Bug 724480 - (BRMS-425) Users with analyst permissions cannot open assets
Users with analyst permissions cannot open assets
Status: VERIFIED
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: 3rd Party (Show other bugs)
5.1.0 GA,BRMS 5.2.0-Dev1
Unspecified Unspecified
medium Severity medium
: ---
: BRMS 5.2.0.GA
Assigned To: Mark Proctor
Jiri Locker
http://jira.jboss.org/jira/browse/BRM...
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-02 14:37 EDT by Jiri Locker
Modified: 2014-10-26 21:14 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have package wide access via SuggestionCompletionEngine explicitly, ensuring they can open the assets.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AnalystTrouble.png (110.56 KB, image/png)
2010-11-02 14:40 EDT, Jiri Locker
no flags Details
UserPermissions.png (96.33 KB, image/png)
2010-11-08 12:36 EST, Jiri Locker
no flags Details
jmx-console-users.properties (160 bytes, application/octet-stream)
2010-11-08 12:36 EST, Jiri Locker
no flags Details
jmx-console-roles.properties (101 bytes, application/octet-stream)
2010-11-08 12:36 EST, Jiri Locker
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker BRMS-425 Critical Closed Users with analyst permissions cannot open assets 2014-06-15 21:34:31 EDT

  None (edit)
Description Jiri Locker 2010-11-02 14:37:15 EDT
Affects Testing: Regression
securitylevel_name: Public
Comment 1 Jiri Locker 2010-11-02 14:40:16 EDT
Attachment: Added: AnalystTrouble.png
Comment 2 Jiri Locker 2010-11-02 14:45:16 EDT
The error messeges are:

Unable to validate package configuration (eg, DSLs, models) for [somePackage]. Suggestion completions may not operate correctly for graphical editors for this package.
Unable to get content assistance for this rule.

and this gets dumped into server.log:

2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.drools.ide.common.client.modeldriven.SuggestionCompletionEngine org.drools.guvnor.client.rpc.RepositoryService.loadSuggestionCompletionEngine(java.lang.String) throws com.google.gwt.user.client.rpc.SerializationException' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[Package name: somePackage,package.readonly]
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.web.ContextFilter$1.process(ContextFilter.java:42)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:53)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.web.ContextFilter.doFilter(ContextFilter.java:37)
2010-11-02 19:42:31,597 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at java.lang.Thread.run(Thread.java:619)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[Package name: somePackage,package.readonly]
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.security.Identity.checkPermission(Identity.java:581)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.drools.guvnor.server.ServiceImplementation.loadSuggestionCompletionEngine(ServiceImplementation.java:1563)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at sun.reflect.GeneratedMethodAccessor379.invoke(Unknown Source)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at java.lang.reflect.Method.invoke(Method.java:597)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:157)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:166)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:102)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.drools.guvnor.server.ServiceImplementation_$$_javassist_6.loadSuggestionCompletionEngine(ServiceImplementation_$$_javassist_6.java)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at org.drools.guvnor.server.RepositoryServiceServlet.loadSuggestionCompletionEngine(RepositoryServiceServlet.java:236)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at java.lang.reflect.Method.invoke(Method.java:597)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
2010-11-02 19:42:31,598 ERROR [STDERR] (http-127.0.0.1-8080-13) 	... 30 more
Comment 3 Tihomir Surdilovic 2010-11-08 09:27:22 EST
can you please describe (or show screenshot) of the permissions of your "ba" user? Also the soa-users/roles.properties would be nice to have.

thanks.
Comment 4 Jiri Locker 2010-11-08 12:36:28 EST
See UserPermissions.png, there are two business analyst users:
ba is [analyst] for: category=myNewCategory
baro is [analyst.readonly] for: category=myNewCategory
both are affected by the issue.

I find it suspicious that the permission type reported by the exception message "Authorization check failed for permission[Package name: somePackage,package.readonly]" doesn't match the user's permission type.

The only explanation I can think of is that having access to artifacts in myNewCategory is not enough if the user doesn't have at least [package.readonly] permission for the package that the artifact belongs to. But notice that this is not how it used to work in 5.0.x.
Comment 5 Jiri Locker 2010-11-08 12:36:28 EST
Attachment: Added: UserPermissions.png
Attachment: Added: jmx-console-users.properties
Attachment: Added: jmx-console-roles.properties
Comment 6 Anne-Louise Tangring 2010-11-09 11:13:42 EST
This is not a blocker for BRMS 5.1.0.
Comment 7 Jiri Locker 2010-11-29 14:23:03 EST
Affects Testing: Added: [Regression]
Comment 8 Anne-Louise Tangring 2011-05-31 14:57:11 EDT
Triaged by BRMS PM team for 5.2.
Comment 9 Jiri Locker 2011-06-27 06:42:21 EDT
Link: Added: This issue depends GUVNOR-1499
Comment 10 lcarlon 2011-08-14 23:53:08 EDT
Changed release note field to - release note not required as per https://issues.jboss.org/browse/BRMS-425
Comment 11 lcarlon 2011-08-22 00:26:31 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
pending completion of this bug, will doc in release notes as known issue, or resolved.
Comment 12 Jervis Liu 2011-08-24 00:07:19 EDT
https://issues.jboss.org/browse/GUVNOR-1499
Comment 13 Jiri Locker 2011-08-30 08:35:07 EDT
Fix verified in ER3.
Comment 14 lcarlon 2011-08-30 23:31:20 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,3 @@
-pending completion of this bug, will doc in release notes as known issue, or resolved.+https://bugzilla.redhat.com/show_bug.cgi?id=724480
+
+When users with analyst permissions tried to load package information with category permissions, but the user had not been granted permissions for every category in the package, the assets would not open. This was resolved by allowing analysts package wide access when authoring rules.
Comment 15 lcarlon 2011-08-30 23:35:01 EDT
Hi Jervis,

I've added a release note for this bug (see technical note field above) could you please provide a tech review to confirm the information given is correct.

Thanks
Lee
Comment 16 Jervis Liu 2011-08-31 04:12:47 EDT
Hi, I revised the release note as below:

A user with analyst permissions can not open an asset even when the user has been assigned category permissions that have access to the category that the asset belongs to. 

This was fixed by allowing analyst to have access to package wide SuggestionCompletionEngine explicitly.
Comment 17 lcarlon 2011-08-31 19:07:57 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1,3 @@
 https://bugzilla.redhat.com/show_bug.cgi?id=724480
 
-When users with analyst permissions tried to load package information with category permissions, but the user had not been granted permissions for every category in the package, the assets would not open. This was resolved by allowing analysts package wide access when authoring rules.+Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets.
Comment 18 lcarlon 2011-08-31 19:08:24 EDT
Thanks for the clarification, Jervis.

Lee
Comment 19 lcarlon 2011-09-14 00:28:54 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1 @@
-https://bugzilla.redhat.com/show_bug.cgi?id=724480
-
 Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets.
Comment 20 lcarlon 2011-10-05 01:18:42 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have access to package wide SuggestionCompletionEngine explicitly, ensuring they can open the assets.+Users with analyst permissions could not open assets even when they had been assigned category permission that granted access to the category the asset belonged to. This was fixed by allowing analysts to have package wide access via SuggestionCompletionEngine explicitly, ensuring they can open the assets.

Note You need to log in before you can comment on or make changes to this bug.