Bug 1149104

Summary: RBAC: map-groups-to-roles attribute doesn't work
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Josef Cacek <jcacek>
Component: Domain Management, Security
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED NOTABUG
QA Contact: Petr Kremensky <pkremens>
Severity: high
Priority: unspecified
Version: 6.3.1
CC: darran.lofthouse, emuckenh, myarboro
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-03 09:14:28 UTC
Bug Depends On: 1149099
Bug Blocks: 1149108

Description Josef Cacek 2014-10-03 08:42:41 UTC
When I set the map-groups-to-roles attribute to true in a security realm, the user still doesn't get the role (with a name matching the group) assigned.

Reproducer:

1) Add an "admin" user with the "SuperUser" group to the Management interface:

./add-user.sh -u admin -p admin.1234 -r ManagementRealm -g SuperUser

2) Use the CLI to set the map-groups-to-roles flag, remove local authentication and enable RBAC:
(this step will probably finish with a CLI freeze due to bug 1149099)

./jboss-cli.sh -c << EOF
/core-service=management/security-realm=ManagementRealm:write-attribute(name=map-groups-to-roles,value=true)
/core-service=management/security-realm=ManagementRealm/authentication=local:remove
/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
/core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=permissive)
reload
EOF

3) Run any command (e.g. ls) in the CLI:

./jboss-cli.sh --user=admin --password=admin.1234 -c ls

Output:
Failed to fetch the list of children: {
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'composite' for resource '[]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}

Comment 1 Darran Lofthouse 2014-10-03 09:14:28 UTC
The ability to automatically assume a 1:1 mapping between groups and roles is not supported for domain management access control and was deliberately disabled under the following issue:

https://issues.jboss.org/browse/WFLY-2063

The configuration that is present on the realm is there for the benefit of applications where there is a need to automatically map 1:1 from group membership to role names.
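Since the realm's map-groups-to-roles flag does not grant management roles, the supported way to give a group such as SuperUser a management role under EAP 6 RBAC is an explicit role mapping under /core-service=management/access=authorization. The script below is an added example, not code from this bug report or from the JBoss project. It assumes the mgmt-groups.properties format that add-user.sh -g writes (one "user=group1,group2" line per user), the seven standard RBAC role names, and that the role-mapping resource for each emitted role does not already exist (SuperUser does exist in the default configuration, so its ":add" line must be dropped before running the output). Groups whose names match no standard role are reported separately, because under RBAC they would silently confer nothing.

```python
"""Turn mgmt-groups.properties into explicit EAP 6 RBAC role-mapping CLI commands.

Added example, not from the bug report or the JBoss project. Assumed:
  * input format "user=group1,group2" (what add-user.sh -g writes, by assumption);
  * the seven standard management role names listed in STANDARD_ROLES;
  * the role-mapping resources being created do not already exist.
"""

STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Administrator", "Auditor", "SuperUser")

AUTHZ = "/core-service=management/access=authorization"

# Constructed sample input in the assumed mgmt-groups.properties layout.
SAMPLE_GROUPS_PROPERTIES = """\
# comment line, ignored
admin=SuperUser
alice=Monitor,Deployer
bob=Developers
"""


def parse_groups_properties(text):
    """Return {user: [group, ...]} from the body of a mgmt-groups.properties file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Java .properties comments start with '#' or '!'.
        if not line or line.startswith(("#", "!")):
            continue
        user, sep, groups = line.partition("=")
        if not sep:
            continue
        mapping[user.strip()] = [g.strip() for g in groups.split(",") if g.strip()]
    return mapping


def role_mapping_commands(user_groups, roles=STANDARD_ROLES):
    """Emit CLI commands that map each group sharing a standard role's name to that role.

    Returns (commands, unmapped): commands is the ordered list of CLI lines,
    unmapped lists group names that match no standard role and therefore
    grant no management access under RBAC.
    """
    all_groups = sorted({g for groups in user_groups.values() for g in groups})
    commands = []
    unmapped = []
    for group in all_groups:
        if group not in roles:
            unmapped.append(group)
            continue
        # Create the role-mapping resource, then include the group in it.
        commands.append(f"{AUTHZ}/role-mapping={group}:add")
        commands.append(
            f"{AUTHZ}/role-mapping={group}/include=group-{group}"
            f":add(name={group},type=GROUP)"
        )
    return commands, unmapped


if __name__ == "__main__":
    parsed = parse_groups_properties(SAMPLE_GROUPS_PROPERTIES)
    cmds, leftovers = role_mapping_commands(parsed)
    print("\n".join(cmds))
    for group in leftovers:
        print(f"# WARNING: group '{group}' matches no standard role; no access granted")
```

The printed lines can be saved to a file and fed to jboss-cli.sh with --file; review the output first and remove the ":add" line for any role mapping that already exists in the server configuration.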