WildFly issue WFLY-2010 (parent: WFLY-490 Domain Management Role Based Access Control)

RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem

Description

      This is the issue Jakub has been talking about for quite some time now.

      If I do /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) as a user that has the Maintainer role, the response says that I can :add a new datasource.

      [standalone@localhost:9990 /] /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions) 
      {
          "outcome" => "success",
          "result" => {
              "description" => undefined,
              "attributes" => undefined,
              "operations" => undefined,
              "children" => {
                  "jdbc-driver" => {"model-description" => undefined},
                  "data-source" => {"model-description" => undefined},
                  "xa-data-source" => {"model-description" => undefined}
              },
              "access-control" => {
                  "default" => {
                      "read" => true,
                      "write" => true,
                      "attributes" => {"installed-drivers" => {
                          "read" => true,
                          "write" => true
                      }},
                      "operations" => {
                          "read-children-names" => {"execute" => true},
                          "read-operation-description" => {"execute" => true},
                          "remove" => {"execute" => true},
                          "get-installed-driver" => {"execute" => true},
                          "read-resource-description" => {"execute" => true},
                          "read-resource" => {"execute" => true},
                          "add" => {"execute" => true},
                          "read-attribute" => {"execute" => true},
                          "whoami" => {"execute" => true},
                          "installed-drivers-list" => {"execute" => true},
                          "read-children-types" => {"execute" => true},
                          "read-operation-names" => {"execute" => true},
                          "undefine-attribute" => {"execute" => true},
                          "read-children-resources" => {"execute" => true},
                          "write-attribute" => {"execute" => true}
                      }
                  },
                  "exceptions" => {}
              }
          }
      }
      

      Yet if I try to do that, it fails:

      /subsystem=datasources/data-source=TestDS:add(connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", jndi-name="java:jboss/datasources/TestDS", driver-name="h2")
      {
          "outcome" => "failed",
          "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
          (\"subsystem\" => \"datasources\"),
          (\"data-source\" => \"TestDS\")
      ]' -- \"Permission denied\"",
          "rolled-back" => true
      }
      

      I have a test case for this that I will submit in a pull request in a few minutes.
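The check below is an added example and is not code from the issue or from WildFly itself. It parses the DMR text the management CLI prints (only the subset visible above: objects, lists, `(key => value)` properties, quoted strings, `undefined`, booleans and numbers) and then compares what the trimmed `access-control` block claims about an operation with what actually happened when the operation was attempted, also recovering the address the server denied from the JBAS013456 message so it can be compared with the address the description was requested for. The function names (`parse`, `find_mismatch`, `denied_address`) are mine, and the two embedded responses are constructed from the output quoted in the issue (the first one abridged).

```python
"""Added example (not from the issue or from WildFly): parse the DMR text the CLI
prints and check whether read-resource-description's access-control block agrees
with what happened when the operation was actually attempted (WFLY-2010)."""
import re

_TOKEN = re.compile(r'\s+|"(?:[^"\\]|\\.)*"|=>|[{}\[\](),]|[A-Za-z_]\w*|-?\d+(?:\.\d+)?[Ll]?')


def _unquote(tok):  # drop the surrounding quotes and resolve \" \\ \n \t escapes
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), tok[1:-1])


def parse(text):
    """Parse one DMR text value: objects, lists, (key => value) properties, strings, undefined, booleans, numbers."""
    pieces = _TOKEN.findall(text)
    if "".join(pieces) != text:
        raise ValueError("input contains characters outside the supported DMR subset")
    toks, pos = [t for t in pieces if not t.isspace()], [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take(expected=None):
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        pos[0] += 1
        return tok

    def pair():  # key => value
        key = value()
        take("=>")
        return key, value()

    def seq(close, item):  # item, item, ... close
        out = []
        while peek() != close:
            out.append(item())
            if peek() == ",":
                take()
        take(close)
        return out

    def value():
        tok = take()
        if tok == "{":
            return dict(seq("}", pair))
        if tok == "[":
            return seq("]", value)
        if tok == "(":  # a single (key => value) property, as used in addresses
            return seq(")", pair)[0]
        if tok.startswith('"'):
            return _unquote(tok)
        if tok in ("undefined", "true", "false"):
            return {"undefined": None, "true": True, "false": False}[tok]
        return float(tok) if "." in tok else int(tok.rstrip("Ll"))

    return value()


def reported_executable(description, operation):
    """What the trimmed access-control block claims about `operation` at the queried address."""
    default = description["result"]["access-control"]["default"]
    return ((default.get("operations") or {}).get(operation) or {}).get("execute") is True


def denied_address(failure_description):
    """Recover the target address ('/key=value/...') from a JBAS013456 'Unauthorized' message."""
    m = re.search(r"resource '(\[.*?\])'", failure_description, re.DOTALL)
    return None if m is None else "".join("/%s=%s" % prop for prop in parse(m.group(1)))


def find_mismatch(description_text, operation, attempt_text):
    """None when description and attempt agree; otherwise the details, including the address actually denied."""
    description, attempt = parse(description_text), parse(attempt_text)
    reported, actual = reported_executable(description, operation), attempt["outcome"] == "success"
    if reported == actual:
        return None
    failure = attempt.get("failure-description") or ""
    return {"operation": operation, "reported": reported, "actual": actual,
            "denied_address": denied_address(failure), "failure": failure}


# Constructed from the issue's output (first one abridged): /subsystem=datasources as a Maintainer sees it, then the rejected :add.
DESCRIPTION_RESPONSE = r'''{
    "outcome" => "success",
    "result" => {"access-control" => {
        "default" => {"read" => true, "write" => true,
                      "operations" => {"remove" => {"execute" => true}, "add" => {"execute" => true}}},
        "exceptions" => {}}}
}'''
ADD_RESPONSE = r'''{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
    (\"subsystem\" => \"datasources\"), (\"data-source\" => \"TestDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}'''
```

Running `find_mismatch(DESCRIPTION_RESPONSE, "add", ADD_RESPONSE)` returns a record with `reported` True and `actual` False, and `denied_address` is `/subsystem=datasources/data-source=TestDS`, one level below the `/subsystem=datasources` address whose description was queried; the enforcement decision is the one that counts, so a client should not treat a parent's `access-control` block as permission to add children.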

People

  bstansbe@redhat.com Brian Stansberry
  lthon@redhat.com Ladislav Thon

Votes: 0
Watchers: 2
