Bug 1012571 - RBAC: Missing server controls in topology view for Host scoped roles
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: CR1
Target Release: EAP 6.2.0
Assigned To: Harald Pehl
QA Contact: Jakub Cechacek
Docs Contact: Russell Dickenson
Blocks: 1024560
Reported: 2013-09-26 12:27 EDT by Jakub Cechacek
Modified: 2013-12-15 11:18 EST
Doc Type: Known Issue
Last Closed: 2013-12-15 11:18:11 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker HAL-221 Major Resolved Missing server controls in topology view for Server scoped roles 2015-11-13 06:06 EST

Description Jakub Cechacek 2013-09-26 12:27:06 EDT
Start / Restart / Stop links are missing in topology view for Server Scoped roles
Comment 1 JBoss JIRA Server 2013-09-30 07:05:25 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-221

[~bstansberry] Can you comment on this?
Comment 2 Brian Stansberry 2013-09-30 18:07:05 EDT
The permission metadata is incorrect, although the op (restart at least) works:

[domain@localhost:9999 /] /host=master/server-config=server-one:read-resource-description(operations=true,access-control=trim-descriptions){roles=test}
{
    "outcome" => "success",
    "result" => {
        "description" => undefined,
        "attributes" => undefined,
        "operations" => undefined,
        "children" => {
            "system-property" => {"model-description" => undefined},
            "interface" => {"model-description" => undefined},
            "jvm" => {"model-description" => undefined},
            "path" => {"model-description" => undefined}
        },
        "access-control" => {
            "default" => {
                "read" => true,
                "write" => false,
                "attributes" => {
                    ....
                },
                "operations" => {
                    "read-children-names" => {"execute" => true},
                    "stop" => {"execute" => false},
                    "read-operation-description" => {"execute" => true},
                    "restart" => {"execute" => false},
                    "remove" => {"execute" => false},
                    "read-resource-description" => {"execute" => true},
                    "read-resource" => {"execute" => true},
                    "add" => {"execute" => false},
                    "read-attribute" => {"execute" => true},
                    "whoami" => {"execute" => true},
                    "read-children-types" => {"execute" => true},
                    "read-operation-names" => {"execute" => true},
                    "undefine-attribute" => {"execute" => true},
                    "read-children-resources" => {"execute" => true},
                    "start" => {"execute" => false},
                    "write-attribute" => {"execute" => true}
                }
            },
            "exceptions" => {}
        }
    }
}
[domain@localhost:9999 /] /host=master/server-config=server-one:restart{roles=test}
{
    "outcome" => "success",
    "result" => "STARTING"
}

The "test" role was a server-group-scoped-role based on "Operator."
Comment 5 Heiko Braun 2013-10-02 05:07:36 EDT
Looks like it's not fixed. I'll therefore reset it to "assigned"
Comment 6 JBoss JIRA Server 2013-10-02 05:10:02 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-221

[~bstansberry] I was looking at the PR again. It seems you've fixed the server-config:<start|stop> permissions, but not server-group:<start-servers|stop-servers> one. Hence this issue still exists.
Comment 7 JBoss JIRA Server 2013-10-02 05:10:14 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-221

[~bstansberry] I was looking at the PR again. It seems you've fixed the server-config:<start|stop> permissions, but not server-group:<start-servers|stop-servers> one. Hence this issue still exists.
Comment 8 Brian Stansberry 2013-10-02 08:22:20 EDT
Weird. The update I did to the metadata covered the server-group ones as well. And the handlers for the ops already had the appropriate calls to trigger an authz check.
Comment 12 Jakub Cechacek 2013-10-08 12:15:31 EDT
Links are still missing when logged in as Host Scoped role
Comment 14 JBoss JIRA Server 2013-10-09 02:52:36 EDT
Heiko Braun <ike.braun@googlemail.com> updated the status of jira HAL-221 to Resolved
Comment 16 Brian Stansberry 2013-10-26 14:09:20 EDT
This may not be an RBAC bug per se or about host scoped roles. There's a flaw in how operation description metadata was created that resulted in the flag that states these are RUNTIME_ONLY getting dropped:

https://issues.jboss.org/browse/WFLY-2390

The effect of that is no Operator role (base or scoped) would be shown as having permissions for these ops.
Comment 17 Brian Stansberry 2013-10-28 08:26:21 EDT
https://github.com/jbossas/jboss-eap/pull/639 addresses the WFLY-2390 issue and allows the Operator role to be able to start/stop, etc. There's some test issue we're sorting on that PR this morning, but it basically works.

However, for host scoped roles, the console still doesn't show the UI elements needed. When I test via the CLI I see "execute" => "true" for all of these in the r-r-d response for /host=xxx/server-config=yyy. So, I'm assigning this back to the console team. If there's something not correct in the r-r-d response that I missed, please let me know.
Comment 20 JBoss JIRA Server 2013-10-29 05:29:04 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-221 to Reopened
Comment 21 JBoss JIRA Server 2013-10-29 05:29:04 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-221

Reopened as https://github.com/jbossas/jboss-eap/pull/639 is merged.
Comment 22 JBoss JIRA Server 2013-10-29 20:08:01 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-221 to Coding In Progress
Comment 23 JBoss JIRA Server 2013-10-29 20:33:28 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-221 to Resolved
Comment 24 JBoss JIRA Server 2013-10-29 20:33:28 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-221

Host and server group scoped roles show the right lifecycle links now. However, if a principal is assigned to several scoped roles it might be that links are visible, but the user does not have the right for the underlying operation. In that case clicking on the link will result in an error message (which is still better than not seeing the link at all).

A real solution is targeted with HAL-290.
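
An added example, not part of the original thread or the project's code: a check for the mismatch discussed in Comments 2 and 24, comparing the execute flags a read-resource-description response advertises with what the server actually enforces when the operation is invoked. The sample response is abbreviated from Comment 2; the observed outcomes, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the access-control section in Comment 2.
SAMPLE_RRD = '''
"access-control" => {
    "default" => {
        "read" => true,
        "write" => false,
        "operations" => {
            "stop" => {"execute" => false},
            "restart" => {"execute" => false},
            "start" => {"execute" => false},
            "read-resource" => {"execute" => true}
        }
    },
    "exceptions" => {}
}
'''

# Constructed observations: "outcome" returned when each op was invoked as the role.
OBSERVED = {"restart": "success", "read-resource": "success", "stop": "failed"}

# Matches  "op-name" => {"execute" => true}  and tolerates a quoted "true"/"false".
OP_RE = re.compile(r'"([\w-]+)"\s*=>\s*\{\s*"execute"\s*=>\s*"?(true|false)"?\s*\}')

def advertised_permissions(rrd_text):
    """Map operation name -> advertised execute flag from CLI text output."""
    return {name: flag == "true" for name, flag in OP_RE.findall(rrd_text)}

def find_mismatches(advertised, observed):
    """Return (op, label) pairs where metadata and enforcement disagree."""
    findings = []
    for op, outcome in sorted(observed.items()):
        if op not in advertised:
            findings.append((op, "not-advertised"))
            continue
        allowed = outcome == "success"
        if allowed and not advertised[op]:
            # Comment 2: op works, but the console hides the control.
            findings.append((op, "enforced-allow-but-advertised-deny"))
        elif not allowed and advertised[op]:
            # Comment 24: control is shown, but the op is rejected.
            findings.append((op, "advertised-allow-but-enforced-deny"))
    return findings

if __name__ == "__main__":
    for op, label in find_mismatches(advertised_permissions(SAMPLE_RRD), OBSERVED):
        print(f"{op}: {label}")
```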
Comment 26 Brian Stansberry 2013-10-30 09:02:43 EDT
Moving to CR1 as ER7 was already tagged.
Comment 27 Jakub Cechacek 2013-11-11 06:32:25 EST
Verified with 6.2.0.CR1 preview
