Bug 1012592 - RBAC: deployer role can't create new deployment
Summary: RBAC: deployer role can't create new deployment
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ER4
: EAP 6.2.0
Assignee: Heiko Braun
QA Contact: Jakub Cechacek
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: eap62-beta-blockers 1014047
TreeView+ depends on / blocked
 
Reported: 2013-09-26 17:13 UTC by Jakub Cechacek
Modified: 2023-09-14 01:51 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:15:10 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-1916 0 Major Resolved Deployer role within domain 2014-03-12 12:00:08 UTC

Description Jakub Cechacek 2013-09-26 17:13:41 UTC 
The deployer role can't create (upload to content repository) new deployment. By the name of this role I would expect that at least global deployer is able to do so.
Comment 1 Brian Stansberry 2013-09-26 17:14:58 UTC 
If you have the low level op details, that would be helpful, as this sounds more like a server-side problem.
Comment 2 Jakub Cechacek 2013-09-26 17:48:26 UTC 
Brian: unfortunately that's all I've got. You will have to ask Heiko about what is going on under the hood
Comment 3 Brian Stansberry 2013-09-26 22:09:33 UTC 
WFLY-1916 seems to indicate the opposite problem from the description of this one.

No matter, though. I'm going to assume this is a server-side constraints issue and dig into it. I'd change the component to Domain Management but don't want to screw up the flags.
Comment 4 Heiko Braun 2013-09-27 05:23:05 UTC 
Why do you think it's the opposite of WFLY-1916?
Comment 6 Brian Stansberry 2013-09-27 12:53:00 UTC 
(In reply to Heiko Braun from comment #4)
> Why do you think it's the opposite of WFLY-1916?

The comment on WFLY-1916 implies the global deployment resources are OK but you had an issue with the server-group resources:

"the deplyer requires write access to:
a) /server-group=*
b) /deployment=*
But currently only the later seems to be given."

This description of this BZ discusses file uploads, which relates to the global level.

So not really the opposite, just different.

You assigned this to yourself but I'll look into it anyway. This general area could stand a bit more testing, so not a waste.
Comment 7 Brian Stansberry 2013-09-30 21:50:14 UTC 
I was looking into Deployer role perms a bit and I discovered that actually the upload ops were insufficiently restrictive, not overly restrictive. That is, any role could upload content to the deployment repo and get back a hash for that content. That is, use the upload-deployment-[bytes|stream|url] ops. That's different from being able to create a deployment=xxx resource referencing that content though.

https://github.com/bstansberry/wildfly/commits/WFLY-2179 has the fix (and test) for that. Before I send a PR for that though I'd like to know it doesn't break the console.
Comment 8 Heiko Braun 2013-10-01 11:25:06 UTC 
accidentally removed the blocker
Comment 10 Vladimir Dosoudil 2013-10-01 12:07:21 UTC 
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626).
There's no PR to eap 6.x github repo https://github.com/jbossas/jboss-eap/
Comment 11 Vladimir Dosoudil 2013-10-01 12:49:03 UTC 
The umbrella issue 1014047 is available now.
Comment 12 Jakub Cechacek 2013-10-04 10:50:02 UTC 
Verified 6.2.0.ER3
Comment 17 Red Hat Bugzilla 2023-09-14 01:51:10 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Note You need to log in before you can comment on or make changes to this bug.