[jboss-jira] [JBoss JIRA] (WFLY-2278) Deployer can't modify data source when datasources set as application resources

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Wed Nov 6 16:16:03 EST 2013


    [ https://issues.jboss.org/browse/WFLY-2278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12851554#comment-12851554 ] 

RH Bugzilla Integration commented on WFLY-2278:
-----------------------------------------------

Harald Pehl <hpehl at redhat.com> made a comment on [bug 1017786|https://bugzilla.redhat.com/show_bug.cgi?id=1017786]

The console uses @AccessControl annotations to bind 1-n resources to presenters. Presenters are the "P" in the MVP architecture used in the console. Most presenters are addressable using a URL like http://localhost:9990/console/App.html#datasources. 

When the presenter is shown for the first time, the console reads the access control metadata of its configured resources to decide whether operations can be executed or attributes are readable/writable. 

The datasource presenter is configured using the following resources:
@AccessControl(resources = {
    "/{selected.profile}/subsystem=datasources/data-source=*",
    "/{selected.profile}/subsystem=datasources/xa-data-source=*"
})

The current implementation uses an "all-or-nothing" rule: If not all resources are writable, none will be writable. To cut a long story short: also making the xa-data-source an application resource will give the deployer the permissions to edit both the data-source and the xa-data-source resource:

/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application, value=true)

/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application, value=true)
                
> Deployer can't modify data source when datasources set as application resources
> -------------------------------------------------------------------------------
>
>                 Key: WFLY-2278
>                 URL: https://issues.jboss.org/browse/WFLY-2278
>             Project: WildFly
>          Issue Type: Sub-task
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management
>            Reporter: Ladislav Thon
>            Assignee: Brian Stansberry
>              Labels: rbac-filed-by-qa
>             Fix For: 8.0.0.CR1
>
>
> When data sources are made application resources, deployer should be able to modify them. This doesn't work, as opposed to e.g. mail sessions. For example:
> {code}
> /core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application, value=true)
> {"outcome" => "success"}
> [standalone@localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:write-attribute(name=jndi-name, value="java:jboss/datasources/ExampleDS_XXX"){roles=deployer}
> {
>     "outcome" => "failed",
>     "failure-description" => "JBAS013456: Unauthorized to execute operation 'write-attribute' for resource '[
>     (\"subsystem\" => \"datasources\"),
>     (\"data-source\" => \"ExampleDS\")
> ]' -- \"JBAS013475: Permission denied\"",
>     "rolled-back" => true
> }
> [standalone@localhost:9990 /] /core-service=management/access=authorization/constraint=application-classification/type=mail/classification=mail-session:write-attribute(name=configured-application, value=true)
> {"outcome" => "success"}
> [standalone@localhost:9990 /] /subsystem=mail/mail-session=java\:jboss\/mail\/Default:write-attribute(name=jndi-name, value="java:jboss/mail/Default_XXX"){roles=deployer}
> {
>     "outcome" => "success",
>     "response-headers" => {
>         "operation-requires-reload" => true,
>         "process-state" => "reload-required"
>     }
> }
> {code}
> I have a test case for this as a last commit in my branch https://github.com/Ladicek/wildfly/commits/rbac (that is the commit called _RBAC test case for application types_).
> Brian, in case you are not the right assignee, please reassign.
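
Added example (not part of the original message, and not console or WildFly code): a simplified Python model of the "all-or-nothing" rule described in the comment above, showing why a deployer sees the datasource presenter as read-only until both classifications are application resources. The per-classification deployer rule, the function names and the sample states are assumptions made for illustration.

```python
# Simplified model of the console's "all-or-nothing" write check.
# Illustration only: names and the deployer rule below are assumptions.

# Resource templates bound to the datasource presenter (from the comment).
PRESENTER_RESOURCES = [
    "/{selected.profile}/subsystem=datasources/data-source=*",
    "/{selected.profile}/subsystem=datasources/xa-data-source=*",
]


def classification_of(template):
    """Return the resource type of the last address segment."""
    last_segment = template.rstrip("/").split("/")[-1]
    return last_segment.split("=", 1)[0]


def deployer_can_write(template, configured_application):
    """Assumed rule: a deployer may write only application resources."""
    return configured_application.get(classification_of(template), False)


def presenter_writable(templates, configured_application):
    """All-or-nothing: writable only if every bound resource is writable."""
    return all(deployer_can_write(t, configured_application) for t in templates)


def blocking_classifications(templates, configured_application):
    """Classifications that still need configured-application=true."""
    return [classification_of(t) for t in templates
            if not deployer_can_write(t, configured_application)]


def per_resource_view(templates, configured_application):
    """Hypothetical alternative: judge each bound resource on its own."""
    return {classification_of(t): deployer_can_write(t, configured_application)
            for t in templates}


# Constructed sample states of the application-classification constraints.
ONLY_DATA_SOURCE = {"data-source": True, "xa-data-source": False}
BOTH = {"data-source": True, "xa-data-source": True}

if __name__ == "__main__":
    for label, state in (("only data-source", ONLY_DATA_SOURCE), ("both", BOTH)):
        print(label,
              "| presenter writable:", presenter_writable(PRESENTER_RESOURCES, state),
              "| blocked by:", blocking_classifications(PRESENTER_RESOURCES, state),
              "| per resource:", per_resource_view(PRESENTER_RESOURCES, state))
```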
