Bug 1014271
Summary: | RBAC: Removing role with "include-all" | ||
---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Jakub Cechacek <jcechace> |
Component: | Web Console | Assignee: | Harald Pehl <hpehl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Jakub Cechacek <jcechace> |
Severity: | urgent | Docs Contact: | Russell Dickenson <rdickens> |
Priority: | unspecified | ||
Version: | 6.2.0 | CC: | brian.stansberry, hpehl, jcechace, jkudrnac, lthon |
Target Milestone: | ER7 | ||
Target Release: | EAP 6.2.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
Cause:
Consequence:
Workaround (if any):
Results:
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2013-12-15 16:18:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jakub Cechacek
2013-10-01 15:18:30 UTC
Cannot reproduce with "jboss-eap-6.2.0-ER3.1". If you try to delete a scoped role (include-all flag does not matter) which is used in a role maping there is an error saying "cannot delete role because it's used in n role mapping(s)". If the scoped role is not used in any role mappings, it is successfully deleted. We decided to not automatically delete role mappings containing a scoped role the user is about to delete. As the role mappings might also contain other (scoped) roles, it's better to bring up an error IMHO. That's exactly a problem that the "include-all" attribute doesn't matter. The role itself is deleted (even though the error is indeed there). However it will be kept in <role-mapping/> section. I've observed that role mappings done through "include-all" attribute seem to require server restart. Consequently after you delete the role with "include-add" and restart EAP there will be errors due to invalid role mapping (as the role doesn't exist, however the mapping element is still present in configuration) Harald Pehl <hpehl> made a comment on jira HAL-239 Can confirm the error now. Will provide a fix ASAP Harald Pehl <hpehl> updated the status of jira HAL-239 to Coding In Progress Harald Pehl <hpehl> made a comment on jira HAL-239 Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270 Harald Pehl <hpehl> made a comment on jira HAL-239 Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270. That is if you want to delete a scoped role, make sure it does not have the include-all flag set. Otherwise the console runs into the error described at WFLY-2270. Harald Pehl <hpehl> made a comment on jira HAL-239 Added workaround to the console: Whenever one deletes a scoped role which has include-all=true, the include-all flag is set to false in an extra DMR operation, before the actual scoped role is removed. Harald Pehl <hpehl> updated the status of jira HAL-239 to Resolved Harald Pehl <hpehl> made a comment on jira HAL-239 Resolved with workaround (see last comment) Fixed in HAL 2.0.5.Final Verified 6.2.0.ER7 |