Bug 999455 - Kie-user and admin don't have permissions to send and consume JMS messages
Kie-user and admin don't have permissions to send and consume JMS messages
Status: CLOSED CURRENTRELEASE
Product: JBoss BRMS Platform 6
Classification: JBoss
Component: Build and Assembly (Show other bugs)
6.0.0
Unspecified Unspecified
high Severity high
: ER5
: 6.0.0
Assigned To: Ryan Zhang
Ivo Bek
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-21 07:03 EDT by Ivo Bek
Modified: 2014-08-06 16:19 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-06 16:19:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ivo Bek 2013-08-21 07:03:37 EDT
Description of problem:

I think that user in group kie-user and/or admin should have permissions to send and consume JMS messages. Standalone.xml only contains permissions for user in group guest.

I mean the security settings below:

<security-setting match="#">
  <permission type="send" roles="guest"/>
  <permission type="consume" roles="guest"/>
  <permission type="createNonDurableQueue" roles="guest"/>
  <permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 4 Marco Rietveld 2013-08-26 05:20:12 EDT
Hi Ivo, 

JMS rights are different from REST rights, so to speak, and JMS is also not used in the same way: it's in fact possible (likely?) that users will want a different user to have access to the JMS queues than the users who have access to the UI and REST api. 

Would it be okay to add documentation describing how to modify the standalone(-full).xml (or domain.xml) to give access to the queues?
Comment 5 Marek Baluch 2013-08-26 07:25:17 EDT
Hi Marco,

I believe that the product should be pre-configured to include the roles Ivo mentioned above. That would be up to productization though. 

Other than that I believe that documenting the proper way to change the groups would be sufficient.

If you don't mind I will change the Component to 'Build and Assembly'.

@M
Comment 6 Marco Rietveld 2013-08-27 08:45:13 EDT
Marek, 

That sounds good. I've chancged the component. 

Would you mind assigning this to the right person? (Doug? Nick?)
Comment 10 Prakash Aradhya 2013-09-16 22:00:20 EDT
Internal Whiteboard: Beta Blocker → Blocker
Not critical for Beta, but need to address for GA
Comment 11 Ryan Zhang 2013-09-30 04:48:11 EDT
It has been fixed and will target it on ER4.
Comment 15 Ivo Bek 2013-10-15 05:50:52 EDT
FailedQA in BPMS-6.0.0.ER4:

the standalone.xml and standalone-full.xml still don't contain group admin and/or (kie-user, analyst).

<security-setting match="#">
  <permission type="send" roles="guest"/>
  <permission type="consume" roles="guest"/>
  <permission type="createNonDurableQueue" roles="guest"/>
  <permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>

this is my proposal of the expected configuration:

<security-setting match="KIE.#"> <!-- probably I would change the queue match for the queues in business central only -->
  <permission type="send" roles="admin"/> <!-- at least admin should be able to send JMS', the same for consume -->
  <permission type="consume" roles="admin"/>
  <permission type="createNonDurableQueue" roles="admin"/>
  <permission type="deleteNonDurableQueue" roles="admin"/>
</security-setting>
Comment 17 Ivo Bek 2013-12-04 03:33:27 EST
Verified in BPMS 6.0.0.ER5

Note You need to log in before you can comment on or make changes to this bug.