1010672 – RBAC: Unable to access console as role scoped to host Master

Bug 1010672 - RBAC: Unable to access console as role scoped to host Master

Summary: RBAC: Unable to access console as role scoped to host Master

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Domain Management
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	ER3
Target Release:	EAP 6.2.0
Assignee:	Kabir Khan
QA Contact:	Jakub Cechacek
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:	1011994
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-22 11:56 UTC by Jakub Cechacek
Modified:	2015-02-01 23:00 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-12-15 16:20:31 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
Domain setup (25.63 KB, image/png) 2013-09-22 11:56 UTC, Jakub Cechacek	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	WFLY-2139	0	Major	Resolved	ProxyStepHandler/Controller need to check access before attempting to read information	2013-11-25 12:08:23 UTC

Description Jakub Cechacek 2013-09-22 11:56:01 UTC

Created attachment 801184 [details]
Domain setup

It is not possible to access console as user scoped to Master host (see attached domain topology). Roles scoped to Slave host can access the console without no issues. Roles scoped to Master are able to access console whenever the slave host is not running. 

The following error can be found in Javascript console after authentication

JavascriptConsole Error: 

2013-09-21 15:39:58,615 [ERROR] Unknown error
Class$S129: Unexpected HTTP response: 500

Request
{
    "operation" => "read-children-resources",
    "child-type" => "host",
    "address" => []
}

Response

Internal Server Error
{

    "outcome" => "failed",
    "rolled-back" => true
}

Comment 4 John Doyle 2013-09-23 20:01:16 UTC

Yes, let's list this as a known issue with the feature for Beta.

@Pavel, adding you as need info to ensure you see this exception

Comment 7 Brian Stansberry 2013-09-25 14:22:03 UTC

A comment on the scope of this issue:

The specific console issue reported is a symptom of a somewhat larger problem that could affect other requests, which is why we pushed to fix it in ER3.

The general issue relates to certain operations that have the effect of internally executing multiple other operations and then aggregating their results. Examples:

/<anyaddresspath>/xyz=*:read-resource

/<anyaddresspath>:read-children-resources(child-type=xyz)

The latter in essence does the same thing as the former. Both determine a list of resources of type "xyz", execute :read-resource against each, and aggregate the results into an overall response.

One of the interesting challenges with RBAC is handling these requests, where for some resources of type=xyz a user may have permissions, while not having such permissions for others.

We had solved this problem for cases where all the operations execute on the same domain process (e.g. /profile=full/subsystem=*), but the call path that calls that involved multiple hosts (e.g. /host=*) traverse resulted in that solution being bypassed. This bug is about fixing this problem.

ER3 has a fix for it, but that fix has problems (see https://bugzilla.redhat.com/show_bug.cgi?id=1011994). We now have a simpler fix in place for WildFly.

Comment 9 Jakub Cechacek 2013-09-30 09:06:00 UTC

Verified 6.2.0.ER3

Note You need to log in before you can comment on or make changes to this bug.