[wildfly-dev] WFCORE-276 - :whoami(verbose=true) Fails for user with no roles.

Brian Stansberry brian.stansberry at redhat.com
Mon Nov 24 14:36:02 EST 2014


Sounds good.

On 11/24/14, 1:31 PM, Darran Lofthouse wrote:
> After a further check we have the contributed high level command handler
> for 'connection-info' which amongst other things outputs the output from
> :whoami(verbose=true) so in that case I don't think I need to duplicate
> this with another high level whoami operation.
>
> I will resolve the Jira I think, if anyone searches for the error they
> will find it now and I will comment that they should use connection-info
> instead.
>
> Regards,
> Darran Lofthouse.
>
>
> On 24/11/14 19:08, Darran Lofthouse wrote:
>>
>>
>> On 24/11/14 19:04, Brian Stansberry wrote:
>>> On 11/24/14, 12:37 PM, Darran Lofthouse wrote:
>>>> Hello Alexey / Brian,
>>>>
>>>> Just trying to get to the bottom of a failure where
>>>> :whoami(verbose=true) is being performed by a user in the CLI with no
>>>> roles and the following error is received and looking for some ideas.
>>>>
>>>> "WFLYCTL0313: Unauthorized to execute operation
>>>> 'read-operation-description' for resource '[]' -- "WFLYCTL0332:
>>>> Permission denied""
>>>>
>>>> The call to the :whoami operation would be fine except as there is a
>>>> parameter the CLI is attempting to validate the parameters by making a
>>>> call to read-operation-description and it is that call that is failing.
>>>>
>>>> Personally I think this operation working is important as it enables
>>>> some debugging of role assignment, i.e. if a user has not been granted
>>>> the expected roles this call helps provide some information about that.
>>>>
>>>> So unless we are going to say the user should not be calling whoami we
>>>> broadly have two options: -
>>>>
>>>> 1 - Make a special case in the CLI and skip the
>>>> read-operation-description call.
>>>>
>>>
>>> There should be a high level command in the CLI for this anyway. I don't
>>> really like the low level op being handled as a special case, but a high
>>> level command is fine with me.
>>
>> Thanks - That could work, will look at that option.
>>
>>>> 2 - Access control changes to make it possible to call
>>>> read-operation-description for the whoami operation.
>>>>
>>>
>>> -1. I'd much rather not even allow the use of this op than go this
>>> route.
>>>
>>> Related to this, today isn't good but let's chat some time soon re: how
>>> to make the interactive-mode CLI behavior more user-friendly when the
>>> user has no permissions, e.g. can't read the root resource. For example,
>>> output a message informing the user of this and, if reasonably do-able,
>>> limiting the tab completion list to just a few things. Just the message
>>> would help a lot; something analogous to this message we print when the
>>> user isn't connected:
>>
>> At the moment the CLI could also use the :whoami operation to check a
>> user does have at least one role but that will not help much if a
>> non-role based access control provider is ever installed.
>>
>>> You are disconnected at the moment. Type 'connect' to connect to the
>>> server or 'help' for the list of supported commands.
>>>
>>>> Regards,
>>>> Darran Lofthouse.
>>>
>>>


-- 
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat

