Bug 1012592 - RBAC: deployer role can't create new deployment [NEEDINFO]
RBAC: deployer role can't create new deployment
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console (Show other bugs)
Unspecified Unspecified
unspecified Severity urgent
: ER4
: EAP 6.2.0
Assigned To: Heiko Braun
Jakub Cechacek
Russell Dickenson
Depends On:
Blocks: eap62-beta-blockers 1014047
  Show dependency treegraph
Reported: 2013-09-26 13:13 EDT by Jakub Cechacek
Modified: 2013-12-15 11:15 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-15 11:15:10 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
myarboro: needinfo? (hbraun)

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-1916 Major Resolved Deployer role within domain 2014-03-12 08:00:08 EDT

  None (edit)
Description Jakub Cechacek 2013-09-26 13:13:41 EDT
The deployer role can't create (upload to content repository) new deployment. By the name of this role I would expect that at least global deployer is able to do so.
Comment 1 Brian Stansberry 2013-09-26 13:14:58 EDT
If you have the low level op details, that would be helpful, as this sounds more like a server-side problem.
Comment 2 Jakub Cechacek 2013-09-26 13:48:26 EDT
Brian: unfortunately that's all I've got. You will have to ask Heiko about what is going on under the hood
Comment 3 Brian Stansberry 2013-09-26 18:09:33 EDT
WFLY-1916 seems to indicate the opposite problem from the description of this one.

No matter, though. I'm going to assume this is a server-side constraints issue and dig into it. I'd change the component to Domain Management but don't want to screw up the flags.
Comment 4 Heiko Braun 2013-09-27 01:23:05 EDT
Why do you think it's the opposite of WFLY-1916?
Comment 6 Brian Stansberry 2013-09-27 08:53:00 EDT
(In reply to Heiko Braun from comment #4)
> Why do you think it's the opposite of WFLY-1916?

The comment on WFLY-1916 implies the global deployment resources are OK but you had an issue with the server-group resources:

"the deplyer requires write access to:
a) /server-group=*
b) /deployment=*
But currently only the later seems to be given."

This description of this BZ discusses file uploads, which relates to the global level.

So not really the opposite, just different.

You assigned this to yourself but I'll look into it anyway. This general area could stand a bit more testing, so not a waste.
Comment 7 Brian Stansberry 2013-09-30 17:50:14 EDT
I was looking into Deployer role perms a bit and I discovered that actually the upload ops were insufficiently restrictive, not overly restrictive. That is, any role could upload content to the deployment repo and get back a hash for that content. That is, use the upload-deployment-[bytes|stream|url] ops. That's different from being able to create a deployment=xxx resource referencing that content though.

https://github.com/bstansberry/wildfly/commits/WFLY-2179 has the fix (and test) for that. Before I send a PR for that though I'd like to know it doesn't break the console.
Comment 8 Heiko Braun 2013-10-01 07:25:06 EDT
accidentally removed the blocker
Comment 10 Vladimir Dosoudil 2013-10-01 08:07:21 EDT
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626).
There's no PR to eap 6.x github repo https://github.com/jbossas/jboss-eap/
Comment 11 Vladimir Dosoudil 2013-10-01 08:49:03 EDT
The umbrella issue 1014047 is available now.
Comment 12 Jakub Cechacek 2013-10-04 06:50:02 EDT
Verified 6.2.0.ER3

Note You need to log in before you can comment on or make changes to this bug.