
Access control exceptions missing for non-existent resources


    • Bug
    • Resolution: Done
    • Major
    • 2.0.0.CR7
    • None
    • Management
    • None

      When asking for the access control metadata using read-resource-description (r-r-d) on existing resources, I get an exceptions block:

      /server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
      {
          "outcome" => "success",
          "result" => [{
              "address" => [("server-group" => "*")],
              "outcome" => "success",
              "result" => {
                  "description" => undefined,
                  "attributes" => undefined,
                  "operations" => undefined,
                  "notifications" => undefined,
                  "children" => {
                      "deployment" => {"model-description" => undefined},
                      "jvm" => {"model-description" => undefined},
                      "deployment-overlay" => {"model-description" => undefined},
                      "system-property" => {"model-description" => undefined}
                  },
                  "access-control" => {
                      "default" => {
                          "read" => true,
                          "write" => false,
                          "attributes" => {
                              "management-subsystem-endpoint" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "profile" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-default-interface" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-group" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-port-offset" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => false},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => false},
                              "replace-deployment" => {"execute" => false},
                              "stop-servers" => {"execute" => false},
                              "remove" => {"execute" => false},
                              "list-add" => {"execute" => false},
                              "map-put" => {"execute" => false},
                              "read-attribute-group-names" => {"execute" => true},
                              "restart-servers" => {"execute" => false},
                              "resume-servers" => {"execute" => false},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "suspend-servers" => {"execute" => false},
                              "reload-servers" => {"execute" => false},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => false},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => false},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => false},
                              "read-children-names" => {"execute" => true},
                              "start-servers" => {"execute" => false},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => false},
                              "read-children-resources" => {"execute" => true}
                          }
                      },
                      "exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
                          "read" => true,
                          "write" => true,
                          "attributes" => {
                              "management-subsystem-endpoint" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "profile" => {
                                  "read" => true,
                                  "write" => true
                              },
                              "socket-binding-default-interface" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-group" => {
                                  "read" => true,
                                  "write" => true
                              },
                              "socket-binding-port-offset" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => true},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => true},
                              "replace-deployment" => {"execute" => true},
                              "stop-servers" => {"execute" => true},
                              "remove" => {"execute" => false},
                              "list-add" => {"execute" => true},
                              "map-put" => {"execute" => true},
                              "read-attribute-group-names" => {"execute" => true},
                              "restart-servers" => {"execute" => true},
                              "resume-servers" => {"execute" => true},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "suspend-servers" => {"execute" => true},
                              "reload-servers" => {"execute" => true},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => true},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => true},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => true},
                              "read-children-names" => {"execute" => true},
                              "start-servers" => {"execute" => true},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => true},
                              "read-children-resources" => {"execute" => true}
                          },
                          "address" => [("server-group" => "main-server-group")]
                      }}
                  }
              }
          }]
      }
      

      However, when using the same operation on non-existing resources, I don't see an exceptions block:

      /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
      {
          "outcome" => "success",
          "result" => [{
              "address" => [
                  ("server-group" => "*"),
                  ("deployment" => "*")
              ],
              "outcome" => "success",
              "result" => {
                  "description" => undefined,
                  "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
                  "attributes" => undefined,
                  "operations" => undefined,
                  "notifications" => undefined,
                  "children" => {},
                  "access-control" => {
                      "default" => {
                          "read" => true,
                          "write" => false,
                          "attributes" => {
                              "enabled" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "name" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "runtime-name" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => false},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => false},
                              "remove" => {"execute" => false},
                              "deploy" => {"execute" => false},
                              "list-add" => {"execute" => false},
                              "map-put" => {"execute" => false},
                              "read-attribute-group-names" => {"execute" => true},
                              "redeploy" => {"execute" => false},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => false},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => false},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => false},
                              "read-children-names" => {"execute" => true},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => false},
                              "read-children-resources" => {"execute" => true},
                              "undeploy" => {"execute" => false}
                          }
                      },
                      "exceptions" => {}
                  }
              }
          }]
      }
      

      Some notes on the domain:

      • Built from WildFly 10 master
      • No deployments present
      • Role main-maintainer is a server group scoped role based on Maintainer and scoped to main-server-group
      • Role other-monitor is a server group scoped role based on Monitor and scoped to other-server-group

      What we would need is a way to always get the exceptions block, no matter whether the resource exists. In the console we build a so-called security context from wildcard r-r-d operations like the ones above; this security context is used later on to show or hide UI controls. Without the exceptions block, the console only sees the default permissions and cannot tell that a scoped role such as main-maintainer has write access on its own server group.

              kkhan1@redhat.com Kabir Khan
              hpehl@redhat.com Harald Pehl
