP_EOL;
        } else {  // When connection started.
            $client->setKs($ks);

            $control = new KalturaAccessControlProfile();

            try {
                $control->name = 'Internal Access 2';
                $control->systemName = 'moodleprofile 2';
                $control->description = 'Access conrtorl for internal only';
                $control->isDefault = KalturaNullableBoolean::NULL_VALUE;
                $control->relatedObjects = null;

                $rule = new KalturaRule();
                $rule->description = null;
                $rule->ruleData = null;
                $rule->message = null;
                $rule->code = null;

                $action = new KalturaAccessControlBlockAction;
                $action->type = KalturaRuleActionType::BLOCK;
                $action->relatedObjects = null;
                $rule->actions = array($action);

                $conditionarray = array();
                $condition = new KalturaIpAddressCondition();


                $value = new KalturaStringValue();
                $value->value = '133.62.0.0/16';
                $value->description = null;
                $value->relatedObjects = null;
                $condition->values[] = $value;

                $value = new KalturaStringValue();
                $value->value = '10.0.0.0/8';
                $value->description = null;
                $value->relatedObjects = null;
                $condition->values[] = $value;

                $value = new KalturaStringValue();
                $value->value = '172.16.0.0/12';
                $value->description = null;
                $value->relatedObjects = null;
                $condition->values[] = $value;

                $value = new KalturaStringValue();
                $value->value = '192.168.0.0/16';
                $value->description = null;
                $value->relatedObjects = null;
                $condition->values[] = $value;

                $condition->httpHeader = null;
                $condition->acceptInternalIps = null;
                $condition->matchType = KalturaMatchConditionType::MATCH_ALL;
                $condition->type = KalturaConditionType::IP_ADDRESS;
                $condition->description = null;
                $condition->not = true;
                $condition->relatedObjects = null;
                $conditionarray[] = $condition;

                $rule->conditions = $conditionarray;

                $contextarray = array();

                $context = new KalturaContextTypeHolder();
                $context->type = KalturaContextType::PLAY;
                $context->relatedObjects = null;
                $contextarray[] = $context;

                $context = new KalturaContextTypeHolder();
                $context->type = KalturaContextType::DOWNLOAD;
                $context->relatedObjects = null;
                $contextarray[] = $context;

                $rule->contexts = $contextarray;

                $rule->stopProcessing = null;
                $rule->forceAdminValidation = null;
                $rule->relatedObjects = null;

                $control->rules = array($rule);

                $control = $client->accessControlProfile->add($control);
            } catch (Exception $ex) {
                echo $ex->getMessage();
            }

            $result = $client->accessControlProfile->listAction();
            print_r($result);

            $client->session->end();
        }
    }
} catch(Exception $ex) {
    echo $ex->getMessage();
}

Then, I executed this script.
“accessControlProfile->listAction()” displayed the following results.

In the results, the profile (id=8) is added by using the accessControl service and the KalturaAccessControl class.
And, the profile (id=10) is added by using the PHP script described above.
I wrote this script so that the similar content as the profile (id=8) is displayed.

When I log-in to the KMCng, the list of the access control profiles was displayed as follows.

So, the profile (id=10, named “Internal Access 2”) seems to have no IP address restrictions.
Then, I opend an edit dialog.
Like the list screen, the profile (id=10, named “Internal Access 2”) seems to have no IP address restrictions.

kmcng02

So that, I added IP address restrictions and tried to save the profile.
Then, the following error message wad displayed.

And, I tried to delete the profile (id=10).
Then, the following error message wad displayed.

When the profile (id=10) wad generated by the PHP script, the IP address restrictions of the profile were safely stored in access_control table.

MariaDB [kaltura]> select * from access_control where id=10 \G
*************************** 1. row ***************************
                    id: 10
            partner_id: 101
                  name: Internal Access 2
           system_name: moodleprofile 2
           description: Access conrtorl for internal only
            created_at: 2019-02-12 21:09:50
            updated_at: 2019-02-12 21:09:50
            deleted_at: NULL
    site_restrict_type: NULL
    site_restrict_list: NULL
 country_restrict_type: NULL
 country_restrict_list: NULL
 ks_restrict_privilege: NULL
prv_restrict_privilege: NULL
   prv_restrict_length: NULL
    kdir_restrict_type: NULL
           custom_data: a:3:{s:22:"rules_array_compressed";b:0;s:18:"special_properties";a:1:{s:27:"SERVE_FROM_SERVER_NODE_RULE";b:0;}s:7:"ip_tree";N;}
                 rules: a:1:{i:0;O:5:"kRule":9:{s:11:"description";N;s:8:"ruleData";N;s:13:" * conditions";a:1:{i:0;O:19:"kIpAddressCondition":9:{s:20:" * acceptInternalIps";N;s:13:" * httpHeader";N;s:9:" * values";a:4:{i:0;O:12:"kStringValue":2:{s:8:" * value";s:13:"133.62.0.0/16";s:14:" * description";N;}i:1;O:12:"kStringValue":2:{s:8:" * value";s:10:"10.0.0.0/8";s:14:" * description";N;}i:2;O:12:"kStringValue":2:{s:8:" * value";s:13:"172.16.0.0/12";s:14:" * description";N;}i:3;O:12:"kStringValue":2:{s:8:" * value";s:14:"192.168.0.0/16";s:14:" * description";N;}}s:12:" * matchType";s:1:"2";s:16:" * dynamicValues";N;s:7:" * type";i:3;s:14:" * description";N;s:6:" * not";b:1;s:18:" * extraProperties";a:0:{}}}s:10:" * message";N;s:7:" * code";N;s:10:" * actions";a:1:{i:0;O:11:"kRuleAction":1:{s:7:" * type";i:1;}}s:11:" * contexts";a:2:{i:0;s:1:"1";i:1;s:1:"2";}s:17:" * stopProcessing";N;s:23:" * forceAdminValidation";N;}}

For reference, I also post the record of the profile (id=8).

MariaDB [kaltura]> select * from access_control where id=8 \G
*************************** 1. row ***************************
                    id: 8
            partner_id: 101
                  name: Internal Access
           system_name: moodleprofile
           description: Access conrtorl for internal only
            created_at: 2019-01-05 20:57:23
            updated_at: 2019-01-05 22:02:41
            deleted_at: NULL
    site_restrict_type: NULL
    site_restrict_list: NULL
 country_restrict_type: NULL
 country_restrict_list: NULL
 ks_restrict_privilege: NULL
prv_restrict_privilege: NULL
   prv_restrict_length: NULL
    kdir_restrict_type: NULL
           custom_data: a:3:{s:22:"rules_array_compressed";b:0;s:18:"special_properties";a:1:{s:27:"SERVE_FROM_SERVER_NODE_RULE";b:0;}s:7:"ip_tree";N;}
                 rules: a:1:{i:0;O:34:"kAccessControlIpAddressRestriction":10:{s:11:"description";N;s:8:"ruleData";N;s:13:" * conditions";a:1:{i:0;O:19:"kIpAddressCondition":9:{s:20:" * acceptInternalIps";N;s:13:" * httpHeader";N;s:9:" * values";a:4:{i:0;O:12:"kStringValue":2:{s:8:" * value";s:13:"133.62.0.0/16";s:14:" * description";N;}i:1;O:12:"kStringValue":2:{s:8:" * value";s:10:"10.0.0.0/8";s:14:" * description";N;}i:2;O:12:"kStringValue":2:{s:8:" * value";s:13:"172.16.0.0/12";s:14:" * description";N;}i:3;O:12:"kStringValue":2:{s:8:" * value";s:14:"192.168.0.0/16";s:14:" * description";N;}}s:12:" * matchType";i:2;s:16:" * dynamicValues";N;s:7:" * type";i:3;s:14:" * description";N;s:6:" * not";b:1;s:18:" * extraProperties";a:0:{}}}s:10:" * message";N;s:7:" * code";N;s:10:" * actions";a:1:{i:0;O:20:"kAccessControlAction":1:{s:7:" * type";i:1;}}s:11:" * contexts";a:2:{i:0;i:1;i:1;i:2;}s:17:" * stopProcessing";N;s:23:" * forceAdminValidation";N;s:8:" * scope";N;}}

And, the profile (id=10) can work correctly and we can edit/delete the profile through PHP scripts.
We use the Kaltura CE 14.8.0 (cluster) and 14.10.0 (single server).
Both servers encounter this problem.

On the other hand, after I created the profile which has no restrictions thorugh a PHP script, I can edit the profile through the KMCng and the KMC.

Best regards