If I understand correctly, roles that have include-all=true in their role mappings should be added to all authenticated users. In my tests, though, this only works in standalone mode. In domain mode, if I set a role mapping to include-all, this setting is not reflected (at least not immediately; maybe it would work after restart, but that's wrong anyway). It doesn't matter which role is set to be include-all -- in my tests, I use both standard roles and scoped roles and it consistently doesn't work. There's probably some wrong caching going on. The failing test case is in my pull request https://github.com/wildfly/wildfly/pull/5166 (it's the "RBAC tests for include-all role mappings in domain" commit). If it's more convenient, the pull request is the same as my rbac branch (https://github.com/Ladicek/wildfly/commits/rbac). This might be related to bug 1014271.
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216 Let me reproduce, once I can see what is happening I can better confirm which area this is in.
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-2216 to Coding In Progress
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216 The following commands are sufficient to reproduce this (ensure the provider is set to rbac before starting the server): -
{code}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:add
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:write-attribute(name=include-all, value=true)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => ["SUPERUSER"]
    }
}
{code}
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2216 Manually restarting the domain leads to the expected result being output: -
{code}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => [
            "SUPERUSER",
            "OPERATOR"
        ]
    }
}
{code}
This indicates something messed up regarding the shared config in domain mode.
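As an added consistency check (not code from the issue or from the WildFly project), the script below parses the CLI's DMR text output and reports every include-all role that `:whoami(verbose=true)` fails to list for the caller, which is exactly the mismatch shown before the restart above. The role-mapping listing is a constructed, trimmed sample of what `read-children-resources(child-type=role-mapping)` is assumed to print; the whoami outputs mirror the before/after results in the comments.

```python
import json

# Constructed sample (not copied from the issue): a trimmed rendering of
# /core-service=management/access=authorization:read-children-resources(child-type=role-mapping)
# after the reproduction steps above (output shape is an assumption).
ROLE_MAPPINGS_OUTPUT = """{
    "outcome" => "success",
    "result" => {
        "SuperUser" => {"include-all" => false},
        "Operator" => {"include-all" => true}
    }
}"""

# :whoami(verbose=true) before the restart, roles as reported in the issue.
WHOAMI_BEFORE_RESTART = """{
    "outcome" => "success",
    "result" => {
        "identity" => {"username" => "$local", "realm" => "ManagementRealm"},
        "mapped-roles" => ["SUPERUSER"]
    }
}"""

# :whoami(verbose=true) after the restart, roles as reported in the issue.
WHOAMI_AFTER_RESTART = WHOAMI_BEFORE_RESTART.replace(
    '["SUPERUSER"]', '["SUPERUSER", "OPERATOR"]')


def dmr_to_obj(text):
    """Parse the CLI's DMR text rendering. Only the subset these outputs use is
    handled: '=>' separators, the undefined keyword, strings, booleans, lists, maps."""
    return json.loads(text.replace("=>", ":").replace("undefined", "null"))


def include_all_roles(role_mappings):
    """Names of role mappings with include-all=true, upper-cased the way
    mapped-roles reports them (Operator -> OPERATOR)."""
    return {name.upper() for name, res in role_mappings.items()
            if res.get("include-all") is True}


def missing_include_all_roles(role_mappings_output, whoami_output):
    """Include-all roles that :whoami does not report for the caller.
    A non-empty result is the inconsistency this issue describes."""
    mappings = dmr_to_obj(role_mappings_output)["result"]
    mapped = set(dmr_to_obj(whoami_output)["result"]["mapped-roles"])
    return include_all_roles(mappings) - mapped


if __name__ == "__main__":
    print("missing before restart:",
          missing_include_all_roles(ROLE_MAPPINGS_OUTPUT, WHOAMI_BEFORE_RESTART))
    print("missing after restart:",
          missing_include_all_roles(ROLE_MAPPINGS_OUTPUT, WHOAMI_AFTER_RESTART))
```

Run against live output from a domain controller, the same function turns the manual `:whoami` comparison into a pass/fail test that can sit beside the RBAC tests in the pull request.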
Verified with EAP 6.2.0.ER6.