# ACL System User Authentication Fix

## Problem
The ValkyrAI system was encountering ACL (Access Control List) errors during workflow initialization when the workflow-scheduler-initializer background thread attempted to create and save workflow objects. The error manifested as:
```text
No authenticated user found; cannot add ACL permissions for object: valkyr-assistant
No authenticated user found; cannot set ownerId on object: valkyr-system
```

## Root Cause Analysis
The issue occurred because:

- **SecurityContext Mismatch**: The `WorkflowController.onApplicationReady()` method was setting up a `TestingAuthenticationToken` with a String principal (`"system"`), but the ACL system's `ValkyrACLBase.getThorUser()` method expected a `ThorUser` object as the principal.
- **Thread Context Issue**: The ACL system was designed for web request contexts, but the workflow initialization runs in a background thread (`workflow-scheduler-initializer`) without a proper web request context.
- **Authentication Type Incompatibility**: The ACL aspects (`ValkyrACLCreateAspect`) intercept save operations and attempt to set ownership properties and permissions, but could not find a proper `ThorUser` in the SecurityContext.
## Solution Implementation

### 1. SystemUserService Creation

Created a new `SystemUserService` that handles the creation and management of system users for background operations:

Key Features:

- Creates or retrieves proper `ThorUser` objects for system operations
- Manages system and assistant user contexts
- Maintains ACL integrity while supporting system operations
- Provides clean SecurityContext setup and teardown

System Users:

- `valkyr-system`: Full privileges (ROLE_SYSTEM, ROLE_ADMIN, ROLE_WORKFLOW, ROLE_EVERYONE)
- `valkyr-assistant`: Limited privileges (ROLE_ASSISTANT, ROLE_WORKFLOW, ROLE_EVERYONE)
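The following is an added, self-contained example (not the ValkyrAI project's own code) that reproduces the principal-type mismatch described under Root Cause Analysis and shows the shape of the `SystemUserService` fix described above. `ThorUser` is a stand-in class assumed here, `getThorUser()` imitates the check the page attributes to `ValkyrACLBase.getThorUser()`, and the service's method names and role sets are taken from the page; everything else is an assumption. It also shows why the context must be set inside the background thread: Spring Security's default `SecurityContextHolder` strategy is thread-local, so a context set on the main thread is not visible to a new `Thread`.

```java
// Added example, not project code. ThorUser and SystemUserService here are
// assumed stand-ins whose names follow the page; Spring Security classes are real.
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SystemContextDemo {

    /** Hypothetical stand-in for the project's ThorUser principal type. */
    static final class ThorUser {
        private final String username;
        ThorUser(String username) { this.username = username; }
        String getUsername() { return username; }
    }

    /**
     * Imitates the ACL base check: only a ThorUser principal counts as an
     * authenticated user. A String principal (as TestingAuthenticationToken
     * carried before the fix) resolves to null, which is the logged failure.
     */
    static ThorUser getThorUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof ThorUser)) {
            return null;
        }
        return (ThorUser) auth.getPrincipal();
    }

    /** Assumed minimal shape of the SystemUserService described on the page. */
    static final class SystemUserService {
        void setupSystemContext() {
            setContext("valkyr-system", "ROLE_SYSTEM", "ROLE_ADMIN", "ROLE_WORKFLOW", "ROLE_EVERYONE");
        }

        void setupAssistantContext() {
            setContext("valkyr-assistant", "ROLE_ASSISTANT", "ROLE_WORKFLOW", "ROLE_EVERYONE");
        }

        void clearContext() {
            SecurityContextHolder.clearContext();
        }

        private void setContext(String username, String... roles) {
            List<GrantedAuthority> authorities = Arrays.stream(roles)
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toList());
            // The principal is a ThorUser object, not a String, so ACL aspects can resolve it.
            // The three-argument constructor marks the token as authenticated.
            Authentication auth =
                    new UsernamePasswordAuthenticationToken(new ThorUser(username), null, authorities);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Before the fix: a String principal, which the ACL check cannot use.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("system", null, "ROLE_SYSTEM"));
        System.out.println("String principal resolves to: " + getThorUser());
        SecurityContextHolder.clearContext();

        // After the fix: set up the context inside the worker thread itself. The default
        // holder strategy is MODE_THREADLOCAL, so nothing set on the caller carries over.
        SystemUserService service = new SystemUserService();
        Thread worker = new Thread(() -> {
            service.setupSystemContext();
            try {
                ThorUser user = getThorUser();
                System.out.println("Worker thread principal: "
                        + (user == null ? "none" : user.getUsername()));
            } finally {
                // Always clear, so a privileged context never outlives the operation
                // (important if the thread is ever pooled and reused).
                service.clearContext();
            }
        }, "workflow-scheduler-initializer");
        worker.start();
        worker.join();
    }
}
```

Compile against spring-security-core and run `SystemContextDemo` to see the first lookup fail and the worker-thread lookup succeed. The `try`/`finally` around `clearContext()` is the part worth copying: the system principal carries ROLE_ADMIN, so leaving it on a thread after the work is done would let later, unrelated code run with elevated privileges.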
### 2. WorkflowController Update

Updated the `WorkflowController.onApplicationReady()` method to use the new `SystemUserService`:

```java
@EventListener(ApplicationReadyEvent.class)
public void onApplicationReady() {
    new Thread(() -> {
        try {
            // Set up proper system SecurityContext with ThorUser for ACL compatibility
            systemUserService.setupSystemContext();
            logger.info("Loading workflow schedules after ApplicationReadyEvent");
            valkyrWorkflowService.loadWorkflowSchedules();
            logger.info("Workflow schedules loaded successfully");
        } catch (Exception e) {
            logger.error("Failed to load workflow schedules on ApplicationReadyEvent", e);
        } finally {
            // Always tear down the privileged context, even on failure
            systemUserService.clearContext();
        }
    }, "workflow-scheduler-initializer").start();
}
```
### 3. Comprehensive Testing

Created `SystemUserServiceTest` with complete unit test coverage:

- System user creation (existing and new users)
- Assistant user creation
- SecurityContext setup and teardown
- Authority verification
- Error handling scenarios
## Technical Benefits

- **ACL Compatibility**: The ACL system now receives proper `ThorUser` objects and can successfully create ownership records and permissions.
- **Security Integrity**: System operations maintain a proper authentication context while preserving the ACL security model.
- **Separation of Concerns**: Clear distinction between system, assistant, and user privilege levels.
- **Testability**: Fully unit tested with comprehensive coverage of edge cases.
- **Maintainability**: Clean, documented service that can be reused for other system operations.
## Usage Pattern

For any background operation that needs system privileges:

```java
@Autowired
private SystemUserService systemUserService;

// For system-level operations
systemUserService.setupSystemContext();
try {
    // Perform system operations that require ACL
    service.saveSystemObject(object);
} finally {
    systemUserService.clearContext();
}

// For assistant-level operations
systemUserService.setupAssistantContext();
try {
    // Perform assistant operations
    workflowService.executeWorkflow(workflow);
} finally {
    systemUserService.clearContext();
}
```
## Files Modified

- New: `valkyrai/src/main/java/com/valkyrlabs/valkyrai/service/SystemUserService.java`
- New: `valkyrai/src/test/java/com/valkyrlabs/valkyrai/service/SystemUserServiceTest.java`
- Modified: `valkyrai/src/main/java/com/valkyrlabs/workflow/controller/WorkflowController.java`
## Testing

Run the new unit tests to verify the fix:

```bash
mvn test -Dtest=SystemUserServiceTest
```
## Deployment Notes

- The fix is backward compatible and doesn't require database schema changes
- System users (`valkyr-system` and `valkyr-assistant`) will be created automatically on first use
- Existing ACL data remains unaffected
- No configuration changes required
## Monitoring

After deployment, monitor for:

- Absence of "No authenticated user found" ACL errors in workflow initialization logs
- Successful creation of system user principals in the database
- Normal workflow scheduling and execution without ACL-related failures
This fix ensures that ValkyrAI system operations can successfully integrate with the ACL security model while maintaining proper authentication context for all background operations.