Red Hat Bugzilla – Bug 784988
JON 3.0.1 RC#1 CLI permissions with users other than rhqadmin
Last modified: 2013-08-05 20:42:01 EDT
Description of problem: CLI permissions with users other than rhqadmin
Version-Release number of selected component (if applicable): JON 3.0.1 RC#1
Steps to Reproduce:
1. create a new role. accept the defaults. expressly note that the new role has implied read permission on the inventory.
2. create a new user. assign the role created in step #1.
3. using the CLI ... login using the new user, eg.
New user (with implied read permission on inventory) cannot read inventory
mfoley@localhost:7080$ [mfoley@foleymonsterbox1 bin]$ ./rhq-cli.sh -u mfoley -p password
RHQ - RHQ Enterprise Remote CLI 4.2.0.JON.3.0.1.GA
Remote server version is: 3.0.1.GA (784c8ce:5cde182)
mfoley@localhost:7080$ var myresource = ProxyFactory.getResource(10034)
Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=mfoley]] does not have permission to view resource  (<Unknown source>#1)
var myresource = ProxyFactory.getResource(10034)
Expected results: user with implied read permission for inventory can use CLI commands that read inventory
12/30/2012 BZ triage meeting mfoley, ccrouch, loleary, asantos
I think you might be confusing the INVENTORY-read Resource permission with the MANAGE_INVENTORY global permission. INVENTORY-read is the permission that is always implied. However, since it is a Resource permission, it only applies to the set of Resources that are members of one or more of the groups associated with the role. For example, for the user to view Resource 10034 (assuming the user did not have MANAGE_INVENTORY or MANAGE_SECURITY), that Resource would have to be in one of that user's role's groups.