Bug 1014271 - RBAC: Removing role with "include-all"
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
6.2.0
Unspecified Unspecified
unspecified Severity urgent
: ER7
: EAP 6.2.0
Assigned To: Harald Pehl
Jakub Cechacek
Russell Dickenson
Reported: 2013-10-01 11:18 EDT by Jakub Cechacek
Modified: 2015-02-01 18:00 EST
Doc Type: Known Issue
Last Closed: 2013-12-15 11:18:50 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker HAL-239 Major Resolved Removing role with "include-all" 2016-06-20 04:29 EDT

Description Jakub Cechacek 2013-10-01 11:18:30 EDT
Description of problem:
When trying to remove a scoped role with the "include-all" option active, a "Failed to remove TestRole" error is thrown even though the role is deleted. This might be a consequence of an unsuccessful attempt to remove the role mapping.

The following error can be seen in the console:
http://pastebin.test.redhat.com/167346

Steps to Reproduce:
1. Create a new scoped role with "include-all" active
2. Try to remove the previously created role

Actual results:
Inconsistent access control configuration -- role-mapping is left in configuration 

Expected results:
Both the role and its mapping are removed
Comment 1 Harald Pehl 2013-10-02 05:43:45 EDT
Cannot reproduce with "jboss-eap-6.2.0-ER3.1". If you try to delete a scoped role (include-all flag does not matter) which is used in a role mapping, there is an error saying "cannot delete role because it's used in n role mapping(s)". If the scoped role is not used in any role mappings, it is successfully deleted.

We decided to not automatically delete role mappings containing a scoped role the user is about to delete. As the role mappings might also contain other (scoped) roles, it's better to bring up an error IMHO.
Comment 2 Jakub Cechacek 2013-10-03 04:13:26 EDT
That's exactly the problem, that the "include-all" attribute doesn't matter. The role itself is deleted (even though the error is indeed there). However, it will be kept in the <role-mapping/> section.

I've observed that role mappings done through the "include-all" attribute seem to require a server restart. Consequently, after you delete the role with "include-all" and restart EAP, there will be errors due to an invalid role mapping (as the role doesn't exist, however the mapping element is still present in the configuration).
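
The leftover mapping described in the report and in Comment 2 can be detected offline by comparing the `<role-mapping>` entries against the scoped roles that are still defined. This is an added example, not part of the bug report or the console fix. The sample XML is constructed, and the element layout (`server-group-scoped-roles`, `host-scoped-roles` and `role-mapping` under `access-control`) and the case-insensitive name comparison are assumptions about the EAP 6 management configuration.

```python
import xml.etree.ElementTree as ET

# Built-in RBAC roles; these need no scoped-role definition.
STANDARD_ROLES = {"monitor", "operator", "maintainer", "deployer",
                  "auditor", "administrator", "superuser"}

# Constructed sample, not taken from the bug report: TestRole was removed
# from the scoped roles but its include-all mapping was left behind.
SAMPLE = """
<management xmlns="urn:jboss:domain:1.5">
  <access-control provider="rbac">
    <server-group-scoped-roles>
      <role name="GroupADeployer" base-role="Deployer">
        <server-group name="group-a"/>
      </role>
    </server-group-scoped-roles>
    <role-mapping>
      <role name="SuperUser"><include><user name="$local"/></include></role>
      <role name="GroupADeployer" include-all="true"/>
      <role name="TestRole" include-all="true"/>
    </role-mapping>
  </access-control>
</management>
"""

def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def orphaned_role_mappings(xml_text):
    """Return (role, include_all) for mappings whose role is not defined.
    Assumption: role names are compared case-insensitively."""
    root = ET.fromstring(xml_text)
    defined, mapped = set(STANDARD_ROLES), []
    for parent in root.iter():
        kind = local(parent.tag)
        for role in parent:
            if local(role.tag) != "role" or "name" not in role.attrib:
                continue
            if kind in ("server-group-scoped-roles", "host-scoped-roles"):
                defined.add(role.get("name").lower())
            elif kind == "role-mapping":
                mapped.append((role.get("name"),
                               role.get("include-all", "false") == "true"))
    return [(n, ia) for n, ia in mapped if n.lower() not in defined]

if __name__ == "__main__":
    for name, include_all in orphaned_role_mappings(SAMPLE):
        print(f"orphaned role-mapping: {name} (include-all={include_all})")
```

Running this against a copy of the configuration before a restart flags any mapping whose scoped role no longer exists.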
Comment 3 JBoss JIRA Server 2013-10-04 06:29:05 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-239

Can confirm the error now. Will provide a fix ASAP
Comment 4 JBoss JIRA Server 2013-10-08 04:52:44 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-239 to Coding In Progress
Comment 5 JBoss JIRA Server 2013-10-09 09:56:58 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-239

Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270
Comment 6 JBoss JIRA Server 2013-10-09 09:58:40 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-239

Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then use the workaround described in WFLY-2270. That is if you want to delete a scoped role, make sure it does not have the include-all flag set. Otherwise the console runs into the error described at WFLY-2270.
Comment 7 JBoss JIRA Server 2013-10-09 10:14:42 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-239

Added workaround to the console: Whenever one deletes a scoped role which has include-all=true, the include-all flag is set to false in an extra DMR operation, before the actual scoped role is removed.
Comment 8 JBoss JIRA Server 2013-10-09 10:23:28 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-239 to Resolved
Comment 9 JBoss JIRA Server 2013-10-09 10:23:28 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-239

Resolved with workaround (see last comment)
Comment 10 Harald Pehl 2013-10-29 09:49:35 EDT
Fixed in HAL 2.0.5.Final
Comment 11 Jakub Cechacek 2013-10-31 08:49:30 EDT
Verified 6.2.0.ER7
