Description of problem:
When trying to remove a scoped role with an active "include-all" option, a "Failed to remove TestRole" error is thrown even though the role is deleted. This might be a consequence of an unsuccessful attempt to remove the role mapping. The following error can be seen in the console: http://pastebin.test.redhat.com/167346
Steps to Reproduce:
1. Create a new scoped role with active "include-all"
2. Try to remove the role previously created
Actual results:
Inconsistent access control configuration -- role-mapping is left in configuration
Expected results:
Both the role and its mapping are removed
Cannot reproduce with "jboss-eap-6.2.0-ER3.1". If you try to delete a scoped role (include-all flag does not matter) which is used in a role mapping, there is an error saying "cannot delete role because it's used in n role mapping(s)". If the scoped role is not used in any role mappings, it is successfully deleted. We decided to not automatically delete role mappings containing a scoped role the user is about to delete. As the role mappings might also contain other (scoped) roles, it's better to bring up an error IMHO.
That's exactly the problem: the "include-all" attribute doesn't matter. The role itself is deleted (even though the error is indeed there). However, it will be kept in the <role-mapping/> section. I've observed that role mappings done through the "include-all" attribute seem to require a server restart. Consequently, after you delete the role with "include-all" and restart EAP, there will be errors due to an invalid role mapping (as the role doesn't exist, however the mapping element is still present in the configuration).
Harald Pehl <hpehl> made a comment on jira HAL-239: Can confirm the error now. Will provide a fix ASAP.
Harald Pehl <hpehl> updated the status of jira HAL-239 to Coding In Progress
Harald Pehl <hpehl> made a comment on jira HAL-239: Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then, use the workaround described in WFLY-2270.
Harald Pehl <hpehl> made a comment on jira HAL-239: Fixed errors in console. What's remaining is the fix for WFLY-2270. Till then, use the workaround described in WFLY-2270. That is, if you want to delete a scoped role, make sure it does not have the include-all flag set. Otherwise the console runs into the error described at WFLY-2270.
Harald Pehl <hpehl> made a comment on jira HAL-239: Added workaround to the console: Whenever one deletes a scoped role which has include-all=true, the include-all flag is set to false in an extra DMR operation, before the actual scoped role is removed.
Harald Pehl <hpehl> updated the status of jira HAL-239 to Resolved
Harald Pehl <hpehl> made a comment on jira HAL-239: Resolved with workaround (see last comment).
Fixed in HAL 2.0.5.Final
Verified 6.2.0.ER7