Bug 1012592

Summary: RBAC: deployer role can't create new deployment
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Jakub Cechacek <jcechace>
Component: Web ConsoleAssignee: Heiko Braun <hbraun>
Status: CLOSED CURRENTRELEASE QA Contact: Jakub Cechacek <jcechace>
Severity: urgent Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.2.0CC: brian.stansberry, dosoudil, hbraun, hpehl, jkudrnac, myarboro
Target Milestone: ER4   
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:15:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1010473, 1014047    

Description Jakub Cechacek 2013-09-26 17:13:41 UTC 
The deployer role can't create (upload to content repository) new deployment. By the name of this role I would expect that at least global deployer is able to do so.
Comment 1 Brian Stansberry 2013-09-26 17:14:58 UTC 
If you have the low level op details, that would be helpful, as this sounds more like a server-side problem.
Comment 2 Jakub Cechacek 2013-09-26 17:48:26 UTC 
Brian: unfortunately that's all I've got. You will have to ask Heiko about what is going on under the hood
Comment 3 Brian Stansberry 2013-09-26 22:09:33 UTC 
WFLY-1916 seems to indicate the opposite problem from the description of this one.

No matter, though. I'm going to assume this is a server-side constraints issue and dig into it. I'd change the component to Domain Management but don't want to screw up the flags.
Comment 4 Heiko Braun 2013-09-27 05:23:05 UTC 
Why do you think it's the opposite of WFLY-1916?
Comment 6 Brian Stansberry 2013-09-27 12:53:00 UTC 
(In reply to Heiko Braun from comment #4)
> Why do you think it's the opposite of WFLY-1916?

The comment on WFLY-1916 implies the global deployment resources are OK but you had an issue with the server-group resources:

"the deplyer requires write access to:
a) /server-group=*
b) /deployment=*
But currently only the later seems to be given."

This description of this BZ discusses file uploads, which relates to the global level.

So not really the opposite, just different.

You assigned this to yourself but I'll look into it anyway. This general area could stand a bit more testing, so not a waste.
Comment 7 Brian Stansberry 2013-09-30 21:50:14 UTC 
I was looking into Deployer role perms a bit and I discovered that actually the upload ops were insufficiently restrictive, not overly restrictive. That is, any role could upload content to the deployment repo and get back a hash for that content. That is, use the upload-deployment-[bytes|stream|url] ops. That's different from being able to create a deployment=xxx resource referencing that content though.

https://github.com/bstansberry/wildfly/commits/WFLY-2179 has the fix (and test) for that. Before I send a PR for that though I'd like to know it doesn't break the console.
Comment 8 Heiko Braun 2013-10-01 11:25:06 UTC 
accidentally removed the blocker
Comment 10 Vladimir Dosoudil 2013-10-01 12:07:21 UTC 
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626).
There's no PR to eap 6.x github repo https://github.com/jbossas/jboss-eap/
Comment 11 Vladimir Dosoudil 2013-10-01 12:49:03 UTC 
The umbrella issue 1014047 is available now.
Comment 12 Jakub Cechacek 2013-10-04 10:50:02 UTC 
Verified 6.2.0.ER3
Comment 17 Red Hat Bugzilla 2023-09-14 01:51:10 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days