Start / Restart / Stop links are missing in topology view for Server Scoped roles
Heiko Braun <ike.braun> made a comment on jira HAL-221 [~bstansberry] Can you comment on this?
The permission metadata is incorrect, although the op (restart at least) works:

    [domain@localhost:9999 /] /host=master/server-config=server-one:read-resource-description(operations=true,access-control=trim-descriptions){roles=test}
    {
        "outcome" => "success",
        "result" => {
            "description" => undefined,
            "attributes" => undefined,
            "operations" => undefined,
            "children" => {
                "system-property" => {"model-description" => undefined},
                "interface" => {"model-description" => undefined},
                "jvm" => {"model-description" => undefined},
                "path" => {"model-description" => undefined}
            },
            "access-control" => {
                "default" => {
                    "read" => true,
                    "write" => false,
                    "attributes" => { .... },
                    "operations" => {
                        "read-children-names" => {"execute" => true},
                        "stop" => {"execute" => false},
                        "read-operation-description" => {"execute" => true},
                        "restart" => {"execute" => false},
                        "remove" => {"execute" => false},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => false},
                        "read-attribute" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "read-children-types" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "undefine-attribute" => {"execute" => true},
                        "read-children-resources" => {"execute" => true},
                        "start" => {"execute" => false},
                        "write-attribute" => {"execute" => true}
                    }
                },
                "exceptions" => {}
            }
        }
    }

    [domain@localhost:9999 /] /host=master/server-config=server-one:restart{roles=test}
    {
        "outcome" => "success",
        "result" => "STARTING"
    }

The "test" role was a server-group-scoped-role based on "Operator."
Looks like it's not fixed. I'll therefore reset it to "assigned"
Heiko Braun <ike.braun> made a comment on jira HAL-221 [~bstansberry] I was looking at the PR again. It seems you've fixed the server-config:<start|stop> permissions, but not server-group:<start-servers|stop-servers> one. Hence this issue still exists.
Weird. The update I did to the metadata covered the server-group ones as well. And the handlers for the ops already had the appropriate calls to trigger an authz check.
Links are still missing when logged in as Host Scoped role
Heiko Braun <ike.braun> updated the status of jira HAL-221 to Resolved
This may not be an RBAC bug per se or about host scoped roles. There's a flaw in how operation description metadata was created that resulted in the flag that states these are RUNTIME_ONLY getting dropped: https://issues.jboss.org/browse/WFLY-2390 The effect of that is no Operator role (base or scoped) would be shown as having permissions for these ops.
https://github.com/jbossas/jboss-eap/pull/639 addresses the WFLY-2390 issue and allows the Operator role to be able to start/stop, etc. There's some test issue we're sorting on that PR this morning, but it basically works. However, for host scoped roles, the console still doesn't show the UI elements needed. When I test via the CLI I see "execute" => "true" for all of these in the r-r-d response for /host=xxx/server-config=yyy. So, I'm assigning this back to the console team. If there's something not correct in the r-r-d response that I missed, please let me know.
Harald Pehl <hpehl> updated the status of jira HAL-221 to Reopened
Harald Pehl <hpehl> made a comment on jira HAL-221 Reopened as https://github.com/jbossas/jboss-eap/pull/639 is merged.
Harald Pehl <hpehl> updated the status of jira HAL-221 to Coding In Progress
Harald Pehl <hpehl> updated the status of jira HAL-221 to Resolved
Harald Pehl <hpehl> made a comment on jira HAL-221 Host and server group scoped roles show the right lifecycle links now. However, if a principal is assigned to several scoped roles it might be that links are visible, but the user does not have the right for the underlying operation. In that case clicking on the link will result in an error message (which is still better than not seeing the link at all). A real solution is targeted with HAL-290.
Moving to CR1 as ER7 was already tagged.
Verified with 6.2.0.CR1 preview
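
An added example, not part of the original thread or of the console or server code: a Python check that parses the access-control block of a read-resource-description response like the one quoted earlier and compares the advertised "execute" flags with what the server actually did when the operation was run. The function names, the two finding labels and the trimmed sample response are constructed for illustration; "hidden-but-allowed" is the mismatch reported in the first comment, "shown-but-denied" is the visible-link-but-error case from the last one.

```python
import json
import re

LIFECYCLE_OPS = ("start", "stop", "restart")
# Constructed sample: the response quoted in this thread, trimmed to a few operations.
SAMPLE_RRD = """
{
    "outcome" => "success",
    "result" => {
        "description" => undefined,
        "access-control" => {
            "default" => {
                "operations" => {
                    "stop" => {"execute" => false},
                    "restart" => {"execute" => false},
                    "start" => {"execute" => false},
                    "undefine-attribute" => {"execute" => true}
                }
            },
            "exceptions" => {}
        }
    }
}
"""

def dmr_to_dict(text):
    """Parse the CLI's text rendering; handles only maps, strings, booleans, undefined."""
    def swap(match):
        token = match.group(0)
        if token.startswith('"'):
            return token          # leave quoted strings untouched
        return ":" if token == "=>" else "null"
    return json.loads(re.sub(r'"[^"]*"|=>|\bundefined\b', swap, text))

def advertised(rrd, ops=LIFECYCLE_OPS):
    """Map each lifecycle op to the 'execute' flag the metadata reports."""
    operations = rrd["result"]["access-control"]["default"]["operations"]
    return {op: operations.get(op, {}).get("execute", False) for op in ops}

def audit(flags, observed):
    """Compare advertised flags with observed outcomes (op -> True if it succeeded)."""
    findings = {}
    for op, allowed in observed.items():
        shown = flags.get(op, False)
        if allowed and not shown:
            findings[op] = "hidden-but-allowed"    # metadata under-reports
        elif shown and not allowed:
            findings[op] = "shown-but-denied"      # link visible, op rejected
    return findings
```

Either finding means the metadata the console renders from and the server's authorization decision have drifted apart; the server-side check remains the authoritative one.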