Description of problem:
It is not possible to see the children of a resource if you are logged in with a user having a custom role, with resource permissions only.

Version-Release number of selected component: 4.2

How reproducible: Always

Steps to Reproduce:
1. login as "rhqadmin".
2. assume you have one platform imported, containing a JBoss 4.2.3 server and the RHQ agent.
3. create a group called "mygroup" containing this platform.
4. create a role named "operator".
5. give it no global permissions.
6. give it resource permissions:
   - all IMPLIED
   - inventory Read&Write
   - manage measurements Read&Write
   - manage alerts: Read&Write
   - control: Read&Write
   - manage events: Read&Write
7. create a new user "tom"
8. assign "tom" the "operator" role
9. assign "mygroup" to "operator" role
10. logout
11. login as "tom"
12. go to "Inventory / Platforms"
13. select the platform
14. in the resources tree on the left side, try to expand the JBoss resource or the RHQ-Agent resource.

Actual results:
Children are not displayed. On the top banner I get the error message "Failed to load children for node". In "message center" the details are these:
---------------------------------------------------------------------
java.lang.RuntimeException:[1326275804239] org.rhq.enterprise.server.authz.PermissionException:Subject [tom] requires InventoryManager permission for requested query criteria.
---------------------------------------------------------------------

Expected results:
I should be able to normally browse the children of JBoss or RHQ-Agent.

In RHQ server log there is this exception:
---------------------------------------------------------------------
2012-01-11 11:01:45,931 WARN [gwt-log] Sending exception to client: [1326276105930] org.rhq.enterprise.server.authz.PermissionException: Subject [tom] requires InventoryManager permission for requested query criteria.
at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourcesByCriteria(ResourceManagerBean.java:2452)
---------------------------------------------------------------------

Additional info:
If I go to "Inventory / All groups" and select "mygroup", then its "Inventory" tab, in the list of members click on the JBoss then in the resources tree, I can see all the JBoss children normally.
I think the problem can be solved in either of these 2 places:
- org.rhq.enterprise.gui.coregui.client.inventory.resource.detail.ResourceTreeDatasource.java, line 148, should not be set to true.
- org.rhq.enterprise.server.resource.ResourceManagerBean.java, lines 2451-2454 should be commented.
Probably the second one is more appropriate.
*** Bug 773237 has been marked as a duplicate of this bug. ***
I tested this in 4.3.0-SNAPSHOT and it seems to be working as designed.

If you create a non-recursive group, the user has access only to the resources that are explicitly members of that group. If, however, you mark the group as recursive, the user should have access to all the child resources of the group.

If the group is non-recursive, you shouldn't have seen its child resources in the nav tree. Conversely, if you defined your group as recursive, you should not see any authorization exceptions when navigating through the resource tree - in other words, the tree should only contain the resources the current user has at least read access to.

I was not able to trigger a situation where the authz would seem to be broken - the above examples behaved as they should. I am therefore closing this bug. If you still think this is not behaving correctly or that I have misunderstood or forgotten about something, please re-open it or create a new more specific bug.

I did discover one glitch while testing this though - if the group "recursiveness" is updated, its assignment to different roles is lost. I consider that unrelated to this bug though, so I created a new BZ for that - bug 785160
Hi,

I am also able to reproduce this bug on RHQ 4.2.0. The resource group I tested is recursive. There are many ways to see the JBossAS resource in the tree:
1. Inventory -> Platforms, select the platform then expand the resource tree until the JBossAS resource. This is the case when the bug appears.
2. Inventory -> Servers, select the JBossAS resource. In this case it's ok, JBossAS resource children are visible.
3. Inventory -> All groups, select the group "mygroup". This is also ok.

I am pretty sure that there is a problem in the indicated code: findResourcesByCriteria() method checks if the user has the "Manage Inventory" global permission, which is not necessary in this case.

Regards,
Costel
Ok, thanks for the pointers and further information. In fact, Vlad already pointed to the part of code that was responsible for this behavior. It was the ResourceTreeDatasource and this issue was already fixed for JBoss ON 3.0.0, which means that it is going to be available in the upcoming RHQ 4.3.0. See bug 751091 for details.

*** This bug has been marked as a duplicate of bug 751091 ***
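
The two behaviours discussed in this thread, as an added Python example that is not RHQ code and not from any commenter: a tree query that filters children by what the user's groups make readable (explicit members only, or descendants too when the group is recursive), next to a query option that demands a global permission and fails for a resource-permissions-only user. All class, method and flag names are hypothetical, and the inventory is a constructed sample.

```python
# Added illustration: a toy authorization model, not RHQ's implementation.
from dataclasses import dataclass, field

@dataclass
class Inventory:
    parent: dict        # resource id -> parent id (None for a platform)
    groups: dict        # group name -> (explicit member ids, recursive flag)
    role_groups: dict   # user -> group names reachable through the user's roles
    global_perms: dict = field(default_factory=dict)  # user -> global permissions

    def children(self, rid):
        return sorted(r for r, p in self.parent.items() if p == rid)

    def descendants(self, rid):
        out = set()
        for c in self.children(rid):
            out |= {c} | self.descendants(c)
        return out

    def viewable(self, user):
        """Readable resources: explicit members, plus descendants if the group is recursive."""
        seen = set()
        for g in self.role_groups.get(user, ()):
            members, recursive = self.groups[g]
            for m in members:
                seen.add(m)
                if recursive:
                    seen |= self.descendants(m)
        return seen

    def find_children(self, user, rid, require_inventory_manager=False):
        """Children of rid for the tree view. The flag models a query option that
        demands a global permission (an assumption about the reported check)."""
        if require_inventory_manager:
            if "MANAGE_INVENTORY" not in self.global_perms.get(user, set()):
                raise PermissionError(f"Subject [{user}] requires InventoryManager permission")
            return self.children(rid)
        allowed = self.viewable(user)
        return [c for c in self.children(rid) if c in allowed]

def build_sample(recursive):
    # Constructed sample: one platform holding a JBoss server and an agent, one child each.
    parent = {"platform": None, "jboss": "platform", "agent": "platform",
              "datasource": "jboss", "agent-jvm": "agent"}
    return Inventory(parent, {"mygroup": ({"platform"}, recursive)},
                     {"tom": ["mygroup"]}, {"rhqadmin": {"MANAGE_INVENTORY"}})
```
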