Bug 1243175 - [GSS](6.4.z) datasource test-connection from cli is always enabled with user who has even Operator role.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR2
Target Release: EAP 6.4.5
Assignee: Dominik Pospisil
QA Contact: Pavel Jelinek
URL:
Whiteboard:
Depends On:
Blocks: 1235745 1259955
Reported: 2015-07-14 23:58 UTC by jooho lee
Modified: 2019-09-12 08:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The datasource "Test Connection" web console button did not use the correct operation when reading the logged-in user's privileges to determine whether the button should be visible. The button was hidden for the Operator role even though the role is allowed to perform the test connection operation. Also, in domain mode the "Test Connection" button has been removed from the subsystem configuration page, as performing the test operation requires choosing a running server with the given profile, which is not clear to the user. The fix is applicable only to the subsystem configuration page. The runtime view still remains unfixed and is a known bug.
Clone Of:
Environment:
Last Closed: 2017-01-17 11:36:41 UTC
Type: Bug
Embargoed:



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1278401 | 0 | unspecified | CLOSED | Test Connection button should be available for Operator in Runtime view | 2021-02-22 00:41:40 UTC |
| Red Hat Bugzilla | 1290282 | 0 | unspecified | CLOSED | [GSS] (6.4.z) Can't see Test Connection button in JBoss Management Console in Domain Mode after applying patch 6.4.5 | 2021-02-22 00:41:40 UTC |
| Red Hat Issue Tracker | HAL-856 | 0 | Minor | Open | DataSources - use test-connection-in-pool op for determining verify button privilegues | 2017-10-18 04:02:01 UTC |
| Red Hat Issue Tracker | PRODMGT-1333 | 0 | Minor | Resolved | datasource test-connection from cli is always enabled with user who has even Operator role | 2017-10-18 04:02:01 UTC |

Internal Links: 1278401 1290282

Description jooho lee 2015-07-14 23:58:32 UTC
Description of problem:

In an RBAC-enabled EAP environment, the EAP Admin console makes the "test-connection" button on the Datasource menu appear or disappear depending on the role of the user. For example, if the role of the user is Operator, the button does not appear, but for Maintainer it does.
However, on the CLI, the operation "test-connection-in-pool" is always executable.
I am not sure which is working properly, but it should give the same result ("do or not") on the admin console and the CLI for the same role.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:

1. Set up RBAC in domain.xml like following:
~~~
<management>
    <access-control provider="rbac" permission-combination-policy="permissive">
        <role-mapping>
            <role name="Administrator">
                <include>
                    <group realm="ManagementRealm" name="Administrator"/>
                </include>
            </role>
            <role name="Auditor">
                <include>
                    <group realm="ManagementRealm" name="Auditor"/>
                </include>
            </role>
            <role name="Deployer">
                <include>
                    <group realm="ManagementRealm" name="Deployer"/>
                </include>
            </role>
            <role name="Maintainer">
                <include>
                    <group realm="ManagementRealm" name="Maintainer"/>
                </include>
            </role>
            <role name="Monitor">
                <include>
                    <group realm="ManagementRealm" name="Monitor"/>
                </include>
            </role>
            <role name="Operator">
                <include>
                    <group realm="ManagementRealm" name="Operator"/>
                </include>
            </role>
            <role name="SuperUser">
                <include>
                    <user name="$local"/>
                    <group realm="ManagementRealm" name="SuperUser"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
~~~


2. host.xml
~~~
<security-realm name="ManagementRealm">
    <authentication>
        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="true">
        <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
    </authorization>
</security-realm>
...
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket interface="management-native" port="9999"/>
    </native-interface>
    <http-interface security-realm="ManagementRealm">
        <socket interface="management-web" port="9990"/>
    </http-interface>
</management-interfaces>
..
~~~


3. Add user & group
domain/configuration/mgmt-users.properties
~~~
jboss=1ab58a9a2eba20747214dec27389a263
~~~
domain/configuration/mgmt-groups.properties
~~~
#jboss= Maintainer, Monitor, Deployer, Operator
jboss= Operator
~~~

4. Log in to the admin console with jboss/!qaz2wsx & go to datasource menu -> connection (sub menu) --> There is no test-connection button.

5. Log in to the CLI with jboss/!qaz2wsx & try the following command:
~~~
/host=HOST_CONTROLLER_NAME/server=SERVER_NAME/subsystem=datasources/data-source=ExampleDS:test-connection-in-pool
~~~

Example:
~~~
/host=jhouse-mac-book.local/server=server0/subsystem=datasources/data-source=ExampleDS:test-connection-in-pool
~~~

Note: The EAP server has to be started to execute the above command.
If you change the role to Maintainer (step 3), you also see the test-connection button on the admin console.

Actual results:
test-connection operation is executed. 

Expected results:
test-connection operation is not available.

Additional info:

Comment 1 Brian Stansberry 2015-07-15 00:57:44 UTC
I'm changing the component on this, as Operator should be able to execute this operation and can do so in the CLI.

Comment 2 Brian Stansberry 2015-07-15 01:06:00 UTC
Note that I believe the web console has behavior such that it enables a datasource if it isn't enabled in order to test the connection. In other words, the button in the console may represent a more complex action than the :test-connection-in-pool operation does in the CLI.

An Operator is not able to enable a datasource, as that involves a persistent configuration change, and thus may be prevented from performing the more complex web console action.
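
Added example (not part of the bug report and not WildFly or HAL code): a small Python model of the mismatch described in Comment 2, assuming the console button runs "enable if needed, then test-connection-in-pool" and reducing each role to whether it may change runtime state or persistent configuration. The names `audit`, `console_steps`, `first_denied`, `cli_allows` and the effect labels are hypothetical.

```python
# Added example: a simplified model, not WildFly or HAL code.
RUNTIME = "runtime"        # changes runtime state only, nothing persisted
PERSISTENT = "persistent"  # writes the persistent configuration

# Effect of each management operation (assumption for this sketch).
OP_EFFECT = {"test-connection-in-pool": RUNTIME, "enable": PERSISTENT}

# Standard roles reduced to the effects they may cause.
ROLE_EFFECTS = {
    "Monitor": set(),
    "Operator": {RUNTIME},
    "Maintainer": {RUNTIME, PERSISTENT},
}


def cli_allows(role, op):
    """Server-side decision for one operation, as the CLI would see it."""
    return OP_EFFECT[op] in ROLE_EFFECTS[role]


def console_steps(ds_enabled):
    """Operations behind the console button: enable first if needed, then test."""
    return ([] if ds_enabled else ["enable"]) + ["test-connection-in-pool"]


def first_denied(role, steps):
    """Return the first step the role may not run, or None if all are allowed."""
    return next((op for op in steps if not cli_allows(role, op)), None)


def audit(gate_ops):
    """List (role, ds_enabled, verdict) where button visibility and outcome differ.

    gate_ops: operations whose permission the console reads to show the button.
    """
    findings = []
    for role in ROLE_EFFECTS:
        visible = first_denied(role, gate_ops) is None
        for ds_enabled in (True, False):
            works = first_denied(role, console_steps(ds_enabled)) is None
            if visible != works:
                verdict = "hidden-but-allowed" if works else "shown-but-denied"
                findings.append((role, ds_enabled, verdict))
    return findings


if __name__ == "__main__":
    for gate in (["enable"], ["test-connection-in-pool"]):
        print(gate, audit(gate))
```

Gating on `enable` hides the button from an Operator who could run the test on an already enabled datasource; gating on `test-connection-in-pool` shows it, and the server still refuses the `enable` step when the datasource is disabled.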

Comment 4 JBoss JIRA Server 2015-09-09 18:36:12 UTC
John Doyle <jdoyle> updated the status of jira PRODMGT-1333 to Resolved

Comment 8 Pavel Jelinek 2015-11-04 11:42:13 UTC
For EAP 6.4.5.CP.CR1 this is just partially fixed.
Whereas in configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection the 'Tests Connection' button is available for Operator role now, in Runtime > System Status > Subsystems > Datasources > (XA) DATA SOURCES the button is not available for Operator yet.

Comment 9 Heiko Braun 2015-11-05 14:18:48 UTC
To clarify: 

That button should not be available under Configuration>Profile>... in domain mode. The underlying operation requires an active server to be chosen that uses the specific profile that contains the datasource. These requirements are only given under Runtime > Monitor > Datasources.

The fix for this issue (BZ1243175) is only applicable to standalone mode. As a side effect it also removed the test-connection button (BZ1278401).

I would suggest to proceed as follows:

- Within the scope of standalone servers this issue (BZ1243175) doesn't cause regression and can be closed as verified.
- The issue that describes it as regression (BZ1278401) can be closed as not a bug.

Comment 10 Pavel Jelinek 2015-11-06 09:24:26 UTC
'Tests Connection' button is not available for Operator in Runtime > System Status > Subsystems > Datasources > (XA) DATA SOURCES regardless if the mode is domain or standalone - this is wrong and the reason why currently this bugzilla is FailedQA.

'Tests Connection' button is not available for domain mode in Configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection regardless if RBAC is 'switched on' - might be ok, not yet decided if this is bug or bug fix, this decision should be made on BZ#1278401, but anyway this is NOT reason why this BZ#1243175 is FailedQA.

Comment 11 Dominik Pospisil 2015-11-06 11:16:41 UTC
Based on the above comments, I have created a PR to fix the runtime DS view. Leaving the subsystem config view as it is.

https://github.com/hal/core/pull/95

Comment 17 Pavel Jelinek 2015-11-12 14:15:25 UTC
Verified for EAP 6.4.5.CP.CR1 that 'Tests Connection' button is available for STANDALONE mode in Configuration > Subsystems > Connector > Datasources > (XA) DATASOURCES > Connection.
For more details see 'Doc Text' of this bugzilla.

Comment 21 Dominik Pospisil 2016-01-04 10:46:17 UTC
*** Bug 1278401 has been marked as a duplicate of this bug. ***

Comment 22 Petr Penicka 2017-01-17 11:36:41 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

