Bug 1379978 - [GSS](6.4.z) EAP RBAC domain mode, "Deployer" role and constraints
Summary: [GSS](6.4.z) EAP RBAC domain mode, "Deployer" role and constraints
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security, CLI
Version: 6.4.0
Hardware: All
OS: Linux
high
high
Target Milestone: CR1
: EAP 6.4.13
Assignee: Radovan STANCEL
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On: 1381325
Blocks: 1395353 eap6413-payload
TreeView+ depends on / blocked
 
Reported: 2016-09-28 10:01 UTC by Lei Yu
Modified: 2020-03-11 15:16 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-03 16:41:49 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-6235 0 Critical Verified [GSS](7.1.0) EAP RBAC domain mode, "Deployer" role and constraints 2018-09-17 20:57:19 UTC
Red Hat Issue Tracker JBEAP-6766 0 Critical Verified [GSS](7.0.z) EAP RBAC domain mode, "Deployer" role and constraints 2018-09-17 20:57:19 UTC

Description Lei Yu 2016-09-28 10:01:13 UTC
Description of problem:

https://access.redhat.com/support/cases/01699736
https://access.redhat.com/solutions/1189913

We have a cu who wants the "Deployer" role in RBAC to be able to create 
datasources and set the username/password. (not read, only write)

In standalone mode this is no problem.
- set the management interface to use LDAP, authentication + authorization
- enable RBAC, add "Deployer" with some user in it.
- grant the needed constraints as summarized in the above "solutions" 
article.
=> works as expected, the Deployer user can add the ds including the u/p.


However, we then move to domain mode:

- 2x EAP 6.4.10 installation, setup as master-slave
- on each controller, added one instance using a server-group set to 
"full-ha" profile
- RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
- applied the constraints
- added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
- restarted the whole setup

trying to add a datasource into the (active) "full-ha" fails with:

[domain@orac.usersys.redhat.com:9999 /] 
/profile=full-ha/subsystem=datasources/data-source=oracle12DS:add(jndi-name="java:jboss/datasources/oracle12DS",use-ccm=true,connection-url="jdbc:oracle:thin:@zen.usersys.redhat.com:1521/ora12",driver-name=oracle,user-name=tom,password=tom,pool-prefill=true,min-pool-size=2,max-pool-size=10,pool-use-strict-min=true,valid-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker",stale-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker",exception-sorter-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter",validate-on-match=true)
{
     "outcome" => "failed",
     "result" => undefined,
     "failure-description" => "JBAS010839: Operation failed or was 
rolled back on all servers.",
     "rolled-back" => true,
     "server-groups" => {"slaves" => {"host" => {
         "master" => {"i1" => {"response" => {
             "outcome" => "failed",
             "failure-description" => "JBAS013456: Unauthorized to 
execute operation 'add' for resource '[
     (\"subsystem\" => \"datasources\"),
     (\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
             "rolled-back" => true
         }}},
         "slave1" => {"i2" => {"response" => {
             "outcome" => "failed",
             "result" => undefined,
             "failure-description" => "JBAS013456: Unauthorized to 
execute operation 'add' for resource '[
     (\"subsystem\" => \"datasources\"),
     (\"data-source\" => \"oracle12DS\")
]' -- \"JBAS013475: Permission denied\"",
             "rolled-back" => true
         }}}
     }}}
}

Repeating without username/password also gives the same error. So it 
would seem that it's not even the sensitivity constraints but something 
before.

Repeat the same on a non-active "full" profile -> the datasource 
(including u/p) is created as requested.




Steps to Reproduce:

1) 2x EAP 6.4.10 installation, setup as master-slave
on each controller, added one instance using a server-group set to
"full-ha" profile
2) RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
applied the constraints
3) added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
restarted the whole setup
4) log in as a deployer user using CLI, try to add jdbc driver to full profile, failed with "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "

Actual results:

Exception: "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "

Expected results:

jdbc driver/datasource added successfully

Additional info:

This works fine in standalone mode

Comment 3 Ivo Hradek 2017-01-04 11:05:03 UTC
Verified with EAP 6.4.13.CP.CR1;

Comment 5 Petr Penicka 2017-02-03 16:41:49 UTC
Released with EAP 6.4.13 on Feb 02 2017.


Note You need to log in before you can comment on or make changes to this bug.