Red Hat Bugzilla – Bug 588822
Request ability for a Read-only Role
Last modified: 2014-05-29 14:39:27 EDT
Description of problem:
Customer is requesting a Read-Only Role in JON, only monitoring allowed no operations or configuration allowed.
Another customer is requesting a Read-Only Mode for JON to do monitoring. Setting up User roles in JON will not work for them because it is an application team installing it and the system admin team has no way to prevent them from changing configuration or shutting down the jboss servers which they are responsible for.
The customer will only change configuration of JBoss but shutting down JBoss, applying changes and restarting.
"Setting up User roles in JON will not work for them because it is an
application team installing it and the system admin team has no way to prevent
them from changing configuration or shutting down the jboss servers which they
are responsible for."
Can you expand on what you mean here? JON users can be created that have read-only access to the systems being managed. I presume the "application team" in this context would not be using JON to do the installation/provisioning of instances.
Hello, I am the originator of this request. What are asking for is the ability to restrict the "Operations" tab. Currently, a user with Read-Only access for Inventory can still perform all the Operations such as Stop, Start, Restart, etc. Much like the JMX Console in JBOSS. We want to be able to provide access to the Inventory, but not allow Operations.
This appears to be a duplicate of Bug 535825
It's still not clear to me why the JON authorization system would not provide what you need. If the sysadmin team is concerned about the appdev team giving themselves too much access, then either have the sysadmin install and administer the JON environment and set up roles and users with limited access for the appdev team, or have the appdev team setup JON but then turn over the rhqadmin superuser account to the sysadmin team and let them change the rhqadmin password to something only they know.
Fyi, the docs on setting up JON authorization are here:
The JON authorization system does not solve the issue. The sysadmin group has exclusive use of the rhqadmin account. I cannot create a role or user that will limit the "Operations" tab, with the most restrictive settings in the GUI. I want the developers to see all the information in the Inventory section, all of the graphs, all of the performance data, ect.
In JBOSS JMX Console, it is the same way. You either have access to the JMX Console, and can stop, start, destroy, etc. web applications, or you can't. All or nothing. We limit access to the JMX Console with user name and password.
just seeing this bug for the first time. i might be misunderstanding the issue, but as long as you create a role without any permissions, add all the resources in your inventory to that role, users in that role should be able to see everything but do nothing.
however, if this is about implementing the JBAS/EAP management features in such a way that it takes action using a limited-security user on the remote OS, that is something we would need to enhance about the JBAS/EAP plugin.
Well, the initial request was simply for a "Read-Only" role. You are correct that a role can be created that contains no permissions but in that case, each resource that should be included in the "no permission" role would need to be added to the role. This could be done via a auto-calculating dynagroup but seems a bit hokey considering "Read Only" is a standard authorization concept. So this request is to expose such a permission for a role that does not require each resource to be added to the role but instead allows users to have such a role. For example, "monitor_user" would have the ability to log-in to JON via the UI and see all configuration, all metrics, all alerts, all groups, etc. but would not have the ability to change configuration, modify alerts, modify groups, invoke operations, etc.
Additionally, it appears that one particular case wanted finer grained control over what operations and for what resources an operation could be invoked but I do not think this was the intent of this BZ.
We have also seen a few instances where users of Embedded JOPR required the ability to restrict access to the admin-console of an EAP instance. These requests also followed the lines of the two distinct requests identified by this BZ. One request being that they needed "Read Only" access to the admin-console -- allow a user to see what is in inventory, what configuration is in use, what is available/unavailable, etc. The other request being finer-grained control over the inventoried resources such as a user that could invoke certain opertaions on the EAP instance or a datasource resource but not others. Again, the later being outside of the scope of the original intent of this BZ request.
ccrouch - can this be closed?
No RBAS change like this is planned. A role is fundamentally read/view only if it has no permissions assigned. But it is still required to associate the resource group containing the viewable resources.