Bug 724480 (BRMS-425)
Summary: | Users with analyst permissions cannot open assets
---|---
Product: | [JBoss] JBoss Enterprise BRMS Platform 5
Component: | 3rd Party
Version: | 5.1.0 GA, BRMS 5.2.0-Dev1
Status: | VERIFIED
Severity: | medium
Priority: | medium
Keywords: | Regression
Target Release: | BRMS 5.2.0.GA
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Jiri Locker <jlocker>
Assignee: | Mark Proctor <mproctor>
QA Contact: | Jiri Locker <jlocker>
CC: | rzhang
URL: | http://jira.jboss.org/jira/browse/BRMS-425
Doc Type: | Bug Fix
Type: | Bug
Doc Text: | Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have package wide access via SuggestionCompletionEngine explicitly, ensuring they can open the assets.
Description
Jiri Locker
2010-11-02 18:37:15 UTC
Attachment: Added: AnalystTrouble.png

The error messages are:

Unable to validate package configuration (eg, DSLs, models) for [somePackage]. Suggestion completions may not operate correctly for graphical editors for this package.

Unable to get content assistance for this rule.

and this gets dumped into server.log:

2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.drools.ide.common.client.modeldriven.SuggestionCompletionEngine org.drools.guvnor.client.rpc.RepositoryService.loadSuggestionCompletionEngine(java.lang.String) throws com.google.gwt.user.client.rpc.SerializationException' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[Package name: somePackage,package.readonly]
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.web.ContextFilter$1.process(ContextFilter.java:42)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:53)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.web.ContextFilter.doFilter(ContextFilter.java:37)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at java.lang.Thread.run(Thread.java:619)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[Package name: somePackage,package.readonly]
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.security.Identity.checkPermission(Identity.java:581)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.drools.guvnor.server.ServiceImplementation.loadSuggestionCompletionEngine(ServiceImplementation.java:1563)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at sun.reflect.GeneratedMethodAccessor379.invoke(Unknown Source)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at java.lang.reflect.Method.invoke(Method.java:597)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:157)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:166)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:102)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.drools.guvnor.server.ServiceImplementation_$$_javassist_6.loadSuggestionCompletionEngine(ServiceImplementation_$$_javassist_6.java)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at org.drools.guvnor.server.RepositoryServiceServlet.loadSuggestionCompletionEngine(RepositoryServiceServlet.java:236)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at java.lang.reflect.Method.invoke(Method.java:597)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) ... 30 more

Can you please describe (or show screenshot) of the permissions of your "ba" user? Also the soa-users/roles.properties would be nice to have. Thanks.
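A triage helper for server.log output like the trace above, as an added example that is not part of the original report or of Guvnor: it pulls the denied permission and the method that requested the check out of each `Caused by: ... AuthorizationException` entry. The function names and the role-scope heuristic are assumptions; the sample lines are a trimmed copy of the trace quoted in this report.

```python
import re

# Constructed sample: a trimmed copy of the server.log lines quoted in this report.
PREFIX = "2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) "
SAMPLE_LOG = "\n".join(PREFIX + entry for entry in [
    "com.google.gwt.user.server.rpc.UnexpectedException: Service method '...' threw an "
    "unexpected exception: org.jboss.seam.security.AuthorizationException: Authorization "
    "check failed for permission[Package name: somePackage,package.readonly]",
    "at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)",
    "Caused by: org.jboss.seam.security.AuthorizationException: Authorization "
    "check failed for permission[Package name: somePackage,package.readonly]",
    "at org.jboss.seam.security.Identity.checkPermission(Identity.java:581)",
    "at org.drools.guvnor.server.ServiceImplementation.loadSuggestionCompletionEngine"
    "(ServiceImplementation.java:1563)",
    "at sun.reflect.GeneratedMethodAccessor379.invoke(Unknown Source)",
])

# Only the "Caused by:" entry is counted; the RPC wrapper line repeats the same message.
DENIED = re.compile(r"Caused by: \S*AuthorizationException: Authorization check failed "
                    r"for permission\[(?P<target>.*),(?P<action>[^,\]]+)\]")
FRAME = re.compile(r"\bat (?P<method>[\w.$]+)\(")

def denied_checks(log_text):
    """One record per denied check: target, requested action, and the first
    frame below Identity.checkPermission (the code that asked for the check)."""
    records, current = [], None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if denied:
            current = {"target": denied["target"], "action": denied["action"],
                       "caller": None}
            records.append(current)
            continue
        frame = FRAME.search(line)
        if current and frame and current["caller"] is None:
            if not frame["method"].endswith("Identity.checkPermission"):
                current["caller"] = frame["method"]
    return records

def scope_mismatch(record, granted_roles):
    """Heuristic (assumption): a package-level action was demanded from a user
    whose only grants are category-scoped analyst roles, as in this report."""
    return (record["action"].startswith("package.") and bool(granted_roles)
            and all(role.startswith("analyst") for role in granted_roles))
```

Run over a full log, records where `scope_mismatch` is true separate this regression from ordinary denials of users who hold no matching grant at all.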
See UserPermissions.png, there are two business analyst users:

ba is [analyst] for: category=myNewCategory
baro is [analyst.readonly] for: category=myNewCategory

both are affected by the issue. I find it suspicious that the permission type reported by the exception message "Authorization check failed for permission[Package name: somePackage,package.readonly]" doesn't match the user's permission type. The only explanation I can think of is that having access to artifacts in myNewCategory is not enough if the user doesn't have at least [package.readonly] permission for the package that the artifact belongs to. But notice that this is not how it used to work in 5.0.x.

Attachment: Added: UserPermissions.png
Attachment: Added: jmx-console-users.properties
Attachment: Added: jmx-console-roles.properties

This is not a blocker for BRMS 5.1.0.

Affects Testing: Added: [Regression]

Triaged by BRMS PM team for 5.2.

Link: Added: This issue depends GUVNOR-1499

Changed release note field to - release note not required as per https://issues.jboss.org/browse/BRMS-425

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
pending completion of this bug, will doc in release notes as known issue, or resolved.

Fix verified in ER3.

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,3 @@ -pending completion of this bug, will doc in release notes as known issue, or resolved.+https://bugzilla.redhat.com/show_bug.cgi?id=724480 + +When users with analyst permissions tried to load package information with category permissions, but the user had not been granted permissions for every category in the package, the assets would not open. This was resolved by allowing analysts package wide access when authoring rules. Hi Jervis, I've added a release note for this bug (see technical note field above) could you please provide a tech review to confirm the information given is correct. Thanks Lee Hi, I revised the release note as below: A user with analyst permissions can not open an asset even when the user has been assigned category permissions that have access to the category that the asset belongs to. This was fixed by allowing analyst to have access to package wide SuggestionCompletionEngine explicitly. Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: 
@@ -1,3 +1,3 @@ https://bugzilla.redhat.com/show_bug.cgi?id=724480 -When users with analyst permissions tried to load package information with category permissions, but the user had not been granted permissions for every category in the package, the assets would not open. This was resolved by allowing analysts package wide access when authoring rules.+Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets. Thanks for the clarification, Jervis. Lee Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,3 +1 @@ -https://bugzilla.redhat.com/show_bug.cgi?id=724480 - Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets. Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: 
@@ -1 +1 @@ -Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets.+Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have package wide access via SuggestionCompletionEngine explicitly, ensuring they can open the assets. |
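Review bot: the reworded second sentence in the last hunk (@@ -1 +1 @@) changes what the note says was granted. The removed text, "have access to package wide SuggestionCompletionEngine", names the SuggestionCompletionEngine as the thing analysts may now load, which matches the failing call in the trace (loadSuggestionCompletionEngine demanding package.readonly). The added text, "have package wide access via SuggestionCompletionEngine", reads as a general grant of package-wide access. Because category permissions exist to confine an analyst to specific categories, suggest keeping the wording from the tech review so that administrators do not infer that analysts now hold package-level permission beyond loading the completion engine.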