Bug 1379978 - [GSS](6.4.z) EAP RBAC domain mode, "Deployer" role and constraints
Summary: [GSS](6.4.z) EAP RBAC domain mode, "Deployer" role and constraints
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security, CLI
Version: 6.4.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: CR1
Target Release: EAP 6.4.13
Assignee: Radovan STANCEL
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On: 1381325
Blocks: eap6413-payload 1395353
Reported: 2016-09-28 10:01 UTC by Lei Yu
Modified: 2020-03-11 15:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-02-03 16:41:49 UTC
Type: Bug
Embargoed:
Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker JBEAP-6235 | 0 | Critical | Verified | [GSS](7.1.0) EAP RBAC domain mode, "Deployer" role and constraints | 2018-09-17 20:57:19 UTC
Red Hat Issue Tracker JBEAP-6766 | 0 | Critical | Verified | [GSS](7.0.z) EAP RBAC domain mode, "Deployer" role and constraints | 2018-09-17 20:57:19 UTC

Description Lei Yu 2016-09-28 10:01:13 UTC
Description of problem:

https://access.redhat.com/support/cases/01699736
https://access.redhat.com/solutions/1189913

We have a customer who wants the "Deployer" role in RBAC to be able to create datasources and set the username/password (not read, only write).

In standalone mode this is no problem:
- set the management interface to use LDAP, authentication + authorization
- enable RBAC, add "Deployer" with some user in it.
- grant the needed constraints as summarized in the above "solutions" article.
=> works as expected, the Deployer user can add the datasource including the username/password.


However, we then move to domain mode:

- 2x EAP 6.4.10 installation, setup as master-slave
- on each controller, added one instance using a server-group set to 
"full-ha" profile
- RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
- applied the constraints
- added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
- restarted the whole setup

Trying to add a datasource into the (active) "full-ha" profile fails with:

[domain.redhat.com:9999 /] /profile=full-ha/subsystem=datasources/data-source=oracle12DS:add(jndi-name="java:jboss/datasources/oracle12DS",use-ccm=true,connection-url="jdbc:oracle:thin:@zen.usersys.redhat.com:1521/ora12",driver-name=oracle,user-name=tom,password=tom,pool-prefill=true,min-pool-size=2,max-pool-size=10,pool-use-strict-min=true,valid-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker",stale-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker",exception-sorter-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter",validate-on-match=true)
{
     "outcome" => "failed",
     "result" => undefined,
     "failure-description" => "JBAS010839: Operation failed or was rolled back on all servers.",
     "rolled-back" => true,
     "server-groups" => {"slaves" => {"host" => {
         "master" => {"i1" => {"response" => {
             "outcome" => "failed",
             "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
     (\"subsystem\" => \"datasources\"),
     (\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
             "rolled-back" => true
         }}},
         "slave1" => {"i2" => {"response" => {
             "outcome" => "failed",
             "result" => undefined,
             "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
     (\"subsystem\" => \"datasources\"),
     (\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
             "rolled-back" => true
         }}}
     }}}
}

Repeating without username/password also gives the same error. So it would seem that it's not even the sensitivity constraints but something before.

Repeating the same on a non-active "full" profile -> the datasource (including username/password) is created as requested.

Steps to Reproduce:

1) 2x EAP 6.4.10 installation, setup as master-slave
on each controller, added one instance using a server-group set to
"full-ha" profile
2) RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
applied the constraints
3) added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
restarted the whole setup
4) log in as a deployer user using CLI, try to add jdbc driver to full profile, failed with "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "

Actual results:

Exception: "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "

Expected results:

jdbc driver/datasource added successfully

Additional info:

This works fine in standalone mode.
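The per-server response above is what an operator has to read through in domain mode: the domain controller wraps each server's outcome under server-groups -> host -> server -> response, so a single "rolled back on all servers" line hides which servers refused the operation and why. The following Python script is an added example (not code from this bug, from the reporter, or from EAP itself): it parses the CLI's DMR text output and lists, per server, whether the failure was an RBAC denial (the JBAS013456 / JBAS013475 / WFLYCTL0313 message IDs quoted on this page) or some other error. The parser, the classification function and the sample response are my own construction; the sample reuses the denial text quoted above for host "master" and a made-up non-RBAC failure for host "slave1" to show the two categories side by side.

```python
# Added example (not EAP code): parse a DMR-formatted domain response and report
# which host/server denied the operation on RBAC grounds vs. failed otherwise.
import re

# Message IDs quoted in this bug: EAP 6 ("JBAS...") and EAP 7 ("WFLYCTL...").
RBAC_DENIAL_IDS = ("JBAS013456", "JBAS013475", "WFLYCTL0313")
_BARE = re.compile(r"-?\d+|[A-Za-z_][A-Za-z0-9_.-]*")  # undefined/true/false/ints


def parse_dmr(text):
    # Recursive-descent parser: {"k" => v, ...}, [v, ...], "strings" (with \"
    # escapes and embedded newlines), and bare tokens undefined/true/false/ints.
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_string():
        nonlocal pos
        pos += 1  # opening quote
        out = []
        while text[pos] != '"':
            ch = text[pos]
            if ch == "\\":  # backslash escape: \" \\ \n \t
                pos += 1
                ch = {"n": "\n", "t": "\t"}.get(text[pos], text[pos])
            out.append(ch)
            pos += 1
        pos += 1  # closing quote
        return "".join(out)

    def parse_container(open_tok):
        nonlocal pos
        is_object = open_tok == "{"
        result = {} if is_object else []
        pos += 1
        while True:
            skip_ws()
            if text[pos] == ("}" if is_object else "]"):
                pos += 1
                return result
            if is_object:
                key = parse_string()
                pos = text.index("=>", pos) + 2  # key/value separator
                result[key] = parse_value()
            else:
                result.append(parse_value())
            skip_ws()
            if text[pos] == ",":
                pos += 1

    def parse_value():
        nonlocal pos
        skip_ws()
        ch = text[pos]
        if ch in "{[":
            return parse_container(ch)
        if ch == '"':
            return parse_string()
        m = _BARE.match(text, pos)  # AttributeError below on malformed input
        pos, tok = m.end(), m.group(0)
        if tok.lstrip("-").isdigit():
            return int(tok)
        return {"undefined": None, "true": True, "false": False}.get(tok, tok)

    value = parse_value()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return value


def classify_failures(response):
    # [(server-group, host, server, category)] for every server whose outcome is
    # 'failed'; category is 'rbac-denied' when an RBAC message ID is present.
    found = []
    for group, gdata in response.get("server-groups", {}).items():
        for host, hdata in gdata.get("host", {}).items():
            for server, sdata in hdata.items():
                resp = sdata.get("response", {})
                if resp.get("outcome") != "failed":
                    continue
                desc = resp.get("failure-description") or ""
                rbac = any(i in desc for i in RBAC_DENIAL_IDS)
                found.append((group, host, server, "rbac-denied" if rbac else "other"))
    return found


# Constructed sample: host "master" returns the RBAC denial quoted in this bug
# (multi-line, as the CLI prints it); host "slave1" gets a made-up non-RBAC error.
SAMPLE = r'''{
    "outcome" => "failed",
    "server-groups" => {"slaves" => {"host" => {
        "master" => {"i1" => {"response" => {"outcome" => "failed",
            "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\""
        }}},
        "slave1" => {"i2" => {"response" => {"outcome" => "failed",
            "failure-description" => "constructed: driver 'oracle' is not installed on this server"}}}
    }}}
}'''
```

Running `classify_failures(parse_dmr(SAMPLE))` yields one tuple per failed server, `("slaves", "master", "i1", "rbac-denied")` and `("slaves", "slave1", "i2", "other")`; servers whose outcome is not "failed" are skipped. In the bug above every server returns the same RBAC denial, with or without credentials in the request, which is the signal the reporter used to conclude that the problem sits before the sensitivity constraints are evaluated.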

Comment 3 Ivo Hradek 2017-01-04 11:05:03 UTC
Verified with EAP 6.4.13.CP.CR1;

Comment 5 Petr Penicka 2017-02-03 16:41:49 UTC
Released with EAP 6.4.13 on Feb 02 2017.

