Bug 1015493

Summary: include-all role mappings don't work in domain
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Domain Management
Version: 6.2.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Target Milestone: ER6
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Reporter: Ladislav Thon <lthon>
Assignee: Darran Lofthouse <darran.lofthouse>
QA Contact: Ladislav Thon <lthon>
Docs Contact: Russell Dickenson <rdickens>
CC: brian.stansberry, emuckenh
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-12-15 16:22:36 UTC
Bug Blocks: 999622

Description Ladislav Thon 2013-10-04 11:53:30 UTC
If I understand correctly, roles that have include-all=true in their role mappings should be added to all authenticated users. In my tests, though, this only works in standalone mode.

In domain mode, if I set a role mapping to include-all, this setting is not reflected (at least not immediately; maybe it would work after restart, but that's wrong anyway). It doesn't matter which role is set to be include-all -- in my tests, I use both standard roles and scoped roles and it consistently doesn't work. There's probably some wrong caching going on.

The failing test case is in my pull request https://github.com/wildfly/wildfly/pull/5166 (it's the "RBAC tests for include-all role mappings in domain" commit). If it's more convenient, the pull request is the same as my rbac branch (https://github.com/Ladicek/wildfly/commits/rbac).

This might be related to bug 1014271.

Comment 1 JBoss JIRA Server 2013-10-04 13:29:55 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216

Let me reproduce, once I can see what is happening I can better confirm which area this is in.

Comment 2 JBoss JIRA Server 2013-10-04 16:14:18 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-2216 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-10-04 16:18:37 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216

The following commands are sufficient to reproduce this (ensure the provider is set to rbac before starting the server): -

{code}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:add
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:write-attribute(name=include-all, value=true)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => ["SUPERUSER"]
    }
}
{code}

Comment 4 JBoss JIRA Server 2013-10-04 16:21:21 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216

Manually restarting the domain leads to the expected result being output: -

{code}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => [
            "SUPERUSER",
            "OPERATOR"
        ]
    }
}
{code}

This indicates something messed up regarding the shared config in domain mode.
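
A regression check for the behaviour reproduced in comments 3 and 4, added here as an example; it is not part of the bug report or of the WildFly/EAP code base. It parses :whoami(verbose=true) responses of the form shown above and reports include-all roles that are missing from mapped-roles. The function names are hypothetical, and the parser covers only the DMR constructs that appear in these responses.

```python
import json
import re

# Matches a quoted string, the DMR "=>" separator, or the bare word undefined.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|=>|\bundefined\b')

def parse_dmr(text):
    """Parse the subset of CLI (DMR) output seen in this bug into Python objects.
    Not covered: longs such as 1L, property tuples, bytes, expressions."""
    def to_json(m):
        tok = m.group(0)
        if tok == "=>":
            return ":"
        if tok == "undefined":
            return "null"
        return tok  # quoted string: leave its content untouched
    return json.loads(_TOKEN.sub(to_json, text))

def mapped_roles(whoami_output):
    """Return the set of mapped roles from a :whoami(verbose=true) response."""
    resp = parse_dmr(whoami_output)
    if resp.get("outcome") != "success":
        raise ValueError("whoami did not succeed: %r" % resp.get("outcome"))
    # The mapping is added as "Operator" but reported as "OPERATOR": compare upper-cased.
    return {r.upper() for r in resp["result"].get("mapped-roles", [])}

def missing_include_all(whoami_output, include_all_roles):
    """Roles configured with include-all=true that the caller was not given."""
    return sorted({r.upper() for r in include_all_roles} - mapped_roles(whoami_output))

# The two responses from comments 3 and 4, re-wrapped onto fewer lines.
BEFORE_RESTART = '''{"outcome" => "success", "result" => {
    "identity" => {"username" => "$local", "realm" => "ManagementRealm"},
    "mapped-roles" => ["SUPERUSER"]}}'''
AFTER_RESTART = '''{"outcome" => "success", "result" => {
    "identity" => {"username" => "$local", "realm" => "ManagementRealm"},
    "mapped-roles" => ["SUPERUSER", "OPERATOR"]}}'''

if __name__ == "__main__":
    print("before restart, missing:", missing_include_all(BEFORE_RESTART, ["Operator"]))
    print("after restart, missing:", missing_include_all(AFTER_RESTART, ["Operator"]))
```

To catch this bug the check has to run on a response captured directly after the write-attribute call, without a restart in between.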

Comment 8 Ladislav Thon 2013-10-21 10:41:38 UTC
Verified with EAP 6.2.0.ER6.