Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-832

Access control exceptions missing for non-existent resources

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 2.0.0.CR7
    • Management
    • None

    Description

      When asking for the access control metadata using (r-r-d) on existing resources I get an exceptions block:

      /server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
      {
          "outcome" => "success",
          "result" => [{
              "address" => [("server-group" => "*")],
              "outcome" => "success",
              "result" => {
                  "description" => undefined,
                  "attributes" => undefined,
                  "operations" => undefined,
                  "notifications" => undefined,
                  "children" => {
                      "deployment" => {"model-description" => undefined},
                      "jvm" => {"model-description" => undefined},
                      "deployment-overlay" => {"model-description" => undefined},
                      "system-property" => {"model-description" => undefined}
                  },
                  "access-control" => {
                      "default" => {
                          "read" => true,
                          "write" => false,
                          "attributes" => {
                              "management-subsystem-endpoint" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "profile" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-default-interface" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-group" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-port-offset" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => false},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => false},
                              "replace-deployment" => {"execute" => false},
                              "stop-servers" => {"execute" => false},
                              "remove" => {"execute" => false},
                              "list-add" => {"execute" => false},
                              "map-put" => {"execute" => false},
                              "read-attribute-group-names" => {"execute" => true},
                              "restart-servers" => {"execute" => false},
                              "resume-servers" => {"execute" => false},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "suspend-servers" => {"execute" => false},
                              "reload-servers" => {"execute" => false},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => false},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => false},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => false},
                              "read-children-names" => {"execute" => true},
                              "start-servers" => {"execute" => false},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => false},
                              "read-children-resources" => {"execute" => true}
                          }
                      },
                      "exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
                          "read" => true,
                          "write" => true,
                          "attributes" => {
                              "management-subsystem-endpoint" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "profile" => {
                                  "read" => true,
                                  "write" => true
                              },
                              "socket-binding-default-interface" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "socket-binding-group" => {
                                  "read" => true,
                                  "write" => true
                              },
                              "socket-binding-port-offset" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => true},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => true},
                              "replace-deployment" => {"execute" => true},
                              "stop-servers" => {"execute" => true},
                              "remove" => {"execute" => false},
                              "list-add" => {"execute" => true},
                              "map-put" => {"execute" => true},
                              "read-attribute-group-names" => {"execute" => true},
                              "restart-servers" => {"execute" => true},
                              "resume-servers" => {"execute" => true},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "suspend-servers" => {"execute" => true},
                              "reload-servers" => {"execute" => true},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => true},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => true},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => true},
                              "read-children-names" => {"execute" => true},
                              "start-servers" => {"execute" => true},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => true},
                              "read-children-resources" => {"execute" => true}
                          },
                          "address" => [("server-group" => "main-server-group")]
                      }}
                  }
              }
          }]
      }
      

      However when using the same operation on non-existng resources I don't see an exception block:

      /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
      {
          "outcome" => "success",
          "result" => [{
              "address" => [
                  ("server-group" => "*"),
                  ("deployment" => "*")
              ],
              "outcome" => "success",
              "result" => {
                  "description" => undefined,
                  "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
                  "attributes" => undefined,
                  "operations" => undefined,
                  "notifications" => undefined,
                  "children" => {},
                  "access-control" => {
                      "default" => {
                          "read" => true,
                          "write" => false,
                          "attributes" => {
                              "enabled" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "name" => {
                                  "read" => true,
                                  "write" => false
                              },
                              "runtime-name" => {
                                  "read" => true,
                                  "write" => false
                              }
                          },
                          "operations" => {
                              "read-children-types" => {"execute" => true},
                              "whoami" => {"execute" => true},
                              "map-clear" => {"execute" => false},
                              "list-get" => {"execute" => true},
                              "write-attribute" => {"execute" => false},
                              "remove" => {"execute" => false},
                              "deploy" => {"execute" => false},
                              "list-add" => {"execute" => false},
                              "map-put" => {"execute" => false},
                              "read-attribute-group-names" => {"execute" => true},
                              "redeploy" => {"execute" => false},
                              "read-resource-description" => {"execute" => true},
                              "read-resource" => {"execute" => true},
                              "add" => {"execute" => false},
                              "query" => {"execute" => true},
                              "read-operation-description" => {"execute" => true},
                              "map-get" => {"execute" => true},
                              "list-clear" => {"execute" => false},
                              "read-attribute" => {"execute" => true},
                              "map-remove" => {"execute" => false},
                              "read-attribute-group" => {"execute" => true},
                              "undefine-attribute" => {"execute" => false},
                              "read-children-names" => {"execute" => true},
                              "read-operation-names" => {"execute" => true},
                              "list-remove" => {"execute" => false},
                              "read-children-resources" => {"execute" => true},
                              "undeploy" => {"execute" => false}
                          }
                      },
                      "exceptions" => {}
                  }
              }
          }]
      }
      

      Some notes on the domain:

      • Built from WildFly 10 master
      • No deployments present
      • Role main-maintainer is a server group scoped role based on Maintainer and scoped to main-server-group
      • Role other-monitor is a server group scoped role based on Monitor and scoped to other-server-group

      What we would need is a way to always get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.

      Attachments

        Issue Links

          Activity

            People

              kkhan1@redhat.com Kabir Khan
              hpehl@redhat.com Harald Pehl
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: