Bug 999455

Summary: Kie-user and admin don't have permissions to send and consume JMS messages
Product: [Retired] JBoss BRMS Platform 6
Reporter: Ivo Bek <ibek>
Component: Build and Assembly
Assignee: Ryan Zhang <rzhang>
Status: CLOSED CURRENTRELEASE
QA Contact: Ivo Bek <ibek>
Severity: high
Priority: high
Version: 6.0.0
CC: atangrin, etirelli, ibek, jcoleman, lpetrovi, mbaluch, mrietvel, mswiders, paradhya, rrajasek, rzhang
Target Milestone: ER5
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-08-06 20:19:52 UTC
Type: Bug

Description Ivo Bek 2013-08-21 11:03:37 UTC
Description of problem:

I think that a user in the group kie-user and/or admin should have permissions to send and consume JMS messages. Standalone.xml only contains permissions for a user in the group guest.

I mean the security settings below:

<security-setting match="#">
  <permission type="send" roles="guest"/>
  <permission type="consume" roles="guest"/>
  <permission type="createNonDurableQueue" roles="guest"/>
  <permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>

Comment 4 Marco Rietveld 2013-08-26 09:20:12 UTC
Hi Ivo, 

JMS rights are different from REST rights, so to speak, and JMS is also not used in the same way: it's in fact possible (likely?) that users will want a different user to have access to the JMS queues than the users who have access to the UI and REST API.

Would it be okay to add documentation describing how to modify the standalone(-full).xml (or domain.xml) to give access to the queues?

Comment 5 Marek Baluch 2013-08-26 11:25:17 UTC
Hi Marco,

I believe that the product should be pre-configured to include the roles Ivo mentioned above. That would be up to productization though. 

Other than that I believe that documenting the proper way to change the groups would be sufficient.

If you don't mind I will change the Component to 'Build and Assembly'.

@M

Comment 6 Marco Rietveld 2013-08-27 12:45:13 UTC
Marek, 

That sounds good. I've changed the component.

Would you mind assigning this to the right person? (Doug? Nick?)

Comment 10 Prakash Aradhya 2013-09-17 02:00:20 UTC
Internal Whiteboard: Beta Blocker → Blocker
Not critical for Beta, but need to address for GA

Comment 11 Ryan Zhang 2013-09-30 08:48:11 UTC
It has been fixed and will be targeted for ER4.

Comment 15 Ivo Bek 2013-10-15 09:50:52 UTC
FailedQA in BPMS-6.0.0.ER4:

The standalone.xml and standalone-full.xml still don't contain group admin and/or (kie-user, analyst).

<security-setting match="#">
  <permission type="send" roles="guest"/>
  <permission type="consume" roles="guest"/>
  <permission type="createNonDurableQueue" roles="guest"/>
  <permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>

This is my proposal for the expected configuration:

<security-setting match="KIE.#"> <!-- probably I would change the queue match for the queues in business central only -->
  <permission type="send" roles="admin"/> <!-- at least admin should be able to send JMS', the same for consume -->
  <permission type="consume" roles="admin"/>
  <permission type="createNonDurableQueue" roles="admin"/>
  <permission type="deleteNonDurableQueue" roles="admin"/>
</security-setting>
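
Added example, not part of the bug thread or the product's code: a small Python audit of security-setting blocks like the ones quoted in Comment 15, answering "which role may do what on which address". It relies on HornetQ's documented rule that only the most specific matching block applies and nothing is inherited from broader matches; the addresses KIE.EXAMPLE and other.queue, the wrapper element and the specificity heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the catch-all block from the report plus the KIE.# block
# proposed in Comment 15 (send/consume only; wrapper element added for parsing).
SAMPLE = """<security-settings>
  <security-setting match="#">
    <permission type="send" roles="guest"/>
    <permission type="consume" roles="guest"/>
  </security-setting>
  <security-setting match="KIE.#">
    <permission type="send" roles="admin"/>
    <permission type="consume" roles="admin"/>
  </security-setting>
</security-settings>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the subsystem namespace, if present

def load_settings(xml_text):
    """Return {match: {permission type: set of roles}}."""
    settings = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "security-setting":
            perms = settings.setdefault(el.get("match"), {})
            for p in (c for c in el if local(c.tag) == "permission"):
                perms.setdefault(p.get("type"), set()).update(
                    p.get("roles", "").replace(",", " ").split())
    return settings

def matches(pattern, address):
    """Wildcard match: '.' separates words, '*' is one word, '#' is zero or more."""
    def rec(p, a):
        if not p:
            return not a
        if p[0] == "#":
            return any(rec(p[1:], a[i:]) for i in range(len(a) + 1))
        return bool(a) and p[0] in ("*", a[0]) and rec(p[1:], a[1:])
    return rec(pattern.split("."), address.split("."))

def effective(settings, address):
    """Pick the single most specific matching block; nothing is inherited."""
    hits = [m for m in settings if matches(m, address)]
    # Assumption: "more literal words" approximates the broker's specificity order.
    best = max(hits, default=None,
               key=lambda m: sum(w not in ("#", "*") for w in m.split(".")))
    return best, settings.get(best, {})

def allowed(settings, role, perm, address):
    return role in effective(settings, address)[1].get(perm, set())
```

With this sample, guest keeps access to addresses outside KIE.# but loses it on KIE.EXAMPLE, and a role such as kie-user that appears in neither block is denied everywhere.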

Comment 17 Ivo Bek 2013-12-04 08:33:27 UTC
Verified in BPMS 6.0.0.ER5