Bug 729965
| Summary: | Error in server log on clicking a resource link by a user having access to the resource | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] RHQ Project | Reporter: | Sunil Kondkar <skondkar> | ||||
| Component: | Core UI | Assignee: | Ian Springer <ian.springer> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike Foley <mfoley> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 4.1 | CC: | ccrouch, hrupp, ian.springer | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-02-07 19:28:45 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 729848, 730796 | ||||||
| Attachments: |
|
||||||
Created attachment 517781 [details]
Screenshot
[master b7d5d48] (http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commit;h=b7d5d48) fixes the issue with a non-admin user not being able to view Resources they are authorized to view. It turned out to be a regression caused by the recent drift work. As for the user being able to click on Ancestry Resource links for Resources they are not authorized to view, this is a known issue and one we do not currently plan on fixing. Here's a discussion I had w/ Jay on IRC: (03:09:55 PM) ips: jshaughn1: part of a bz i'm looking at is that resources in the ancestry field are links even if the current user doesn't have authz to view the resources (03:10:46 PM) jshaughn1: ips: that's a known (03:10:51 PM) ips: was that an oversight or something you chose not to address for some reason? (03:10:58 PM) jshaughn1: I'm not sure we really want to do anything about that (03:11:17 PM) jshaughn1: yeah, it didn't seem worthwhile to worry about that (03:11:27 PM) jshaughn1: it's true they can get a lazy exception (03:11:38 PM) jshaughn1: if they try to nav to a place they can't get to (03:11:39 PM) ips: yeah, it seems you could deal with it either by including another boolean in the ancestry field (eg - authorizedToView) (03:11:52 PM) ips: or making some extra calls to the server from coregui (03:12:02 PM) jshaughn1: it's more a matter of having to take that hit (03:12:21 PM) jshaughn1: for what I perceive is little gain (03:12:32 PM) mazz: wouldn't that require additional server-side access to determine that? (03:12:34 PM) ips: the former would suck because you'd have to worry about refreshing that boolean whenever perms got changed (03:12:43 PM) jshaughn1: yes, ips (03:12:51 PM) jshaughn1: so, that leads to the next topic (03:13:06 PM) ips: and the latter would suck for the usual hassle of making multiple async calls (03:13:10 PM) jshaughn1: in my mind we would perhaps be able to do this efficiently if/when we flatten permissions (03:13:32 PM) jshaughn1: pre-computing the permission matrix would make it potentially feasible (03:14:05 PM) jshaughn1: I'm pretty much pro-flattening the user-resource-perm mappings (03:14:09 PM) ips: like in a bitmap as a field on Resource? (03:14:46 PM) jshaughn1: probably not that, more like as a straight relational representation that would make for easy efficient joins (03:15:03 PM) ips: well i guess they would be different per Role (03:15:14 PM) jshaughn1: no, I think it would be the union (03:15:44 PM) jshaughn1: basically flattening todays role-group-resource-user perm joins (03:16:12 PM) jshaughn1: and keeping it up to date on perm and inventory changes (03:17:38 PM) jshaughn1: and then, perhaps, updating the ancestry pre-compute stuff to maybe do the perm checking in advance, not sure. (03:18:10 PM) jshaughn1: not sure about tying the two precomputes together or not (03:18:24 PM) ips: besides the ancestry use case, what other advantages would there be? (03:18:34 PM) ips: just the improved perf of not having to do those joins? (03:21:39 PM) pilhuhn: jshaughn1 +1 (03:21:52 PM) jshaughn1: ips - yes (03:21:53 PM) pilhuhn: ips we are doing those crappy joins on basically every server call I noticed another related issue where when you to try to view a Resource you don't have authz to view, you get a nasty uncaught server exception error. This is one I think we should fix. See https://bugzilla.redhat.com/show_bug.cgi?id=730112. Verified on build#279 (Version: 4.1.0-SNAPSHOT Build Number: fb70d80) When the authorized user clicks on the resource name link in Inventory tab of the group or clicks on the resource name link in 'Inventory'->Resources->Servers->resource name link, the resource tree is rendered and there is no error in server log. Marking as verified. changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE |
Description of problem: Created a role with default permissions and added a user and a compatible resource group(Ex: RHQ AGENT) to the role. Logged in to RHQ as the user added. When navigated to the 'Inventory' tab of the resource group and clicked on the resource name link, it did not render the resource tree and did not display the resource details. The server log displays below: 2011-08-11 15:59:54,355 ERROR [org.hibernate.hql.PARSER] Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [cause=org.hibernate.PropertyNotFoundException: no appropriate constructor in class: org.rhq.core.domain.resource.composite.ResourceComposite] 2011-08-11 15:59:54,359 WARN [gwt-log] Sending exception to client: [1313058594358] javax.ejb.EJBException: java.lang.IllegalArgumentException: org.hibernate.hql.ast.QuerySyntaxException: Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [SELECT new org.rhq.core.domain.resource.composite.ResourceComposite( resource, resource.currentAvailability.availabilityType, ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 8 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 4 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 10 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 7 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 14 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 13 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 11 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 9 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 6 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 5 )) FROM org.rhq.core.domain.resource.Resource resource WHERE ( resource.id = :id AND resource.inventoryStatus = :inventoryStatus ) AND ( resource.id IN ( SELECT innerAlias.id FROM resource innerAlias JOIN innerAlias.implicitGroups g JOIN g.roles r JOIN r.subjects s WHERE s.id = 10001 ) ) ] at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy335.findResourceCompositesByCriteria(Unknown Source) at org.rhq.enterprise.gui.coregui.server.gwt.ResourceGWTServiceImpl.findResourceCompositesByCriteria(ResourceGWTServiceImpl.java:138) at sun.reflect.GeneratedMethodAccessor515.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562) at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188) at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224) at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at org.rhq.enterprise.gui.coregui.server.gwt.AbstractGWTServiceImpl.service(AbstractGWTServiceImpl.java:82) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at sun.reflect.GeneratedMethodAccessor283.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.rhq.enterprise.gui.coregui.server.filter.CacheControlFilter.doFilter(CacheControlFilter.java:70) at sun.reflect.GeneratedMethodAccessor292.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.rhq.helpers.rtfilter.filter.RtFilter.doFilter(RtFilter.java:124) at sun.reflect.GeneratedMethodAccessor287.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at sun.reflect.GeneratedMethodAccessor286.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Caused by: java.lang.IllegalArgumentException: org.hibernate.hql.ast.QuerySyntaxException: Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [SELECT new org.rhq.core.domain.resource.composite.ResourceComposite( resource, resource.currentAvailability.availabilityType, ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 8 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 4 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 10 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 7 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 14 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 13 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 11 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 9 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 6 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 5 )) FROM org.rhq.core.domain.resource.Resource resource WHERE ( resource.id = :id AND resource.inventoryStatus = :inventoryStatus ) AND ( resource.id IN ( SELECT innerAlias.id FROM resource innerAlias JOIN innerAlias.implicitGroups g JOIN g.roles r JOIN r.subjects s WHERE s.id = 10001 ) ) ] at org.hibernate.ejb.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:616) at org.hibernate.ejb.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:95) at org.jboss.ejb3.entity.TransactionScopedEntityManager.createQuery(TransactionScopedEntityManager.java:134) at org.rhq.enterprise.server.util.CriteriaQueryGenerator.getQuery(CriteriaQueryGenerator.java:743) at org.rhq.enterprise.server.util.CriteriaQueryRunner.getCollection(CriteriaQueryRunner.java:98) at org.rhq.enterprise.server.util.CriteriaQueryRunner.execute(CriteriaQueryRunner.java:69) at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourceCompositesByCriteria(ResourceManagerBean.java:2461) at sun.reflect.GeneratedMethodAccessor516.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.PerformanceMonitorInterceptor.monitorHibernatePerformance(PerformanceMonitorInterceptor.java:32) at sun.reflect.GeneratedMethodAccessor187.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor186.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) ... 96 more Caused by: org.hibernate.hql.ast.QuerySyntaxException: Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [SELECT new org.rhq.core.domain.resource.composite.ResourceComposite( resource, resource.currentAvailability.availabilityType, ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 8 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 4 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 10 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 7 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 14 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 13 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 11 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 9 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 6 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 5 )) FROM org.rhq.core.domain.resource.Resource resource WHERE ( resource.id = :id AND resource.inventoryStatus = :inventoryStatus ) AND ( resource.id IN ( SELECT innerAlias.id FROM resource innerAlias JOIN innerAlias.implicitGroups g JOIN g.roles r JOIN r.subjects s WHERE s.id = 10001 ) ) ] at org.hibernate.hql.ast.QuerySyntaxException.convert(QuerySyntaxException.java:31) at org.hibernate.hql.ast.QuerySyntaxException.convert(QuerySyntaxException.java:24) at org.hibernate.hql.ast.ErrorCounter.throwQueryException(ErrorCounter.java:59) at org.hibernate.hql.ast.QueryTranslatorImpl.analyze(QueryTranslatorImpl.java:235) at org.hibernate.hql.ast.QueryTranslatorImpl.doCompile(QueryTranslatorImpl.java:160) at org.hibernate.hql.ast.QueryTranslatorImpl.compile(QueryTranslatorImpl.java:111) at org.hibernate.engine.query.HQLQueryPlan.<init>(HQLQueryPlan.java:77) at org.hibernate.engine.query.HQLQueryPlan.<init>(HQLQueryPlan.java:56) at org.hibernate.engine.query.QueryPlanCache.getHQLQueryPlan(QueryPlanCache.java:72) at org.hibernate.impl.AbstractSessionImpl.getHQLQueryPlan(AbstractSessionImpl.java:133) at org.hibernate.impl.AbstractSessionImpl.createQuery(AbstractSessionImpl.java:112) at org.hibernate.impl.SessionImpl.createQuery(SessionImpl.java:1623) at org.hibernate.ejb.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:92) ... 128 more l.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Caused by: java.lang.IllegalArgumentException: org.hibernate.hql.ast.QuerySyntaxException: Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [SELECT new org.rhq.core.domain.resource.composite.ResourceComposite( resource, resource.currentAvailability.availabilityType, ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 8 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 4 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 10 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 7 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 14 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 13 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 11 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 9 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 6 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 5 )) FROM org.rhq.core.domain.resource.Resource resource WHERE ( resource.id = :id AND resource.inventoryStatus = :inventoryStatus ) AND ( resource.id IN ( SELECT innerAlias.id FROM resource innerAlias JOIN innerAlias.implicitGroups g JOIN g.roles r JOIN r.subjects s WHERE s.id = 10001 ) ) ] at org.hibernate.ejb.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:616) at org.hibernate.ejb.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:95) at org.jboss.ejb3.entity.TransactionScopedEntityManager.createQuery(TransactionScopedEntityManager.java:134) at org.rhq.enterprise.server.util.CriteriaQueryGenerator.getQuery(CriteriaQueryGenerator.java:743) at org.rhq.enterprise.server.util.CriteriaQueryRunner.getCollection(CriteriaQueryRunner.java:98) at org.rhq.enterprise.server.util.CriteriaQueryRunner.execute(CriteriaQueryRunner.java:69) at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourceCompositesByCriteria(ResourceManagerBean.java:2461) at sun.reflect.GeneratedMethodAccessor516.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.PerformanceMonitorInterceptor.monitorHibernatePerformance(PerformanceMonitorInterceptor.java:32) at sun.reflect.GeneratedMethodAccessor187.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor186.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) ... 96 more Caused by: org.hibernate.hql.ast.QuerySyntaxException: Unable to locate appropriate constructor on class [org.rhq.core.domain.resource.composite.ResourceComposite] [SELECT new org.rhq.core.domain.resource.composite.ResourceComposite( resource, resource.currentAvailability.availabilityType, ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 8 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 4 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 10 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 7 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 14 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 13 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 11 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 9 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 6 ), ( SELECT count(p) FROM resource.implicitGroups g JOIN g.roles r JOIN r.subjects s JOIN r.permissions p WHERE s.id = 10001 AND p = 5 )) FROM org.rhq.core.domain.resource.Resource resource WHERE ( resource.id = :id AND resource.inventoryStatus = :inventoryStatus ) AND ( resource.id IN ( SELECT innerAlias.id FROM resource innerAlias JOIN innerAlias.implicitGroups g JOIN g.roles r JOIN r.subjects s WHERE s.id = 10001 ) ) ] at org.hibernate.hql.ast.QuerySyntaxException.convert(QuerySyntaxException.java:31) at org.hibernate.hql.ast.QuerySyntaxException.convert(QuerySyntaxException.java:24) at org.hibernate.hql.ast.ErrorCounter.throwQueryException(ErrorCounter.java:59) at org.hibernate.hql.ast.QueryTranslatorImpl.analyze(QueryTranslatorImpl.java:235) at org.hibernate.hql.ast.QueryTranslatorImpl.doCompile(QueryTranslatorImpl.java:160) at org.hibernate.hql.ast.QueryTranslatorImpl.compile(QueryTranslatorImpl.java:111) at org.hibernate.engine.query.HQLQueryPlan.<init>(HQLQueryPlan.java:77) at org.hibernate.engine.query.HQLQueryPlan.<init>(HQLQueryPlan.java:56) at org.hibernate.engine.query.QueryPlanCache.getHQLQueryPlan(QueryPlanCache.java:72) at org.hibernate.impl.AbstractSessionImpl.getHQLQueryPlan(AbstractSessionImpl.java:133) at org.hibernate.impl.AbstractSessionImpl.createQuery(AbstractSessionImpl.java:112) at org.hibernate.impl.SessionImpl.createQuery(SessionImpl.java:1623) at org.hibernate.ejb.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:92) ... 128 more ------------------------------------------- Version-Release number of selected component (if applicable): Build: rhq 4.1.0 beta build#47 (Version: 4.1.0.Beta Build Number: a0c6101) Browser: Firefox 3.6.3 Database: Postgres 8.4.2 OS: Fedora13 java version: 1.6.0_18 How reproducible: Always Steps to Reproduce: 1. Login to RHQ as rhqadmin. 2. Create a compatible group of resource. ( I created a compatible group with one RHQ Agent resource) 3. Create a user 'testuser'. 4. Create a role with default permissions. 5. Add the resource group and the user to the role 6. Login to RHQ as the user 'testuser'. 7. Navigate to the 'Inventory' tab of the compatible group. 8. Click on the resource name link 'RHQ AGENT'. 9. It navigates to the 'Inventory' main menu and does not render the resource tree and the server log displays error. Actual results: It does not render the resource tree and the server log displays error. Expected results: It should render the resource tree and no error in the server log. Additional info: 1. Observed the same issue when the same user 'testuser' clicks the resource link 'RHQ AGENT' in 'Inventory'->Resources->Servers->resource name link. 2. There is another link for platform name in 'Ancestry' column. Clicking on the link displays the same error in server log. This link should be disabled for the user 'testuser' as the user does not have permissions to access the platform. Please refer the screenshot for the links.