Bug 1230394

Summary: [GSS](6.4.z) ManagementPermissionAuthorizer is limited to the standard roles for its authorizeJmxOperation impl
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: Domain Management Assignee: dhorton
Status: CLOSED CURRENTRELEASE QA Contact: Martin Simka <msimka>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.0 CC: bbaranow, bmaxwell, brian.stansberry, cdewolf, dandread, jawilson, lthon
Target Milestone: CR1   
Target Release: EAP 6.4.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-17 10:13:15 UTC Type: Bug
Bug Blocks: 1219165    
Attachments:
Description Flags
ee6-singleton-mbean.jar none

Description Derek Horton 2015-06-10 19:32:30 UTC
Description of problem:

ManagementPermissionAuthorizer.authorizeJmxOperation uses hard coded decision making based on the standard 7 roles. This is inflexible and specifically doesn't allow scoped roles to function properly.

Steps to Reproduce:
1.  Create a server-group-scoped-role and assign a user ("testuser") to that role:

    <management>
        <access-control provider="rbac">
            <server-group-scoped-roles>
                <role name="test_main_server_grp" base-role="SuperUser">
                    <server-group name="main-server-group"/>
                </role>
            </server-group-scoped-roles>
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <user alias="jconsole" realm="ApplicationRealm" name="jconsole"/>
                    </include>
                </role>
                <role name="test_main_server_grp">
                    <include>
                        <user alias="testuser" realm="ApplicationRealm" name="testuser"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

2.  Deploy an mbean

3.  Use bin/jconsole.sh to connect as the "testuser" 

4.  Try to modify the mbean.  "testuser" should have access to modify the mbean.
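
A simplified model of the behaviour reported above, added here as an illustration and not taken from the EAP source: it parses the access-control block from step 1 and compares a name-only check against the standard roles with a check that resolves a scoped role to its base role and scope. The `WRITE_ROLES` set, the function names and the "other-server-group" value are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Access-control block from step 1 of the report, whitespace condensed.
CONFIG = """<management><access-control provider="rbac">
  <server-group-scoped-roles>
    <role name="test_main_server_grp" base-role="SuperUser">
      <server-group name="main-server-group"/></role>
  </server-group-scoped-roles>
  <role-mapping>
    <role name="SuperUser"><include><user name="$local"/>
      <user alias="jconsole" realm="ApplicationRealm" name="jconsole"/></include></role>
    <role name="test_main_server_grp"><include>
      <user alias="testuser" realm="ApplicationRealm" name="testuser"/></include></role>
  </role-mapping>
</access-control></management>"""

# Model assumption: the standard roles allowed to modify an MBean attribute.
WRITE_ROLES = {"Maintainer", "Administrator", "SuperUser"}

def load(xml_text):
    """Return ({scoped role: (base role, server groups)}, {user: mapped role names})."""
    root = ET.fromstring(xml_text)
    scoped, users = {}, {}
    for role in root.iter("role"):
        if "base-role" in role.attrib:
            groups = {g.get("name") for g in role.findall("server-group")}
            scoped[role.get("name")] = (role.get("base-role"), groups)
    for role in root.find(".//role-mapping").findall("role"):
        for user in role.findall("include/user"):
            users.setdefault(user.get("name"), set()).add(role.get("name"))
    return scoped, users

def hard_coded_allows(users, user):
    """Name-only check: a scoped role name never equals a standard role name."""
    return bool(users.get(user, set()) & WRITE_ROLES)

def scope_aware_allows(scoped, users, user, server_group):
    """Resolve each scoped role to its base role and honour its server-group scope."""
    for role in users.get(user, set()):
        base, groups = scoped.get(role, (role, None))  # unscoped roles apply everywhere
        if (groups is None or server_group in groups) and base in WRITE_ROLES:
            return True
    return False

if __name__ == "__main__":
    scoped, users = load(CONFIG)
    for name in ("jconsole", "testuser"):
        print(name, hard_coded_allows(users, name),
              scope_aware_allows(scoped, users, name, "main-server-group"))
```

In this model "testuser" is refused by the name-only check and allowed by the scope-aware one for "main-server-group" only, which matches the expectation stated in step 4.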

Comment 2 Derek Horton 2015-06-10 19:52:48 UTC
Created attachment 1037416
ee6-singleton-mbean.jar

Comment 3 Derek Horton 2015-06-10 19:53:56 UTC
More reproducer notes:

- deploy the attached ee6-singleton-mbean.jar

- try to modify attribute of "com.jboss.examples.ee6.ejb:type=EE6ExampleSingleton"

Comment 5 Petr Penicka 2017-01-17 10:13:15 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.