Bug 1014271

Summary: RBAC: Removing role with "include-all"
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Jakub Cechacek <jcechace>
Component: Web Console
Assignee: Harald Pehl <hpehl>
Status: CLOSED CURRENTRELEASE
QA Contact: Jakub Cechacek <jcechace>
Severity: urgent
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.2.0
CC: brian.stansberry, hpehl, jcechace, jkudrnac, lthon
Target Milestone: ER7
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Last Closed: 2013-12-15 16:18:50 UTC
Type: Bug

Description Jakub Cechacek 2013-10-01 15:18:30 UTC
Description of problem:
When trying to remove a scoped role with the "include-all" option active, a "Failed to remove TestRole" error is thrown even though the role is deleted. This might be a consequence of an unsuccessful attempt to remove the role mapping.

The following error can be seen in the console:
http://pastebin.test.redhat.com/167346

Steps to Reproduce:
1. Create a new scoped role with "include-all" active
2. Try to remove the role previously created

Actual results:
Inconsistent access control configuration -- the role mapping is left in the configuration

Expected results:
Both the role and its mapping are removed

Comment 1 Harald Pehl 2013-10-02 09:43:45 UTC
Cannot reproduce with "jboss-eap-6.2.0-ER3.1". If you try to delete a scoped role (include-all flag does not matter) which is used in a role mapping, there is an error saying "cannot delete role because it's used in n role mapping(s)". If the scoped role is not used in any role mappings, it is successfully deleted.

We decided to not automatically delete role mappings containing a scoped role the user is about to delete. As the role mappings might also contain other (scoped) roles, it's better to bring up an error IMHO.

Comment 2 Jakub Cechacek 2013-10-03 08:13:26 UTC
That's exactly the problem, that the "include-all" attribute doesn't matter. The role itself is deleted (even though the error is indeed there). However, it will be kept in the <role-mapping/> section.

I've observed that role mappings done through the "include-all" attribute seem to require a server restart. Consequently, after you delete the role with "include-all" and restart EAP, there will be errors due to the invalid role mapping (as the role doesn't exist, however the mapping element is still present in the configuration).

Comment 3 JBoss JIRA Server 2013-10-04 10:29:05 UTC
Harald Pehl <hpehl> made a comment on jira HAL-239

Can confirm the error now. Will provide a fix ASAP

Comment 4 JBoss JIRA Server 2013-10-08 08:52:44 UTC
Harald Pehl <hpehl> updated the status of jira HAL-239 to Coding In Progress

Comment 5 JBoss JIRA Server 2013-10-09 13:56:58 UTC
Harald Pehl <hpehl> made a comment on jira HAL-239

Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270

Comment 6 JBoss JIRA Server 2013-10-09 13:58:40 UTC
Harald Pehl <hpehl> made a comment on jira HAL-239

Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270. That is, if you want to delete a scoped role, make sure it does not have the include-all flag set. Otherwise the console runs into the error described at WFLY-2270.

Comment 7 JBoss JIRA Server 2013-10-09 14:14:42 UTC
Harald Pehl <hpehl> made a comment on jira HAL-239

Added workaround to the console: Whenever one deletes a scoped role which has include-all=true, the include-all flag is set to false in an extra DMR operation, before the actual scoped role is removed.

Comment 8 JBoss JIRA Server 2013-10-09 14:23:28 UTC
Harald Pehl <hpehl> updated the status of jira HAL-239 to Resolved

Comment 9 JBoss JIRA Server 2013-10-09 14:23:28 UTC
Harald Pehl <hpehl> made a comment on jira HAL-239

Resolved with workaround (see last comment)

Comment 10 Harald Pehl 2013-10-29 13:49:35 UTC
Fixed in HAL 2.0.5.Final

Comment 11 Jakub Cechacek 2013-10-31 12:49:30 UTC
Verified 6.2.0.ER7
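
Comments 2 and 7 describe a role mapping that survives the removal of its scoped role. The Python check below is an added example, not part of the bug report or of the HAL/EAP code: it flags such orphaned mappings in a management configuration and lists scoped roles still mapped with include-all. The XML is constructed, its namespace is a placeholder, and the element layout (`role-mapping`, `server-group-scoped-roles`, `host-scoped-roles`) and case-insensitive role-name matching are assumptions.

```python
import xml.etree.ElementTree as ET

# The seven standard RBAC roles always exist, so their mappings are never orphaned.
STANDARD_ROLES = {"monitor", "operator", "maintainer", "deployer",
                  "auditor", "administrator", "superuser"}

# Constructed sample (not from the bug report): scoped role TestRole has been
# removed, but its include-all mapping is still present. Namespace is a placeholder.
SAMPLE = """<domain xmlns="urn:example:constructed">
 <management>
  <access-control provider="rbac">
   <server-group-scoped-roles>
    <role name="GroupAOps" base-role="Operator">
     <server-group name="group-a"/>
    </role>
   </server-group-scoped-roles>
   <role-mapping>
    <role name="SuperUser"><include><user name="$local"/></include></role>
    <role name="GroupAOps" include-all="true"/>
    <role name="TestRole" include-all="true"/>
   </role-mapping>
  </access-control>
 </management>
</domain>"""

def local(tag):
    """Drop the '{namespace}' prefix so the check is schema-version agnostic."""
    return tag.rsplit("}", 1)[-1]

def audit_role_mappings(xml_text):
    """Return (orphaned mappings, scoped roles mapped with include-all=true)."""
    scoped, mappings = set(), []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) in ("server-group-scoped-roles", "host-scoped-roles"):
            scoped |= {r.get("name", "").lower() for r in el if local(r.tag) == "role"}
        elif local(el.tag) == "role-mapping":
            mappings += [r for r in el if local(r.tag) == "role"]
    orphaned, include_all_scoped = [], []
    for r in mappings:
        name = r.get("name", "")
        if name.lower() in scoped:
            # Comment 7's workaround clears include-all before removing such a role.
            if r.get("include-all", "false").lower() == "true":
                include_all_scoped.append(name)
        elif name.lower() not in STANDARD_ROLES:
            orphaned.append(name)  # mapping refers to a role that is not defined
    return orphaned, include_all_scoped

if __name__ == "__main__":
    print(audit_role_mappings(SAMPLE))
```

Running such a check against the configuration before a restart surfaces the leftover mapping that Comment 2 reports as causing errors once EAP is restarted.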