Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-6766

[GSS](7.0.z) EAP RBAC domain mode, "Deployer" role and constraints

    XMLWordPrintable

Details

    • Hide
      • 2x EAP 6.4.10 installation, setup as master-slave
      • on each controller, added one instance using a server-group set to
        "full-ha" profile
      • RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
      • applied the constraints
      • added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
      • restarted the whole setup
      • log in as a deployer user using CLI, try to add jdbc driver to full profile, failed with "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "
      Show
      2x EAP 6.4.10 installation, setup as master-slave on each controller, added one instance using a server-group set to "full-ha" profile RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser) applied the constraints added a JDBC driver (module + driver) to "full-ha" and to "full" profiles restarted the whole setup log in as a deployer user using CLI, try to add jdbc driver to full profile, failed with "WFLYCTL0313: Unauthorized to execute operation 'add' for resource ... "
    • Compatibility/Configuration, User Experience
    • EAP 7.0.4

    Description

      Hi,

      https://access.redhat.com/support/cases/01699736
      https://access.redhat.com/solutions/1189913

      We have a cu who wants the "Deployer" role in RBAC to be able to create
      datasources and set the username/password. (not read, only write)

      In standalone mode this is no problem.

      • set the management interface to use LDAP, authentication + authorization
      • enable RBAC, add "Deployer" with some user in it.
      • grant the needed constraints as summarized in the above "solutions"
        article.
        => works as expected, the Deployer user can add the ds including the u/p.

      However, we then move to domain mode:

      • 2x EAP 6.4.10 installation, setup as master-slave
      • on each controller, added one instance using a server-group set to
        "full-ha" profile
      • RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
      • applied the constraints
      • added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
      • restarted the whole setup

      trying to add a datasource into the (active) "full-ha" fails with:

      [domain@orac.usersys.redhat.com:9999 /]
      /profile=full-ha/subsystem=datasources/data-source=oracle12DS:add(jndi-name="java:jboss/datasources/oracle12DS",use-ccm=true,connection-url="jdbc:oracle:thin:@zen.usersys.redhat.com:1521/ora12",driver-name=oracle,user-name=tom,password=tom,pool-prefill=true,min-pool-size=2,max-pool-size=10,pool-use-strict-min=true,valid-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker",stale-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker",exception-sorter-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter",validate-on-match=true)
      {
      "outcome" => "failed",
      "result" => undefined,
      "failure-description" => "JBAS010839: Operation failed or was
      rolled back on all servers.",
      "rolled-back" => true,
      "server-groups" => {"slaves" => {"host" => {
      "master" => {"i1" => {"response" =>

      { "outcome" => "failed", "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[ (\"subsystem\" => \"datasources\"), (\"data-source\" => \"oracle12DS\") ]' -- \"JBAS013475: Permission denied\"", "rolled-back" => true }

      }},
      "slave1" => {"i2" => {"response" =>

      { "outcome" => "failed", "result" => undefined, "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[ (\"subsystem\" => \"datasources\"), (\"data-source\" => \"oracle12DS\") ]' -- \"JBAS013475: Permission denied\"", "rolled-back" => true }

      }}
      }}}
      }

      Repeating without username/password also gives the same error. So it
      would seem that it's not even the sensitivity constraints but something
      before.

      Repeat the same on a non-active "full" profile -> the datasource
      (including u/p) is created as requested.

      Attachments

        Issue Links

          Activity

            People

              ehugonne1@redhat.com Emmanuel Hugonnet
              rhn-support-bmaxwell Brad Maxwell
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: