Bug 1240664 - [GSS](6.4.z) RBAC servergroup scoped roles deployments
Summary: [GSS](6.4.z) RBAC servergroup scoped roles deployments
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.4.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Ryan Emerson
QA Contact: Pavel Jelinek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-07-07 13:04 UTC by Tom Fonteyne
Modified: 2019-09-12 08:36 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-05 10:43:29 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker HAL-757 0 Critical Resolved Server-group-scoped-roles not respected in Domain mode 2017-11-13 01:50:44 UTC
Red Hat Issue Tracker HAL-760 0 Critical Resolved (Master)Server-group-scoped-roles not respected in Domain mode 2017-11-13 01:50:44 UTC

Description Tom Fonteyne 2015-07-07 13:04:08 UTC
Domain mode, RBAC: multiple users and multiple servergroup based roles. One user will be able to deploy application (to his servergroup) while the other cannot.
This works fine when using the CLI

Setup
- standard 6.4.1 in domain mode, using "full-ha"
- two users
- one host-based role, based on "maintainer"
  assign 'master' and *both* users.
- two server-groups, each with one server in them
  based on "Deployer"
- assign user1 to sg1, user2 to sg2
- in the console login as user1
  - start/stop of servers works fine
  - user1 can deploy an application and assign/enable it on sg1
- login as user2
  - start/stop of servers works fine
  - user2 cannot handle any deployments -> all related buttons are not visible.

testing with:

       <access-control provider="rbac">
            <server-group-scoped-roles>
                <role name="sg1" base-role="Deployer">
                    <server-group name="slaves"/>
                </role>
                <role name="sg2" base-role="Deployer">
                    <server-group name="slaves2"/>
                </role>
            </server-group-scoped-roles>
            <host-scoped-roles>
                <role name="hostmaster" base-role="Maintainer">
                    <host name="master"/>
                </role>
            </host-scoped-roles>
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="tom"/>
                    </include>
                </role>
                <role name="hostmaster">
                    <include>
                        <user name="user1"/>
                        <user name="user2"/>
                    </include>
                </role>
                <role name="sg1">
                    <include>
                        <user name="user1"/>
                    </include>
                </role>
                <role name="sg2">
                    <include>
                        <user name="user2"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

CLI with user1/2:

[domain.redhat.com:9999 /] :whoami(verbose=true)
{                                                                                                                                                                                                              
    "outcome" => success",
    "result" => {
        "identity" => {
            "username" => "user1",
            "realm" => "LdapManagementRealm"
        },
        "mapped-roles" => [
            "sg1",
            "hostmaster"
        ]
    }
}

[domain.redhat.com:9999 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "user2",
            "realm" => "LdapManagementRealm"
        },
        "mapped-roles" => [
            "sg2",
            "hostmaster"
        ]
    }
}


[domain.redhat.com:9999 /] /core-service=management/access=authorization:read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "permission-combination-policy" => "permissive",
        "provider" => "rbac",
...
        "host-scoped-role" => {"hostmaster" => {
            "base-role" => "Maintainer",
            "hosts" => ["master"]
        }},
        "role-mapping" => {
            "SuperUser" => {
                "include-all" => false,
                "exclude" => undefined,
                "include" => {"user-tom" => {
                    "name" => "tom",
                    "realm" => undefined,
                    "type" => "USER"
                }}
            },
            "hostmaster" => {
                "include-all" => false,
                "exclude" => undefined,
                "include" => {
                    "user-user1" => {
                        "name" => "user1",
                        "realm" => undefined,
                        "type" => "USER"
                    },
                    "user-user2" => {
                        "name" => "user2",
                        "realm" => undefined,
                        "type" => "USER"
                    }
                }
            },
            "sg1" => {
                "include-all" => false,
                "exclude" => undefined,
                "include" => {"user-user1" => {
                    "name" => "user1",
                    "realm" => undefined,
                    "type" => "USER"
                }}
            },
            "sg2" => {
                "include-all" => false,
                "exclude" => undefined,
                "include" => {"user-user2" => {
                    "name" => "user2",
                    "realm" => undefined,
                    "type" => "USER"
                }}
            }
        },
        "server-group-scoped-role" => {
            "sg1" => {
                "base-role" => "Deployer",
                "server-groups" => ["slaves"]
            },
            "sg2" => {
                "base-role" => "Deployer",
                "server-groups" => ["slaves2"]
            }
        }
    }
}

previously user1 deployed "ShowSystemProperties.war" and assigned/enabled it on slaves (sg1) and deployed (to repo only) jdbc.war

logged in as user2, console does not allow handling deployments -> no buttons visible

but in the CLI:

[domain.redhat.com:9999 /] /server-group=slaves2/deployment=jdbc.war:add(enabled=true)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"slaves2" => {"host" => {"master" => {"i2" => {"response" => {"outcome" => "success"}}}}}}
}

=> works ok + refresh console -> jdbc.war shows up.

Still as user2 (ShowSystemProperties is deployed to group slaves, only allowed to be handled by user1)

[domain.redhat.com:9999 /] /server-group=slaves/deployment=ShowSystemProperties.war:remove
{
    "outcome" => "failed",
    "failure-description" => {"domain-failure-description" => "JBAS013456: Unauthorized to execute operation 'remove' for resource '[
    (\"server-group\" => \"slaves\"),
    (\"deployment\" => \"ShowSystemProperties.war\")
]' -- \"JBAS013475: Permission denied\""},
    "rolled-back" => true
}
[domain.redhat.com:9999 /] exit

[tom@orac Master]$ cli
Username: user1
Password: 
[domain.redhat.com:9999 /] /server-group=slaves/deployment=ShowSystemProperties.war:remove
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => {"slaves" => {"host" => {"master" => {"i1" => {"response" => {"outcome" => "success"}}}}}}
}

=> works as designed.

conclusion: it's a console issue.... and the architecture underneath is working ok

This bug should be linked to the console component upgrade for EAP 6.4 CP3 or up

Comment 4 JBoss JIRA Server 2015-09-16 12:18:57 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Open

Comment 5 JBoss JIRA Server 2015-09-16 15:24:33 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Closed

Comment 6 JBoss JIRA Server 2015-09-30 13:36:46 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Reopened

Comment 8 JBoss JIRA Server 2015-10-01 06:59:48 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-760 to Resolved

Comment 9 JBoss JIRA Server 2015-10-01 07:00:46 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-757 to Resolved


Note You need to log in before you can comment on or make changes to this bug.