Bug 1012571
Summary: | RBAC: Missing server controls in topology view for Host scoped roles | ||
---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Jakub Cechacek <jcechace> |
Component: | Web Console | Assignee: | Harald Pehl <hpehl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Jakub Cechacek <jcechace> |
Severity: | urgent | Docs Contact: | Russell Dickenson <rdickens> |
Priority: | unspecified | ||
Version: | 6.2.0 | CC: | brian.stansberry, emuckenh, hbraun, jdoyle, jkudrnac, lthon, myarboro |
Target Milestone: | CR1 | ||
Target Release: | EAP 6.2.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | Doc Type: | Known Issue | |
Last Closed: | 2013-12-15 16:18:11 UTC | Type: | Bug |
Bug Blocks: | 1024560 |
Description
Jakub Cechacek
2013-09-26 16:27:06 UTC
Heiko Braun <ike.braun> made a comment on jira HAL-221

[~bstansberry] Can you comment on this? The permission metadata is incorrect, although the op (restart at least) works:

    [domain@localhost:9999 /] /host=master/server-config=server-one:read-resource-description(operations=true,access-control=trim-descriptions){roles=test}
    {
        "outcome" => "success",
        "result" => {
            "description" => undefined,
            "attributes" => undefined,
            "operations" => undefined,
            "children" => {
                "system-property" => {"model-description" => undefined},
                "interface" => {"model-description" => undefined},
                "jvm" => {"model-description" => undefined},
                "path" => {"model-description" => undefined}
            },
            "access-control" => {
                "default" => {
                    "read" => true,
                    "write" => false,
                    "attributes" => { .... },
                    "operations" => {
                        "read-children-names" => {"execute" => true},
                        "stop" => {"execute" => false},
                        "read-operation-description" => {"execute" => true},
                        "restart" => {"execute" => false},
                        "remove" => {"execute" => false},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => false},
                        "read-attribute" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "read-children-types" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "undefine-attribute" => {"execute" => true},
                        "read-children-resources" => {"execute" => true},
                        "start" => {"execute" => false},
                        "write-attribute" => {"execute" => true}
                    }
                },
                "exceptions" => {}
            }
        }
    }

    [domain@localhost:9999 /] /host=master/server-config=server-one:restart{roles=test}
    {
        "outcome" => "success",
        "result" => "STARTING"
    }

The "test" role was a server-group-scoped-role based on "Operator."

Looks like it's not fixed. I'll therefore reset it to "assigned"
Heiko Braun <ike.braun> made a comment on jira HAL-221

[~bstansberry] I was looking at the PR again. It seems you've fixed the server-config:<start|stop> permissions, but not server-group:<start-servers|stop-servers> one. Hence this issue still exists.

Weird. The update I did to the metadata covered the server-group ones as well. And the handlers for the ops already had the appropriate calls to trigger an authz check.

Links are still missing when logged in as Host Scoped role

Heiko Braun <ike.braun> updated the status of jira HAL-221 to Resolved

This may not be an RBAC bug per se or about host scoped roles. There's a flaw in how operation description metadata was created that resulted in the flag that states these are RUNTIME_ONLY getting dropped: https://issues.jboss.org/browse/WFLY-2390

The effect of that is no Operator role (base or scoped) would be shown as having permissions for these ops.

https://github.com/jbossas/jboss-eap/pull/639 addresses the WFLY-2390 issue and allows the Operator role to be able to start/stop, etc. There's some test issue we're sorting on that PR this morning, but it basically works.

However, for host scoped roles, the console still doesn't show the UI elements needed. When I test via the CLI I see "execute" => "true" for all of these in the r-r-d response for /host=xxx/server-config=yyy. So, I'm assigning this back to the console team. If there's something not correct in the r-r-d response that I missed, please let me know.

Harald Pehl <hpehl> updated the status of jira HAL-221 to Reopened

Harald Pehl <hpehl> made a comment on jira HAL-221

Reopened as https://github.com/jbossas/jboss-eap/pull/639 is merged.

Harald Pehl <hpehl> updated the status of jira HAL-221 to Coding In Progress

Harald Pehl <hpehl> updated the status of jira HAL-221 to Resolved

Harald Pehl <hpehl> made a comment on jira HAL-221

Host and server group scoped roles show the right lifecycle links now. However, if a principal is assigned to several scoped roles it might be that links are visible, but the user does not have the right for the underlying operation. In that case clicking on the link will result in an error message (which is still better than not seeing the link at all). A real solution is targeted with HAL-290.

Moving to CR1 as ER7 was already tagged.

Verified with 6.2.0.CR1 preview
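
The mismatch reported in the first comment (the metadata advertises restart as not executable, yet the operation succeeds) can be checked mechanically by comparing the advertised "execute" flags with observed outcomes. This is an added example, not code from the thread or from the JBoss project; the sample text is a trimmed, constructed copy of the quoted CLI output without the elided "attributes" block, and `parse_dmr` and `metadata_mismatches` are hypothetical helper names.

```python
import re

# Constructed sample: trimmed copy of the CLI output quoted in the thread.
RRD_TEXT = '''
{ "outcome" => "success",
  "result" => {
    "description" => undefined,
    "access-control" => {
      "default" => {
        "read" => true, "write" => false,
        "operations" => {
          "stop" => {"execute" => false},
          "restart" => {"execute" => false},
          "read-resource" => {"execute" => true} } },
      "exceptions" => {} } } }
'''
TOKEN = re.compile(r'\s*(=>|[{},]|"(?:[^"\\]|\\.)*"|[A-Za-z]+)')

def parse_dmr(text):
    """Parse the object/string/boolean subset of jboss-cli DMR text output."""
    tokens, pos = TOKEN.findall(text), 0
    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            obj = {}
            while tokens[pos] != "}":
                key = tokens[pos][1:-1]   # strip the quotes from the key
                pos += 2                  # skip the key and the "=>" after it
                obj[key] = value()
                if tokens[pos] == ",":
                    pos += 1
            pos += 1                      # consume the closing brace
            return obj
        if tok.startswith('"'):
            return tok[1:-1]
        return {"true": True, "false": False, "undefined": None}[tok]
    return value()

def metadata_mismatches(rrd, observed):
    """List ops whose advertised "execute" flag disagrees with what happened."""
    ops = rrd["result"]["access-control"]["default"]["operations"]
    found = []
    for op, outcome in observed.items():
        advertised = bool(ops.get(op, {}).get("execute"))
        if advertised != (outcome == "success"):
            found.append((op, advertised, outcome))
    return found

print(metadata_mismatches(parse_dmr(RRD_TEXT), {"restart": "success"}))
```

The same comparison covers the opposite case described in the last comment, where a link is shown but the underlying operation is refused for the principal.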