Description of problem:
https://access.redhat.com/support/cases/01699736https://access.redhat.com/solutions/1189913
We have a cu who wants the "Deployer" role in RBAC to be able to create
datasources and set the username/password. (not read, only write)
In standalone mode this is no problem.
- set the management interface to use LDAP, authentication + authorization
- enable RBAC, add "Deployer" with some user in it.
- grant the needed constraints as summarized in the above "solutions"
article.
=> works as expected, the Deployer user can add the ds including the u/p.
However, we then move to domain mode:
- 2x EAP 6.4.10 installation, setup as master-slave
- on each controller, added one instance using a server-group set to
"full-ha" profile
- RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
- applied the constraints
- added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
- restarted the whole setup
trying to add a datasource into the (active) "full-ha" fails with:
[domain.redhat.com:9999 /]
/profile=full-ha/subsystem=datasources/data-source=oracle12DS:add(jndi-name="java:jboss/datasources/oracle12DS",use-ccm=true,connection-url="jdbc:oracle:thin:@zen.usersys.redhat.com:1521/ora12",driver-name=oracle,user-name=tom,password=tom,pool-prefill=true,min-pool-size=2,max-pool-size=10,pool-use-strict-min=true,valid-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker",stale-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker",exception-sorter-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter",validate-on-match=true)
{
"outcome" => "failed",
"result" => undefined,
"failure-description" => "JBAS010839: Operation failed or was
rolled back on all servers.",
"rolled-back" => true,
"server-groups" => {"slaves" => {"host" => {
"master" => {"i1" => {"response" => {
"outcome" => "failed",
"failure-description" => "JBAS013456: Unauthorized to
execute operation 'add' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
"rolled-back" => true
}}},
"slave1" => {"i2" => {"response" => {
"outcome" => "failed",
"result" => undefined,
"failure-description" => "JBAS013456: Unauthorized to
execute operation 'add' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
"rolled-back" => true
}}}
}}}
}
Repeating without username/password also gives the same error. So it
would seem that it's not even the sensitivity constraints but something
before.
Repeat the same on a non-active "full" profile -> the datasource
(including u/p) is created as requested.
Steps to Reproduce:
1) 2x EAP 6.4.10 installation, setup as master-slave
on each controller, added one instance using a server-group set to
"full-ha" profile
2) RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
applied the constraints
3) added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
restarted the whole setup
4) log in as a deployer user using CLI, try to add jdbc driver to full profile, failed with "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "
Actual results:
Exception: "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "
Expected results:
jdbc driver/datasource added successfully
Additional info:
This works fine in standalone mode