Bug 1015493 - include-all role mappings don't work in domain
Summary: include-all role mappings don't work in domain
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ER6
: EAP 6.2.0
Assignee: Darran Lofthouse
QA Contact: Ladislav Thon
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 999622
Reported: 2013-10-04 11:53 UTC by Ladislav Thon
Modified: 2013-12-15 16:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:22:36 UTC
Type: Bug


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | WFLY-2216 | 0 | Major | Resolved | include-all role mappings don't work in domain | 2013-10-21 10:41:45 UTC

Description Ladislav Thon 2013-10-04 11:53:30 UTC
If I understand correctly, roles that have include-all=true in their role mappings should be added to all authenticated users. In my tests, though, this only works in standalone mode.

In domain mode, if I set a role mapping to include-all, this setting is not reflected (at least not immediately; maybe it would work after restart, but that's wrong anyway). It doesn't matter which role is set to be include-all -- in my tests, I use both standard roles and scoped roles and it consistently doesn't work. There's probably some wrong caching going on.

The failing test case is in my pull request https://github.com/wildfly/wildfly/pull/5166 (it's the "RBAC tests for include-all role mappings in domain" commit). If it's more convenient, the pull request is the same as my rbac branch (https://github.com/Ladicek/wildfly/commits/rbac).

This might be related to bug 1014271.

Comment 1 JBoss JIRA Server 2013-10-04 13:29:55 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2216

Let me reproduce; once I can see what is happening, I can better confirm which area this is in.

Comment 2 JBoss JIRA Server 2013-10-04 16:14:18 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-2216 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-10-04 16:18:37 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2216

The following commands are sufficient to reproduce this (ensure the provider is set to rbac before starting the server): -

{code}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:add
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] ./core-service=management/access=authorization/role-mapping=Operator:write-attribute(name=include-all, value=true)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"main-server-group" => {"host" => {"master" => {
        "server-one" => {"response" => {"outcome" => "success"}},
        "server-two" => {"response" => {"outcome" => "success"}}
    }}}}
}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => ["SUPERUSER"]
    }
}
{code}

Comment 4 JBoss JIRA Server 2013-10-04 16:21:21 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2216

Manually restarting the domain leads to the expected result being output: -

{code}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => [
            "SUPERUSER",
            "OPERATOR"
        ]
    }
}
{code}

This indicates something is messed up regarding the shared config in domain mode.
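
A check for the symptom shown in comments 3 and 4, as an added example that is not part of the bug report or of WildFly/EAP: it parses the text of a `:whoami(verbose=true)` reply and reports which expected roles are missing from `mapped-roles`. The parser covers only the DMR subset seen in the outputs above; the names `parse_dmr` and `missing_roles` are hypothetical, and the case-insensitive role comparison is an assumption based on "Operator" appearing as "OPERATOR" in those outputs.

```python
import re

# Tokens of the CLI's DMR text output: "=>", punctuation, quoted strings, bare words.
TOKEN = re.compile(r'\s*(=>|[{}\[\],]|"(?:[^"\\]|\\.)*"|[^\s{}\[\],=]+)')

def parse_dmr(text):
    """Parse the DMR text subset used in the replies above into dicts and lists."""
    return _value(TOKEN.findall(text), 0)[0]

def _value(tokens, pos):
    tok = tokens[pos]
    if tok in ("{", "["):
        close, items, pos = ("}" if tok == "{" else "]"), [], pos + 1
        while tokens[pos] != close:
            item, pos = _value(tokens, pos)
            if tok == "{":  # object entry: key => value
                if tokens[pos] != "=>":
                    raise ValueError("expected => after key %r" % item)
                val, pos = _value(tokens, pos + 1)
                item = (item, val)
            items.append(item)
            if tokens[pos] == ",":
                pos += 1
        return (dict(items) if tok == "{" else items), pos + 1
    if tok.startswith('"'):
        return tok[1:-1], pos + 1
    return {"undefined": None, "true": True, "false": False}.get(tok, tok), pos + 1

def missing_roles(whoami_output, expected_roles):
    """Return the expected roles that are absent from the reply's mapped-roles."""
    reply = parse_dmr(whoami_output)
    if reply.get("outcome") != "success":
        raise ValueError("whoami did not succeed")
    mapped = {r.upper() for r in reply["result"].get("mapped-roles", [])}  # assumed case-insensitive
    return [r for r in expected_roles if r.upper() not in mapped]

# The two :whoami replies quoted in comments 3 and 4, whitespace condensed.
REPLY = '''{"outcome" => "success", "result" => {
    "identity" => {"username" => "$local", "realm" => "ManagementRealm"},
    "mapped-roles" => [%s]}}'''
BEFORE_RESTART = REPLY % '"SUPERUSER"'
AFTER_RESTART = REPLY % '"SUPERUSER", "OPERATOR"'

if __name__ == "__main__":
    for label, out in (("before restart", BEFORE_RESTART), ("after restart", AFTER_RESTART)):
        print(label, "-> missing:", missing_roles(out, ["Operator"]))
```

Run against a live reply right after changing `include-all`, a non-empty result means the effective roles lag behind the configuration, which is the behaviour this bug describes.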

Comment 8 Ladislav Thon 2013-10-21 10:41:38 UTC
Verified with EAP 6.2.0.ER6.

