Red Hat Bugzilla – Bug 1018521
RBAC: role-mappings are assumed to be in the form of type-principal@realm in Role assignment administration
Last modified: 2015-02-01 18:00:47 EST
Console assumes that all role-mapping names are in the form of type-principal@realm (e.g. user-someuser@SomeRealm or group-somegroup@SomeRealm). Consequently it is not possible to manage role mappings created through other management interfaces and named differently.
Steps to reproduce:
1) create role mapping
/core-service=management/access=authorization/role-mapping=MONITOR/include=monitor:add(name=monitor, type=user, realm=ManagementRealm)
2) Navigate to Administration - Role Assignment
3) Try to remove role assignments for user monitor
Expected result: role-mappings for user monitor are removed
Actual result: Error message (Unable to remove...) due to different naming than expected.
Harald Pehl <email@example.com> made a comment on jira HAL-272
Fixed the wrong addressing "type-principal@realm". Mappings created through other management interfaces like the CLI are honored now.
However, there's still one open issue: When creating a role-mapping through the CLI using a non-formal role name like "MONITOR", the role name is used as is in the persistent configuration (instead of the formal role name "Monitor"). This causes the problems described above. In other words, the fix is only valid if formal role names are used in all management interfaces.
Harald Pehl <firstname.lastname@example.org> updated the status of jira HAL-272 to Resolved
Fixed in HAL 2.0.5.Final
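An audit sketch for the two naming problems discussed in this bug, added here as an example and not taken from HAL or the reporter: it locates include entries by their name/type/realm attributes instead of guessing the key, and flags role names that differ only in case from a formal role. The function names and the SAMPLE data are constructed for illustration; the role list is the standard WildFly/EAP RBAC set.

```python
import re

# Formal spellings of the standard WildFly/EAP RBAC roles (the page names only "Monitor").
FORMAL_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                "Auditor", "Administrator", "SuperUser")
_FORMAL_BY_LOWER = {r.lower(): r for r in FORMAL_ROLES}
# Key naming the console assumed: type-principal@realm
CONVENTION = re.compile(r"^(user|group)-.+@.+$", re.IGNORECASE)
BASE = "/core-service=management/access=authorization"

# Constructed sample, shaped like a recursive read of the role-mapping resources.
SAMPLE = {
    "MONITOR": {"include": {
        "monitor": {"name": "monitor", "type": "user", "realm": "ManagementRealm"}}},
    "Operator": {"include": {
        "user-alice@ManagementRealm":
            {"name": "alice", "type": "user", "realm": "ManagementRealm"}}},
}

def find_includes(mappings, name, ptype, realm):
    """Return management addresses of include entries matched by attributes, not by key."""
    hits = []
    for role, res in mappings.items():
        for key, a in res.get("include", {}).items():
            if (a.get("name"), str(a.get("type", "")).lower(), a.get("realm")) == \
                    (name, ptype.lower(), realm):
                hits.append(f"{BASE}/role-mapping={role}/include={key}")
    return hits

def audit(mappings):
    """Flag role names that differ only in case from a formal role, and unconventional keys."""
    findings = []
    for role, res in mappings.items():
        formal = _FORMAL_BY_LOWER.get(role.lower())
        if formal and formal != role:
            findings.append(("non-formal-role", role, formal))
        for key in res.get("include", {}):
            if not CONVENTION.match(key):
                findings.append(("unconventional-key", role, key))
    return findings

if __name__ == "__main__":
    print(find_includes(SAMPLE, "monitor", "user", "ManagementRealm"))
    for finding in audit(SAMPLE):
        print(finding)
```

Custom or scoped role names that match no standard role are left unflagged, since the check only reports case mismatches against the formal names.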