<div dir="ltr">I changed that to an enhancement request as it's not a bug. It was intended to use the view/manage-users roles, but that can be questioned.</div><div class="gmail_extra"><br><div class="gmail_quote">On 14 September 2016 at 12:24, Edgar Vonk - Info.nl <span dir="ltr"><<a href="mailto:Edgar@info.nl" target="_blank">Edgar@info.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok, thanks! I created <a href="https://issues.jboss.org/browse/KEYCLOAK-3576" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3576</a><br>
<div class="HOEnZb"><div class="h5"><br>
> On 14 Sep 2016, at 10:20, Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br>
><br>
> It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users". This looks like a bug, as an admin who is only able to manage users shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm", or separate dedicated roles for user federation providers.<br>
><br>
> Could you please create JIRA?<br>
><br>
> Thanks,<br>
> Marek<br>
><br>
> On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:<br>
>> Hi Marek,<br>
>><br>
>> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue.<br>
>><br>
>> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ‘Configure - User Federation’ menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them, I think). Any ideas on how to make sure these users no longer get access to Configure - User Federation?<br>
>><br>
>> cheers<br>
>><br>
>> Edgar<br>
>><br>
>><br>
>>> On 08 Sep 2016, at 14:04, Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br>
>>><br>
>>> Hi Edgar,<br>
>>><br>
>>> I was trying to reproduce, but wasn't able to. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users/{userId}, so I understand why it fails. But I am not seeing anything in the admin console UI which invokes it in this format.<br>
>>><br>
>>> Feel free to create JIRA if you find steps to reproduce it from clean KC.<br>
>>><br>
>>> Marek<br>
>>><br>
>>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:<br>
>>>> Hi Marek,<br>
>>>><br>
>>>> It’s the brute force detection REST endpoint that is causing the issue.<br>
>>>><br>
>>>> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar@info.nl<br>
>>>><br>
>>>> gives a: “Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"<br>
>>>><br>
>>>><br>
>>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <<a href="mailto:Edgar@info.nl">Edgar@info.nl</a>> wrote:<br>
>>>>><br>
>>>>> Hi Marek,<br>
>>>>><br>
>>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.<br>
>>>>><br>
>>>>> Will try to find the endpoint in question and report back!<br>
>>>>><br>
>>>>> cheers<br>
>>>>><br>
>>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br>
>>>>>><br>
>>>>>> I guess you need to add "view-users" role as well?<br>
>>>>>><br>
>>>>>> For tracking, you can try to enable a FF plugin like Firebug (or similar in Chrome) and see which REST endpoint exactly returns 405 and what role it requires.<br>
>>>>>><br>
>>>>>> Marek<br>
>>>>>><br>
>>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:<br>
>>>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly, however. It also happens when I create a user, but there too the user is created just fine, it seems.<br>
>>>>>>><br>
>>>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> 08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header<br>
>>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)<br>
>>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)<br>
>>>>>>> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)<br>
>>>>>>> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)<br>
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)<br>
>>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)<br>
>>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)<br>
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)<br>
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br>
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br>
>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)<br>
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)<br>
>>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)<br>
>>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br>
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)<br>
>>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)<br>
>>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br>
>>>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br>
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
>>>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br>
>>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br>
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
>>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br>
>>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br>
>>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)<br>
>>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)<br>
>>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br>
>>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)<br>
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
>>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br>
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)<br>
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)<br>
>>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)<br>
>>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)<br>
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
>>>>>>> at java.lang.Thread.run(Thread.java:745)<br>
>>>>>>><br>
>>>>>>> _______________________________________________<br>
>>>>>>> keycloak-user mailing list<br>
>>>>>>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>>>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a><br>
>>><br>
><br>
<br>
<br>
</div></div></blockquote></div><br></div>
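The thread settles on two practical points: the brute-force detection endpoint takes the user id as a path segment (the <code>?username=</code> form matches no GET method and produces the 405 in the stack trace above), and a realm-local admin's rights come from the realm-management client roles in its token. The script below is an added example, not code from this thread or from the Keycloak project. It resolves a username to an id through <code>/users?username=</code>, queries <code>/attack-detection/brute-force/users/{userId}</code> with the id in the path, and prints which realm-management roles the admin's token actually carries so a 403 on some other endpoint can be read against them. It assumes a Keycloak 2.x layout with the <code>/auth</code> context path and the built-in public <code>admin-cli</code> client for the password grant; the server URL, realm name and credentials are placeholders.

```python
"""Probe Keycloak's admin REST API as a realm-local admin user.

Added example, not code from the mailing-list thread or from Keycloak.
Assumes a Keycloak 2.x layout (/auth context path), the built-in public
`admin-cli` client for the password grant, and a realm-local admin user
holding realm-management roles. BASE, REALM and the credentials given on
the command line are placeholders.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com"   # assumed server URL
REALM = "our-custom-realm"              # realm name used in the thread


def token_url(base, realm):
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def admin_url(base, realm, path, **query):
    """Build a URL under /auth/admin/realms/{realm}/ with an optional query."""
    url = f"{base}/auth/admin/realms/{urllib.parse.quote(realm, safe='')}/{path.lstrip('/')}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return url


def brute_force_url(base, realm, user_id):
    """Brute-force detector status for one user: the *id* goes in the path.
    The ?username= form from the thread matches no GET method, hence its 405."""
    return admin_url(base, realm,
                     "attack-detection/brute-force/users/" + urllib.parse.quote(user_id, safe=""))


def unsigned_token(payload):
    """JWT-shaped string with an empty signature. Constructed fixture for
    exercising realm_management_roles() offline; never send it to a server."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(json.dumps({'alg': 'none'}).encode())}.{enc(json.dumps(payload).encode())}."


def realm_management_roles(access_token):
    """Realm-management client roles carried by an access token.
    Decodes the payload WITHOUT verifying the signature: this only shows the
    caller which admin roles its own token has; it does not establish trust."""
    seg = access_token.split(".")[1]
    seg += "=" * (-len(seg) % 4)           # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(seg))
    return set(payload.get("resource_access", {})
                      .get("realm-management", {})
                      .get("roles", []))


def call(url, token=None, data=None):
    """GET (or POST form data when given) and return (status, JSON or raw text)."""
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def password_grant(base, realm, username, password):
    form = urllib.parse.urlencode({"client_id": "admin-cli", "grant_type": "password",
                                   "username": username, "password": password}).encode()
    status, body = call(token_url(base, realm), data=form)
    if status != 200:
        raise SystemExit(f"token request failed: {status} {body}")
    return body["access_token"]


def main(admin_user, admin_pass, target):
    token = password_grant(BASE, REALM, admin_user, admin_pass)
    print("realm-management roles:", sorted(realm_management_roles(token)) or "none")
    # Step 1: username -> id. The search is a substring match, so keep only
    # the exact (lower-cased) username before trusting the result.
    status, users = call(admin_url(BASE, REALM, "users", username=target), token)
    if status != 200:
        raise SystemExit(f"user lookup -> {status}: {users}")
    exact = [u for u in users if u.get("username") == target.lower()]
    if not exact:
        raise SystemExit(f"no user named {target!r} in realm {REALM}")
    # Step 2: brute-force status with the id in the path, as the thread describes.
    status, info = call(brute_force_url(BASE, REALM, exact[0]["id"]), token)
    print(f"brute-force status -> {status}: {info}")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        raise SystemExit("usage: kc_probe.py ADMIN_USER ADMIN_PASS TARGET_USERNAME")
    main(*sys.argv[1:])
```

Run it as <code>python kc_probe.py useradmin 'secret' edgar@info.nl</code> against a test realm. If the user lookup returns 403 while the token lists only <code>manage-users</code>, that is the same view-users dependency Marek asks about in the thread; a 405 on the second call means the id was not placed in the path.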