Description of problem: CLI permissions with users other than rhqadmin Version-Release number of selected component (if applicable): JON 3.0.1 RC#1 How reproducible: 100% Steps to Reproduce: 1. create a new role. accept the defaults. expressly note that the new role has implied read permission on the inventory. 2. create a new user. assign the role created in step #1. 3. using the CLI ... login using the new user, eg. Actual results: New user (with implied read permission on inventory) cannot read inventory mfoley@localhost:7080$ [mfoley@foleymonsterbox1 bin]$ ./rhq-cli.sh -u mfoley -p password RHQ - RHQ Enterprise Remote CLI 4.2.0.JON.3.0.1.GA Remote server version is: 3.0.1.GA (784c8ce:5cde182) Login successful mfoley@localhost:7080$ var myresource = ProxyFactory.getResource(10034) Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=mfoley]] does not have permission to view resource [10034] (<Unknown source>#1) var myresource = ProxyFactory.getResource(10034) ^ Expected results: user with implied read permission for inventory can use CLI commands that read inventory Additional info:
12/30/2012 BZ triage meeting mfoley, ccrouch, loleary, asantos
I think you might be confusing the INVENTORY-read Resource permission with the MANAGE_INVENTORY global permission. INVENTORY-read is the permission that is always implied. However, since it is a Resource permission, it only applies to the set of Resources that are members of one or more of the groups associated with the role. For example, for the user to view Resource 10034 (assuming the user did not have MANAGE_INVENTORY or MANAGE_SECURITY), that Resource would have to be in one of that user's role's groups.