Domain mode, RBAC: multiple users and multiple server-group based roles. One user will be able to deploy an application (to his server group) while the other cannot. This works fine when using the CLI.

Setup - standard 6.4.1 in domain mode, using "full-ha"
- two users
- one host-based role, based on "Maintainer": assign 'master' and *both* users
- two server groups, each with one server in them, based on "Deployer": assign user1 to sg1, user2 to sg2
- in the console, login as user1
  - start/stop of servers works fine
  - user1 can deploy an application and assign/enable it on sg1
- login as user2
  - start/stop of servers works fine
  - user2 cannot handle any deployments -> all related buttons are not visible.

Testing with:

    <access-control provider="rbac">
        <server-group-scoped-roles>
            <role name="sg1" base-role="Deployer">
                <server-group name="slaves"/>
            </role>
            <role name="sg2" base-role="Deployer">
                <server-group name="slaves2"/>
            </role>
        </server-group-scoped-roles>
        <host-scoped-roles>
            <role name="hostmaster" base-role="Maintainer">
                <host name="master"/>
            </role>
        </host-scoped-roles>
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <user name="tom"/>
                </include>
            </role>
            <role name="hostmaster">
                <include>
                    <user name="user1"/>
                    <user name="user2"/>
                </include>
            </role>
            <role name="sg1">
                <include>
                    <user name="user1"/>
                </include>
            </role>
            <role name="sg2">
                <include>
                    <user name="user2"/>
                </include>
            </role>
        </role-mapping>
    </access-control>

CLI with user1/2:

    [domain.redhat.com:9999 /] :whoami(verbose=true)
    {
        "outcome" => "success",
        "result" => {
            "identity" => {
                "username" => "user1",
                "realm" => "LdapManagementRealm"
            },
            "mapped-roles" => [
                "sg1",
                "hostmaster"
            ]
        }
    }

    [domain.redhat.com:9999 /] :whoami(verbose=true)
    {
        "outcome" => "success",
        "result" => {
            "identity" => {
                "username" => "user2",
                "realm" => "LdapManagementRealm"
            },
            "mapped-roles" => [
                "sg2",
                "hostmaster"
            ]
        }
    }

    [domain.redhat.com:9999 /] /core-service=management/access=authorization:read-resource(recursive=true)
    {
        "outcome" => "success",
        "result" => {
            "permission-combination-policy" => "permissive",
            "provider" => "rbac",
            ...
            "host-scoped-role" => {"hostmaster" => {
                "base-role" => "Maintainer",
                "hosts" => ["master"]
            }},
            "role-mapping" => {
                "SuperUser" => {
                    "include-all" => false,
                    "exclude" => undefined,
                    "include" => {"user-tom" => {
                        "name" => "tom",
                        "realm" => undefined,
                        "type" => "USER"
                    }}
                },
                "hostmaster" => {
                    "include-all" => false,
                    "exclude" => undefined,
                    "include" => {
                        "user-user1" => {
                            "name" => "user1",
                            "realm" => undefined,
                            "type" => "USER"
                        },
                        "user-user2" => {
                            "name" => "user2",
                            "realm" => undefined,
                            "type" => "USER"
                        }
                    }
                },
                "sg1" => {
                    "include-all" => false,
                    "exclude" => undefined,
                    "include" => {"user-user1" => {
                        "name" => "user1",
                        "realm" => undefined,
                        "type" => "USER"
                    }}
                },
                "sg2" => {
                    "include-all" => false,
                    "exclude" => undefined,
                    "include" => {"user-user2" => {
                        "name" => "user2",
                        "realm" => undefined,
                        "type" => "USER"
                    }}
                }
            },
            "server-group-scoped-role" => {
                "sg1" => {
                    "base-role" => "Deployer",
                    "server-groups" => ["slaves"]
                },
                "sg2" => {
                    "base-role" => "Deployer",
                    "server-groups" => ["slaves2"]
                }
            }
        }
    }

Previously user1 deployed "ShowSystemProperties.war" and assigned/enabled it on slaves (sg1), and deployed (to repo only) jdbc.war.

Logged in as user2, the console does not allow handling deployments -> no buttons visible, but in the CLI:

    [domain.redhat.com:9999 /] /server-group=slaves2/deployment=jdbc.war:add(enabled=true)
    {
        "outcome" => "success",
        "result" => undefined,
        "server-groups" => {"slaves2" => {"host" => {"master" => {"i2" => {"response" => {"outcome" => "success"}}}}}}
    }

=> works ok; refresh the console -> jdbc.war shows up.

Still as user2 (ShowSystemProperties is deployed to group slaves, only allowed to be handled by user1):

    [domain.redhat.com:9999 /] /server-group=slaves/deployment=ShowSystemProperties.war:remove
    {
        "outcome" => "failed",
        "failure-description" => {"domain-failure-description" => "JBAS013456: Unauthorized to execute operation 'remove' for resource '[ (\"server-group\" => \"slaves\"), (\"deployment\" => \"ShowSystemProperties.war\") ]' -- \"JBAS013475: Permission denied\""},
        "rolled-back" => true
    }
    [domain.redhat.com:9999 /] exit
    [tom@orac Master]$ cli
    Username: user1
    Password:
    [domain.redhat.com:9999 /] /server-group=slaves/deployment=ShowSystemProperties.war:remove
    {
        "outcome" => "success",
        "result" => undefined,
        "server-groups" => {"slaves" => {"host" => {"master" => {"i1" => {"response" => {"outcome" => "success"}}}}}}
    }

=> works as designed.

Conclusion: it's a console issue, and the architecture underneath is working ok. This bug should be linked to the console component upgrade for EAP 6.4 CP3 or up.
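The security-relevant point of the report is that enforcement lives in the domain controller (the CLI gets "Permission denied" for user2 on slaves and success on slaves2), while the console hides every deployment button for user2 because it derives visibility from something other than that decision. The following is an added example, not code from the report, HAL or WildFly/EAP: a deliberately simplified model of the scoped-role decision that parses the `<access-control>` block quoted above and answers, for a user, a resource address and an operation, the same yes/no the CLI observed. It then derives the "buttons" from that same function, which is the property a console should have (in WildFly/EAP the server-side answer is available to clients through `:read-resource-description(access-control=trim-descriptions)`). The rules are assumptions that cover only what the report exercises: Deployer scoped to server groups may write deployment resources under those groups, Maintainer scoped to a host may write anything under that host, SuperUser may do everything, unmapped users nothing; `include-all`, `exclude`, realms, sensitivity constraints and the domain-wide `/deployment=*` rules are not modelled.

```python
import xml.etree.ElementTree as ET

# Copied from the bug report above; the only input the model needs.
ACCESS_CONTROL_XML = """
<access-control provider="rbac">
  <server-group-scoped-roles>
    <role name="sg1" base-role="Deployer"><server-group name="slaves"/></role>
    <role name="sg2" base-role="Deployer"><server-group name="slaves2"/></role>
  </server-group-scoped-roles>
  <host-scoped-roles>
    <role name="hostmaster" base-role="Maintainer"><host name="master"/></role>
  </host-scoped-roles>
  <role-mapping>
    <role name="SuperUser"><include><user name="tom"/></include></role>
    <role name="hostmaster"><include><user name="user1"/><user name="user2"/></include></role>
    <role name="sg1"><include><user name="user1"/></include></role>
    <role name="sg2"><include><user name="user2"/></include></role>
  </role-mapping>
</access-control>
"""

# Operations treated as writes by this simplified model (assumption, not the real
# per-operation access constraints of the management model).
WRITE_OPS = {"add", "remove", "deploy", "undeploy", "start", "stop", "write-attribute"}


def parse_address(path):
    """'/server-group=slaves/deployment=x.war' -> [('server-group', 'slaves'), ('deployment', 'x.war')]"""
    out = []
    for part in (p for p in path.split("/") if p):
        key, _, value = part.partition("=")
        out.append((key, value))
    return out


class RbacModel:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        # scoped role name -> (base role, set of server groups / hosts it is limited to)
        self.sg_roles = {r.get("name"): (r.get("base-role"), {e.get("name") for e in r.iterfind("server-group")})
                         for r in root.iterfind("server-group-scoped-roles/role")}
        self.host_roles = {r.get("name"): (r.get("base-role"), {e.get("name") for e in r.iterfind("host")})
                           for r in root.iterfind("host-scoped-roles/role")}
        # role name -> users explicitly included (include-all / exclude are not used in the report)
        self.members = {m.get("name"): {u.get("name") for u in m.iterfind("include/user")}
                        for m in root.iterfind("role-mapping/role")}

    def mapped_roles(self, user):
        """Equivalent of the 'mapped-roles' list that :whoami(verbose=true) prints."""
        return sorted(role for role, users in self.members.items() if user in users)

    def is_allowed(self, user, path, operation):
        roles = self.mapped_roles(user)
        if not roles:
            return False                 # a user with no mapped role gets nothing, not even reads
        if "SuperUser" in roles:
            return True
        if operation not in WRITE_OPS:
            return True                  # scoped roles may read the model (sensitive data not modelled)
        addr = parse_address(path)
        head = addr[0] if addr else ("", "")
        for role in roles:
            if role in self.sg_roles:
                base, groups = self.sg_roles[role]
                # Deployer: writes only to deployment resources under one of its own server groups
                if (base == "Deployer" and head[0] == "server-group" and head[1] in groups
                        and any(key == "deployment" for key, _ in addr[1:])):
                    return True
            if role in self.host_roles:
                base, hosts = self.host_roles[role]
                # Maintainer scoped to a host: writes anywhere under that host (start/stop its servers)
                if base == "Maintainer" and head[0] == "host" and head[1] in hosts:
                    return True
        return False

    def deployment_actions(self, user, server_group):
        """What a console should enable for this user on this group: the same decision the CLI gets."""
        probe = f"/server-group={server_group}/deployment=probe.war"
        return sorted(op for op in ("add", "remove") if self.is_allowed(user, probe, op))


if __name__ == "__main__":
    model = RbacModel(ACCESS_CONTROL_XML)
    # Replays the report's CLI sequence.
    print("user2 mapped roles:", model.mapped_roles("user2"))
    print("user2 add jdbc.war to slaves2:",
          model.is_allowed("user2", "/server-group=slaves2/deployment=jdbc.war", "add"))
    print("user2 remove ShowSystemProperties.war from slaves:",
          model.is_allowed("user2", "/server-group=slaves/deployment=ShowSystemProperties.war", "remove"))
    print("user1 remove ShowSystemProperties.war from slaves:",
          model.is_allowed("user1", "/server-group=slaves/deployment=ShowSystemProperties.war", "remove"))
    for group in ("slaves", "slaves2"):
        print(f"buttons for user2 on {group}:", model.deployment_actions("user2", group))
```

Run as a script it prints the same outcomes the report shows for the CLI: user2 can add to slaves2, cannot remove from slaves, user1 can; and `deployment_actions("user2", "slaves2")` yields `add`/`remove` while `slaves` yields nothing, which is the per-group visibility the console should have shown instead of hiding everything.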
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Open
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Closed
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Reopened
Heiko Braun <ike.braun> updated the status of jira HAL-760 to Resolved
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Resolved