Bug 773235 - Not possible to see children resources for a custom role
Not possible to see children resources for a custom role
Status: CLOSED DUPLICATE of bug 751091
Product: RHQ Project
Classification: Other
Component: Core UI (Show other bugs)
Unspecified Linux
high Severity high (vote)
: ---
: ---
Assigned To: RHQ Project Maintainer
Mike Foley
: Reopened
: 773237 (view as bug list)
Depends On:
Blocks: jon310-sprint11/rhq44-sprint11
  Show dependency treegraph
Reported: 2012-01-11 05:19 EST by vlad crc
Modified: 2012-01-27 14:51 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-01-27 14:51:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description vlad crc 2012-01-11 05:19:54 EST
Description of problem:
It is not possible to see the children of a resource if you are logged in with a user having a custom role, with resource permissions only.

Version-Release number of selected component:

How reproducible:

Steps to Reproduce:
1. login as "rhqadmin".
2. assume you have one platform imported, containing a JBoss 4.2.3 server and the RHQ agent.
3. create a group called "mygroup" containing this platform.
4. create a role named "operator".
5. give it no global permissions.
6. give it resource permissions:
    - all IMPLIED
    - inventory Read&Write
    - manage measurements Read&Write
    - manage alerts: Read&Write
    - control: Read&Write
    - manage events: Read&Write
7. create a new user "tom"
8. assign "tom" the "operator" role
9. assign "mygroup" to "operator" role
10. logout
11. login as "tom"
12. go to "Inventory / Platforms"
13. select the platform
14. in the resources tree on the left side, try to expand the JBoss resource or the RHQ-Agent resource.

Actual results:
Children are not displayed. On the top banner I get the error message "Failed to load children for node".
In "message center" the details are these:

java.lang.RuntimeException:[1326275804239] org.rhq.enterprise.server.authz.PermissionException:Subject [tom] requires InventoryManager permission for requested query criteria.

Expected results:
I should be able to normally browse the children of JBoss or RHQ-Agent.

In RHQ server log there is this exception:
2012-01-11 11:01:45,931 WARN  [gwt-log] Sending exception to client: [1326276105930]
org.rhq.enterprise.server.authz.PermissionException: Subject [tom] requires InventoryManager permission for requested query criteria.
        at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourcesByCriteria(ResourceManagerBean.java:2452)

Additional info:
If I go to "Inventory / All groups" and select "mygroup", then it's "Inventory" tab, in the list of members click on the JBoss then in the resources tree, I can see all the JBoss children normally.
Comment 1 vlad crc 2012-01-11 08:58:13 EST
I think the problem can be solved in either of these 2 places:

- org.rhq.enterprise.gui.coregui.client.inventory.resource.detail.ResourceTreeDatasource.java, line 148, should not be set to true.

- org.rhq.enterprise.server.resource.ResourceManagerBean.java, lines 2451-2454 should be commented.

Probably the second one is more appropriate.
Comment 2 Lukas Krejci 2012-01-27 05:08:21 EST
*** Bug 773237 has been marked as a duplicate of this bug. ***
Comment 3 Lukas Krejci 2012-01-27 08:45:05 EST
I tested this in 4.3.0-SNAPSHOT and it seems to be working as designed.

If you create a non-recursive group, the user has access only to the resources that are explictly members of that group. If, however, you mark the group as recursive, the user should have access to all the child resources of the group.

If the group is non-recursive, you shouldn't have seen its child resources in the nav tree. Conversely, if you defined your group as recursive, you should not see any authorization exceptions when navigating through the resource tree - in another words, the tree should only contain the resources the current user has at least read access to.

I was not able to trigger a situation where the authz would seem to be broken - the above examples behaved as they should.

I am therefore closing this bug. If you still think this is not behaving correctly or that I have misunderstood or forgot about something, please re-open it or create a new more specific bug.

I did discover one glitch while testing this though - if the group "recursiveness" is updated, it's assignment to different roles is lost. I consider that unrelated to this bug though, so I created a new BZ for that - bug 785160
Comment 4 Costel C 2012-01-27 11:09:45 EST

I am also able to reproduce this bug on RHQ 4.2.0.
The resource group I tested is recursive.

There are many ways the see the JBossAS resource in the tree:

1. Inventory -> Platforms, select the platform then expand the resource tree until the JBossAS resource.  This is the case when the bug appears.

2. Inventory -> Servers, select the JBossAS resource. In this case it's ok, JBossAS resource children are visible.  

3. Inventory -> All groups, select the group "mygroup". This is also ok.

I am pretty sure that there is a problem in the indicated code: findResourcesByCriteria() method checks if the user has the "Manage Inventory" global permission, which it's not necessary in this case.

Comment 5 Lukas Krejci 2012-01-27 14:51:44 EST
Ok, thanks for the pointers and futher information.

In fact, Vlad already pointed to the part of code that was responsible for this behavior. It was the ResourceTreeDatasource and this issue was already fixed for JBoss ON 3.0.0, which means that it is going to be available in the upcoming RHQ 4.3.0. See bug 751091 for details.

*** This bug has been marked as a duplicate of bug 751091 ***

Note You need to log in before you can comment on or make changes to this bug.