Bug 1018521 - RBAC: role-mapping are assumed to be in form of type-principal@realm in Role assignment administration
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
6.2.0
unspecified Severity urgent
: ER7
Assigned To: Heiko Braun
Jakub Cechacek
Russell Dickenson
Reported: 2013-10-12 17:11 EDT by Jakub Cechacek
Modified: 2015-02-01 18:00 EST
Doc Type: Known Issue
Last Closed: 2013-12-15 11:19:49 EST
Type: Bug


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | HAL-272 | Major | Resolved | RBAC: role-mapping are assumed to be in form of type-principal@realm in Role assignment administration | 2013-11-21 14:31:17 EST

Description Jakub Cechacek 2013-10-12 17:11:24 EDT
The console assumes that all role-mapping names are in the form of type-principal@realm (e.g. user-someuser@SomeRealm or group-somegroup@SomeRealm). Consequently, it is not possible to manage role mappings created through other management interfaces and named differently.

Steps to reproduce:

1) create role mapping
/core-service=management/access=authorization/role-mapping=MONITOR:add()
/core-service=management/access=authorization/role-mapping=MONITOR/include=monitor:add(name=monitor, type=user, realm=ManagementRealm)

2) Navigate to Administration - Role Assignment 
3) Try to remove role assignments for user monitor 

Expected result: role-mappings for user monitor are removed
Actual result: Error message (Unable to remove...) due to different naming than expected.
Comment 1 JBoss JIRA Server 2013-10-13 17:09:16 EDT
Harald Pehl <hpehl@redhat.com> made a comment on jira HAL-272

Fixed the wrong addressing "type-principal@realm". Mappings created through other management interfaces like the CLI are honored now. 

However, there's still one open issue: When creating a role-mapping through the CLI using a non-formal role name like "MONITOR", the role name is used as is in the persistent configuration (instead of the formal role name "Monitor"). This causes the problems described above. In other words, the fix is only valid if formal role names are used in all management interfaces.
Comment 2 JBoss JIRA Server 2013-10-14 06:25:52 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-272 to Resolved
Comment 3 Harald Pehl 2013-10-29 09:51:10 EDT
Fixed in HAL 2.0.5.Final
Comment 4 Jakub Cechacek 2013-10-31 10:03:33 EDT
Verified 6.2.0.ER7
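
An added illustration (not HAL's code and not part of the bug thread) of the failure mode reported above: addressing include entries by a constructed type-principal@realm key misses entries named differently, while matching on each entry's name, type and realm attributes finds them. The sample model, the principal object shape and all function names are assumptions made for this example.

```javascript
// Constructed sample model (assumption): role-mapping resources keyed by role
// name, each with include children keyed by an arbitrary resource name.
const sampleModel = {
  MONITOR: {
    include: {
      // Named as in the reproduction steps: include=monitor
      monitor: { name: "monitor", type: "user", realm: "ManagementRealm" },
    },
  },
  Operator: {
    include: {
      "user-monitor@ManagementRealm": { name: "monitor", type: "user", realm: "ManagementRealm" },
      "group-ops@ManagementRealm": { name: "ops", type: "group", realm: "ManagementRealm" },
    },
  },
};

// The key the console assumed every include entry would have.
function conventionKey(p) {
  return `${p.type}-${p.name}@${p.realm}`;
}

// Find a principal's include entries by comparing attributes, not names, and
// return the real address of each one.
function findIncludes(model, p) {
  const hits = [];
  for (const [role, mapping] of Object.entries(model)) {
    for (const [key, entry] of Object.entries(mapping.include || {})) {
      const same =
        entry.name === p.name &&
        String(entry.type).toLowerCase() === p.type.toLowerCase() &&
        (entry.realm || null) === (p.realm || null);
      if (same) {
        const address = `/core-service=management/access=authorization/role-mapping=${role}/include=${key}`;
        hits.push({ role, key, address });
      }
    }
  }
  return hits;
}

// Entries a convention-based lookup would fail to address.
function missedByConvention(model, p) {
  const expected = conventionKey(p);
  return findIncludes(model, p).filter((hit) => hit.key !== expected);
}

const monitor = { name: "monitor", type: "user", realm: "ManagementRealm" };
console.log(missedByConvention(sampleModel, monitor).map((hit) => hit.address));
```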
