Description of problem: Under the rbac enabled EAP environment, EAP Admin console make "test-connection" button on Datasource menu appeared or disappeared depending on the role of users. For example, if role of user is Operator, the button would not be appeared but Maintainer do. However, on CLI, the operation "test-connection-in-pool" is always executable. I am not sure which is working properly but it should give same result "do or not" on admin console and cli for same role. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Set up RBAC in domain.xml like following: ~~~ <management> <access-control provider="rbac" permission-combination-policy="permissive"> <role-mapping> <role name="Administrator"> <include> <group realm="ManagementRealm" name="Administrator"/> </include> </role> <role name="Auditor"> <include> <group realm="ManagementRealm" name="Auditor"/> </include> </role> <role name="Deployer"> <include> <group realm="ManagementRealm" name="Deployer"/> </include> </role> <role name="Maintainer"> <include> <group realm="ManagementRealm" name="Maintainer"/> </include> </role> <role name="Monitor"> <include> <group realm="ManagementRealm" name="Monitor"/> </include> </role> <role name="Operator"> <include> <group realm="ManagementRealm" name="Operator"/> </include> </role> <role name="SuperUser"> <include> <user name="$local"/> <group realm="ManagementRealm" name="SuperUser"/> </include> </role> </role-mapping> </access-control> </management> ~~~ 2. host.xml ~~~ <security-realm name="ManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/> </authentication> <authorization map-groups-to-roles="true"> <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/> </authorization> </security-realm> ... <management-interfaces> <native-interface security-realm="ManagementRealm"> <socket interface="management-native" port="9999"/> </native-interface> <http-interface security-realm="ManagementRealm"> <socket interface="management-web" port="9990"/> </http-interface> </management-interfaces> .. ~~~ 3. add user & group domain/configuration/mgmt-users.proerties ~~~ jboss=1ab58a9a2eba20747214dec27389a263 ~~~ domain/configuration/mgmt-groups.proerties ~~~ #jboss= Maintainer, Monitor, Deployer, Operator jboss= Operator ~~~ 4. Login admin console with jboss/!qaz2wsx & go to datasource menu -> connection(sub menu) --> There is no test-connection button. 5. Login CLI with jboss/!qaz2wsx & try following command /host=HOST_CONTOLLER_NAME/server=SERVER_NAME/subsystem=datasources/data-source=ExampleDS:test-connection-in-pool example : /host=jhouse-mac-book.local/server=server0/subsystem=datasources/data-source=ExampleDS:test-connection-in-pool Note) EAP server has to be started to execute above command. If you change role to Maintainer (step3), you also see test-connection button on admin console. Actual results: test-connection operation is executed. Expected results: test-connection operation is not available. Additional info:
I'm changing the component on this, as Operator should be able to execute this operation and can do so in the CLI.
Note that I believe the web console has behavior such that it enables a datasource if it isn't enabled in order to test the connection. In other words, the button in the console may represent a more complex action than the :test-connection-in-pool operation does in the CLI. An Operator is not able to enable a datasource, as that involves a persistent configuration change, and thus may be prevented from performing the more complex web console action.
John Doyle <jdoyle> updated the status of jira PRODMGT-1333 to Resolved
For EAP 6.4.5.CP.CR1 this is just partially fixed. Whereas in configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection the 'Tests Connection' button is available for Operator role now in Runtime > System Status > Subsystems > Datasources > (XA) DATA SOURCES the button is not available for Operator yet.
To clarify: That button should not be available under Configuration>Profile>... in domain mode. The underlying operation requires an active server to be chosen that uses the specific profile that contains the datasource. These requirements are only given under Runtime > Monitor > Datasources. The fix for this issue (BZ1243175) is only applicable to standalone mode. As a side effect it also removed the test-connection button (BZ1278401). I would suggest to proceed as follows: - Within the scope of standalone servers this issue (BZ1243175) doesn't cause regresssion and can be closed as verified. - The issue that describes it as regression (BZ1278401) can be closed as not a bug
'Tests Connection' button is not available for Operator in Runtime > System Status > Subsystems > Datasources > (XA) DATA SOURCES regardless if the mode is domain or standalone - this is wrong and the reason why currently this bugzilla is FailedQA. 'Tests Connection' button is not available for domain mode in Configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection regardless if RBAC is 'switched on' - might be ok, not yet decided if this is bug or bug fix, this decision should be made on BZ#1278401, but anyway this is NOT reason why this BZ#1243175 is FailedQA.
Based on above comments, I have created PR to fix the runtime DS view. Leaving the subsystem config view as it is. https://github.com/hal/core/pull/95
Verified for EAP 6.4.5.CP.CR1 that 'Tests Connection' button is available for STANDALONE mode in Configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection. For more details see 'Doc Text' of this bugzilla.
*** Bug 1278401 has been marked as a duplicate of this bug. ***
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.