Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-2010

RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem

    Details

      Description

      This is the issue Jakub has been talking about for quite some time now.

      If I do /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) as a user that has the Maintainer role, the response says that I can :add a new datasource.

      [standalone@localhost:9990 /] /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) 
      {
          "outcome" => "success",
          "result" => {
              "description" => undefined,
              "attributes" => undefined,
              "operations" => undefined,
              "children" => {
                  "jdbc-driver" => {"model-description" => undefined},
                  "data-source" => {"model-description" => undefined},
                  "xa-data-source" => {"model-description" => undefined}
              },
              "access-control" => {
                  "default" => {
                      "read" => true,
                      "write" => true,
                      "attributes" => {"installed-drivers" => {
                          "read" => true,
                          "write" => true
                      }},
                      "operations" => {
                          "read-children-names" => {"execute" => true},
                          "read-operation-description" => {"execute" => true},
                          "remove" => {"execute" => true},
                          "get-installed-driver" => {"execute" => true},
                          "read-resource-description" => {"execute" => true},
                          "read-resource" => {"execute" => true},
                          "add" => {"execute" => true},
                          "read-attribute" => {"execute" => true},
                          "whoami" => {"execute" => true},
                          "installed-drivers-list" => {"execute" => true},
                          "read-children-types" => {"execute" => true},
                          "read-operation-names" => {"execute" => true},
                          "undefine-attribute" => {"execute" => true},
                          "read-children-resources" => {"execute" => true},
                          "write-attribute" => {"execute" => true}
                      }
                  },
                  "exceptions" => {}
              }
          }
      }
      

      Yet if I try to do that, it fails:

      /subsystem=datasources/data-source=TestDS:add(connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", jndi-name="java:jboss/datasources/TestDS", driver-name="h2")
      {
          "outcome" => "failed",
          "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
          (\"subsystem\" => \"datasources\"),
          (\"data-source\" => \"TestDS\")
      ]' -- \"Permission denied\"",
          "rolled-back" => true
      }
      

      I have a test case for this that I will submit in a pull request in few minutes.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  brian.stansberry Brian Stansberry
                  Reporter:
                  lthon Ladislav Thon
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: