[wildfly-dev] WFCORE-276 - :whoami(verbose=true) Fails for user with no roles.

Darran Lofthouse darran.lofthouse at jboss.com
Mon Nov 24 14:08:21 EST 2014



On 24/11/14 19:04, Brian Stansberry wrote:
> On 11/24/14, 12:37 PM, Darran Lofthouse wrote:
>> Hello Alexey / Brian,
>>
>> Just trying to get to the bottom of a failure where
>> :whoami(verbose=true) is being performed by a user in the CLI with no
>> roles and the following error is received; I am looking for some ideas.
>>
>> "WFLYCTL0313: Unauthorized to execute operation
>> 'read-operation-description' for resource '[]' -- "WFLYCTL0332:
>> Permission denied""
>>
>> The call to the :whoami operation would be fine, except that as there
>> is a parameter, the CLI attempts to validate the parameters by making a
>> call to read-operation-description, and it is that call that is failing.
>>
>> Personally I think this operation working is important as it enables
>> some debugging of role assignment, i.e. if a user has not been granted
>> the expected roles this call helps provide some information about that.
>>
>> So unless we are going to say the user should not be calling whoami, we
>> broadly have two options:
>>
>> 1 - Make a special case in the CLI and skip the
>> read-operation-description call.
>>
>
> There should be a high level command in the CLI for this anyway. I don't
> really like the low level op being handled as a special case, but a high
> level command is fine with me.

Thanks - That could work, will look at that option.

>> 2 - Access control changes to make it possible to call
>> read-operation-description for the whoami operation.
>>
>
> -1. I'd much rather not even allow the use of this op than go this route.
>
> Related to this, today isn't good but let's chat some time soon re: how
> to make the interactive-mode CLI behavior more user-friendly when the
> user has no permissions, e.g. can't read the root resource. For example,
> output a message informing the user of this and, if reasonably do-able,
> limiting the tab completion list to just a few things. Just the message
> would help a lot; something analogous to this message we print when the
> user isn't connected:

At the moment the CLI could also use the :whoami operation to check that a 
user does have at least one role, but that will not help much if a 
non-role-based access control provider is ever installed.

> You are disconnected at the moment. Type 'connect' to connect to the
> server or 'help' for the list of supported commands.
>
>> Regards,
>> Darran Lofthouse.
>
>

