Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-2010

RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem

XMLWordPrintable

      This is the issue Jakub has been talking about for quite some time now.

      If I do /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) as a user that has the Maintainer role, the response says that I can :add a new datasource.

      [standalone@localhost:9990 /] /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) 
{
    "outcome" => "success",
    "result" => {
        "description" => undefined,
        "attributes" => undefined,
        "operations" => undefined,
        "children" => {
            "jdbc-driver" => {"model-description" => undefined},
            "data-source" => {"model-description" => undefined},
            "xa-data-source" => {"model-description" => undefined}
        },
        "access-control" => {
            "default" => {
                "read" => true,
                "write" => true,
                "attributes" => {"installed-drivers" => {
                    "read" => true,
                    "write" => true
                }},
                "operations" => {
                    "read-children-names" => {"execute" => true},
                    "read-operation-description" => {"execute" => true},
                    "remove" => {"execute" => true},
                    "get-installed-driver" => {"execute" => true},
                    "read-resource-description" => {"execute" => true},
                    "read-resource" => {"execute" => true},
                    "add" => {"execute" => true},
                    "read-attribute" => {"execute" => true},
                    "whoami" => {"execute" => true},
                    "installed-drivers-list" => {"execute" => true},
                    "read-children-types" => {"execute" => true},
                    "read-operation-names" => {"execute" => true},
                    "undefine-attribute" => {"execute" => true},
                    "read-children-resources" => {"execute" => true},
                    "write-attribute" => {"execute" => true}
                }
            },
            "exceptions" => {}
        }
    }
}

      Yet if I try to do that, it fails:

      /subsystem=datasources/data-source=TestDS:add(connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", jndi-name="java:jboss/datasources/TestDS", driver-name="h2")
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"TestDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}

      I have a test case for this that I will submit in a pull request in few minutes.

              bstansbe@redhat.com Brian Stansberry
              lthon@redhat.com Ladislav Thon
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: